Developers, we can clean the Web of Google surveillance one site and one service at a time. What do you say?

help.slides.com/forums/175819-

@aral

but, Aral, they gave us a lot of money

are we SURE they're evil? I mean, like, evil's relative, right, and like if people are nice and give you money how could they be evil?

CHECKMATE ARAL

(seriously though, cut the leash the corps have on the internet)

@aral What do you think about creating an "ethical ads service"?

Which from my perspective would be some kind of json file or API and a JS snippet people can embed on their pages which would provide ads for ethical companies and products. Just a picture, a link and a little text.

This would be privacy friendly as every page could host themselves and I think informing people about a product, which was the original idea behind "ads", would help to spread them :)

@sheogorath @aral This is (pretty much) how ads once worked, and is something I am also totally ok with. I don't mind being advertised to, I mind my digital self being dissected and inspected to determine how I should be advertised to!

@Chris @sheogorath @aral I also mind being infected and trojaned by ads that are allowed to do too much on my machine.

@daniel_bohrer @sheogorath @aral
Good point well made - I think I'd also care more about my system being pwned than the surveillance, if I had to choose.

Thankfully if ads aren't tightly coupled to huge amounts of data processing and analytics then there's no reason for them to be any more complex than just passive content, images/text/video, so moving to a much safer means of displaying ads is totally possible.

Sheogorath's suggestion was "Just a picture, a link and a little text" after all!

@Chris @daniel_bohrer @aral

Yes, this suggestion was pretty much for this reason.

Active content always causes problems. That's why I suggested using passive content. Also self-hosting, to make it more privacy friendly.

In my initial idea it is not mandatory to sell ads. Instead everyone can decide for themselves what kind of ads they want to show. The original project would just provide a repository of possible ads which hopefully has ethical standards.

But maybe monetizing it would also help.
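
Added example, not part of the thread or any participant's code: a sketch of the "JSON file plus JS snippet" idea discussed above, where each record is reduced to a picture, a link and a little text before anything is rendered. The `/ads.json` path, the field names `image`, `href` and `text`, and the `ad-slot` element id are assumptions.

```javascript
// Added example. The ads.json path, the field names (image, href, text)
// and the "ad-slot" element id are assumptions, not from the thread.
const MAX_TEXT = 140;

// Resolve a URL and accept it only if it is https (this rejects
// javascript:, data: and plain http), optionally same-origin only.
function safeUrl(value, base, sameOriginOnly) {
  if (typeof value !== "string") return null;
  let url;
  try { url = new URL(value, base); } catch { return null; }
  if (url.protocol !== "https:") return null;
  if (sameOriginOnly && url.origin !== new URL(base).origin) return null;
  return url.href;
}

// Reduce an untrusted record to exactly three passive fields, or reject it.
function validateAd(ad, pageUrl) {
  if (!ad || typeof ad.text !== "string") return null;
  const image = safeUrl(ad.image, pageUrl, true);  // picture must be self-hosted
  const href = safeUrl(ad.href, pageUrl, false);   // link may point off-site
  const text = ad.text.trim().slice(0, MAX_TEXT);
  if (!image || !href || !text) return null;
  return { image, href, text };
}

// Build the ad from DOM nodes; the text is never parsed as HTML.
function renderAd(ad, container, doc) {
  const link = doc.createElement("a");
  link.href = ad.href;
  link.rel = "noopener noreferrer sponsored";
  const img = doc.createElement("img");
  img.src = ad.image;
  img.alt = "";
  const caption = doc.createElement("span");
  caption.textContent = ad.text;
  link.append(img, caption);
  container.replaceChildren(link);
}

async function showAd(container) {
  const res = await fetch("/ads.json", { credentials: "omit" });
  const list = await res.json();
  const ads = (Array.isArray(list) ? list : []).map(a => validateAd(a, location.href)).filter(Boolean);
  if (ads.length) renderAd(ads[Math.floor(Math.random() * ads.length)], container, document);
}

if (typeof document !== "undefined") showAd(document.getElementById("ad-slot"));
```

A page serving this can also send a Content-Security-Policy that limits `img-src` and `connect-src` to `'self'`, so a record that slipped past validation still could not load a third-party resource.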

@Chris
@daniel_bohrer @sheogorath @aral

According to #Mozilla "this is the #Web functioning as designed".

bugzilla.mozilla.org/show_bug.

To mitigate the risks for users, browsers' vendors could make several simple modifications to their software.

The problem is that one of these fixes is to make the execution of #JavaScript opt-in on a per-website basis, by default.

@Shamar @Chris @daniel_bohrer @aral

There is one major problem which you are definitely aware of: It would break the entire modern web.

And "opt-in" especially for security topics is not more secure for a majority of users. Ever seen users visiting an intercepted HTTPS page? Guess why HSTS forces browsers to remove "opt-in" for insecure connections…

Security has to come by design, not by enduser decision.

@sheogorath

Except that now we have opt-out #JS on all major browsers (with #Google giving users fine-grained control over which websites you trust, while in #Firefox you either enable or disable #JavaScript everywhere!), which means an inconvenient and clumsy opt-in #security.

I agree that the mitigations described in the bug report don't fix the issue. A redesign of the #Web as per @alcinnz's #Memex would.

@Chris @daniel_bohrer @aral

@sheogorath @alcinnz @Chris @daniel_bohrer @aral

To fix the issue we need to completely separate the #Web as a content distribution platform (aka the #HyperText in #HTTP and #HTML) and the Web as a distributed application platform: nobody should be able to embed a #surveillance application inside a journal article (thus no #JS nor #WASM should be allowed).

As for this breaking the Web, sorry but this is #FUD: even #GMail (!!!) works fine without JS!

@Shamar @alcinnz @Chris @daniel_bohrer @aral

I guess my definition of "breaking the web" is different than yours. To me it's about designing a webpage following modern web standards (which definitely includes JS) and it looks and behaves in all major browsers basically in the same way.

Which is no longer true, as soon as you remove JS out of this. Which in conclusion means it's broken.

@sheogorath

Yes definitely a different definition.

To me "looks the same ON ALL MAJOR BROWSERS" means it's broken, as all major browsers are controlled by what 2 US corporations? #Google controls #Chromium and #Firefox and is going to control #Microsoft's default browser too. #Apple controls #Safari. Together they render over 90% of the _world_ #Web traffic.

That's REALLY broken, don't you think?

1/

@alcinnz @Chris @daniel_bohrer @aral

@sheogorath @alcinnz @Chris @daniel_bohrer @aral

To me, the definition of NOT broken would be "usable and accessible on every browser", in a world where a single person could aspire to implement a standards-compliant browser alone from scratch in a couple of years.

Today everybody complains because the #Web is centralized on the server side.

But what about the client side?
The situation is even worse!

But nobody wants to see this.

@sheogorath @Shamar @Chris @daniel_bohrer @aral Must say I'm not particularly pleased with the warning messages most sites have.

The security opt-out button should be labeled "I don't trust _ anyways", people in general won't read the rest of your message so have the button they're looking for instruct them how to behave.

@alcinnz @Shamar @Chris @daniel_bohrer @aral

My point is more that there shouldn't be a button to opt-out from security. (which is the case for HSTS)

And the same should be done to whatever solution comes up to make JS more secure/replaces it. I recently saw a talk about USB-Guard stating that asking the user security questions results in more than 50 percent wrong decisions. Means you can throw a coin to get a better quote.

@sheogorath @Shamar @Chris @daniel_bohrer @aral Yes. While realistically the transition time would require it, there ultimately shouldn't be opt-in/out of JS. It just shouldn't work.

@alcinnz
@sheogorath @Chris @daniel_bohrer @aral

Sure, no code should be automatically executed from unknown third parties.

However, as of today, the mitigations we are talking about (of which disabling #JS by default is just one and absolutely not enough, even if the most controversial) are cheap and fast to introduce.

#Chromium and #Firefox could leverage their market share to protect people but they choose to leave them vulnerable instead.

@sheogorath @aral
Project Wonderful used to be a thing, though I think they still hosted ads on a central server. But they shut down 😦
en.wikipedia.org/wiki/Project_

I know of at least one blog which has "sponsors", which just show up as a little text banner at the top.

@sheogorath @aral heard of Carbon?

How close is it to what you're describing?

@dublinux
If you ask me, you don't need analytics or advertising to have a successful website and business. Here's an example of such a business:

zenhabits.net/conduct/

@aral @switchingsocial

@revkellyn @dublinux @aral @switchingsocial I have done this on my blog thinkmoult.com/ !

If you still need stats, you can use something like goaccess.io/ - it's absolutely great!

@aral how do you all feel about matomo? Is that an acceptable analytics solution?

@aral
I don't see anything wrong with anonymized analytics by a company which has neither abused nor leaked personal data.

Aral’s Mastodon