I just wanted to chime in from Stack Overflow here and let people know: we are aware of the issue. And we're NOT okay with it. We're trying to sort out how to kill the audio behavior now. It's not very straightforward to find where it's coming from, but we are working on it. We've also reached out to Google for their assistance in tracking it down. If anyone can offer advice, we'll more than happily take it.<p>- Nick Craver, Architecture Lead at Stack Overflow
How We Make Money at Stack Overflow: 2016 Edition: Quality ads. "...we don’t want to use an automated system that selects some ads for us. We looked at this. It didn’t allow us the control we required to maintain the level of quality we want to maintain."<p>How We Make Money at Stack Overflow: 2019 Edition: Taking money from Microsoft and Google fingerprinting our users 100+ ways<p>source: <a href="https://stackoverflow.blog/2016/11/15/how-we-make-money-at-stack-overflow-2016-edition/" rel="nofollow">https://stackoverflow.blog/2016/11/15/how-we-make-money-at-s...</a>
Maybe it's to identify users behind a VPN as this is fingerprinting the device, not the connection.<p>That's why I think the idea of running each site in a container is so effective.<p>And while we're at it the container should just spit out random shit like different resolution, audio api, user agent, once in a while (unless the user turns it off) to thwart such attempts.<p>Unfortunately when the creator and maintener of 67% of all browsers is an ad company who is exploiting this in the firsr place, then there is no chance that this could happen
And this is why, even with the best intentions of site operators, my browser will continue to use the best ad-block tools I can get, and my networks will be protected by tools like PiHole.
It's pretty obvious that the only real fix is to accept money in exchange for putting an image with a hyperlink on your website.<p>Anything involving javascript will do shenanigans for various reasons. Fingerprinting via any means possible is industry standard ad-network behavior at this point. No one in the industry could imagine doing any less - it's impractical, it's absurd. But targeting! But fraud! But the only fix is to just give it all up, go back to how it was done in the 90s.
I wonder if the top brass at alphabet ever worry that their trillion dollar empire is based on fragile foundations like web audio fingerprinting, etc.<p>that sure would keep me up at night.<p>obviously, i know google does more, but it seems like a large chunk of their revenue must be dependent on shady technical tricks like these working.
Why is this surprising to anyone? It is clear that ads use tracking mechanisms and cookies and this is no different.<p>Audio feature detection isn't even a novel techique.<p>I've seen trackers look at download stream patterns to detect whether or not BBR congestion control is used, I have seen mouse latency based on the difference between mouse ups and downs in double clocks and I have seen speed-of-interaction checks in mouse movements.<p>Just checking for the constructor of something an ad might legitimately use (like audio) is relatively benign to be honest and it is naive to expect ads to not do this and it is why I use an ad blocker even on sites without annoying ads
I don’t get the modern ad stuff, any reasonable person uses an adblocker anyway, because ads are often slow, problematic in terms of privacy and security.<p>The fact that even people of a big site like stack overflow <i>don’t know</i> where it comes from <i>instantly,</i> is only further proof that using an adblocker is a resonable decision.<p>Maybe it is naive, but all ads should be in my eyes is a picture and something that counts the page views. And when you are a site that has ads as it’s main income you should have at minimum one employee who knows and tests each ad before it gets accepted and put onto <i>your</i> server.<p>Only then your customers will trust the ads you use and only then any reasonable person can even consider deactivating the adblocker for your site.<p>I am pretty sure somebody explored this idea before me, why doesn’t it work?
Has there been any serious thought / discussion about how the cat and mouse chase of the ads vs ad blockers is going to end?<p>It would be interesting to see where we are in ten years.
It's insane to me the extent to which companies will go in order to prevent cross-site scripting attacks.. and yet they're perfectly happy to include unvetted, potentially malicious JavaScript <i>on the same origin</i> in the form of ads.<p>There is no reason these ads should be <i>anything</i> other than a linked image.
There's something up with my PulseAudio (maybe changing audio output formats?) that means i hear a very loud "pop" when pages try to do this.<p>e.g. Browsing to an arstechnica.com article, with speakers on but nothing else playing.
