Completely disable blocking on optout.aboutads.info

[strugee]

I recently got linked to http://optout.aboutads.info/ from a Google opt-out page. Privacy Badger seems to have blocked 65 requests to advertisers participating in that page.

Obviously it's doing its job pretty well, but in this particular case we actually probably want to allow those requests through since for once requests to these domains are for a privacy-protecting purpose, not the other way around ;)

[ghostwords]

The problem may go deeper than just allowing third-parties on the advertising industry's opt-out page since even if we allowed the setting of opt-out cookies on that page, we would still block the sending of these opt-out cookies elsewhere.

As opt-out cookies are, at least in my view, an inferior alternative to Do Not Track (which Privacy Badger aims to promote), it doesn't seem to make sense for Privacy Badger to attempt to support opt-out cookies.

[ghostwords]

We may want to do something specifically on the optout.aboutads.info page though, like show a message about opt-out cookies and DNT. It looks this situation happens regularly for Privacy Badger users:

+----------+---------+
| count(*) | ym      |
+----------+---------+
|        2 | 2018-02 |
|        2 | 2018-01 |
|        1 | 2017-11 |
|        1 | 2017-10 |
|        6 | 2017-09 |
|        1 | 2017-08 |
|        4 | 2017-07 |
|        4 | 2017-06 |
|        2 | 2017-05 |
|        2 | 2017-04 |
+----------+---------+

Targeting new domains in the manifest might be blocked by #1619.

[ghostwords]

Some error report messages:

131 out of 132 opt outs failed.

half of advertising opt out requests not successful while badger working. opt outs successfil if badger disabled.

I can't opt out of ad tracking on DAA webchoices for some advertisers regardless of whether I disable this program for this page or not.

privacy badger works, and therefore breaks this site

This is an ad opt-out site, it is supposed to send around cookies to all the domains to cross check if that domain is tracking the current browser, hence

Must be disabled for opting out to work

I think Privacy Badger was blocking the addition of "opt out" cookies from the Digital Advertising Alliance website. Running their Opt Out failed with >half of the sites with Privacy Badger active, and succeeded on almost all of them with PB inactive.

Trying to block advertiser cookies through DDA site so I think they should be allowed through (so the opt-out can be registered.

Clearly, this cannot set the opt-out cookies if Privacy Badger is enabled.

Stops DAA Webchoices from successfully completing opt-out requests.

This site is for opting-out of online ad tracking. Privacy Badger appears to interfere with its operation.

Default settings block third-party cookie check.

Some ad preferences fail to load when Privacy Badger is enabled.

Prevents some of the DAA WebChoices opt out cookies from being accepted

[regier21]

I was looking into this. Would adding a red badge to the icon when visiting the site (see here) and some information in the popup be enough?

[ghostwords]

Hi @regier21!

I was looking for some good reference text to base our messaging on or an article to link to. Here are a few relevant paragraphs from a 2017 article about Twitter dropping support for Do Not Track:

...[The self-regulatory program of the Digital Advertising Alliance (DAA)] is toothless because the only choice it allows users is to opt out of “customizing ads,” when most people actually want to opt out of tracking. Many DAA participants, including Twitter, continue to collect your information even if you opt-out, but will hide that fact by only showing you untargeted ads. This is similar to asking someone to stop openly eavesdropping on your conversation, only to watch them hide behind a curtain and keep listening.

...[The DAA's "WebChoices" tool] is broken; it’s incompatible with other privacy tools, and it requires constant vigilance in order to use. It relies on setting a third-party opt-out cookie on 131 [as of 2017, more now?] different advertising sites. ... Even if you allow third party cookies, your opt-out only lasts until the next time you clear cookies, another common user strategy for protecting online privacy. And new advertising sites are created all the time. When the 132nd site is added to WebChoices, you need to go back and repeat your opt-out...

So, DAA's WebChoices:

• Doesn't actually opt you out of tracking
• Only opts out of "targeted" ads, and then only for advertisers that were on WebChoices at the time you used it last
• Depends on you both allowing third-party cookies and never clearing cookies
• Depends on you not using any privacy tools or ad blockers

[ghostwords]

We could style the badge to draw attention to the popup and then communicate the above points somewhere in the popup.

