Personally I'd love to support more websites through ads if two conditions could be met:
- A way to ensure that ads don't try to harm me by e.g. leading me to websites serving malware or abusing my computer's resources (e.g. miners)
- A way to keep my privacy and control what data is collected about me (and who has access to that data)
Currently I simply can't turn off the ad-blocker even if I wanted as most sites become completely unusable and outright obnoxious by showing large, blinking or content-hiding ads, videos, popups or fake overlays. That's why most people use ad-blockers (IMHO). If ads are decent, relevant and non-obtrusive I personally would be happy to see them.
Also, go to any large website these days (without ad-blocker enabled) and check how many third-party trackers they load. There are many sites that send my data to more than 50 (!) different ad networks and partners, which is just insane.
BAT in Brave is opt-in -- each user consents before anything local happens with data or zero-knowledge/blind-token attestations -- and users can get _gratis_ BAT grants right now using the stable desktop browser (this is coming to mobile in about a month). The anonymous contribution system is the basis for the also-opt-in Brave Ads system, which uses local data only, a local machine learning agent, and no cookies or user tracking by any server (even ours). Ads match against a catalog fixed daily or less frequently for a large set of users in a region who speak the same language. Attribution and confirmation use Chaumian blind tokens.
Users get 70% of revenue for opt-in, user-private (in tab), high quality ads at user-configurable frequency. We are working with publishers to provide user-opt-in ads for sites too, 70% revenue to the publisher, 15% to the user. User ad trial is under way right now, ping me if you want to be included. System should be available in Brave 1.0 in a couple of months.
Imho the beauty of your BAT system (the way it is envisioned) is its independence from the current model of monetizing the web, which is ads, gradually evolving towards direct transmission between publisher and consumer.
Ads in the way they work on the web are just a very inefficient system of transferring this value, and they don't serve the original function of marketing anymore. It turned into a big game of psychological warfare.
The system is so inefficient that it finances almost the complete operation of Alphabet/Google.
As a user I don't know how the system works in the background, and when I read the recent news about Brave attacking Google for GDPR violation it was the first time I read about RTB and the technical aspects in the media. People need to know, so they can decide if they want to feed such a system!
Funding Choices seems to be a part of Google's answer to the growing problem of ad-blockers, but it can also be seen as Google's answer to competition like Brave/BAT.
I read somewhere that under the umbrella of Funding Choices Google is also experimenting with subscriptions like BAT, but without the token.
I don't know how successful Google is with this, but this might be tough competition for Brave; they will fight tooth and nail, and they control the Android ecosystem.
BAT is attractive for power users as you ride on the wave of privacy-friendliness which Google can't, but I think the real challenge will be the average user that wants a standardized, seamless cross-platform solution that can be used as the main payment gateway for accessing content, which is increasingly via gated Apps.
With Google controlling so much of the market with Android and Chrome, I wonder how they will react to BAT if it ever becomes successful, as they could theoretically quickly scale any competitive project.
I think the biggest advantage of BAT would be if big players could acknowledge it as a de-facto standard for decentralized transfer of micro-payments and privacy friendly ad networks. For this to happen it would be necessary to be somewhat "Open-Source", i.e. not strictly tied to a single company controlling much of the tokens. I am thinking along the lines of an open consortium with different players holding a significant part of the BAT tokens each.
Do my IP address, sites I visited, date/time of visit, geo-location ever get stored on a server outside (e.g. outside my phone or my computer I am browsing on)?
When I was at Middleware2017 I saw a poster/demo about this, MoCA+: https://koreauniv.pure.elsevier.com/en/publications/demo-moc...
I guess the problem is the same as with privacy techniques in general. If you ask companies to restrict their access to data, they just tell you no(1), as it might be worth a lot of money or open up new business opportunities they haven't thought about yet.
(1) This is anecdotal from projects of my colleagues in privacy research
I think this is an interesting model. To, as a society, come to the conclusion that more connection of devices, smarter AI is not the right solution. That what works best is the right amount of connection and AI.
Out of curiosity, how familiar are you with how ad systems work? Generally there's a huge inventory of ads, each with different criteria attached to them and metadata about bids. When a request comes in, ads whose criteria are met are selected out and an instant auction takes place. The resulting ads are then shown.
I cannot think of a way that allows for both honoring the ad criteria and keeping personal interests and preferences solely client-side. You can't even take advantage of any form of encryption here, as the results of the filtering would allow the server to infer the private data. This means you'd almost certainly have to get all the data to the client to allow querying locally.
OK, fine, that's workable. Then you just track impressions and so on to figure out when advertisers get charged. A potential drawback is that it's very possible that with impression and click data it could be possible to reconstruct most or all of the data a user might wish to protect. And there's no way to get away from this, either - pretty much all online advertising models rely on tracking one of impressions, clicks, and actions.
As for your two conditions:
> - A way to ensure that ads don't try to harm me by e.g. leading me to websites serving malware or abusing my computer's resources (e.g. miners)
Policing the contents of ads can be quite the task. Ensuring the contents of arbitrary external websites is next to impossible. There are no good ways to do this in a fully automated system at scale when someone else controls the other server and can change what content it serves at their discretion.
The best way I can think of to ensure this is to limit access to this hypothetical advertising platform to entities with the expertise and resources to protect themselves and anyone who comes into contact with their servers. Works for me, but being shut out of access to the biggest and best advertising systems might be a problem for many groups.
> - A way to keep my privacy and control what data is collected about me (and who has access to that data)
You know what? I think I know exactly what you want. You want the newspaper model. Collects no data from you, preserving your privacy. Only accepts advertising from partners that can be trusted, ensuring your safety. Doesn't need to closely track impressions, views, or actions.
I think what he is describing is a future where the ONLY criteria ads are selected on is the standard user data set. Basically I open my browser settings, go to its "relevant ads"-section, enter some basic ad targeting info such as my age group, gender, and 2 hobbies.
Then because I entered "fishing" as an interest, I'll see a lot of fishing gear ads. Great!
If I'm NOT willing to enter any targeting info into my browser, or if I enter bogus info (or install a plugin that randomizes the info) then sites will not show me relevant ads.
I don't mind seeing ads for fishing gear if I told the site I'm interested in fishing. That's completely fine. I do mind seeing ads for hotels in San Francisco just hours after I searched a different site for cheap flights there, or ads for that exact shoe I made an incomplete checkout of in a webshop store last week etc.
They had a product for Windows computers that provided a caching, prefetching web proxy. The deal with it was that if you let it show you ads occasionally (I think it was whenever you launched your browser to your homepage or once a day if your visits to your homepage were less frequent) you could download all of the company's other Windows programs and use them free as long as your browser was configured to go through the proxy. These were programs that normally were sold on floppy or CD-ROM for $20-40 each.
The way the ad delivery worked is that the proxy would download ads, which consisted of an HTML page and some additional data. When you went to your homepage the proxy would serve up one of the ads instead, with a link inserted to take you to your real homepage.
There was a Forth-like language built into the proxy. The additional data for an ad could include code written in this language, which would be run when the proxy was choosing an ad to show. The code had access to various things the proxy knew about the local system and user. It did not have any access to the internet. The code would decide how strongly the ad would like to be shown at this time.
The only thing that went back to the internet in regard to ads, as far as I remember, was counts of how many times each ad was shown. (Not that it would have mattered much if more went back. As far as I know the proxy didn't really know much about you other than the physical characteristics of your computer and your internet connection. I don't think they had gotten to the point of trying to infer interests from browsing habits).
This particular approach would probably not be feasible today. They only had a handful of ads available at any one time, with the inventory changing slowly by today's standards. It did not take much resources, even for modem users, to download the entire ad inventory and keep it up to date.
Can you imagine trying to put Google's entire ad inventory on every PC, and keep it up to date, so that the client can choose the ad entirely locally?
The entire Google ad supply does not need to be downloaded, just a relatively brief catalog (which compresses well) of live edge URLs and metadata (keywords, essentially), updated as new deals for a given region with large enough user base come online, and old deals expire.
https://www.cnet.com/news/mozilla-officially-kicks-off-ads-i...
And it looks like Mozilla is trying it again, though this is from a few months ago. What happened to it?
https://blog.mozilla.org/futurereleases/2018/04/30/a-privacy...
1. To really leverage the personal data, you need to run it through a model and correlate it with ad inventory. Those are two things you don’t tend to want to deliver to an insecure client. Then you need to collect data on how those ads performed to update the model.
2. For all that, it’s still more convenient to manage GDPR opt-in. Don’t underestimate the convenience of centralized management.
Mozilla did this for Firefox, except a step better: the client pulled the same set of ads from the server regardless of the user preferences, but decided (client-side) what to display, so the server could never even infer behavior about the client from the requests.
Unfortunately, people didn't care, and they complained that this was an intrusion of privacy regardless, so they dropped it.
It turns out, there just really isn't a market for privacy-focused advertising. People who care about privacy generally dislike advertising in all forms and block it, without regard to whether the advertising actually is an invasion of privacy or not.
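The design described in the comments above (one shared catalog per region and language, with the choice of ad made on the client), as an added example that is not part of the original thread and is not Mozilla's or Brave's code. The catalog entries, profile shape, URL path and function names are all constructed for illustration.

```javascript
'use strict';

// Constructed sample catalog: identical for every user in one region/language.
const CATALOG = [
  { id: 'ad-fishing-rods',  keywords: ['fishing', 'outdoors'] },
  { id: 'ad-running-shoes', keywords: ['running', 'fitness'] },
  { id: 'ad-sf-hotels',     keywords: ['travel', 'san-francisco'] },
  { id: 'ad-generic-news',  keywords: [] }, // untargeted fallback
];

// The only thing the server sees when the catalog is fetched.
// It takes no profile argument, so no interest can leak into the request.
function buildCatalogRequest(region, language) {
  const path = '/catalog/' + encodeURIComponent(region) +
               '/' + encodeURIComponent(language);
  return { method: 'GET', path: path, headers: {} }; // no cookies, no user id
}

// Local selection: score each ad by how many of its keywords match the
// interests stored on this machine. The first ad with the highest score wins.
function selectAd(catalog, profile) {
  const interests = new Set(
    (profile.interests || []).map(function (s) { return s.toLowerCase(); })
  );
  let best = null;
  let bestScore = 0;
  for (const ad of catalog) {
    const score = ad.keywords.filter(function (k) {
      return interests.has(k);
    }).length;
    if (score > bestScore) {
      best = ad;
      bestScore = score;
    }
  }
  if (best) return best.id;
  // No interests entered (or none matched): show the untargeted ad.
  const fallback = catalog.find(function (ad) {
    return ad.keywords.length === 0;
  });
  return fallback ? fallback.id : null;
}

// One page view: what goes over the wire versus what is shown locally.
// Reporting of impressions or clicks is a separate channel and is not
// modelled here; whatever that channel sends is visible to the server.
function simulateSession(profile, region, language) {
  const wire = JSON.stringify(buildCatalogRequest(region, language));
  return { wire: wire, shown: selectAd(CATALOG, profile) };
}

// Constructed profiles that never leave the client.
const alice = { interests: ['Fishing'] };
const bob   = { interests: ['running', 'fitness'] };
const anon  = { interests: [] };

const a = simulateSession(alice, 'EU', 'en');
const b = simulateSession(bob, 'EU', 'en');
console.log(a.wire === b.wire, a.shown, b.shown);
```
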
It reports click through so this isn't true.
> there just really isn't market for privacy-focused advertising
My impression was that people just didn't understand it and Mozilla's communication about it was poor. That doesn't mean that there's not a market.
Correct me if I'm wrong, but isn't that the idea behind Brave? Blocks ads and (assuming you opt-in) replaces them with less obnoxious ads chosen by the client?
But it's irrelevant to 99% of the viewers, and it's impossible to tell them from the 1%: among other things, because the viewers are not keen to share too much data about themselves.
I think we should see ads as the (annoying) cost of commercially-produced free content. I wish a micropayment solution would take off to allow for easy and reliable paid opt-out on multiple sites I might visit. (I already have Youtube Red, and it's great.)
I'm pretty sure iAd works like this, no? Also it wouldn't be a massive advantage, you'd be serving less relevant ads (so losing out to competitors) and you can still track which ads a device requests.
> The ICO also said that, while "GDPR does not specifically ban opt-out boxes," that method of communication is "essentially the same as pre-ticked boxes, which are banned"
If this is correct, using the product as shown on the screenshot (and as used by several websites) is in violation of the GDPR.
I wonder if Google will pick up your legal defense costs if you get sued for using their product.
(Edit: I tried to find answers to these questions, but apparently the only way is contacting my Google representative, which I don't have)
Anecdotally, a third of these cookie dialogs are violating those principles, either preselecting all third party advertisers, or claiming all 60+ third parties are necessary for the functionality of the site so Allow or Go Away. Or having only one OK/Agree button.
It's not just little guys. Slate.com for example:
Slate’s Use of Your Data
By clicking “Agree,” you consent to Slate’s Terms of Service and Privacy Policy and the use of technologies such as cookies by Slate and our partners to deliver relevant advertising on our site, in emails and across the Internet, to personalize content and perform site analytics. Please see our Privacy Policy for more information about our use of data, your rights, and how to withdraw consent.
[Agree]
https://slate.com/gdpr?redirect_uri=%2F%3Fvia%3Dgdpr-consent...
The privacy policy generally says you're welcome to go opt out of each individual third party then delete their individual cookies from your browser, beat yourself up.
Slate for example, says, "You may choose whether to receive interest-based advertising by submitting opt-outs..."
The justification appears to be "EU doesn't tell us what to do":
"Please note that the Services are directed towards users who reside in the United States. By using the Services, you consent to the collection, storage, processing, and transfer of your information in and to the United States, or other countries and territories, pursuant to the laws of the United States. Some of these countries may not offer the same level of privacy protection as your own."
This Privacy Policy also features dynamic legalese:
"Slate tracks when EU readers grant consent for Slate to collect and process data through the use of an identifying cookie on your browser. The browser through which you are currently viewing Slate does not currently have such an identifying cookie. If you are an EU reader this means that Slate is not collecting or processing data from your current browser session."
// I am currently reading from EU -- a good time to clear your cookies.
If you consider financial needs underpinning the site operation, it's technically true - without the 60+ 3rd parties, they could run out of funds to host the site, after which the site would not function at all.
It's just as easy to opt-in as to opt-out. Just tap the checkmark or the X and then Save your preferences.
In your example, Site X would be the Controller. Google or Facebook may be a Processor, or they may not be involved at all. If the JavaScript in question sends data to Facebook/Google then they are a Processor, whereas if it's purely a client-side library or something that helps Site X send data to itself then the situation is more ambiguous.
Vendors could arrange the relationship in such a way as to be joint controllers instead of processors if they wanted to. Most companies seem to want to avoid this set-up if possible.
(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Generally speaking, site X is the data controller and the third party JS providers are the data processors. GDPR applies to both, with the controller being the party primarily responsible for ensuring compliance.
But in 2017 it was shut down for a few months, and relaunched as a program which would omit all ads from the target site if the site was a partner, and the user has marked that site in their account. The amount charged for each pageview is set by the site [2]. Only a handful of websites are supported, although most are news sites -- local papers or TV channels.
This new Funding Choices program aims to greatly expand the list of sites that use Contributor by offering a managed solution that solves a better-than-before subset of two pain points at once: regulatory compliance and monetization.
[1] https://hn.algolia.com/?query=niftich%20google%20contributor...
[2] https://support.google.com/contributor/answer/7359560
If/when it hits a critical mass of users, suddenly it will become a lot easier to justify the cost of implementation.
Hopefully tools like this can help get some sites to implement contributor or something like it so paying for access can get a foothold and become a viable option.
That's the same reason why you wouldn't want to ask an alcoholic to guard a warehouse full of vodka at night, as you'd probably find a few empty bottles the next day. Same thing with an advertising company, even if they claim to respect your privacy, nothing guarantees they're not secretly looking at it anyway (and using it to adjust their ad tracking in a way that's undetectable from the outside, as to not be sued for it). It's even worse, because at least with alcohol you can count the bottles and find the empty ones. With data collection, if they're careful, you have no way to know whether your privacy has been violated.
Maybe I'm naive, but I feel building automated law breaking systems is not something corporations do. I have no doubt individuals within corporations break laws whenever they feel like they can get away with it, but leaving trails like checked-in source code, and operating services that other services depend on, that just sounds like too much of a liability to me.
Did you already forget the VW diesel scandal? That was exactly that - a huge corporation systematically breaking the law with lots of people even in the highest ranks aware of and supporting it.
1. Virtualbox VM restored to a snapshot after each usage (browser completely clean, never uses my main Google accounts here)
2. Firefox on main machine with clear all cookies set, uBlock Origin. Rarely logs into my main Google account, if I do, always in incognito.
3. pfSense with block lists for Google & Microsoft
4. Mobile with Disconnect tracking blocker (mobile wide) plus Firefox Focus & Firefox set to clear all history on exit.
Still Google manages to track me. Whenever I see those recommendations in YouTube, I feel like Google is mocking me - "ha ha do whatever you want, you can never hide from us".
They did and will do that again because they know whenever they get caught they have to pay several million dollars at most after years of such violations and then they can be on their way to rinse and repeat with something else like that.
By the law, opt-out is the default.
They are proposing an industrialized solution for new and old businesses to transition to EU regulations more easily. Trust Google or not, but in the meantime, they are proposing new services to answer business and legal needs.
This analogy falls flat, because unlike an alcoholic who can be satiated at some point, FAANG can never be satiated. More information is always good. Thus taking data from both warehouses is better than restricting yourself to only one.
Secondly it also falls flat because your paying users are often the more juicy targets (from an advertising point of view), since they are already well enough off to pay for ad-free internet services, thus also well enough off to target for more lucrative advertising.
Getting back to the analogy, it is like an alcoholic guarding two warehouses, one stocked with free Budweiser beer, and the other stocked with the finest scotch, and hoping he won't take a swig from the scotch.
A lot of (primarily US-based) sites now say things like "We need to track you to keep running, consent or click this link to enter a maze of poorly documented ways you can try to opt out, if you decline then goodbye".
Some even let you opt out of tracking (taking several minutes to 'process' this opt out), and then tell you they can't serve you a site that doesn't track you.
I'm OK with those - I don't go there any more.
> With Funding Choices you can automatically identify ad blocking visitors and ask them to disable their ad blocker especially for your site — or give them an alternative way to fund your content via Contributor.
> Contributor lets users buy an ad removal pass for your site, helping you monetize your site's content again.
Great! Now, can I have that for Google? I'd gladly pay in exchange for the added privacy.
People may subscribe for big newspapers and such, but they won't subscribe to a lot of smaller blogs, for example, on various blogging platforms, which do provide value, but they are not big enough to warrant a subscription.
Ads solve this case and I haven't heard any viable alternative for them for small players.
I'm not against ads, but I don't want to be tracked. I don't want a 500 word article to download megabytes of crappy JavaScript.
Publishers are probably costing their audience more in battery life and bandwidth than they are ever making from the ad they are showing.
Given the security issues involved with ads as a vector, general abusiveness, and poor programming leading to memory leaks and insane waste, blocking by default is wise.
Even big ad networks have been caught hosting outright viruses from lack of vetting. There is no right to a business model and they have no right to access client systems.
The entire debate around copyright and online monetisation is trapped in "entitlement" of publishers in the METHOD of extracting value. Have you ever considered that maybe it's not that people don't want to support you financially, but that your methods are wrong?
So maybe subscriptions don't work, but let's take pirates as an example. Multiple studies have proven that pirates spend more money on the things they pirate than non-pirates. So in actuality piratisation is increasing the amount of money publishers are making since the act of piracy itself actually represents no cost to the publisher.
* Ad blocker detection and a way to ask for funding? Seems nice. We will get a view on the actual market value of the content. As the Internet started out free and had plenty of content, I assume content producers will get a rude message about their actual value here.
* A good base platform for the GDPR is also nice. A big player like Google can't flaunt the law too much, and browser plug-ins have one big target to block, verify or modify
Some extras to make the ad ecosystem sane again:
* Micro-payments. You could get to choose between an ad, a micro-payment, or no content.
* Content producer vetting and taking responsibility for their ads. Today's ads are bottom feeders. If, say, a car site would get an image from e.g. a car company, and place ads on their own site, you get a better ad for the customer, no privacy violation, and more respect and use for the ad vendor. This is the Stack Overflow/jobs model.
* A header element like X-Interested-in. Use your browser to set a free-form value, and let the ad vendors get some input to give better ads, while you are completely anonymous to them.
Fine, but there are only two sites that support it, so it's fairly useless. Maybe Funding Choices will make it more useful.
1.7.x is in long-term support, while 1.6.x stopped being supported in July. The version they're running has at least three vulnerabilities: https://snyk.io/test/npm/angular/1.6.0