Subscribe: Don Marti
http://zgp.org/~dmarti/blosxom/index.rss
Added By: Feedage Forager Feedage Grade B rated
Language: English
Tags:
advertising  make  mozilla  people  privacy  sites  tracking protection  tracking  user  users  web advertising  web  work 
Rate this Feed
Rate this feedRate this feedRate this feedRate this feedRate this feed
Rate this feed 1 starRate this feed 2 starRate this feed 3 starRate this feed 4 starRate this feed 5 star

Comments (0)

Feed Details and Statistics Feed Statistics
Preview: Don Marti

Don Marti



personal blog feed



Last Build Date: Mon, 13 Nov 2017 20:13:31 GMT

 



Time-saving tip for Firefox 57

Mon, 13 Nov 2017 08:00:00 GMT

Last time I recommended the Tracking Protection feature in Firefox 57, coming tomorrow. The fast browser is even faster when you block creepy trackers, which are basically untested combinations of third-party JavaScript.

But what about sites that mistakenly detect Tracking Protection as "an ad blocker" and give you grief about it? Do you have to turn Tracking Protection off?

So far I have found that the answer is usually no. I can usually use NJS to turn off JavaScript for that site instead. (After all, if a web developer can't tell an ad blocker from a tracking protection tool, I don't trust their JavaScript anyway.)

NJS will also deal with a lot of "growth hacking" tricks such as newsletter signup forms that appear in front of the main article. And it defaults to on, so that sites with JavaScript will work normally until I decide that they're better off without it.

Entering the Quantum Era—How Firefox got fast again and where it’s going to get faster by Lin Clark

How to turn Tracking Protection on




I'm taking a Bitcoin risk even though I don't hold Bitcoin. Please regulate me.

Mon, 13 Nov 2017 08:00:00 GMT

In the country where I live, kidnapping for ransom is not a very common crime.

That's because picking up the ransom is too risky.

It's easy to kidnap someone, and easy to let the person go when the ransom is paid, but picking up the ransom exposes you. Wannabe kidnappers who are motivated by money tend to choose other crimes.

As the [family relationship redacted] of a [family member information redacted], I'm happy that kidnapping is difficult here. High transaction costs for some kinds of transaction are a good thing.

Now, here comes Bitcoin.

As we're already seeing with ransomware, harder-to-trace ransom drops are now a thing.

So, even though I don't actually hold Bitcoin, someone could grab my family member (low risk), demand that I exchange some of my conventional assets for Bitcoin (low risk) and send the Bitcoin as ransom (low risk). The balance between risk and reward for the crime of kidnapping for ransom has changed.

IMHO this is a bigger problem than any of the reasons that Charles Stross wants Bitcoin to die in a fire.

So what to do about it?

Move the risks where the profits are.

Make the Bitcoin business eat the costs of payments made under duress.

New rule: If I ever trade any assets for Bitcoin in order to comply with a threat, and then transfer the Bitcoin under duress (kidnapping, ransomware, whatever), then I can go back to whoever I gave the assets to with a copy of the police report on the incident and get my original assets (and any fees) back.

Yes, that makes it harder for regular people to trade assets for Bitcoin. Exchanges would have to hold the money for a while, check that I'm not under duress, and probably do all kinds of other pain-in-the-ass, possibly costly, work. But I'd rather have that than the alternative.