We could also add a dedicated page content script that constructs and injects a informational banner into optout.aboutads.info. The benefit to this approach as that it should be harder for users to miss.

I suggest making and sharing a mockup of whatever you'd like to try first, before spending too much time on it. Thanks for looking into this!

[ghostwords]

This is similar to #1596 where one idea is to detect anti-adblock messaging and then show our own messaging that explains that Privacy Badger is not an ad blocker and that you should consider getting in touch with the website to communicate your displeasure with its approach.

Both in #1596 and here, we want to communicate some information about the current website, whether in Privacy Badger's popup, directly within the page, or in both places. This notification is higher level than "Privacy Badger blocked X potential trackers"; it's also not routine/not applicable to the majority of visited websites.

[regier21]

Okay here is a quick mockup:

Feedback is welcome!

[strugee]

@regier21 a couple problems with that prose that I notice off the top of my head:

• It assumes the user knows what a cookie is, which may not be true (consider the case where e.g. a privacy-conscious but nontechnical user gets a recommendation from a technical friend to install Privacy Badger)
• It does not clearly indicate that the notice is from Privacy Badger (at least IMHO, the badger icon is not enough, but others can feel free to disagree)
• It does not indicate that Privacy Badger breaks the website. In other words, it says what's wrong with the approach just fine, but doesn't say why that actually matters/why Privacy Badger is telling you this in the first place.

[ghostwords]

Thanks for the mockup!

To add to the points above:

• We should try to minimize the amount of text we show to increase the chances of it actually being read. As little text as possible, with a link to learn more.
• We should provide a way to dismiss the message.
• We should increase the font size to make the message more readable. (Less text makes it easier to do this.)
• We should probably fade out the rest of the page to focus the eye on our warning.

For an example of an existing modal dialog, inspect Privacy Badger's background page, set badger.criticalError to some string value, and open Privacy Badger's popup.

For an example of existing Privacy Badger UI that gets injected into pages, visit a page with embedded widgets (for example) that Privacy Badger can/does replace.

I think the hardest thing about injecting a message directly into pages is making it clear that the message came from Privacy Badger.

[strugee]

I think the hardest thing about injecting a message directly into pages is making it clear that the message came from Privacy Badger.

Agreed. Perhaps we could style it like a popup dialog box, with the background semi-opaque? That would solve a few issues:

• We would put an X button to close it, which users are already used to in dialogs
• It's not overly integrated into the page, so it's easier to tell that it's coming from Privacy Badger
• Users would be forced to actively dismiss the dialog in order to use the page, increasing the chance that they'll read the text

[ghostwords]

See below for a screenshot of the badger.criticalError modal dialog. Note the special "alert" badge styling.

We could take the in-popup modal + "alert" badge approach as was originally suggested, as that is simpler and may be good enough.

[regier21]

Hmm one of my concerns about a pop up is that the site already generates a popup after it checks all the cookies, so it would be a popup on top of a popup. See the image below:

I think doing what PB does with Discus and just covering all of the content until you acknowledge it would be preferable as it would only be a single popup at a time.

Regarding the text: I copy-pasted what @ghostwords said in the thread as placeholder. I agree that just a few words and a link would be great. Do we have a site to link to in mind? Has the EFF written about the DAA that isn't just talking about Twitter?

[ghostwords]

To clarify, when I write "popup" above, I'm talking about Privacy Badger's extension popup.

[ablanathtanalba]

Just chiming in here with some thoughts about the proposed changes to showing messaging on the webpage and/or popup:

I definitely agree with @ghostwords that whatever text that shows up on the actual page should be as brief as possible. It might be worth just telling the user that there is some shady dark-pattern like behavior taking place on this particular site, and then linking to a lengthier description in the FAQ section of the Privacy Badger page

Instead of using the critical error modal in the privacy badger popup, it might be worth adding a section like the ones proposed in #2748 — this could be especially useful if we decide down the road to use Privacy Badger to point out other dark pattern behaviors that sites do to trick users into consenting to being tracked

As for the injected bit on the web page, maybe it ought to be similar to the widget replacement modal that Privacy Badger already does, at least in appearance. The "allow" buttons could be changed to some other text, with the option being to close the message or opt into higher privacy settings.

For reference, here is how the current widget replacement looks: