James Cridland

Please could the privacy zealots get real?

I’m quite fanatical about user privacy.

Cory Doctorow seems like a man you can trust - and he proudly claims “we don’t collect or retain any data at all ever period” on his blog, but his website, pluralistic.net, makes calls to a number of other domains, including his own craphound.com, Wordpress’s c0.wp.com and i0.wp.com, and secure.gravatar.com, all of whom are able to collect data on his visitors, and correlate it with other websites that they visit. A lot of people visit a lot of other Wordpress websites, after all. pluralistic.net sets a cookie, as do the two Wordpress websites he includes - no consent is sought.

His “About” link takes you - surprisingly - to craphound.com, which makes calls to jquery, Google fonts, Bootstrap’s CDN, and those Wordpress domains, plus two more suspicious Wordpress domains called pixel.wordpress.com and stats.wp.com - which monitor every click you make on a website that includes them. His website drops two cookies - no consent is sought.

He doesn’t have a (real) privacy policy on either website either.

View the network traffic for this website, for example, and you’ll see no third-party calls. At all. The privacy policy - I’ve got one! - is three short paragraphs. So, you’ll forgive me for repeating that I’m quite fanatical about user privacy. Seemingly, more fanatical than Cory Doctorow, even.

With that in mind…

A chap called Alexander Hanff is currently claiming that the EU says ad-blocking detection software is illegal, and is trying to get the Irish Data Protection folks to take YouTube to court.

I run ad-blocking detection software on a website I run - ironically, on a page where you are buying ads on the website.

It’s JavaScript, and the code, in its entirety, is this:

<script>var adBlockEnabled = false;
  var testAd = document.createElement('div');
  testAd.innerHTML = '&nbsp;';
  testAd.className = 'adcopy';
  document.body.appendChild(testAd);
  window.setTimeout(function() {
    if (testAd.offsetHeight === 0) {
      adBlockEnabled = true;
      document.getElementById('message').innerHTML='<P style="border:3px solid red;margin:22px;padding:22px;"><B>You are running an ad blocker</B> which is cool, but they also block parts of this ad system, so it won&rsquo;t work properly. Please either turn it off or try incognito mode. Our actual classified ads aren&rsquo;t normally blocked, by the way.</P>';
    }
    testAd.remove();
  }, 100);
  </script>

In short - it tries to make something that looks like an ad on a webpage. It then tests the height of that ad - if it’s zero, then it knows that the ad has been blocked; and pops up a message, just saying that you’re running an ad blocker.

Alexander Hanff says that the EU has “confirmed in writing that ad-blocking detection software is illegal”. I asked him on Mastodon whether my approach was acceptable. He told me it was illegal, because it was accessing information on a user’s computer without consent. Apparently, I should be asking for consent to run JavaScript, and not run it until someone has given consent. I queried this, and he got a bit rude and huffed off.

Someone else expressed slight surprise: saying that Hanff appeared to be suggesting that all JavaScript couldn’t be run on a web page without express consent. He uses JavaScript to work out the size of a user’s screen and configures part of the webpage accordingly. Hanff’s proclamation appears to make this illegal, too.

It turns out that Hanff is relying on this letter from the EU, which is a response to a question we don’t know, but is summarised as “you asked about storage of scripts to detect if users have installed adblockers in their computers”. The EU representative then says storage of things is only fine with user consent. But neither of these approaches store information.

Hanff doesn’t like YouTube’s adblocking detection script. It might be that YouTube is reporting back to YouTube whether a user has adblocking software on their computer - and that might not be within the terms of the GDPR. But, for Hanff to suggest that JavaScript cannot be run without consent is a disingenous misreading of the electronic privacy directive. (Not least because privacy is not impacted by a standalone script running on someone’s machine without any feedback mechanism.)

Taken at face value, Hanff’s proclamation seems to suggest that we need user consent to run any form of JavaScript - or, even, user consent to even process an HTML document. This is clearly nonsense; but he’s relying on a poor misreading of a badly drafted letter from the EU to hoodwink developers.

Just as the cookie consent form has done almost nothing to actually manage user privacy - I saw one yesterday asking on behalf of “128 companies we use” - so this kind of bad misreading would do nothing to stop bad actors from abusing peoples’ privacy either. Just imagine the kind of internet we’d get if we required consent before every piece of JavaScript!

Let’s fix the kind of privacy-washing that people like Cory Doctorow try on instead - pretending all is fine, even while their websites share visitor data with third parties. That’s rather worse for everyone than a simple, self-contained JavaScript test.

Previously...

Next...