my Firefox 57 add-ons

Sat, 11 Nov 2017 08:00:00 GMT

Firefox 57 is coming on Tuesday, and as you may have heard, add-ons must use the WebExtensions API. I have been running Firefox Nightly for a while, so add-on switching came for me early. Here is what I have come up with. The basic set Facebook Political Ad Collector reports sneaky Facebook ads to ProPublica. I'm still not quitting Facebook entirely, even with the whole "medium to heavy treason" problem and other issues, but I do mostly let dlvr.it handle Facebook for me. Help ProPublica with stories like this. (Bonus: open source project opportunity for people interested in browser add-ons or writing server code in Rust) HTTPS Everywhere. This is pretty basic. Use the encrypted version of a site where available. Link Cleaner. Get rid of crappy tracking parameters in URLs, and speed up some navigation by skipping data collection redirects. NJS. Minimal JavaScript disable/enable button that remembers the setting by site and defaults to "on". Ever notice how the sites that use JavaScript for real web applications are different from the sites that use JavaScript for "growth hacking" such as newsletter popups? This add-on keeps JavaScript working normally for most sites, and lets me revoke the JavaScript privileges of wannabe growth hackers. Privacy Badger is not on here just because I'm using Firefox Tracking Protection. I like both. Blogging, development and testing blind-reviews. This is an experiment to help break your own habits of bias when reviewing code contributions. It hides the contributor name and email when you first see the code, and you can reveal it later. Right now it just does Bugzilla, but watch this space for an upcoming GitHub version. (more info) Copy as Markdown. Not quite as full-featured as the old "Copy as HTML Link" but still a time-saver for blogging. Copy both the page title and URL, formatted as Markdown, for pasting into a blog. Firefox Pioneer. Participate in Firefox user research. Studies have extremely strict and detailed privacy policies. Test Pilot. Try new Firefox features. Tracking Protection was on Test Pilot for a while. Right now there is a new speech recognition one, an in-browser notepad, and more. Advanced (for now) nerdery Cookie AutoDelete. Similar to the old "Self-Destructing Cookies". Cleans up cookies after leaving a site. Useful but requires me to whitelist the sites where I want to stay logged in. More time-consuming than other privacy tools. PrivacyPass. This is new. Privacy Pass interacts with supporting websites to introduce an anonymous user-authentication mechanism. In particular, Privacy Pass is suitable for cases where a user is required to complete some proof-of-work (e.g. solving an internet challenge) to authenticate to a service. Right now I don't use any sites that have it, but it could be a great way to distribute "tickets" for reading articles or leaving comments. Note on ad blocking If you run an ad blocker, the pre-57 add-ons check is a good time to make sure that you're not compromising your privacy by participating in a paid whitelisting scheme. As long as you have to go through your add-ons anyway, it's a great time to ditch AdBlock Plus or Adblock. They're taking advantage of users to shake down web sites. What to use instead? For most people, either the built-in Firefox Tracking Protection or EFF's Privacy Badger will provide good protection. I would try one or both of those before a conventional ad blocker. If sites have a broken ad blocker detector that falsely identifies a tracking protection tool as an ad blocker, you can usually get around it by turning off JavaScript for that site with NJS. If you still want to get rid of more ads and join the blocker vs. anti-blocker game (I don't), there's always uBlock Origin, which does not do paid whitelisting. The project site has more info). But try either the built-in tracking protection or Privacy Badger first. Bonus links New Fire[...]



Welcome Planet Mozilla readers

Fri, 10 Nov 2017 08:00:00 GMT

Welcome Planet Mozilla readers. (I finally figured out how to do a tagged feed for this blog, to go along with the full feed. So now you can get the items from the tagged feed on Planet Mozilla.)

The main feed has some items that aren't in the Mozilla feed.

Anyway, if you're coming to Austin, please mark your calendar now.

Two more links: I'm on Keybase and Mozillians. And @dmarti on Twitter.




World's last web advertising optimist tells all!

