Ever felt that a few big tech companies are following you around the internet? That's because ... they are A new extension for Google Chrome has made explicit how most popular sites on the internet load resources from one or more of Google, Facebook, Microsoft and Amazon. The extension, Big Tech Detective, shows the extent to which websites exchange data with these four companies by reporting on them. It also optionally blocks …
both spellings are valid but, for consistency, ElReg should use only one of them throughout the article
NoScript is currently blocking the following on this site:
doubleclick.net (ad spewer)
google-analytics.com (creepy tracker)
googletagmanager.com (also creepy tracker)
As far as the number of things to block to avoid tracking, El Reg is by no means the worst of the news sites. The Independent, for example, has a good two dozen various domains it pulls things from, some of which are obvious advertisers/trackers (there's not a lot of difference between the two any more), some are more opaque.
As a rule, I have everything blocked by default, and then if the web site doesn't work, I allow domains one-by-one. If it won't work without me allowing a domain I have previously explicitly blocked (such as doubleclick), then it's pretty obvious that the purpose of the site is to get advertising revenue, and not to provide any useful information, and I go elsewhere. The same goes for any site that has an "ad-blocker" popup. If it can't be easily removed by hitting F12 and setting the display attribute to none, then I'll go elsewhere.
I'm certainly not going to let any scripts run from such dubious sites as the Daily Heil, the Scum, or the Ex-press, so if something directs me to one of them, I figure I can find the actual information elsewhere anyway, without having to read past the right-wing editorial and interpretation of the facts.
I bought a Chromebook. Utter total shite.
I want to use Firefox and NEVER Chrome. Nope, not possible. OK, I don't want any annoying adverts so I'll stick an ad blocker on my browser. 'You need to get one from the Chrome webstore, log in and...' Fuck off, you mean I have to log in with an account that means you know who I am (I can't get an anonymous account without an associated phone number -- did I say fuck off?)
So the Chromebook went back to Amazon. What an utter total load of shite.
my anti-tracker method is a lot easier on my end.
* assume that browser history and stored cookies are a huge part of the problem
* For "those" sites, run a browser without 'noscript' in a different security context, such as a different login entirely (i use DISPLAY=localhost:0.0 or similar and authorize via "xhost +localhost" - make sure X server runs with -listen_tcp or similar for this to work).
* The separate login's browser settings either delete history on exit, or you have a script (needed for Chrome) that deletes everything that's persistent.
* close all browser instances for that login and erase history between web sites.
Normally when I find these sites I have nothing to do with them. But occasionally an online store or even gummint resource (Cali-forn-you is bad about this) will have a CAPTCHA or some other scripty thing you can't avoid using. So I run it from "that" browser. Firefox has a setting to erase all history on exit, and that is helpful.
This as an alternative to "temporarily allow all for the current tab"
(understandably clever trackers can track you without cookies, and then put 2 and 2 together to associate that web page with everything about you, from your real name and e-mail and cell phone number, to personal data you entered for a social media account like age, sex, likes/dislikes, education and work history, and so on, and then SELL IT or use it to target ads, etc.)
What I see on the page displaying the story, courtesy of the SixOrNot Firefox extension:
www.googletagmanager.com
cdn.bibblio.org
www.google-analytics.com
pj.l.admedo.com
static.ads-twitter.com
api.bibblio.org
adservice.google.com
safefra.googlesyndication.com
tpc.googlesyndication.com
I agree, by no means the worst, and how is a free site supposed to make a crust anyway?
My uBlock Origin/Ghostery/Privacy Badger/AdBlock Plus combo shows blocked when I'm on el reg:
doubleclick.net, pubads.g.doubleclick, securepubads.g.doubleclick.net, googletagmanger.com, www.googletagmanager.com, two remote fonts, admedo.com, ads-twitter.com, six instances of javascript and whatever is blocked with cosmetic filtering disabled in uBO, 8 items blocked in AdBlocker.
I also have various media/pics blocked to the extent that I almost have a text based interwebtube!!!
As mentioned elsewhere, when on sites such as youtube, I allow the bare minimum for functionality or just use 4K VideoDownloader to copy/paste video link from youtube without having to watch it on the site itself.
Works for me but your mileage may vary ¯\_(ツ)_/¯
Edited to add AdBlock Plus info.
It already HAS happened, they're just keeping it quiet. Remember that furor a couple months ago where Google suddenly shut down their servers and Microsoft services went offline? That was the emergency cleanup being done... which they're saying NOTHING about because then people would realize the risk is REAL, not just theoretical.
