refcontrol
is a Firefox addon
Mozilla has rolled out Firefox 14, which automatically encrypts web searches through Google, but the new release leaves an important back door open to advertisers. The move also quietly undermines Mozilla’s crusade in the past years on maintaining the privacy of netizens by using Do-Not-Track as a plea to websites not to track …
The story is that Mozilla was misleading users when they state on their blog that:
"Additionally, using HTTPS helps providers like Google remove information from the referrer string. While Google users may expect Google to know what they are searching for, Firefox users may not be aware these search terms are often transmitted to sites they visit when they click on items in the search results; enabling HTTPS search helps sites like Google strip this information from the HTTP referrer string, putting the user better in control of when and to whom their interests are shared."
and making no mention of the exception for advertisers. But then again most of Mozilla's funding comes from Google, doesn't it...
"This story is nothing more that a bad misunderstanding of what HTTPS is."
Obviously, you don't know about all of the other bad people that want to see your Google traffic. For instance, I know of a company that works with ISPs to tap all of their traffic, and look for Google searches and the responses. They would collect the Google tracking ID, and search terms. And they would see which sites the users go to, using the Google tracking ID to link up the search terms and browsing click trail. This was very valuable data, and they would use it link the google tracking ID and the ISPs user records together, to provide super-targeted ads. You don't know about this right now. And your ISPs probably has enough weasel words in their privacy policy that they could route all of your Internet traffic to DPRK, and wouldn't have to tell you.
With Firefox search going https, it shuts down half of what these bad guys can do. If all of the Google tracking IDs are also sent over https, they are dead in the water.
"that breaks a lot of sites doesn't it? especially image URLs tend to expect a valid referrer."
Actually no it doesn't. I've had the referrer header turned off in every browser I use for about 10 years now. Occasionally I have to turn it back on for some stupid site that won't work but 95% of the time I have no problem. Also if a site does require it I only turn it on and use that site if I absolutely have to, if there is a competitor that will work without the referrer then they get my business.
I love how Google manages to come up with things that appear well intentioned on the surface like HTTPS search, but whose purpose is to consolidate their advertising monopoly and ultimately financial position even more.
It's the same with SPDY, that seems good except for the fact that the server can now push ads over the connection even if ad blocking software doesn't request them.
The latest is their Transparency Report, which again sounds great however it actually consolidates links to pirate media in a single, easy to access, location - causing companies to issue takedowns for the ChillingEffects site itself, in a never-ending self-loop: http://torrentfreak.com/google-builds-largest-database-of-links-to-pirated-media-120717/
That is why I try to strip out or otherwise mangle all of the advertisements, and tracking information, using squid and firewall rules. Its not perfect, but it sure helps. If you didn't have control before, don't expect them to actually give it to you now. But the illusion of control is just as good right?
I actually saw those ads a while back- when I was using a browser for a short time that I couldn't have adblocked (don't ask). I had to stop reading theregister until I got the ad blocking back, as the obnoxious flashing HP et al ads were making it quite hard to see, spazzing around in my peripheral vision, twitching and flashing.
It is that simple, really, if I can't have the site without the ads, I generally don't want the site. I am not sure that I can think of any examples, off the top of my head.
"The move also quietly undermines Mozilla’s crusade in the past years on maintaining the privacy of netizens by using Do-Not-Track to anonymise users' searches."
"Do not track" does absolutely nothing to anonymise users' searches. All it does is add an extra HTTP header, "DNT: 1", indicating to the server that the user does not want to be tracked. This is a political, not a technical, approach, and I worry that users will think it actually gives them some sort of real protection. In fact I think it's rather amusing how a web browser can basically say, "please do not track me! Thanks. And by the way, the unique identifier you gave me last time is ac2983b6."
Using HTTPS by default is a good thing, even if it is only for Google searches. HTTPS authenticates the server and provides confidentiality from anyone intercepting or tampering with the connection between your browser and the web server, so your ISP, or the shady laptop user in the corner of the café, cannot see what you're searching for. It has nothing to do with whether the web server can track you or not.
"Additionally, using HTTPS helps providers like Google remove information from the referrer string."
If Google suppresses tracking when you use HTTPS (which I doubt), it's because Google decided to do that. Using HTTPS neither helps nor hinders.
"If you happen to click on an ad on a page you hit then the encryption is removed and advertisers can see who you are and where you’ve been."
Advertisers probably see that information without your clicking on it. HTTPS is to stop people intercepting your connection, it does nothing to control what the remote server does with the information you send it. (Note that advertisers don't intercept TCP connections to gather data, Google gives the data to them.)
As you say, the line in the article... "Do-Not-Track to anonymise users' searches" ... what a load of utter codswallop.
DNT is a plea to a web site to ignore you. The truth is it will be ignored, and if anything draw more attention to those who wish to remain anonymous.
NoScript, AdBlock Plus, and Do Not Track Plus, with the 'do not track' flag set in firefox. Plus I use DuckDuckGo as my search engine, which promises it does not collect or share personal information. I don't see very many ads of any sort.