Fri, 03 Nov 2017 07:00:00 GMT

It's getting hard to explain still taking web advertising seriously in 2017, so I had better write something down. To start with, what is web advertising exactly? Threat to democracy and mental integrity? (Zeynep Tufekci says, "We're building a dystopia just to make people click on ads.") Fraud shitshow where intermediaries make enough money from fraud to be understandably uninterested in fixing it, and react with hostility when one browser does something to make a difference? Fallback business model for sites that can't do anything else? Advertising is to web companies as scrap value is to machine tools. Even originally ad-supported sites are getting into other businesses. Doesn't sound good so far. Maybe I'm a fool to be the last advertising optimist on the web. (See, for example: me, running my mouth about how great advertising is, to an audience of web publishers looking to write it off and move on.) From the point of view of users, web advertising has failed to hold up its end of the signal for attention bargain, and substituted nasty attempts at manipulation. No wonder people block it. From the point of view of clients, web advertising has failed to meet the basic honesty standards that any third-rate print publication can. And every web advertising company is calling fraud an industry-wide problem, which is what business people say when they really don't care about fixing something. From the point of view of publishers, web advertising has failed to show the proverbial money. It's stuck at a fraction of the value per user minute that print can pull in, which means that as print goes away, so does the ad money. Web advertising has failed the audience, the advertisers, and the people who make ad-supported news and cultural works. Maybe I should go be a fan of something else, like securitizing bug trackers or something. Web advertising just is that annoying, creepy thing that browsers are competing to block in different, creative, ways. [T]he online ad sector transitioned from a creative-led industry to a data and algorithms-led industry, wrote venture capitalist Adam Fisher, who is understandably proud of not investing in it. Some new companies, such as Scroll, are all about making it easier for readers to buy out of seeing advertising. Advertising is to web sites as annoying "UNREGISTERED SHAREWARE" banners and dialogs are to computer software. On Twitter, what does the "verified" blue checkmark get you? A ticket out of Twitter's world-classedly crappy advertising. At least search advertising is working. Bob Hoffman calls it a "much better yellow pages." But any kind of brand-building, signal-carrying advertising, where most of the money is? Not there. Ever notice how much of the evidence for "data-driven" advertising is anecdotal? Is anyone speaking up for web advertising? Not really. Where advertising still has a policy voice, it's a bunch of cut-and-paste anti-privacy advocacy that sounds like what you might get from eighth grade Libertarians, or from people who are so bad at math they assume that it's humanly possible to read and understand Terms of Service from 70 third-party trackers on one web page. The Interactive Advertising Bureau has become the voice of schemes that are a few pages of fine print away from malware and spam. By expanding to include members whose interests oppose those of legit publishers and advertisers, and defending every creepy user privacy violation scheme that the worst members come up with, an organization that could have been a voice for pro-advertising policy positions has made itself meaningless. Right now the IAB is about as relevant to web advertising policy as the Tetraethyl Lead Industry Association is relevant to transportation policy. Bad news all the way around, right? But some of us have been somewhere like this before. Remember the operating systems market in [...]



Always run a shell script from the directory it lives in

Wed, 01 Nov 2017 07:00:00 GMT

Always run a shell script in the directory in which it appears, and change back to the directory you were in when you ran it even if it fails.

trap popd EXIT
pushd $PWD
cd $(dirname "$0")

Works for me in bash. The pushd command does a cd but saves the directory where you were on a stack, and popd pops the saved directory from the stack. The trap ... EXIT is a bash way to run something when the script exits, no matter how, and dirname "$0" is the directory name of the script.

(Taken from the deploy.sh script that rebuilds and deploys this blog, so if you can read this, it works.)




Fun with the spawn of Git and NoSQL

Thu, 26 Oct 2017 07:00:00 GMT

Hey, kids, check out the latest progress on the Attaca version control system.

What's this? It's basically the spawn of Git and a NoSQL database. So why would anybody want to make that? For Science, of course. A lot of research produces huge data files, and people would like to have a resilient way to collaborate on them, using commands they already know—but have it scale horizontally across large numbers of nodes, NoSQL style.

Git has the advantage that a lot of people know it, but it doesn't really handle huge files that well. There are add-on solutions to make it work by connecting to another system for handling large files, but then you have to set up and trust two systems. And one of my favorite properties of Git is that any authorized user of a project can check the integrity of the entire project back to the beginning.

So what Attaca does is to consistently split huge files across a cluster, using cluster nodes that can be cheap VPSs, low-end servers with spinning disks, whatever. (In the test environment, nodes are just Linux containers.)

More: The architecture of Attaca, milestones, and current progress.

Next steps are to test it out with some scientific data (genomes, medical imaging, and so on), implement some more Git commands so that people can check files out and not just in, and build a (Raspberry Pi?) demo cluster.




See you in London

Wed, 25 Oct 2017 07:00:00 GMT

Coming to Mozfest in London?

Please stop by our demo of Trading futures, fixing bugs: a live Smart Contracts installation.

What is it?

Bugmark is a market that connects people who want better software to the people who can build it.

In order to make open collabration more effective, we are using simple market mechanisms to add incentives to do useful work.

Bugmark allows you to

  1. Put financial value directly in the hands of the people who can fix the software issues that are most important to you.

  2. Discover which issues really matter to your project's users.

  3. Work with open source practices and not against them.
    Solve part of a problem and still get paid, instead of contending to claim credit for a bounty payment.

Find an issue, fix it, and earn money

Vist Bugmark to find an open issue that matches your skills and interests. Buy a futures contract connected to that issue that will pay you when the issue is fixed. Work on the issue, in the open—then decide if you want to hold your contract until maturity, or sell it at a profit.

Report an issue and pay to reward others to fix it

Create a new issue on the project bug tracker, or select an existing one. Buy a futures contract on that issue that will cost you a known amount when the issue is fixed, or pay you to compensate you if the issue goes unfixed. Reduce your exposure to software risks by directly signaling the project participants about what issues are important to you.