It would be really hard to interrupt the routing to all four. Each has a bunch of places where they can reroute traffic, so you can't attack a physical place to interrupt their service. Meanwhile, if you tried something like a BGP hijack, you'd have trouble getting all the networks to go through you and those which did would quickly realize their mistake when everything breaks. Also, if you did interrupt service, a lot of the world would be annoyed but many things wouldn't break. Take El Reg. There are Google and Facebook URLs in their pages, so they'd get blocked by this plugin. However, if Google and Facebook go down, their site still works. It's not hosted on AWS or Azure either, so you could cut all four and the only thing that would change is that there wouldn't be so many ads and the Facebook share button would go away. I've emulated that on my network on purpose anyway.
If Akamai went down, it would probably affect everybody (well non China anyway).
The Internet is held together with gaffer tape, and at some point it will break. Although of course its meant to be resilient, but if all the traffic ends up being routed under some road in Africa / India / Basingstoke (delete as appropriate) ....
Advertising companies just make things worse - I'll be glad when 3rd party cookies are fully banned, although not via Google's intended method please.
Not really. A lot of sites don't use those providers, and some others use multiple providers. It's true that the big three are quite large, but if they all went down simultaneously, which is unlikely, there'd still be a lot of stuff online. In order to take down large chunks of the internet, you need to take down cloud providers, at least AWS and Azure, but you also need to take CDNs like Cloudflare and Akamai out of the equation. Even without those, lots of large institutions host their own services and small cloud providers would still run. My website, for example, would be fine. So would El Reg once they routed around the downed Cloudflare.
The structure of the internet is indeed fragile, but not in the way you think. It's not fragile in the sense that one big hit will take it down. One big hit will cause some grumbling while people repair the damage, but a lot of things will work fine. It's fragile because each individual part of it can be disrupted with some ease. Still, while things are strong, those breaks will be repaired, undoing your destructive work.
That's not how that works.
"If you use any cloud provider, all that is needed to push you out of business is for that provider to cancel you as a customer."
If you are afraid they will do that, then you can take steps to insulate yourself from it. Have two cloud accounts which are redundant. If one cloud closes your account, the other one can take the traffic. If you're afraid that multiple cloud providers will simultaneously reject you, maybe you should be hosting yourself but you can have some self-hosting while still using the cloud so you have stuff to fall back on if they deny you service.
"Just like Amazon did to Parler. And apparently there is no law that prevents them to do it any time they want."
Correct, there is no law saying people can break the terms of service and the company has to keep giving them the service. Good idea to read those before you start using a service since they are binding on you.
From the images, it appears this extension blocks a site entirely if detects a single thing anywhere on the page attempting to load anything from Google, etc. Meanwhile, I block Google, Facebook, and the rest using things like Noscript, and most sites remain perfectly useable. So it's simply not true that the web becomes unusable without them. Lots of sites use them for tracking and analytics, but still work perfectly if you block that part of things while allowing their first party things to run.
So I'm not sure I really see the point of this. Either you use it to block virtually the whole internet because it won't just block the tracking parts of a page. Or you use it to collect statistics without actually doing anything useful at all. Why would you not just use Noscript, ublock, Privacy Badger, or any of the wide variety of other plugins which let you block the important bits and collect statistics at the same time? And are all happily available as official extension without needing sideloading via dev mode. It appears to be much more a publicity stunt rather than something intended to be actually useful.
Plus, of course, there's no way of knowing whether the site in question is passing any or all of that tracking information onto other companies through the back-end; this only applies to things they try to load into your browser, which, as you correctly point out, anyone with any sense is blocking already.
> Why would you not just use Noscript, ublock, Privacy Badger, or any of the wide variety of other plugins which let you block the important bits and collect statistics at the same time? And are all happily available as official extension without needing sideloading via dev mode. It appears to be much more a publicity stunt rather than something intended to be actually useful.
The answer to this is actually hinted at in the article
> The release of the new extension is timed to coincide with US government hearings on digital competition, drawing on research from last year.
It's to draw attention to the issue and highlight just what an issue it is at a time when (US) lawmakers are considering the impacts of the lack of digital competition. In that context, the fact that it *breaks* sites in block mode is probably a positive - most lawmakers won't understand a nuanced technical discussion, but they will understand the ramifications of "it breaks if you turn these sources off".
