幹壞事是進步最大的原動力
看到「Waterfox G4.1.0 update reduces requirement to SSE 4.1, sets Startpage as the default search engine for Private Tabs」這篇才發現 Waterfox 在 2019 年年底的時候早就被廣告公司 System1 收購:「Waterfox web browser sold to System1」,過了兩個多月被 Ghacks 寫成新聞後才發表對應的公告:「Waterfox has joined System1」。
先前研究 Google Chrome 的替代品時有列到清單裡找機會測,看起來可以跳過了...
而這次的報導則是題到了 Waterfox 將 Private Tabs 的預設搜尋引擎改成 Startpage,關於 Startpage 之前在「Startpage 被廣告公司收購」這邊也提過了...
Tumblr 推出 US$4.99/mo 的 ad-free plan:「This is 100% new and 100% Tumblr with 0% ads.」。
但我的想法還是偏好上一篇提到的 uBlock Origin:「裝 uBlock Origin 擋詐騙廣告:金石堂」。
昨天在噗浪上看到這則:「金石堂的google搜尋推薦第一位是詐騙網站」。
這邊一直在推廣 uBlock Origin,在主要的幾個瀏覽器上都有支援:
從上面那則噗裡的討論可以看到,把一個檢舉掉了,過幾個小時候另外一個還是會冒出來...
Hacker News Daily 上看到的,美國聯邦政府的 CIO Clare Martorana 行文建議行政管理和預算局 (Office of Management and Budget) 安裝 ad block 軟體以確保資訊安全:「The NSA and CIA Use Ad Blockers Because Online Advertising Is So Dangerous」。行文的文件在「Wyden Letter to OMB on Ad-Blocking」這邊可以看到,另外在 Hacker News 上的討論「The NSA and CIA use ad blockers (vice.com)」也可以翻。
有很多惡意軟體 (像是 malware) 會透過合法的 ad network 散布,然後竊取資料,甚至是透過麥克風監聽環境音:
I write to urge the Office of Management and Budget (OMB) to protect federal networks from foreign spies and criminals who misuse online advertising for hacking and surveillance, by setting clear new rules for agencies in its forthcoming “zero trust” cybersecurity policy.
I have pushed successive administrations to respond more appropriately to surveillance threats, including from foreign governments and criminals exploiting online advertisingto hack federal systems. This includes seemingly innocuous online advertisements, which can be used to deliver ‘malware to phones and computers—often without requiring users to click anything. This ‘malware can steal, modify or wipe sensitive government data, or record conversations by remotely enabling a computers built-in microphone.
記得我是從 Firefox 還叫做 Phoenix 的時代就在用 ad blocker 了... 建議大家一定要裝啊,以現在來說應該都是裝 uBlock Origin,在有支援 extension 的瀏覽器都有商店可以直接安裝。
GitHub 的公告簡單明瞭,也不用你操作,直接在 github.io 上抵制 FLoC:「GitHub Pages: Permissions-Policy: interest-cohort=() Header added to all pages sites」,在「[Feature request] Set HTTP header to opt out of FLoC in GitHub Pages」這邊有些討論,另外在 Hacker News 上的討論也可以看一下:「GitHub blocks FLoC across all of GitHub Pages (github.blog)」。
不過不確定為什麼 custom domain 的就不加上去,可能微軟內部的法務團隊討論出來的結果?
All GitHub Pages sites served from the github.io domain will now have a Permissions-Policy: interest-cohort=() header set.
Pages sites using a custom domain will not be impacted.
Google 打算在 Google Chrome 裡面強推的 FLoC 最近有很多消息,但因為沒看完 spec 就一直丟著了... 可以先參考 iThome 的「繼Brave瀏覽器之後,DuckDuckGo、Vivaldi也要封鎖Google FLoC廣告投放技術」,雖然裡面提的很淺。
目前檯面上除了廣告產業以外,所有看到的人與組織都反對 FLoC。
從 EFF 的「Google’s FLoC Is a Terrible Idea」,之後 DuckDuckGo 也發表了「Use the DuckDuckGo Extension to Block FLoC, Google’s New Tracking Method in Chrome」,再來是 Brave 的「Why Brave Disables FLoC」與 Vivaldi 的「No, Google! Vivaldi users will not get FLoC’ed.」。
最新的進展是 WordPress 決定把 FLoC 當作 security concern 來看,打算直接推出 security hotfix 更新,預設關閉 FLoC:「Proposal: Treat FLoC as a security concern」,在 Hacker News 上也有討論:「Proposal: Treat FLoC as a security concern (make.wordpress.org)」。
主要的原因是正常的 WordPress 版本會在今年七月才出,會跟不上 FLoC 的進度:
Currently, 5.8. is only scheduled for July 2021. FLoC will likely be rolling out this month.
我自己也因為 FLoC 而又再次跳到 Brave,還遇到 imgur Uploader 套件不見 (可以參考「What Happen to the imgur uploader extension?」),以及有些套件無法運作的問題...