Invest in futures on an open source market

Development isn't the only task required to make a software project a success. You can trade futures to earn a profit from other vital tasks, such as clarifying and translating bug reports, triaging bugs, writing failing tests, or doing code reviews.




ICYMI: AdLeaks

Wed, 25 Oct 2017 07:00:00 GMT

Looking for a way to get dedicated readers to un-block some of the ads on your site? One way could be to update and integrate the AdLeaks system:

Our ads contain code that encrypts an empty message with the AdLeaks public key and sends the ciphertext back to AdLeaks. This happens on all users' web browsers. A whistleblower's browser substitutes the ciphertext with encrypted parts of a disclosure. The protocol ensures that an adversary who can eavesdrop on the network communication cannot distinguish between the transmissions of regular browsers and those of whistleblowers' browsers.

More info in the paper: That link goes to the Arxiv Vanity version of the paper. Now that we can read more Science on our phones I'm expecting the rate of progress toward the Singularity to increase by quite a bit. A Secure Submission System for Online Whistleblowing Platforms

Naturally sites would want to encourage whistleblowers (and others) to block the regular creepy ad trackers—but building post-creepy ads and hooking this up to them could be a way to encourage the dedicated readers to treat the high-reputation ads differently from the low-reputation ones.




Tofu, hogs, and brand-safe news

Sun, 22 Oct 2017 07:00:00 GMT

(I work for Mozilla. None of this is secret. None of this is official Mozilla policy. Not speaking for Mozilla here.)

The following is an interesting business model, so I'm going to tell it whether it's true or not. I once talked with a guy from rural China about the tofu business when he was there. Apparently, considering the price of soybeans and the price you can get for the tofu, you don't earn a profit just making and selling tofu. So why do it? Because it leaves you with a bunch of soybean waste, you feed that to pigs, and you make your real money in the hog business.

Which is sort of related to the problem that (all together now) hard news isn't brand-safe. It's hard to sell travel agency ads on a plane crash story, or real estate ads on a story about asbestos in the local elementary schools, or any kind of ads on a disturbing, but hard to look away from, political scene.

In the old-school newspaper business, the profitable ads can go in the lifestyle or travel sections, and subsidize the hard news operation. The hard news is the tofu and the brand-friendly sections are the hogs.

On the web, though, where you have a lot of readers coming in from social sites, they might be getting their brand-friendly content from somewhere else. Sites that are popular for their hard news are stuck with just the tofu.

This is one of the places where it's going to be interesting to watch the shift from unpermissioned user data collection to user data sharing by permission. As people get better control of how they share data with sites—whether that's through regulation, browsers scrambling for users, or both—how will a site's ability to deliver trustworty hard news give it an advantage?

The browser may have to adapt to treat trustworthy and untrustworthy sites differently, in order to come up with a good balance of keeping sites working and implementing user norms on data sharing. Will news sites that publish hard news stories that are often visited, shared, and commented on, get a user data advantage that translates into ad saleability for their more brand-safe pages? Does better user data control mean getting the hog business back?