> they will understand the ramifications of "it breaks if you turn these sources off
Simplification is great until you simplify to the point of lying. Many of the sites this extension flags as sending data to BIG IT are not doing so. All it takes is one half intelligent techy to point out a site is hosted on Azure / AWS but not sending data to MS / Amazon and everything from the extension is then suspect and can't be trusted.
I'm all for blocking trackers and preventing Google and FB from doing their creepy thang but this extension is not helping.
This post has been deleted by its author
You can have your site hosted on Azure, sure. You'll probably be using your own domain name as well, so nothing need be loaded from any Microsoft domain, certainly not any other than the azure domain(s).
The same goes for AWS - you might need to load some "cloudy" stuff from an AWS domain, if that's where your hosting is, and you don't have something sat in-between on your own domain, but you sure as hell don't need to be doing so from an Amazon one.
The whole point of these hosted environments, is that it's your data in your environment, hosted by Azure, or AWS, or whatever. If MS or Amazon started poking around in those environments then people would stop using them and involve the lawyers pretty quickly.
As I said in another post, there's nothing to stop the web back-end of any site from sending your data on to anyone else they like in a technical sense. In the EU, there's GDPR to make it a very expensive mistake to do so, and in the UK as well, for the time being, until the extreme free-marketers in government take those protections away.
"You can have your site hosted on Azure, sure. You'll probably be using your own domain name as well, so nothing need be loaded from any Microsoft domain, certainly not any other than the azure domain(s)."
First, I'm not sure whether they also check IP addresses to block anything coming from MS or AWS subnets. Let's assume they don't. There are many reasons one might have an Azure or AWS domain in their HTML. Here's one reason: they're using the CDN functions. I've seen lots of sites which host themselves on local hardware or a smaller cloud provider but use AWS to host big files. Their site will be loaded from elsewhere, but when people click the download link, it will go to s3.amazonaws.com. Now there is an Amazon-controlled link in the source, so the site gets flagged.
The site could of course specify a CNAME so their domain is seen in the source, but the plugin should be checking where that resolves because trackers do the same as reported yesterday. Once again, Amazon's pulling the strings. Except they're not. They're just providing servers to store the big files. Someone from Amazon could point this out. Someone from Google will point out that people use YouTube as essentially the same thing for videos they've made so they don't have to write a video player or host the big file. They will show what happens when their sites are removed, namely that the page with download links looks the same and the page with a video looks the same except for the video box. Those arguments could convince people that the plugin's report on trackers or control is simply a lie, and thereby destroy its purpose.
I suspect this comes from the same thought process as the one in Australia which puts Facebook's nose out of joint.
Continual chatter about these companies and their net presence tends to numb people to just how big they are and it takes an activity like this to shock people into resetting the marker for what big really means on the web
The "big tech" are obviously to blame. However the individual web developers who drag all this stuff in needlessly are also causing this.
I.e rather than host a custom font on the web site, they instead opt to use an external reference to Google's font server. They do even worse things for ads, social media, and the millions of dependencies they cram into their site to do trivial things.
Web developers just need to get better and start showing some discipline like their close developer relatives.
It's not just the web developers. Most of the time they are NOT the ones DECIDING to pull in page assets from specific location.
Typically it is someone higher up saying "I want to see stats via tag manager, Make it happen or get another job" Rinse and repeat for Ad's, page optimization tools (marketing departments wanting to make content / layout change without involving dev teams), ratings sites etc
Much the same thing with custom fonts. Why have them? They've been proven to be a feasible vector for malware. It's the crayon department mandating them but even the OP seems to accept they're OK if you host them yourself. That might be an even more dangerous option than letting Google police them.
Will do things that are easiest for them and don't care about privacy of visitors.
But this is something that the ICO should clamp down on: it is a privacy breach, data is being taken without users' knowing - this is a flagrant breach of the GDPR as must be specific and informed and freely given. But: the ICO is asleep on the job.
The EU courts have already determined that IP addresses are private data. Therefore, connecting to places that are not explicitly agreed upon may be considered a breach of the consent rule in the GDPR.
We need a ruling that no third-party content may be loaded until explicit consent is given. And, here the same rule should apply as with cookies, where a blanket take-it-or-leave-it approach is not an acceptable way to handle consent.
Any breach should be very expensive for both web-site owner/operator. Also, the web-site designer(s) and hoster(s) should also be liable if they were not (contractually) instructed to embed third-party content by default in breach of the GDPR.