全美第二大的 T-Mobile US 打算要賣使用者的瀏覽記錄了,除非你登入進去選擇退出:「T-Mobile to Step Up Ad Targeting of Cellphone Customers」,Hacker News 上的討論則可以看「T-Mobile to share customers' data with advertisers unless they opt out (thehill.com)」這邊。
The No. 2 U.S. carrier by subscribers said in a recent privacy-policy update that unless they opt out it will share customers’ web and mobile-app data with advertisers starting April 26.
這次的改變包括了 2020 年併購 Sprint 的使用者:
T-Mobile’s new policy will also cover Sprint customers acquired through the carriers’ 2020 merger. Sprint had previously shared similar data only from customers who opted into its third-party ad program.
所以連在美國都有 DNS over HTTPS (或是 DNS over TLS) 與 ESNI 需求了...
在「Disqus, the dark commenting system」這邊才看到 Disqus 被網路廣告公司買的消息:
Disqus was acquired by an advertising company called Zeta Global in 2017. Obviously, advertising companies do everything to increase their revenue (Ex: the Big G).
引用的報導則是在「Zeta Global acquires commenting service Disqus」這邊可以看到,大約在三年前發生的事情...
基本上已經變成廣告追蹤平台了:
I analyzed the network requests log. Disqus makes HTTP requests to 11 different third-party domains through the browser. All of these websites are trackers/pixels (Even some were detected as malware by my security guard).
而且就算是付費會員也一樣,還是會追蹤:
When you provide a free product, money should come from somewhere. Disqus uses advertising for that. Now, I subscribed to a paid plan trial of Disqus to see if things change or not. No! Even in the paid plans, the same pixels are loaded on the client-side. Looks like there's no way to opt-out from tracking.
後面的推薦可以看看就好,自己架應該還是比較好的選擇... 用「open source comment system」搜有些東西可以參考。
在 Hacker News Daily 上看到 Maza ad blocking,這是一個擋廣告與追蹤的軟體,原理就是在 DNS 上檔掉某些網域。
運作方式跟 Pi-hole 接近,其中 Pi-hole 是提供一個 DNS server 擋,這套軟體則是透過 /etc/hosts 來擋。
目前只支援 macOS 與 Linux,不過這樣看起來使用的族群有點怪,因為在 desktop 上有更多手段可以擋,透過 DNS 類的擋法主要還是拿來對手機上無法無天的 app...
不過先關注一下好了,之後也許會在某些場合下用到?
前陣子 Chromium 團隊在研究要移除 User-Agent 字串的事情 (參考「User-Agent 的淘汰提案」),結果 kiwibrowser 就直接炸下去,Google 很久前就會針對自家網站送出 x-client-data 這個 HTTP header,裡面足以辨識使用者瀏覽器的單一性:「Partial freezing of the User-Agent string#467」。
在 Google 的白皮書裡面是說用在 server 的試驗:
We want to build features that users want, so a subset of users may get a sneak peek at new functionality being tested before it’s launched to the world at large. A list of field trials that are currently active on your installation of Chrome will be included in all requests sent to Google. This Chrome-Variations header (X-Client-Data) will not contain any personally identifiable information, and will only describe the state of the installation of Chrome itself, including active variations, as well as server-side experiments that may affect the installation.
The variations active for a given installation are determined by a seed number which is randomly selected on first run. If usage statistics and crash reports are disabled, this number is chosen between 0 and 7999 (13 bits of entropy). If you would like to reset your variations seed, run Chrome with the command line flag “--reset-variation-state”. Experiments may be further limited by country (determined by your IP address), operating system, Chrome version and other parameters.
但因為這個預設值開啟的關係,就算關掉後也足以把使用者再分類到另外一個區塊,仍然具有高度辨識性,不是你 Google 說無法辨識就算數。
另外如果看 source code 裡的說明:
// Note the criteria for attaching client experiment headers:
// 1. We only transmit to Google owned domains which can evaluate
// experiments.
// 1a. These include hosts which have a standard postfix such as:
// *.doubleclick.net or *.googlesyndication.com or
// exactly www.googleadservices.com or
// international TLD domains *.google. or *.youtube..
// 2. Only transmit for non-Incognito profiles.
// 3. For the X-Client-Data header, only include non-empty variation IDs.
可以看到 *.doubleclick.net、*.googlesyndication.com 與 www.googleadservices.com 全部都是廣告相關,另外 Google 自家搜尋引擎是直接提供廣告 (不透過前面提到的網域),YouTube 也是一樣的情況,所以完全可以猜測 x-client-data 這個資料就是用在廣告相關的系統上。
The Register 在「Is Chrome really secretly stalking you across Google sites using per-install ID numbers? We reveal the truth」這邊用粗體的 Update 提到了 GDPR 的問題,不確定是不是開始有單位在調查了:
Updated Google is potentially facing a massive privacy and GDPR row over Chrome sending per-installation ID numbers to the mothership.
在這個問題沒修正之前,只能暫時用操作 HTTP header 的 extension 移掉這個欄位。