Open practices and tracking protection

Thu, 19 Oct 2017 07:00:00 GMT

(I work for Mozilla. None of this is secret. None of this is official Mozilla policy. Not speaking for Mozilla here.) Browsers are going to have to change tracking protection defaults, just because the settings that help acquire and retain users are different from the current defaults that leave users fully trackable all the time. (Tracking protection is also an opportunity for open web players to differentiate themselves from mobile tracking devices.) Before switching defaults, there are a bunch of opportunities to do collaboration and data collection in order to make the right choices and increase user satisfaction and trust (and retention). Interestingly enough, these tend to give an advantage to any browser that can attract a diverse, opinionated, values-driven user base. So, as a followup on applying proposed principles for content blocking, some ways that a browser can prepare to make a move on tracking protection. Build APIs that WebExtensions developers can use to change privacy-related behaviors. (WebExtension API for improved tracking protection, API for managing tracking protection, Implement browser.privacy.trackingProtection API). Use developer relations with the privacy tools scene. Do innovation challenges and crowdsourcing for tracking protection tools. Use the results to expand the available APIs and built-in options. Develop a variety of tracking protection methods, and ship them in a turned-off state so that motivated users can find the configuration and experiment with them, and to enable user research. Borrow approaches from other browsers (such as Apple Safari) where possible, and test them. For example: avoid blocklist politics, and increase surveillance marketing uncertainty, by building Privacy-Badger-like tracker detection. Enable tracking protection without the policy implications of a top-down list. This is an opportunity for a crowdsourcing challenge: design better algorithms to detect trackers, and block them or scramble state. Ship alternate experimental builds of the browser, with privacy settings turned on and/or add-ons pre-installed. Communicate a lot about capabilities, values, and research. Spend time discussing what the browser can do if needed, and discussing the results of research on how users prefer to share their personal info. Only communicate a little about future defaults. When asked about specifics, just say, "we'll let the user data help us make that decision." (Do spam filters share their filtering rules with spammers? Do search engines give their algorithms to SEO consultants?) Build functionality to "learn" from the user's activity and suggest specific settings that differ from the defaults (in either direction). For example, suggest more protective settings to users who have shown an interest in privacy—especially users who have installed any add-on whose maintainers misrepresent it as a privacy tool. Do research to help legit publishers and marketers learn more about adfraud and how it is enabled by the same kinds of cross-site tracking that users dislike. As marketers better understand the risk levels of different approaches to web advertising, make it a better choice to rely less on highly intrusive tracking and more on reputation-driven placements. Provide documentation and tutorials to help web developers develop and test sites that will work in the presence of a variety of privacy settings. "Does it pass Privacy Badger" is a good start, but more QA tools are needed. If you do it right, you can force up the risks of future surveillance marketing just by increasing the uncertainty of future user trackability, and drive more marketing investment away from creepy projects and toward pro-web, reputation-driven projects. [...]



Notes and links from my talk at RJI

Sun, 03 Sep 2017 07:00:00 GMT

This is OFF MESSAGE. No Mozilla policy here. This is my personal blog. (This is the text from my talk at the Reynolds Journalism Institute's Revenue Models that Work event, with some links added. Not exactly as delivered.) Hi. I may be the token advertising optimist here. Before we write off advertising, I just want to try to figure out the answer to: why can't Internet publishers make advertising work as well as publishers used to be able to make it work when they were breathing fumes from molten lead all day? Has the Internet really made something that much worse? I have bought online advertising, written and edited for ad-supported sites, had root access to some of the servers of an adtech firm that you probably have cookies from right now, and have written an ad blocker. Now I work for Mozilla. I don't have any special knowledge on what exactly Mozilla intends to do about third-party cookies, or fingerprinting, or ad blocking, but I can share some of what I have learned about users' values, and some facts about the browser business that will inform those decision for Mozilla and other browsers. First of all, I want to cover how new privacy tools are breaking web advertising as we know it. But that's fine. People don't like web advertising as we know it. So what don't they like? A 2009 study at the University of Pennsylvania came up with the result that "most adult Americans do not want advertisers to tailor advertisements to their interests." When the researchers explained how ad targeting works, the percentage went up. We have known for quite a while that people have norms about how they share their personal information. Pagefair study That Pennsylvania study isn't the only one. Just recently a company called Pagefair did a survey on when people would choose to share their info on the web. Research result: what percentage will consent to tracking for advertising? | PageFair They surveyed 300 publishers, adtech people, brands, and various others, on whether users will consent to tracking under the GDPR and the ePrivacy Regulation. Some examples: The survey asked if users would allow for tracking on one site only, and for one brand only, in addition to “analytics partners”. 79% of respondents said they would click “No” to this limited consent request. And what kind of tracking policy would people prefer in the browser by default? The European Parliament suggested that “Accept only first party tracking” should be the default. But only 20% of respondents said they would select this. Only 5% were willing to “accept all tracking”. 56% said they would select “Reject tracking unless strictly necessary for services I request”. The very large majority (81%) of respondents said they would not consent to having their behaviour tracked by companies other than the website they are visiting. Users say that they really don't like being tracked. So, right about now is where you should be pointing out that what people say about what they want is often different from what they do. It's hard to see exactly what people do about particular ads, but we can see some indirect evidence that what people do about creepy ads is consistent with what they say about privacy. First, ad blockers didn't catch on until people started to see retargeting. Second, companies indirectly reveal their user research in policies and design decisions. Back in 1998, when Google was still "google.stanford.edu" I wrote an ad blocker. And there were a bunch of other pretty good ones in the late 1990s, too. WebWasher, AdSubtract, Internet Junkbuster. But none of that stuff caught on. That was back when most people were on dialup, and downloading a 468x60 banner ad was a b[...]