A little bit of corporate newspeak (and digging):<p>Ad URL: <a href="https://static.adsafeprotected.com/sca.17.4.95.js" rel="nofollow">https://static.adsafeprotected.com/sca.17.4.95.js</a><p>JS Domain: adsafeprotected.com<p>Domain Owner: Integral Ad Science, Inc[0]<p>Google's recent stance on the matter of fingerprinting[2]:<p>>Chrome also announced that it will more aggressively restrict fingerprinting across the web. When a user opts out of third-party tracking, that choice is not an invitation for companies to work around this preference using methods like fingerprinting, which is an opaque tracking technique. Google doesn’t use fingerprinting for ads personalization because it doesn't allow reasonable user control and transparency. Nor do we let others bring fingerprinting data into our advertising products.<p>The important part being: _Nor do we let others bring fingerprinting data into our advertising products._<p>The same company advertises their fingerprinting capabilities:<p>>Browser and Device Analysis: We analyze the technological fingerprints of browsers and devices in order to uncover bots fraudulently posing as human users. We can validate what type of mobile or desktop device a browser is running on, providing additional context with which to identify fraud.<p>And it is this fingerprinting that gets them selected as a Google Brand Safety and Viewability Preferred Measurement Partner[1]<p>>New York, NY – Integral Ad Science (IAS) has been selected as a preferred partner in Google’s Measurement Program for both brand safety and viewability. Partners were selected after meeting rigorous standards for accuracy and using reliable methodologies to measure KPIs that matter for marketers. The program is designed to make it easier for advertisers to source trusted, third-party measurement providers.<p>The gist of it being that Google has heavy cognitive dissonance, with their advertising wing rewarding partners that fingerprint users (against their own policies), and the Chrome team barely managing to introduce some anti-fingerprint measures, which are clearly not enough.<p>[0]: <a href="https://integralads.com/capabilities/ad-fraud/" rel="nofollow">https://integralads.com/capabilities/ad-fraud/</a><p>[1]: <a href="https://integralads.com/news/google-selects-ias-brand-safety-viewability-preferred-measurement-partner/" rel="nofollow">https://integralads.com/news/google-selects-ias-brand-safety...</a><p>[2]: <a href="https://blog.google/products/ads/transparency-choice-and-control-digital-advertising/" rel="nofollow">https://blog.google/products/ads/transparency-choice-and-con...</a>
If you don’t use an ad blocker you should expect your browser to behave in strange ways.<p>If you don’t use an ad blocker you should consider your computer compromised.
Why can't Google come up with an AMP for ads? That will transpile a restricted javascript (or whatever) into a runtime that just doesn't do these things?<p>This would get rid of the greasy ads, and Google could focus on making tools that allow site owners to filter by "features used in ad", and ad developers could actually return to delivering ads, rather than collecting fingerprints?
As a website publisher, is there an ad network available for me to use that doesn’t allow advertisers to run JavaScript?<p>If so, what kind of rates can I get?
I guess it's part of Googles Ads's endless battle against "robot" clicks. A site as big as SO should not use Google ads, but instead use their own ad service. Just make an automated system where people can signup and show an ad. Make it cost 1$ per 100 page views. That would probably earn SO two orders of magnitude more then they get from Google Ads.
Programmers make these tools. When challenging said programmers who work for companies that promote this kind of behavior (G) they suggest that they work for these evil companies because their job is interesting and it pays well.<p>This practice could stop tomorrow if the best and brightest of us decided so.
This issue (along with many others) is due to one simple fact -- the internet is still primarily about <i>presentation and rendering</i> not <i>information</i>. We had both client-side template-based rendering and Semantic Web initiatives -- these failed for various technical and non-technical reasons at the time, but I'm hoping we go in that general direction again at some point. Nobody else should be able to (definitively) decide what information I want and how it should be presented to me. We only get the Internet that the majority are willing to put up with.
Aside from the obvious usability benefits, this kind of thing makes it abundantly clear why much of the web has gone to javascript dependent SPAs. If you need JS to run the site, then you also have to leave it on to be tracked/fingerprinted.<p>Kind of makes sense why companies like Google and Facebook have invested so much in creating open-source front-end frameworks. The ROI is probably phenomenal.<p>I get that stackoverflow isn't an SPA, it just made me think of this point.<p>Side-note: you can block JS on stackoverflow and still view answers. That works for 98% of my usecase for the site.
Gosh, it's incredible the length they will go to de-anomize user data. I guess I will think better next time a website I like ask me to add them to my ad blocker whitelist.
Seems like classic fingerprinting behavior from Google Ads. It's unfortunate and hope they fix it quick but most importantly figure out a way to prevent it in the future
Tangentially related anecdote: I came across a site the other day that requested access to the MIDI API for no apparent reason. Is this a common tracking vector? The available MIDI interfaces can say something about the system but in 99% of cases (the 99% that don't have any physical MIDI interfaces) I don't imagine that you'll discover anything other than operating system family.
this is the time to appreciate uBlock Origin's advanced mode, since 3rd party JS is blacklisted by default <a href="https://github.com/gorhill/uBlock/wiki/Advanced-user-features" rel="nofollow">https://github.com/gorhill/uBlock/wiki/Advanced-user-feature...</a>
If you're a newcomer to this long thread, pls CTRL+F manigandham and read all his comments as a primer. Lots of misinformed couch-comments here. If you'd like to reasonably rant about ad-tech (and that's welcome), understand the value it provides first.
I’ve been noticing horrible battery drain on my iOS devices lately. The battery monitor in settings says the worst offender is “safari audio”. I wonder if it’s something similar.
I don’t get how it can get the fingerprint to be so unique as to attribute ads. Most mobile browsers are exactly the same, you have the same screen resolution and so on. And most desktop browsers when maximized are the same resolution. I mean there must be groups of thousands of users for each combination of fingerprinted features. So it’s not all the way down to the person, right? It’s just correlations?
Ultradisgusting case on StackOverflow: 99.999% top answers are edited by moderators - they just promote yourself with free content.<p>We need a real alternative - without stupid ads and master-slave karma-based community relations.
Is there something I can use to randomly fuzz every tab individually as I browse the web?<p>They can track me through websites and I don't want that. Already using ublock origin.
"It's not very straightforward to find where it's coming from, but we are working on it."<p>This encapsulates the entire problem with the current state of digital advertising in 1 simple sentence.
It's most likely for web scraper detection. State of the art was using video codec availability as fairly reliable data point, and I haven't seen audio being used for this. Quite interesting.