Request to unblock instant.page

[dieulot]

Filter affected:

||instant.page^$third-party in easyprivacy/easyprivacy_trackingservers.txt, introduced in 6d8f54b by Fanboy (@ryanbr).

1st/3rd-party sites affected:

The 7000+ sites using instant.page to make their site faster. The script is delivered to 76 millions end users per month.

How is it broken?

Pages aren’t instant anymore, which makes for a noticeably poorer experience. instant.page is known to completely transform the experience of a site in some cases.

Description why it should be removed:

I don’t log IP addresses of users that fetch the script (it’s served through Cloudflare Workers, serverless, so I don’t have regular server logs), and even if I did because it’s put in cache for 30 days I couldn’t track which sites using instant.page a user visits.

Some see prefetching in itself as a privacy violation, because it informs the server of which pages the user is going to click next before they have clicked. But that’s 1) a very minor privacy violation, 2) not a common practice, to say the least, it’s in fact unheard of. A marketer has no incentive to make use of this potential data because they already have much more interesting data to look at that are much easier to retrieve (the actual links clicked and heatmaps from users that don’t have a content blocker).

instant.page is a great antidote to today’s slowness of the internet by cheating latency (the main factor in web slowness). It would be sad if it’s killed by content blockers because of a very minor and in fact theoretical privacy kerfuffle.

[ryanbr]

The prefetching and the mouseover stuff is consider monitoring/tracking.

[dieulot]

I know, I addressed that: it’s a theoretical minor violation of privacy, in return you get a much improved experience.

If there was a poll, the vast majority of privacy-oriented people would choose the improved experience over the theoretical privacy violation I’m pretty sure. It’s been popular on Hacker News and Reddit for instance and there’s been very very little complaints about the privacy aspect, it’s a fringe opinion.

[dieulot]

I’m going to list the number of privacy complaints regarding instant.page versus the number of other comments on the privacy-minded Reddit and Hacker News.

[dieulot]

408 comments, 4 complaining about privacy, or about 1%, on forums used by people who generally care about privacy. Please don’t ruin it for the other 99%.

Links below.

Hacker News - 337 comments total, 2 complaining about privacy:

https://news.ycombinator.com/item?id=19126768
https://news.ycombinator.com/item?id=19124857 (downvoted, you can see that it’s greyed if you click on “parent”)
https://news.ycombinator.com/item?id=19123552 (that’s regarding hosting on my CDN, not about prefetching/mouseover, so I won’t count that one)

Reddit:
1 4 comments, 0 complaining about privacy
2 4 comments, 0 complaining about privacy
3 7 comments, 0 complaining about privacy
4 8 comments, 0 complaining about privacy
5 48 comments, 2 complaining about privacy:
https://www.reddit.com/r/programming/comments/crmwpp/instantpage_20_preload_web_pages_when_the_user_is/ex6yua5/ (downvoted)
https://www.reddit.com/r/programming/comments/crmwpp/instantpage_20_preload_web_pages_when_the_user_is/ex88d0j/

You can verify this for yourself with Ctrl + F and “privacy”.

[dieulot]

Note also that detecting pages that are hovered over wouldn’t work from a tracking perspective because on mobile prefetches are done even when the user is only just scrolling, if they started touching their display on a link.

Again, no one tracks people this way.

[ryanbr]

Easyprivacy is a privacy-related list, but this filter isn't being removed. If you don't like it, just don't use this list.

[dieulot]

I’m the author of instant.page, it makes the web faster. It’s not about my use of lists, it’s about 99% of people who use the list preferring to have the web faster than to be (non-)affected by a theoretical privacy risk.

[krystian3w]

Create own list with:

!#if !ext_ublock

! for ABP / AdBlock / Maybe most AdGuard apps
@@||instant.page^$third-party

!#endif

! uBO / AdGuard if support
||instant.page^$third-party,badfilter

[dieulot]

One question: do you consider prefetching in itself a privacy violation (I know uBlock Origin disables prefetching) or is it just when it’s coupled with mouseover or similar? Would a script that prefetches everything in the viewport be okay?

[gijo-varghese]

@ryanbr I agree to what @dieulot said. It's true that these scripts use mouseover and all. But it doesn't send these data to anywhere, nor store in cookies.

I don't think it can be included to the list of 'tracking scripts' just becuase it's tracing mouse or preloading

If the aim of this list is to reduce data/bandwidth usage, then I agree. Otherwise, blocking scripts like instant.page for privacy/ads is a bad idea

[krystian3w]

So What problem detection mouseover with pur JS.

[mayrsascha]

@ryanbr I would like to ask you for a further explanation of why this issue was closed, as I can't find answers to @dieulot 's questions here and I think it's important to answer them to keep this project transparent.

Additionally to the aforementioned arguments by others here, I would argue that this script actually enhances the user's privacy, as AFAIK the server can't differentiate between prefetched and actually rendered requests, therefore obscuring actual usage.

Also, I think it's important that just not using this list isn't really an option for 99% of people out there, as it comes bundled with popular ad blockers and I would guess most of those users never ever change the used lists, as they don't have the time to compare ad blocklists in their free time. So IMHO the most pragmatic approach, therefore, should be the one setting sensible defaults on a list level.

[spirillen]

Intro

I'm not claiming this is done, but it can potentially be done.

Comment

By using mouse-over tracking via prefetch by thumb/mouse over a link, can potentially be used for personally identifying patterns.

I don't see the need for for a "tracking" js script on modern browsers as that is a build-in feature in html5+

Using a script that also prefetch all links is abusive to metered connections, like most mobile devices, and violating to people who have little to almost no internet access (This could be countries like Brazil and a number of African countries)

So my vote goes to @ryanbr decision on this round.

update:

I forgot to mention that I actually believe this is a script written with the very best intention and I believe it works like a charm, when used correctly. For that I'll send my codo to @dieulot for his well meant code.

But as you mention your self in the OP

a very minor privacy violation

and this list is about privacy, therefore my personal conclusion lies with Fanboy

[mayrsascha]

@spirillen Thanks for explaining your reasoning on this! IMHO (and I'm no privacy expert) prefetching isn't a privacy violation at all, as the server AFAIK can't distinguish a prefetched request from a "real" one.

Also, it is worth noting that the script provided is open source, therefore can be easily self-hosted and circumvent this list, I am not sure what the usual take on this fact is.

Also, this script doesn't prefetch all links (that's something which is done by a similar project from Google https://github.com/GoogleChromeLabs/quicklink), but rather just links, which are hovered over.