NoScript vs RequestPolicy vs Ghostery

[justenough]

Pinga thank you for suggesting NoTrace, but it's for Firefox and I use Chrome. From what you linked it looks like Evidon is doing well financially. I'm still not understanding why we shouldn't trust Ghostery.

[Pinga]

Justenough, whom you should trust is of course totally up to you. I don't believe that Evidon/Ghostery is interested in protecting anyone's privacy but their own. As a privately held company, they don't have to publish what they are doing. Evidon is actively seeking to avoid regulation, their business model depends on it. So by using Ghostery, it could be argued, you are supporting a network of organisations that are actively pursuing the commodification and privatisation of the internet.

[justenough]

Pinga, I see what you are saying, I'm still thinking it over. From what I can tell Ghostery provides good protection from tracking and you can block usage information from being collected by Evidon, but they are also working to make tracking less of a problem so that restrictive tracking laws aren't passed. So maybe on principle one shouldn't use Ghostery, but is Evidon doing anything worse behind the scenes than say Google or even Microsoft?

[fixanoid]

Quote:

Originally Posted by Pinga

Justenough, whom you should trust is of course totally up to you. I don't believe that Evidon/Ghostery is interested in protecting anyone's privacy but their own. As a privately held company, they don't have to publish what they are doing. Evidon is actively seeking to avoid regulation, their business model depends on it. So by using Ghostery, it could be argued, you are supporting a network of organisations that are actively pursuing the commodification and privatisation of the internet.

Hi Pinga, I'm one of the few developers of Ghostery. I'll try to address your concerns in my reply.

I'd say that a dose of paranoia is always healthy when your security or privacy is concerned, but what it comes down to is (1) what can you verify yourself and (2) who do you trust?

I'll leave the trust issue for others to talk about, but the verification of your concerns is relatively easy for anyone able to read and understand javascript. Ghostery collects data in only a single case: when you enable GhostRank. GhostRank is off by default on all browsers and is designed to send us statistics about trackers you find on the webbernets. Now, to verify this, you would need to download the extension you want (Chrome, Firefox, whatever) and rename it to a .zip file. Extract it and go through the code to see how it works. Additionally, you may want to install a proxy temporarily (http://www.charlesproxy.com/ or http://www.fiddler2.com/) on your machine to see if Ghostery actually claims to do what it says. If you have any other questions about Ghostery, please ask.


Next, I'll try to explain a bit about Evidon's mission. I started with Better Advertising before we were renamed to Evidon. The goal of what we wanted to do was very simple: expose that there is an invisible business on the webbernets that turns data everyone unintentionally leaks into profiles that are then sold or used in advertising or in other digital marketing ways. ( to this day, most people are ignorant of this. )

What we have done is now very visible to all of you: its the AdChoices icon across most of the advertising and web sites that you see and visit. The icon may not be served / powered by our platform, but Better Advertising Project (and now Evidon) was one of the only set of people sitting there at the start and figuring out that this was needed and that this would lead to a more transparent and happier web. This is now called self regulation effort (at least in US) and you may read about it on http://aboutads.info. This is direct result of our work, and if this work have not been accomplished, there may have been nothing to tell users anything -- pretty much what was there before AdChoices icons began to show up.

We've never been sure that this would work or would be accepted by industry and then US regulators. We still don't know about regulators, though the signs are positive, but the industry loved this solution, this is why you are seeing the icons everywhere. Regardless of the industry solution though, we've been aware from the start that we should provide a way to protect the users on their own as well -- this was why we have bought and continuously improved Ghostery. Ghostery now serves a dual purpose:
- To educate and protect your privacy
- To make sure that industry follows self-regulation efforts by providing data for enforcement

We try to be as transparent as possible and build a business as well. We have various efforts for Ghostery as well, for example, we're working on releasing it with an open source license in the near future, open the database for use in other applications, and other projects along similar lines, for example: http://www.knowyourelements.com/. If you have a question, please feel free to ask.

-fixanoid

P.S. The other tools mentioned in the thread are definitely worth using if you don't mind hand-holding they may need. I like Ghostery, but if you feel that its wrong for you, NoScript and RequestPolicy (and to a lesser degree, NoTrace) would also work well, just be somewhat more fussy and painful to set up initially.

[Pinga]

Interesting story, and well-spun. The question remains why would someone in their right mind would want to be 'educated and protected' by a 'self-regulated' - that is, unregulated - industry?

If you are serious about being 'as transparent as possible', why not publish annual reports, current lobbying efforts, strategic partners and revenue streams, to name a few? I guess the 'as possible' part prevents that.

