[PrivacyBadger] Pushing Privacy Badger's buttons, part 2

Mike O'Neill michael.oneill at baycloud.com
Mon Sep 12 07:21:22 PDT 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Don,

How does an extension check for it? Does it block the resource or clear the cookie?

I looked at your blog post and there is (in ad.aloodo.com) a cookie named "site" whose value is the parent site domain, and a cookie named "[object Object]" which looks like it's a javascript error (you must be writing an object to document.cookie somewhere). Neither of them is high entropy, so PB will not ordinarily see them as tracking (is that right, Cooper?).

I think it would be a good idea to come up with some standard cookie names. There is a proposal for an amendment to RFC 6265 for "well known" cookie names prefixed by "__", e.g. __Secure.

I suggested one (__DNT=0) to override DNT:1 for browsers that don't support the API. You could only declare "web wide" consent with that, and it takes the pressure off them from implementing the API, so it is not very useful and I am not pushing it. Cooper suggested a standard name for the advertiser's opt-out cookie, which would be a good idea, but perhaps a distraction from them just respecting DNT.

How about __BlockMe?

If you can return a Set-Cookie header, couldn't you also return Tk: D?

Mike

-----Original Message-----
From: 'Don Marti' [mailto:dmarti at zgp.org]
Sent: 12 September 2016 14:19
To: Mike O'Neill <michael.oneill at baycloud.com>
Cc: 'Cooper Quintin' <cooperq at eff.org>; privacybadger at eff.org
Subject: Re: [PrivacyBadger] Pushing Privacy Badger's buttons, part 2

I have made some progress on this.

There is now an "un-tracking pixel" that will just set
the Aloodo cookie -- no third-party JavaScript
required.

Faster than running the whole script.  And it comes
with a long "Expires:" time, so the browser won't
re-load it for every page.

  http://blog.aloodo.org/misc/howto/#pixel

Good for

 * sites that want to help but don't want to show
   tracking warnings

 * sites that are concerned about load times and
   bandwidth

 * sites that don't want to run 3rd-party JS

 * sites that can add an image but not a script (for
   example, those hosted on Wordpress.com)

So now there can be some sites running the whole
Aloodo script, to warn users, and some sites just
running the pixel, to pre-prime the browsers so the
script can get better results.


begin Mike O'Neill quotation of Sat, Apr 16, 2016 at 05:19:04PM +0100:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Thinking about this I think a better "block me" response would be a Tracking Status Value of "D", which means the web application is "Disregarding" DNT.
> 
> T could be a valid TSV when tracking for one of the permitted uses is happening, although the particular permitted use must be declared in the "qualifiers" property. PB could check for a T along with an absent "qualifiers" property, or one that does not have one of the permitted use codes, but that seems long-winded. A "D" would be simpler.
> 
> So either the TSV includes:
> 
> { "tracking": "D", ... }
> 
> Or there is a response header "Tk: D"
> 
> I am writing an implementers guide to DNT (for the TPWG) that will include that suggestion.
> 
> Mike
> 
> -----Original Message-----
> From: PrivacyBadger [mailto:privacybadger-bounces+michael.oneill=baycloud.com at eff.org] On Behalf Of Cooper Quintin
> Sent: 12 April 2016 02:56
> To: privacybadger at eff.org; Don Marti <dmarti at zgp.org>
> Subject: Re: [PrivacyBadger] Pushing Privacy Badger's buttons, part 2
> 
> Actually this seems like a pretty good solution to Don's problem and one
> that we should maybe adopt anyway. There are other benefits to reading
> the TSR as well such as getting a list of first parties. I would likely
> support this change.
> 
> -- Cooper
> 
> On 04/09/2016 11:31 AM, Mike O'Neill wrote:
> > Why not agree on a "block me" signal. Any reference to a third party marked in a particular way will cause the request to be blocked by tracking protection, i.e. PrivacyBadger.
> > 
> > The Do Not Track (candidate) recommendation contains such a signal. A TSR (a JSON resource at //ad.aloodo.com/.well-known/dnt ) with Tracking set to "T" ({ "Tracking": "T", ... }), when accessed with the DNT set (DNT:1), would signal refusal to stop tracking, i.e. block me. You could also do it by returning a Tk: T to any ad.aloodo.com resource.
> > 
> > -----Original Message-----
> > From: PrivacyBadger [mailto:privacybadger-bounces+michael.oneill=baycloud.com at eff.org] On Behalf Of Don Marti
> > Sent: 09 April 2016 18:48
> > To: privacybadger at eff.org
> > Subject: [PrivacyBadger] Pushing Privacy Badger's buttons, part 2
> > 
> > Still working on tools that a web site can use to
> > notify users when they're vulnerable to third-party
> > tracking.
> > 
> > Here's the problem.
> > 
> >  * If the script warns the user when a third-party
> >    iframe loads, it will falsely notify some users
> >    of an "untrained" Privacy Badger.
> > 
> >  * If we wait to notify until we're sure that a
> >    third-party cookie can be set and read on three
> >    sites, then we miss a chance to notify some users
> >    of list-based protection who haven't been to enough
> >    sites that include the iframe.
> > 
> > One solution is...put the https://ad.aloodo.com/track/
> > iframe everywhere!!1!1  Even if you don't want to run
> > tracking notifications on your own site, the iframe
> > will train Privacy Badger to block it, so the cookie
> > test will work when the user goes to a site that does
> > do notifications.  Still looking for other solutions.
> > 
> > Anyway, more here:
> > 
> >   http://blog.aloodo.org/posts/track-js-script/
> > 
> > Comments and suggestions welcome.
> > 
> > 
> > _______________________________________________
> > PrivacyBadger mailing list
> > PrivacyBadger at eff.org
> > https://lists.eff.org/mailman/listinfo/privacybadger
> > 
> 

-- 
Don Marti <dmarti at zgp.org>
http://zgp.org/~dmarti/
Are you safe from 3rd-party web tracking?  http://www.aloodo.org/test/


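The "block me" check discussed in this thread, as an added example that is not code from Privacy Badger, Aloodo or any of the posters: it evaluates a DNT Tracking Status Resource body or a Tk header value the way Mike describes (block on "D", or on "T" with no declared permitted use in "qualifiers"). The set of permitted-use qualifier codes, the status-id suffix syntax and the sample TSR bodies are assumptions constructed for the example.

```javascript
// Added example (not from the thread): extension-side evaluation of the
// DNT tracking status signals, treating "D" (disregarding DNT) and an
// unqualified "T" (tracking) as a "block me" signal.

// Constructed placeholder: which qualifier characters count as a declared
// permitted use is set by the compliance regime, not by this example.
const PERMITTED_USE_CODES = new Set(["a", "c", "f", "s"]);

// Parse a Tk response header value such as "D" or "T;status-id".
// The status-id suffix shape is an assumption of this example.
function parseTkHeader(value) {
  if (typeof value !== "string") return null;
  const m = /^\s*([!?GNTCPDU])\s*(?:;\s*([A-Za-z0-9_-]+))?\s*$/.exec(value);
  return m ? { tracking: m[1], statusId: m[2] || null } : null;
}

// Core decision over a status object (from a TSR or a parsed Tk header).
// Accepts both "tracking" and the capitalised "Tracking" seen in the thread.
function shouldBlock(status) {
  if (!status || typeof status !== "object") return false;
  const raw = status.tracking !== undefined ? status.tracking : status.Tracking;
  if (typeof raw !== "string") return false;
  const tsv = raw.toUpperCase();
  if (tsv === "D") return true;          // web application disregards DNT
  if (tsv !== "T") return false;         // N, C, P, etc.: not a block signal
  const q = typeof status.qualifiers === "string" ? status.qualifiers : "";
  // "T" is only acceptable when a permitted-use qualifier is declared.
  return ![...q].some((c) => PERMITTED_USE_CODES.has(c));
}

// Evaluate the body fetched from /.well-known/dnt; malformed JSON is
// treated as "no signal" rather than as a block.
function blockFromTsr(jsonText) {
  let tsr;
  try {
    tsr = JSON.parse(jsonText);
  } catch (e) {
    return false;
  }
  return shouldBlock(tsr);
}

// Evaluate a Tk header value from a third-party response.
function blockFromTk(headerValue) {
  return shouldBlock(parseTkHeader(headerValue));
}
```

An extension would run blockFromTk on responses from the third party (or fetch its TSR and run blockFromTsr) before deciding to block the resource and drop its cookies.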