"[...] as with cookies, where a blanket take-it-or-leave-it approach is not an acceptable way to handle consent."
Some sites itemise the people they share the data with - down a tree where you have an endless list already ticked to accept. In some cases each one is a link to another site's tree of permissions options. They rarely give a blanket "No" option.
It's about time the GDPR enforcement authorities began wielding the big stick over this. They have the power to fine offenders damn near into bankruptcy, depending on what their profit margins are like.
A few '4% of gross' headlines should concentrate minds quite nicely. Not against Google, but the lazy f...f...fornicators who feed their own customers to the damn creeps. Then we should see a nice riot. Or maybe a stampede.
It's about time the GDPR enforcement authorities began wielding the big stick over this.
Well: let's do it then. All that it should take is a few of us complaining to the ICO (or whatever you have in your country) to get them looking into this. Unfortunately I suspect that a cattle prod will be needed to wake our supposed protectors out of their slumber.
There is a heck of a lot more tracking and data collection that that going on, not all very precise but enough to gather what is known as "atmospherics" - think of it as signalling trends. A simple example: fonts. Out of a 1000 Wordpress sites you may find 5 (and that's optimistic) which are not using themes side loading Google fonts, and Adobe runs a racket like that as well for professional designers (Adobe Typekit).
Going back to Google for a bit, their most audacious scam is asking people to install something from them to prevent being tracked by them..
I find the bleating about "monitoring" most amusing. The web was never designed to be secure. Ever. It was designed with all the "security" possible when routing "calls" based on the callers and senders IP numbers: NONE.
But the ignorant masses keep thinking their wishful dreams can be made reality. The same kind of people that think you can legislate science and technology to make it bend to your will regardless of what reality has to say. *LOL*
Just because you can do something does not mean you should be allowed to do it.
It is not difficult to stalk someone but the person being stalked can get a court order against the stalker. The stalkers ability to stalk that person has not changed it is not harder. But the punishment for breaking that court order will act as a deterrent and if it does not then if caught they will be punished.
Most homes have not been built to be that secure it would be easy for most people to enter an empty home and take what they want, break a window kick in a door. Most don’t because they and society believe it to be wrong. For those that don’t care it is wrong we have laws against it which will deter some the rest well if caught they suffer the punishment.
So if we want something to stop, moaning can work because maybe if we moan loud enough it may be legislated against.
So I don't need to explain the value of each of these at avoiding tracking...
- Run a Pi-Hole. It is so cheap & easy, there is no reason not to. Shocking how much crap is coming from a home network, especially all the IoT devices. Just what is my SmartTV sharing when the input is set to HDMI1?
- Use a VPN. Some of them allow a DD-WRT router to make the tunnel - so one device license and everything else funnels through.
- Presearch.org I started using it two weeks ago. It is surprisingly good. Built on blockchain and is decentralized. So it is impossible for big tech's "Censorship Culture" to tamper with.
I love the comments section on this site as it’s always a mix of sarcasm, wit and intelligent diagolgue.
Why then, do so many people sound like conspiracy theorists whenever there’s an article such as this one?
I’m keen to protect my privacy but I’ve already accepted that before I became more aware of the implications of my actions I probably shared more than I should have with the tech giants already.
I’ve no big issue with being tracked to provide more appropriate advertising, develop personal profiles of my habits etc.
So I get more advertising? I use various ad-blockers.
So companies know more about me? Are they going to use it against me? Increase my insurance premium perhaps because I like motor sport hence I must drive too fast?
Tracking is pervasive - don’t want your shopping habits scrutinised? Go in store then. Oh, they’ve already got multiple levels of tech to know where I am in the store, how long I looked at certain products, what products get bought together....the list goes on....
We are never going to escape from it all. Unless I become a criminal mastermind I’m really not overly fussed whether someone wants to buy data on when I last looked something up on t’web.
Anonymous because I’m more fussed about my opinions being tracked and ridiculed by you lot
Unless I become a criminal mastermind I’m really not overly fussed whether someone wants to buy data on when I last looked something up on t’web.
In the words of a Westminster authoritarian politician: "The innocent will have nothing to fear from being investigated by the police". IIRC as Home Secretary he was advocating powers for random household searches of anyone's PC.
The quote attributed to Cardinal Richelieu has the ring of truth for any agency trying to justify their actions. "If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him."
Current case of the "Freshwater Five" appeal.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
