
Don Marti

personal blog feed

Last Build Date: Sun, 10 Dec 2017 18:07:56 GMT


Are bug futures just high-tech piecework?

Sat, 09 Dec 2017 08:00:00 GMT

Are bug futures just high-tech piecework, or worse, some kind of "gig economy" racket?

Just to catch up, bug futures, an experimental kind of agreement being developed by the Bugmark project, are futures contracts based on the status of bugs in a bug tracker.

For developers: visit Bugmark to find an open issue that matches your skills and interests. Buy a futures contract connected to that issue that will pay you when the issue is fixed. Work on the issue, in the open—then decide if you want to hold your contract until maturity, or sell it at a profit.

Report an issue and pay to reward others to fix it

For users: Create a new issue on the project bug tracker, or select an existing one. Buy a futures contract on that issue that will cost you a known amount when the issue is fixed, or pay you to compensate you if the issue goes unfixed. Reduce your exposure to software risks by directly signaling the project participants about what issues are important to you.

Invest in futures on an open source market

Bug futures also open up the possibility of incentivizing other kinds of work, such as clarifying and translating bug reports, triaging bugs, writing failing tests, or doing code reviews—and especially arbitrage of bugs from project to project.

Bug futures are different from open source bounty systems, which have been repeatedly tried but have so far failed to take off. The big problem with conventional open source bounty systems is that, as far as I can tell, they fail to incentivize cooperative work, and in a lot of situations might incentivize un-cooperative behavior. If I find a bug in a web application, and offer a bounty to fix it, the fix might require JavaScript and CSS work. A developer who fixes the JavaScript and gets stuck on the CSS might choose not to share partial work in order to contend for the entire bounty. Likewise, the developer who fixes the CSS part of the bug might get stuck on the JavaScript. Because of how bounties are structured, if the two wanted to split the bounty they would need to find, trust, and coordinate with each other.

Meanwhile, if the bug was the subject of a futures contract, the JavaScript developer could write up a good commit message explaining how their partial work made progress toward a fix, and offer to sell their side of the contract. A CSS developer could take on the rest of the work by buying out that position.

Futures trading and risk shifts

But will bug futures tend to shift the risks of software development away from the "owners" of software (the owners don't have to be copyright holders, they could be those who benefit from network effects) and toward the workers who develop, maintain, and support it?

I don't know, but I think that the difference between bug trackers and piecework is where you put the brains of the operation. In piecework and the gig economy, the matching of workers to tasks is done by management, either manually or in software. Workers can set the rate at which they work in conventional piecework, or accept and reject tasks offered to them in the gig economy, but only management can have a view of all available tasks.

Bug futures operate within a commons-based peer production environment, though. In an ideal peer production scene, all participants can see all available tasks, and select the most rewarding tasks. Somewhere in the economics literature there is probably a model of task selection in open source development, and if I knew where to find it I could put an impressive LaTeX equation right around here.

Of course, open source still has all kinds of barriers that make matching of workers to tasks less than ideal, but it's a good goal to keep in mind. If you do bug futures right, they interfere as little as possible with the peer production advantage—that it enables workers to match themselves to tasks. And the futures market adds the ability for people who are knowledgeable about the likelihood of completion of a task, usually those who can do the task, to profit from that knowledge. Rather than [...]

three kinds of open source metrics

Thu, 07 Dec 2017 08:00:00 GMT

Some random notes about open source metrics, related to work on CHAOSS, where Mozilla is a member and I'm on the Governing Board.

As far as I can tell, there are three kinds of open source metrics.

Impact metrics cover how much value the software creates. Possible good ones include count of projects dependent on this one, mentions of this project in job postings, books, papers, and conference talks, and, of course, sales of products that bundle this project.

Contributor reward metrics cover how the software is a positive experience for the people who contribute to it. Job postings are a contributor reward metric as well as an impact metric. Contributor retention metrics and positive results on contributor experience surveys are some other examples.

But impact metrics and contributor reward metrics tend to be harder to collect, or slower-moving, than other kinds of metrics, which I'll lump together as activity metrics. Activity metrics include most of the things you see on open source project dashboards, such as pull request counts, time to respond to bug reports, and many others. Other activity metrics can be the output of natural language processing on project discussions. An example of that is FOSS Heartbeat, which does sentiment analysis, but you could also do other kinds of metrics based on text.

IMHO, the most interesting questions in the open source metrics area are all about: how do you predict impact metrics and contributor reward metrics from activity metrics? Activity metrics are easy to automate, and make a nice-looking dashboard, but there are many activity metrics to choose from—so which ones should you look at?

Which activity metrics are correlated to any impact metrics?

Which activity metrics are correlated to any contributor reward metrics?

Those questions are key to deciding which of the activity metrics to pay attention to. I'm optimistic that we'll be seeing some interesting correlations soon.

Purple box claims another victim

Sat, 02 Dec 2017 08:00:00 GMT

Linux Journal Ceases Publication. If you can stand it, let's have a look at the final damage.


40 trackers. Not bad, but not especially good either. That purple box of data leakage—third-party trackers that forced Linux Journal into an advertising race to the bottom against low-value and fraud sites—is not so deep as a well, nor so wide as a church door...but it's there. A magazine that was a going concern in print tried to make the move to the web and didn't survive.

Linux Journal is where I was working when I first started wondering why print ads tend to hold their value while web ads keep losing value. Unfortunately it's not enough for sites to just stop running trackers and make the purple box go away. But there are a few practical steps that Internet freedom lovers can take to stop the purple box from taking out your other favorite sites.

Asking sites to do something about surveillance marketing

Sat, 18 Nov 2017 08:00:00 GMT

This might get the privacy activists mad at me, but as far as I can tell it's still counterproductive to ask a web site you visit to remove its third-party trackers.

Of course, third-party trackers are probably helping to support a political cause that most sites don't agree with, and, as Zeynep Tufekci says, "We're building a dystopia just to make people click on ads". This stuff needs to get fixed. So this is about productive next steps.

Right now, advertising on the site you're writing to probably isn't saleable without the creepy trackers. (User tracking as Chesterton's Fence) So what can privacy people productively ask sites for? Some good ones are:

  • Fix any "turn off your ad blocker" scripts to detect ad blockers only, and not falsely alert on privacy tools.

  • Remove links to the confusing and broken "YourAdChoices" site. Adtech opt-outs don't cover all trackers, and are much less effective than real privacy tools. (I have never had all the opt-outs work on that site, even from a fresh, pristine browser. Somehow I get the sense that the adtech firms don't exactly put their best people on it.)

  • Link to the privacy pages for the third parties the site uses. If the advertising on the site is set up so that this is hard to do, and users might see a tracker from an unknown domain, say so.

  • Fix up the privacy page to add links to appropriate privacy tools based on the user's browser. Better to have users on privacy tools than get enrolled in a paid whitelisting scheme.

  • If you maintain a privacy tool, offer to do a campaign with the site. Privacy tool users are high-quality human traffic. Free or discounted privacy tools might work as a subscription promotion. Where's the win-win?

Asking a site to walk away from money with no credible alternative is probably not going to work. Asking a site to consider next steps to get out of the current web advertising mess? That might.

More: What The Verge can do to help save web advertising

Time-saving tip for Firefox 57

Mon, 13 Nov 2017 08:00:00 GMT

(updated 21 Nov 2017: made the words "even faster" a link to an article with graphs.)

Last time I recommended the Tracking Protection feature in Firefox 57, coming tomorrow. The fast browser is even faster when you block creepy trackers, which are basically untested combinations of third-party JavaScript.

But what about sites that mistakenly detect Tracking Protection as "an ad blocker" and give you grief about it? Do you have to turn Tracking Protection off?

So far I have found that the answer is usually no. I can usually use NJS to turn off JavaScript for that site instead. (After all, if a web developer can't tell an ad blocker from a tracking protection tool, I don't trust their JavaScript anyway.)

NJS will also deal with a lot of "growth hacking" tricks such as newsletter signup forms that appear in front of the main article. And it defaults to on, so that sites with JavaScript will work normally until I decide that they're better off without it.

Entering the Quantum Era—How Firefox got fast again and where it’s going to get faster by Lin Clark

How to turn Tracking Protection on

I'm taking a Bitcoin risk even though I don't hold Bitcoin. Please regulate me.

Mon, 13 Nov 2017 08:00:00 GMT

In the country where I live, kidnapping for ransom is not a very common crime.

That's because picking up the ransom is too risky.

It's easy to kidnap someone, and easy to let the person go when the ransom is paid, but picking up the ransom exposes you. Wannabe kidnappers who are motivated by money tend to choose other crimes.

As the [family relationship redacted] of a [family member information redacted], I'm happy that kidnapping is difficult here. High transaction costs for some kinds of transaction are a good thing.

Now, here comes Bitcoin.

As we're already seeing with ransomware, harder-to-trace ransom drops are now a thing.

So, even though I don't actually hold Bitcoin, someone could grab my family member (low risk), demand that I exchange some of my conventional assets for Bitcoin (low risk) and send the Bitcoin as ransom (low risk). The balance between risk and reward for the crime of kidnapping for ransom has changed.

IMHO this is a bigger problem than any of the reasons that Charles Stross wants Bitcoin to die in a fire.

So what to do about it?

Move the risks where the profits are.

Make the Bitcoin business eat the costs of payments made under duress.

New rule: If I ever trade any assets for Bitcoin in order to comply with a threat, and then transfer the Bitcoin under duress (kidnapping, ransomware, whatever), then I can go back to whoever I gave the assets to with a copy of the police report on the incident and get my original assets (and any fees) back.

Yes, that makes it harder for regular people to trade assets for Bitcoin. Exchanges would have to hold the money for a while, check that I'm not under duress, and probably do all kinds of other pain-in-the-ass, possibly costly, work. But I'd rather have that than the alternative.

my Firefox 57 add-ons

Sat, 11 Nov 2017 08:00:00 GMT

Firefox 57 is coming on Tuesday, and as you may have heard, add-ons must use the WebExtensions API. I have been running Firefox Nightly for a while, so add-on switching came for me early. Here is what I have come up with.

The basic set

  • Facebook Political Ad Collector reports sneaky Facebook ads to ProPublica. I'm still not quitting Facebook entirely, even with the whole "medium to heavy treason" problem and other issues, but I do mostly let handle Facebook for me. Help ProPublica with stories like this. (Bonus: open source project opportunity for people interested in browser add-ons or writing server code in Rust)

  • HTTPS Everywhere. This is pretty basic. Use the encrypted version of a site where available.

  • Link Cleaner. Get rid of crappy tracking parameters in URLs, and speed up some navigation by skipping data collection redirects.

  • NJS. Minimal JavaScript disable/enable button that remembers the setting by site and defaults to "on". Ever notice how the sites that use JavaScript for real web applications are different from the sites that use JavaScript for "growth hacking" such as newsletter popups? This add-on keeps JavaScript working normally for most sites, and lets me revoke the JavaScript privileges of wannabe growth hackers.

Privacy Badger is not on here just because I'm using Firefox Tracking Protection. I like both.

Blogging, development and testing

  • blind-reviews. This is an experiment to help break your own habits of bias when reviewing code contributions. It hides the contributor name and email when you first see the code, and you can reveal it later. Right now it just does Bugzilla, but watch this space for an upcoming GitHub version. (more info)

  • Copy as Markdown. Not quite as full-featured as the old "Copy as HTML Link" but still a time-saver for blogging. Copy both the page title and URL, formatted as Markdown, for pasting into a blog.

  • Firefox Pioneer. Participate in Firefox user research. Studies have extremely strict and detailed privacy policies.

  • Test Pilot. Try new Firefox features. Tracking Protection was on Test Pilot for a while. Right now there is a new speech recognition one, an in-browser notepad, and more.

Advanced (for now) nerdery

  • Cookie AutoDelete. Similar to the old "Self-Destructing Cookies". Cleans up cookies after leaving a site. Useful but requires me to whitelist the sites where I want to stay logged in. More time-consuming than other privacy tools.

  • PrivacyPass. This is new. Privacy Pass interacts with supporting websites to introduce an anonymous user-authentication mechanism. In particular, Privacy Pass is suitable for cases where a user is required to complete some proof-of-work (e.g. solving an internet challenge) to authenticate to a service. Right now I don't use any sites that have it, but it could be a great way to distribute "tickets" for reading articles or leaving comments.

Note on ad blocking

If you run an ad blocker, the pre-57 add-ons check is a good time to make sure that you're not compromising your privacy by participating in a paid whitelisting scheme. As long as you have to go through your add-ons anyway, it's a great time to ditch AdBlock Plus or Adblock. They're taking advantage of users to shake down web sites.

What to use instead? For most people, either the built-in Firefox Tracking Protection or EFF's Privacy Badger will provide good protection. I would try one or both of those before a conventional ad blocker. If sites have a broken ad blocker detector that falsely identifies a tracking protection tool as an ad blocker, you can usually get around it by turning off JavaScript for that site with NJS.

If you still want to get rid of more ads and join the blocker vs. anti-blocker game (I don't), there's always uBlock Origin, which does not do paid whitelisting. The project site [...]

Welcome Planet Mozilla readers

Fri, 10 Nov 2017 08:00:00 GMT

Welcome Planet Mozilla readers. (I finally figured out how to do a tagged feed for this blog, to go along with the full feed. So now you can get the items from the tagged feed on Planet Mozilla.)

The main feed has some items that aren't in the Mozilla feed.

Anyway, if you're coming to Austin, please mark your calendar now.

Two more links: I'm on Keybase and Mozillians. And @dmarti on Twitter.

World's last web advertising optimist tells all!

Fri, 03 Nov 2017 07:00:00 GMT

It's getting hard to explain still taking web advertising seriously in 2017, so I had better write something down.

To start with, what is web advertising exactly?

Threat to democracy and mental integrity? (Zeynep Tufekci says, "We're building a dystopia just to make people click on ads.")

Fraud shitshow where intermediaries make enough money from fraud to be understandably uninterested in fixing it, and react with hostility when one browser does something to make a difference?

Fallback business model for sites that can't do anything else? Advertising is to web companies as scrap value is to machine tools. Even originally ad-supported sites are getting into other businesses.

Doesn't sound good so far. Maybe I'm a fool to be the last advertising optimist on the web. (See, for example: me, running my mouth about how great advertising is, to an audience of web publishers looking to write it off and move on.)

From the point of view of users, web advertising has failed to hold up its end of the signal for attention bargain, and substituted nasty attempts at manipulation. No wonder people block it.

From the point of view of clients, web advertising has failed to meet the basic honesty standards that any third-rate print publication can. And every web advertising company is calling fraud an industry-wide problem, which is what business people say when they really don't care about fixing something.

From the point of view of publishers, web advertising has failed to show the proverbial money. It's stuck at a fraction of the value per user minute that print can pull in, which means that as print goes away, so does the ad money.

Web advertising has failed the audience, the advertisers, and the people who make ad-supported news and cultural works. Maybe I should go be a fan of something else, like securitizing bug trackers or something.

Web advertising just is that annoying, creepy thing that browsers are competing to block in different, creative, ways. [T]he online ad sector transitioned from a creative-led industry to a data and algorithms-led industry, wrote venture capitalist Adam Fisher, who is understandably proud of not investing in it. Some new companies, such as Scroll, are all about making it easier for readers to buy out of seeing advertising. Advertising is to web sites as annoying "UNREGISTERED SHAREWARE" banners and dialogs are to computer software. On Twitter, what does the "verified" blue checkmark get you? A ticket out of Twitter's world-classedly crappy advertising.

At least search advertising is working. Bob Hoffman calls it a "much better yellow pages." But any kind of brand-building, signal-carrying advertising, where most of the money is? Not there. Ever notice how much of the evidence for "data-driven" advertising is anecdotal?

Is anyone speaking up for web advertising? Not really. Where advertising still has a policy voice, it's a bunch of cut-and-paste anti-privacy advocacy that sounds like what you might get from eighth grade Libertarians, or from people who are so bad at math they assume that it's humanly possible to read and understand Terms of Service from 70 third-party trackers on one web page.

The Interactive Advertising Bureau has become the voice of schemes that are a few pages of fine print away from malware and spam. By expanding to include members whose interests oppose those of legit publishers and advertisers, and defending every creepy user privacy violation scheme that the worst members come up with, an organization that could have been a voice for pro-advertising policy positions has made itself meaningless. Right now the IAB is about as relevant to web advertising policy as the Tetraethyl Lead Industry Association is relevant to transportation policy.

Bad news all the way [...]

Always run a shell script from the directory it lives in

Wed, 01 Nov 2017 07:00:00 GMT

Always run a shell script in the directory in which it appears, and change back to the directory you were in when you ran it even if it fails.

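# Return to the original directory on any exit, including failures.
trap popd EXIT
pushd "$PWD"
# Quoted so that a script path containing spaces still works.
cd "$(dirname "$0")"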

Works for me in bash. The pushd command does a cd but saves the directory where you were on a stack, and popd pops the saved directory from the stack. The trap ... EXIT is a bash way to run something when the script exits, no matter how, and dirname "$0" is the directory name of the script.

(Taken from the script that rebuilds and deploys this blog, so if you can read this, it works.)
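
Why quoting and checking the cd matter in this kind of preamble, as an added example that is not from the original post: it runs an unquoted, unchecked form and a quoted, checked form from a directory whose name contains a space. A saved variable plus trap stands in for bash's pushd/popd so the generated scripts also run under plain POSIX sh; the function names, the "my project" directory and build.sh are made up for the demo.

```sh
#!/bin/sh
# Added example, not from the original post. Function and file names are
# illustrative assumptions.

# Preamble with unquoted expansions and no check on cd.
# With a space in the path, cd fails and the script carries on where it was started.
write_unquoted() {
    cat > "$1" <<'EOF'
orig_dir=$PWD
trap 'cd "$orig_dir"' EXIT
cd $(dirname "$0")
pwd -P
EOF
}

# Preamble with quoted expansions that aborts if cd fails, so later
# relative-path commands can never run in the wrong directory.
write_hardened() {
    cat > "$1" <<'EOF'
orig_dir=$PWD
trap 'cd -- "$orig_dir"' EXIT
cd -- "$(dirname -- "$0")" || exit 1
pwd -P
EOF
}

# Put a script generated by writer "$1" into a directory whose name
# contains a space, run it from /, and print the working directory the
# script reported after its preamble.
run_variant() {
    base=$(mktemp -d) || return 1
    mkdir "$base/my project" || return 1
    "$1" "$base/my project/build.sh"
    status=0
    seen=$(cd / && sh "$base/my project/build.sh") || status=$?
    rm -rf -- "$base"
    printf '%s\n' "$seen"
    return "$status"
}

# Stand-alone run: show both results side by side.
printf 'unquoted: %s\n' "$(run_variant write_unquoted)"
printf 'hardened: %s\n' "$(run_variant write_hardened)"
```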

Fun with the spawn of Git and NoSQL

Thu, 26 Oct 2017 07:00:00 GMT

Hey, kids, check out the latest progress on the Attaca version control system.

What's this? It's basically the spawn of Git and a NoSQL database. So why would anybody want to make that? For Science, of course. A lot of research produces huge data files, and people would like to have a resilient way to collaborate on them, using commands they already know—but have it scale horizontally across large numbers of nodes, NoSQL style.

Git has the advantage that a lot of people know it, but it doesn't really handle huge files that well. There are add-on solutions to make it work by connecting to another system for handling large files, but then you have to set up and trust two systems. And one of my favorite properties of Git is that any authorized user of a project can check the integrity of the entire project back to the beginning.

So what Attaca does is to consistently split huge files across a cluster, using cluster nodes that can be cheap VPSs, low-end servers with spinning disks, whatever. (In the test environment, nodes are just Linux containers.)

More: The architecture of Attaca, milestones, and current progress.

Next steps are to test it out with some scientific data (genomes, medical imaging, and so on), implement some more Git commands so that people can check files out and not just in, and build a (Raspberry Pi?) demo cluster.

See you in London

Wed, 25 Oct 2017 07:00:00 GMT

Coming to Mozfest in London?

Please stop by our demo of Trading futures, fixing bugs: a live Smart Contracts installation.

What is it?

Bugmark is a market that connects people who want better software to the people who can build it.

In order to make open collaboration more effective, we are using simple market mechanisms to add incentives to do useful work.

Bugmark allows you to

  1. Put financial value directly in the hands of the people who can fix the software issues that are most important to you.

  2. Discover which issues really matter to your project's users.

  3. Work with open source practices and not against them.
    Solve part of a problem and still get paid, instead of contending to claim credit for a bounty payment.

Find an issue, fix it, and earn money

Visit Bugmark to find an open issue that matches your skills and interests. Buy a futures contract connected to that issue that will pay you when the issue is fixed. Work on the issue, in the open—then decide if you want to hold your contract until maturity, or sell it at a profit.

Report an issue and pay to reward others to fix it

Create a new issue on the project bug tracker, or select an existing one. Buy a futures contract on that issue that will cost you a known amount when the issue is fixed, or pay you to compensate you if the issue goes unfixed. Reduce your exposure to software risks by directly signaling the project participants about what issues are important to you.

Invest in futures on an open source market

Development isn't the only task required to make a software project a success. You can trade futures to earn a profit from other vital tasks, such as clarifying and translating bug reports, triaging bugs, writing failing tests, or doing code reviews.

ICYMI: AdLeaks

Wed, 25 Oct 2017 07:00:00 GMT

Looking for a way to get dedicated readers to un-block some of the ads on your site? One way could be to update and integrate the AdLeaks system:

Our ads contain code that encrypts an empty message with the AdLeaks public key and sends the ciphertext back to AdLeaks. This happens on all users' web browsers. A whistleblower's browser substitutes the ciphertext with encrypted parts of a disclosure. The protocol ensures that an adversary who can eavesdrop on the network communication cannot distinguish between the transmissions of regular browsers and those of whistleblowers' browsers.

More info in the paper: A Secure Submission System for Online Whistleblowing Platforms. (That link goes to the Arxiv Vanity version of the paper. Now that we can read more Science on our phones I'm expecting the rate of progress toward the Singularity to increase by quite a bit.)

Naturally sites would want to encourage whistleblowers (and others) to block the regular creepy ad trackers—but building post-creepy ads and hooking this up to them could be a way to encourage the dedicated readers to treat the high-reputation ads differently from the low-reputation ones.

Tofu, hogs, and brand-safe news

Sun, 22 Oct 2017 07:00:00 GMT

(I work for Mozilla. None of this is secret. None of this is official Mozilla policy. Not speaking for Mozilla here.)

The following is an interesting business model, so I'm going to tell it whether it's true or not. I once talked with a guy from rural China about the tofu business when he was there. Apparently, considering the price of soybeans and the price you can get for the tofu, you don't earn a profit just making and selling tofu. So why do it? Because it leaves you with a bunch of soybean waste, you feed that to pigs, and you make your real money in the hog business.

Which is sort of related to the problem that (all together now) hard news isn't brand-safe. It's hard to sell travel agency ads on a plane crash story, or real estate ads on a story about asbestos in the local elementary schools, or any kind of ads on a disturbing, but hard to look away from, political scene.

In the old-school newspaper business, the profitable ads can go in the lifestyle or travel sections, and subsidize the hard news operation. The hard news is the tofu and the brand-friendly sections are the hogs.

On the web, though, where you have a lot of readers coming in from social sites, they might be getting their brand-friendly content from somewhere else. Sites that are popular for their hard news are stuck with just the tofu.

This is one of the places where it's going to be interesting to watch the shift from unpermissioned user data collection to user data sharing by permission. As people get better control of how they share data with sites—whether that's through regulation, browsers scrambling for users, or both—how will a site's ability to deliver trustworthy hard news give it an advantage?

The browser may have to adapt to treat trustworthy and untrustworthy sites differently, in order to come up with a good balance of keeping sites working and implementing user norms on data sharing. Will news sites that publish hard news stories that are often visited, shared, and commented on, get a user data advantage that translates into ad saleability for their more brand-safe pages? Does better user data control mean getting the hog business back?

Open practices and tracking protection

Thu, 19 Oct 2017 07:00:00 GMT

(I work for Mozilla. None of this is secret. None of this is official Mozilla policy. Not speaking for Mozilla here.)

Browsers are going to have to change tracking protection defaults, just because the settings that help acquire and retain users are different from the current defaults that leave users fully trackable all the time. (Tracking protection is also an opportunity for open web players to differentiate themselves from mobile tracking devices.)

Before switching defaults, there are a bunch of opportunities to do collaboration and data collection in order to make the right choices and increase user satisfaction and trust (and retention). Interestingly enough, these tend to give an advantage to any browser that can attract a diverse, opinionated, values-driven user base.

So, as a followup on applying proposed principles for content blocking, some ways that a browser can prepare to make a move on tracking protection.

  • Build APIs that WebExtensions developers can use to change privacy-related behaviors. (WebExtension API for improved tracking protection, API for managing tracking protection, Implement browser.privacy.trackingProtection API).

  • Use developer relations with the privacy tools scene. Do innovation challenges and crowdsourcing for tracking protection tools. Use the results to expand the available APIs and built-in options.

  • Develop a variety of tracking protection methods, and ship them in a turned-off state so that motivated users can find the configuration and experiment with them, and to enable user research. Borrow approaches from other browsers (such as Apple Safari) where possible, and test them. For example: avoid blocklist politics, and increase surveillance marketing uncertainty, by building Privacy-Badger-like tracker detection. Enable tracking protection without the policy implications of a top-down list. This is an opportunity for a crowdsourcing challenge: design better algorithms to detect trackers, and block them or scramble state.

  • Ship alternate experimental builds of the browser, with privacy settings turned on and/or add-ons pre-installed.

  • Communicate a lot about capabilities, values, and research. Spend time discussing what the browser can do if needed, and discussing the results of research on how users prefer to share their personal info.

  • Only communicate a little about future defaults. When asked about specifics, just say, "we'll let the user data help us make that decision." (Do spam filters share their filtering rules with spammers? Do search engines give their algorithms to SEO consultants?)

  • Build functionality to "learn" from the user's activity and suggest specific settings that differ from the defaults (in either direction). For example, suggest more protective settings to users who have shown an interest in privacy—especially users who have installed any add-on whose maintainers misrepresent it as a privacy tool.

  • Do research to help legit publishers and marketers learn more about adfraud and how it is enabled by the same kinds of cross-site tracking that users dislike. As marketers better understand the risk levels of different approaches to web advertising, make it a better choice to rely less on highly intrusive tracking and more on reputation-driven placements.

  • Provide documentation and tutorials to help web developers develop and test sites that will work in the presence of a variety of privacy settings. "Does it pass Privacy Badger" is a good start, but more QA tools are needed.

If you do it right, you can force up the risks of future surveillance marketing just by increasing the uncertainty of future user trackability, and drive more mar[...]

Notes and links from my talk at RJI

Fri, 06 Oct 2017 07:00:00 GMT

This is OFF MESSAGE. No Mozilla policy here. This is my personal blog.

(This is the text from my talk at the Reynolds Journalism Institute's Revenue Models that Work event, with some links added. Not exactly as delivered.)

Hi. I may be the token advertising optimist here. Before we write off advertising, I just want to try to figure out the answer to: why can't Internet publishers make advertising work as well as publishers used to be able to make it work when they were breathing fumes from molten lead all day? Has the Internet really made something that much worse?

I have bought online advertising, written and edited for ad-supported sites, had root access to some of the servers of an adtech firm that you probably have cookies from right now, and have written an ad blocker. Now I work for Mozilla. I don't have any special knowledge on what exactly Mozilla intends to do about third-party cookies, or fingerprinting, or ad blocking, but I can share some of what I have learned about users' values, and some facts about the browser business that will inform those decisions for Mozilla and other browsers.

First of all, I want to cover how new privacy tools are breaking web advertising as we know it. But that's fine. People don't like web advertising as we know it. So what don't they like?

A 2009 study at the University of Pennsylvania came up with the result that "most adult Americans do not want advertisers to tailor advertisements to their interests." When the researchers explained how ad targeting works, the percentage went up. We have known for quite a while that people have norms about how they share their personal information.

Pagefair study

That Pennsylvania study isn't the only one. Just recently a company called Pagefair did a survey on when people would choose to share their info on the web.

Research result: what percentage will consent to tracking for advertising? | PageFair

They surveyed 300 publishers, adtech people, brands, and various others, on whether users will consent to tracking under the GDPR and the ePrivacy Regulation. Some examples:

The survey asked if users would allow for tracking on one site only, and for one brand only, in addition to “analytics partners”. 79% of respondents said they would click “No” to this limited consent request.

And what kind of tracking policy would people prefer in the browser by default?

The European Parliament suggested that “Accept only first party tracking” should be the default. But only 20% of respondents said they would select this. Only 5% were willing to “accept all tracking”. 56% said they would select “Reject tracking unless strictly necessary for services I request”. The very large majority (81%) of respondents said they would not consent to having their behaviour tracked by companies other than the website they are visiting.

Users say that they really don't like being tracked. So, right about now is where you should be pointing out that what people say about what they want is often different from what they do.

It's hard to see exactly what people do about particular ads, but we can see some indirect evidence that what people do about creepy ads is consistent with what they say about privacy. First, ad blockers didn't catch on until people started to see retargeting. Second, companies indirectly reveal their user research in policies and design decisions.

Back in 1998, when Google was still "" I wrote an ad blocker. And there were a bunch of other pretty good ones in the late 1990s, too. WebWasher, AdSubtract, Internet Junkbuster. But none of tha[...]

The capital dynamics are all wrong.

Sun, 01 Oct 2017 07:00:00 GMT

Ben Werdmuller, in Why open source software isn’t as ethical as you think it is:

When you release open source software, you have this egalitarian idea that you’re making it available to people who can really use it, who can then build on it to make amazing things....While this is a fine position to take, consider who has the most resources to build on top of a project that requires development. With most licenses, you’re issuing a free pass to corporations and other wealthy organizations, while providing no resources to those needy users. OpenSSL, which every major internet company depends on, was until recently receiving just $2,000 a year in donations, with the principal author in financial difficulty.

This is a good example of one of the really interesting problems of working in an immature industry. We have a similar problem in web advertising. We're over-rewarding the ability to collect numbers that show the effectiveness of a marketing project, while under-rewarding the ability to build brand reputation. Web ads also have an opportunity to fix incentives.

We don't have our incentives hooked up right yet. Why does open source have some bugs that stay open longer than careers do? Why do people have the "I've been coding to create lots of value for big companies for years and I'm still broke" problem? How does millions of dollars of shared vigilance even make the news, when the value extracted is in the billions? Why is the meritocracy of open source even more biased than other technical and collaborative fields? (Are we at the bottom of the standings?) Why are we walking away from that many potential contributors?

Quinn Norton: Software is a Long Con:

It is to the benefit of software companies and programmers to claim that software as we know it is the state of nature. They can do stupid things, things we know will result in software vulnerabilities, and they suffer no consequences because people don’t know that software could be well-written. Often this ignorance includes developers themselves. We’ve also been conditioned to believe that software rots as fast as fruit. That if we waited for something, and paid more, it would still stop working in six months and we’d have to buy something new. The cruel irony of this is that despite being pushed to run out and buy the latest piece of software and the latest hardware to run it, our infrastructure is often running on horribly configured systems with crap code that can’t or won’t ever be updated or made secure.

We have two possible futures.

People finally get tired of software's boyish antics lethal irresponsibility, and impose a regulatory regime. Rent-seekers rejoice. Software innovation as we know it ceases, and we get something like the pre-breakup Bell System—you have to be an insider to build and deploy anything that reaches real people.

The software scene outgrows the "disclaimer of implied warranty" level of quality, on its own.

How do we get to the second one? One approach is to use market mechanisms to help quantify software risk, then enable users with a preference for high quality and developers with a preference for high quality to interact directly, not through the filter of software companies that win by releasing early at a low quality level.

There is an opportunity here for the kinds of companies that are now doing open source license analysis. Right now they're analyzing relatively few files in a project—the licenses and copyrights. A tool will go through your software stack, and hooray, you don't have anything that depends on something with a[...]

another 2x2 chart

Thu, 14 Sep 2017 07:00:00 GMT

What to do about different kinds of user data interchange:

|  | Data collected without permission | Data collected with permission |
| --- | --- | --- |
| Good data | Build tools and norms to reduce the amount of reliable data that is available without permission. | Develop and test new tools and norms that enable people to share data that they choose to share. |
| Bad data | Report on and show errors in low-quality data that was collected without permission. | Offer users incentives and tools that help them choose to share accurate data and correct errors in voluntarily shared data. |

Most people who want data about other people still prefer data that's collected without permission, and collaboration is something that they'll settle for. So most voluntary user data sharing efforts will need a defense side as well. Freedom-loving technologists have to help people reduce the amount of data that they allow to be taken from them without permission in order for data listen to people about sharing data.