Maintaining a free and open internet is important. Corporate interests, notably those of the advertising industry, pose a major threat to it. As it is, I see absolutely no reason to give Evidon the benefit of the doubt.

[Tong]

Seems that Pinga's real problems are with free, for-profit markets in general, not Ghostery. Only a person with that mindset can seriously propose, that more regulation is a positive thing for internet freedom.

Ghostery does what it promises and Evidon has been open about their business model, while Pinga has failed to substantiate his original claim, that Ghostery provides a "mere illusion of control". In my opinion the case is closed, unless Pinga has something less vague to offer.

[Pinga]

Sorry to disappoint you, Tong, I don't have 'real problems'. My 'mindset' is irrelevant here - and none of your business. So please don't try to make this personal - it is not - or discredit my arguments by reducing them to a control issue.

This is about Evidon's corporate practices, about their lack of transparency and accountability while playing an increasingly important role in shaping the internet of the future. The fact that they are selling Ghostery user data to their corporate clients is but one aspect.

[Pinga]

Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers, Preliminary Staff Report
File No. P095416

Quote:

Evidon (formerly the Better Advertising Project) was founded specifically to support the Online Behavioral Advertising (“OBA”) self-regulatory program.

Quote:

When advertisers feel the pressure, everyone in the ad ecosystem is incented to cooperate, lest their access to revenue dry up. Advertisers and ad networks thus both have strong incentives to address perceived privacy concerns with OBA in order to capitalize on its increased efficiency and revenue potential.

Quote:

If the FTC supports industry self-regulatory efforts actively and publicly, we remain confident that the industry’s initial progress will accelerate. If, however, the FTC supports Do Not Track, or other, browser-based and more proscriptive measures, in a manner that does not recognize the substantial efforts now underway, it can only hinder the continued progress of the industry’s self-regulatory efforts.

http://www.ftc.gov/os/comments/priva...0391-58045.pdf

[justenough]

Pinga let me ask again, how is this any different from what's going on behind the scenes with all the major companies involved with the internet. They are all collecting data one way or another and using that data to make money, aren't they? Seems like Evidon's business model might be even less predatory than some others.

Unless you have some evidence that Ghostery can't really be blocked from collecting personal usage data (which was my original concern), then I'm not seeing the logic of your dislike for Evidon in particular, especially if you are using all the other companies software necessary to use the internet fully.

[ComputerSaysNo]

Don't install Ghostery, it's just a data harvester in a privacy app skin.

[justenough]

Quote:

Originally Posted by ComputerSaysNo

Don't install Ghostery, it's just a data harvester in a privacy app skin.

Ghostery comes with the "GhostRank" box unchecked. Is it a data harvester if you don't check that box?

[kupo]

Quote:

Originally Posted by justenough

Ghostery comes with the "GhostRank" box unchecked. Is it a data harvester if you don't check that box?

Nope

[Kees1958]

So what is the conclusion NoScript, RequestPolicy, Ghostery, Do not Track, AVG Do not track

Browsers are getting better themselves in regulating tracking protection, for instance Chromium
start Chromium with the --no-referers switch

In advanced Privacy settings choose
a) disable webservice for navigation errors
b) disable prediction service for searching through address bar
c) netwerk prediction (to DNS service of your ISP/DNS provider, usage data is stored becuase DNS servers have to rank and cache requests), paranoids should turn this off and use an alternative search engine/service (e.g. startpage), I have it enabled
d) enable do not track request to browser traffic

In content settings choose
#Cookies
a) Enable: Only use session data (2nd option)
b) Enable: Block indirect cookies (4th option)
==> click manage cookie exceptions
add "http://*" choose block (https cookies will still be allowed for session)

When a cookie is blocked, the blocked cookie sign appears, choose to allow and change it afterwards to "session only" in the managed exceptions

#Pictures
a) allow

#Javascript
b) choose deny
==> click manage javascript exceptions
add the high level domains you want by [*.]xxx were xxx is extension or country code, I have
added [*.]com choose allow
added [*.]nl choose allow

When a script is blocked, the blocked script sign appears, choose to allow On sites with com domain and NL (Netherlands) flash is played automatically, all other domains need my permission to add as an exception. It is not a road block, more like a speed bump for sites with a questionable origin. Chrome's javascript handling (within the sandbox with hidden classes) provides sufficient protection.