Of course the advertising industry will move on. Offense and defense have played leapfrog throughout history, in just about every venue.
somewhat off topic, but along similar lines...
"You can sue the unscrupulous ones, or at least open complaints about them."
Also, if they don't withhold their telephone number, e.g. if they (appear to) use an 07xxxx/08xxxxx number in the UK, you can also politely contact the licenced telecom operator that provides that number (details below) and point out that one of their customers appears to be abusing the terms of their contract. Do it politely as it is entirely possible the CLI is being spoofed. But do it.
If the telco involved wishes to retain their licence, they have to take complaints seriously, and it is in their interests to do something about the abuser. Even if it is only to move them on to another telco.
Spread the word.
There are also an increasing number of affordable phones that simply don't make a noise on an anonymous incoming call, so you just don't hear them, and if suitably configured, these phones will take a message from a genuine anonymous (or maybe international) caller. I came across a £40 pair of Gigaset phones with this capability in my local supermarket a few days ago. In a variant on a similar theme you can get affordable phones that have a whitelist, ie they only make a noise if the CLI is in its list of known numbers, otherwise it's straight to answerphone.
If you are a Virgin cablephone customer (callerID is not free, unlike BT Privacy At Home), you can often get callerID for free by asking the callcentre first line nicely and then when they refuse, ask to speak to retentions.
In the UK, Ofcom administer the numbering plan. The "which telco issues what number" list of numbers to issuers can currently be found at:
http://www.ofcom.org.uk/static/numbering/index.htm
"If you are a Virgin cablephone customer (callerID is not free, unlike BT Privacy At Home), you can"
AC, I have to pick you up on one point. BT Privacy At Home is not free it is "free".
If you do not make enough calls in a quarter BT reserve the right to charge you for the Incoming caller display aspect of the BT Privacy service; which I found out the hard way*. I made two calls in a quarter, instead of the required three and got a £8 charge as a result.
* Yeah it's probably detailed in clause 271, on page 58 of the Ts&Cs but charging £8 for the sake of not making three 10p calls is completely out of proportion and is surely designed only to piss off customers while wallet raping them.
Yes, it's all very well sharing tips on how to prevent your web searches being able to be tracked by the search engine provider and their advertisers...
...but all those web servers and databases don't run on fresh air. Companies can either follow the Microsoft approach (selling bloatware to you at inflated prices) or the Google approach (provide advertising space).
While ads could theoretically be context-free, the click through rate would be very low (possibly even insignificant), making companies wonder why they were going to the bother of paying to advertise. However, if the search engine looks at what you're searching for, and finds adverts with keywords attached that match what you've searched for, the click through rate will be much higher, companies will be satisfied they're getting more visits / purchases as a result of their advertising, and will consider paying for more advertising with the search engine.
Google has an advantage over other search engines (other than its sheer market size!) in that as it also owns its own advertising network, all the juicy data you give it remains completely in house. They don't sell your data to third parties because they have no need to. It would, however, be interesting to know how much of your search history is passed to the advertiser - just the search which resulted in you clicking on their ad, or everything (probably unrelated) you searched for beforehand? Also bear in mind that although they can track your machine, unless you're stupid enough to be browsing on a mobile phone with location information turned on, particularly if you're using a dynamic IP address, your Geo IP information could be anywhere within a couple of hundred miles of yourself. As others have said, given most browsers have ad blocking extensions, any information the companies do collect on you will go to waste (other than saying someone that matches your profile isn't interested in them) because they'll have a zero click through rate from you!
You gave your permission. If you don't want to see ads, don't go to ad driven sites. It's quite simple, really. Requesting my website from my server implies you want me to send you my web site. That site includes ads.
That's like going into a resturaunt, ordering a burger and coke and getting mad when they charge you for a coke.
No, it's more like you running a soup kitchen that refuses to serve blind people, because they can't see your sponsor's advertising billboard.
If you want to run a commercial website, then require registration and payment for access, but don't publish freely then whine when people freely access your site in a selective manner that doesn't suit you.
Are you related to Danny Carlton, by any chance?
"Danny Carlton is a delusional megalomaniac, who seems to think that the whole world has some kind of legal and moral obligation to view advertisements. This is indeed a bizarre misconception. If I leave the room or change channels whilst adverts are being shown on television, am I breaking the law? If I browse a Web site, and use my fingers to cover up an advert, so I can no longer see it, am I committing some mortal sin? If I pluck out my eyes, and perforate my eardrums, so that I never again have to be subjected to the horrors of advertising-spam, does that make me evil (or just loony-tunes like Danny Carlton)? So what's the difference between that, and using some software to conveniently and automatically block it for me? If I don't want to see adverts, then there is no law in the world that compels me to endure them, and (God forbid) if there is such a law, then that law needs to be abolished as a matter of extreme urgency. As one Digg commenter recently put it (paraphrased); "Advertising is an opportunity ... not a right." One advertises in the hope that people may see and respond to that advertisement ... not in the expectation that the law or some twisted sense of morality will compel people to do so."
Apperently you didn't read the person I was responding to. Don't worry, I'll wait.
Oh, you're just too slow, so let me point this out:
"Adverts use my time and bandwidth without permission"
You implictly gave your permission for me to send me my website WHEN YOU SENT A REQUEST ASKING FOR IT to my server. I never, NOT ONCE, said that you have to look at it. Block it, ignore it, masterbate to it, I don't care, but don't tell me I'm sending you something you didn't consent to WHEN YOU REQUESTED IT.
*I'm* not the one whining, but I suppose accusing someone of doing what they are arguing against is the height of discourse these days.
Sad.
>You implictly gave your permission for me to send me my website WHEN YOU SENT A REQUEST ASKING FOR IT to my server.
Yes, we've asked for your webpage. We haven't asked for you to send us a whole bunch of ads from third party advertising servers that can track us across sites.
If your business model requires adverts then serve them off your own webserver. If you can't be bothered to do that then expect them to be adblocked.
You didn't "send" anything. You placed something in a publicly visible space for all to see, then whined when people didn't look at the bits you wanted them to.
Like I said, if you don't like the public having free access to what you publicly display, then don't make it public, make it private, and require advance registration and payment.
The spammer mentality is really bizarre.
Hmmm hmmm... Let me give you a small heads up.
If i wanted a car, i'd have searched for "car" and looked at the results. Same for everything else. So, if sitexyz doesn't have shit worth of content to show in real searches, the only thing your clients get from me is.... nothing.
Brain is trained to totally ignore any ad that slips through the blocks. And even if i notice it, 2nd stage kicks in telling me "ad, not important". That's what you people managed, a really epic achievement. Now people IGNORE ads. Even the important and meaningful ones.
So, all your client money is getting him is fattening YOUR wallet. It's doing next to nothing for him, well, except making him less wealthy of course.
If/when people do come around and not only start denying you referer data, but also start supplying you with JUNK referer data, your value will come down to what it really is, next to nothing.
Maybe then some of the advertising victims, i mean, clients, can stop squandering their greens and instead use it to top up what they constantly neglect, their sites real content.
Web will go on, it's just that you're gonna have to start doing some real work for your clients instead of just being a near zero value leech.
This whole "tracking" thing is bogus. What advertisers don't seem to realize is it doesn't make economic sense for them to do this (or pay to have it done for them).
Google AdSense, etc. promises advertisers ads which are 'pin-point-selectively delivered to your target demographic', or some swill like that. And, advertisers have fallen for it. It's like the old 1950s ads for "blah-blah-blah at the push of a button."
It's simple. If I'm at a sports site, it makes sense to show me ads for sporting equipment and upcoming sports events. If I'm at a sports site, there's a pretty good chance I'll click on such an ad. Likewise, if I'm at an automobile review site, it makes sense to show me ads for automobiles, auto accessories, tools, and such. If I'm at an auto site, there's a pretty good chance I'll click on one of those ads.
But even with all the tracking going on, I"m consistently served with the "wrong" ads.
Don't try to sell me more of the same thing (new PC power supply) that I've already bought. When I need another one, I'll buy it then, but not until.
Don't decide that because I've bought bulk kitty litter, I have an infant and want to see ads for diapers. I don't.
A show of hands: how many other people here have developed visual/mental filters to Google's ads on their search results pages?
Want to know if it's raining? Then, look outside.
Want to know if your company's service, products, or policies stink? Look at the angry, torch-and-pitchfork-bearing crowds outside your corporate headquarters, and the tons of "I hate your company/products/policies and here's why ... go FOAD" emails and letters.
It can simple. Make me a happy customer by (1) making a quality product at a reasonable price; (2) not tracking me; and (3) using common sense in selecting ads to show me. You could make a lot of money that way.
I sometimes wonder if we are not just trying to hold back a rising tide.
You and me are ok, we have the chops and take the time to do the necessary.
The average user? Not so much.
It is a war. On the whole they are winning. They will keep winning that much more as time goes by.
Even though much more powerful anti-scripting and anti-tracking tools come out, their government sanctioned 'loop holes' built into the next version of their browser or plug-in or whatever, will get the best of most people most the time. Anyone here have Java disabled? Are you sure it really is? On all your browsers?
Ah the Golden age of computing, full of so much Eastern Promise. Now we just have the digital imprimatur:
http://www.fourmilab.ch/documents/digital-imprimatur/
Forgive me if I am off thread. I do ramble. I know. Even in my own head.
I use proxy search engines like Duck Duck Go (SSL) when searching for most stuff, just-in-case Firefox lets stuff past Ghostery, Adblock+, NoScript etc. and only use Google when I want to see specific kinds of results.
I also run different browser instances for different types of task, specifically to sabotage most ad-tracking and demographics mechanisms.