#plug-ins
a) choose click to play
==> manage individual plug-ins
b) I allowed Chrome's PDF reader to "allways allow"
So flash has click to play, PDF reader displays automatically

#pop-ups
b) don't allow/block (2nd option)

#location
c) don't allow/block (3rd option)

#desktop messages
c) don't allow/block

#mouse pointer
c) don't allow/block

#web intensions
a) do not allow/block

#media
b) do not provide access to mic and camera

#plug-ins without sandbox
c) don't allow/block


I don't use extensions, just the browser's features

[justenough]

Kees1958, would this work in Chrome? Would it replace AdBlockPlus?

[Kees1958]

1. Should work in Chrome also.

2. Does not replace AdBlock+

I just wanted to show that for non-paranoids the Chrome/Chromium browser also has lots of options to restrict unwanted cookies, plug-in execution and javascript handling, etc. Adblock also filters advertsing content and tracking cookies with a blacklist.

[TomAZ]

How does "Do Not Track Plus" stack up with these three?

[lordraiden]

Quote:

Originally Posted by TomAZ

How does "Do Not Track Plus" stack up with these three?

DNT plus works like Ghostery but Ghostery's database is bigger, customizable and transparent.

[Pinga]

Quote:

Originally Posted by TomAZ

How does "Do Not Track Plus" stack up with these three?

Let's take a look at what it doesn't do:

Quote:

Abine, Inc. except as required by law:

Abine will not track, store or transmit to any server or third party, information regarding users' behavioral data (to include web browsing activity).
will not sell or otherwise work with third parties to market additional software to users (not including Abine software or services).
will not deliver or help others deliver any targeted advertising to users.
will not store users' passwords and login credentials on Abine's servers (or any other remote location other than the user's computer) except when requested to do so and encrypted with a key not known to Abine.

http://www.abine.com/about.php

[inka]

Abine?
Just now, I visited abine.com and clicked products, then DNT+
clicked to download and page reported "we don't have a version to support your browser"
-=-
Paged back, spoofed the user-agent head, reclicked the download
...and the site sent a *.crx file.
-=-
Opened the rules.js file with winrar

Quote:

/*
**********************************************************************************
(C) 2008, 2009 by Abine, Inc. All Rights Reserved.

This software is the confidential and proprietary information
of Abine, Inc. ("Confidential Information"), subject
to the Non-Disclosure Agreement and/or License Agreement you entered
into with Abine. You shall use such Confidential Information only
in accordance with the terms of said Agreement(s). Abine makes
no representations or warranties about the suitability of the
software. The software is provided with ABSOLUTELY NO WARRANTY
and Abine will NOT BE LIABLE for ANY DAMAGES resulting from
the use of the software.

Contact license @getabine.com with any license-related questions.

hxxp://www.getabine.com

*/

What?!? I didn't agree to any "confidentiality agreement" during my clickstream.

Reiterating what I had previously posted
( http://www.wilderssecurity.com/showthread.php?t=318716 )
here's my opinion of DNT

Quote:

I expect "DoNotTrack" is a cruel joke.
Hi, my name is Ben Dover. Here's my (plugin GUID, browser fingerprint, whatever) now please don't track me.

Quote:

Originally Posted by Pinga

http://www.abine.com/about.php

Do you recommend DNT+ instead of Ghostery? I think DNT+ is more user-friendly because the default settings are great, with Ghostery you have to tweak several settings.

[Pinga]

Well I don't usually do recommendations, it's always best to do your own research. That said, I think that software such as this should be open, fully transparent and beneficial to everyone. There appears to be some consensus here that NoScript + RequestPolicy + Adblock Plus (or Adblock Edge) are a solid combination. They currently fulfil all three requirements.

The DNT+ privacy policy looks good. Still, it's a commercial, albeit free, product. I cannot endorse Ghostery as its parent company, Evidon, is essentially a front organisation for the advertising industry. The privacy and security market is booming and both Abine (DNT+) and Eyeo (Adblock Plus) are broadening their product portfolios. It will be interesting to see how they'll develop.

[Mman79]

Commercial or not doesn't really make a difference to me. Everybody has to have food on the table and a roof over their heads. Closed vs Open source doesn't matter either, for as much closed source software there is out there whose code you can't see, there are thousands of open source programs that once you see the code you wished you never had.

Ghostery is a very contradictory service, in my own opinion. DNT+ seems to be a good program, even if I'm not entirely confident in its "opt-out" method of working. I use ABP as a back-up plan though, and don't allow 3rd party cookies to begin with. Programs like RequestPolicy and NoScript require too much "hands on" use and have a tendency to break websites too much for my use and my recommendation to others.