After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 739631 - Improve tracking protection
Improve tracking protection
Status: RESOLVED FIXED
Product: epiphany
Classification: Core
Component: General
3.14.x (obsolete)
Other Linux
: Normal enhancement
: ---
Assigned To: Michael Catanzaro
Epiphany Maintainers
: 750759 755188 (view as bug list)
Depends on: 697329
Blocks: 755292
 
 
Reported: 2014-11-04 18:52 UTC by Michael Catanzaro
Modified: 2017-01-24 14:39 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description Michael Catanzaro 2014-11-04 18:52:52 UTC
We should add EasyPrivacy [1] tracking protection to Epiphany. It should be implemented by adding it as an additional filter to our existing list of adblock filters if and only if the setting "Tell web sites I do not want to be tracked" is active. That setting should be renamed to something like "Attempt to prevent tracking by advertisers" and it should only be selectable when adblocking is enabled (which means moving the adblock setting to the privacy page, unfortunately) as the list would otherwise not be effective. (Alternatively we could add this as a new setting, but I don't think there's any value in having a setting that controls only the useless do not track header.)

Another dependent setting, "Also block social media tracking buttons" should add a third subscription to Fanboy's Social Blocking List to stop tracking by Facebook and Google as well, but we need to think more about how to name that to make it clear that the like and +1 buttons are themselves trackers... and also consider completely merging it to the tracking prevention setting, as having three levels of dependent settings seems like too much.

[1] https://easylist.adblockplus.org/en/
Comment 1 Bastien Nocera 2014-12-10 16:34:20 UTC
(In reply to comment #0)
> We should add EasyPrivacy [1] tracking protection to Epiphany. It should be
> implemented by adding it as an additional filter to our existing list of
> adblock filters if and only if the setting "Tell web sites I do not want to be
> tracked" is active. That setting should be renamed to something like "Attempt
> to prevent tracking by advertisers" and it should only be selectable when
> adblocking is enabled (which means moving the adblock setting to the privacy
> page, unfortunately) as the list would otherwise not be effective.
> (Alternatively we could add this as a new setting, but I don't think there's
> any value in having a setting that controls only the useless do not track
> header.)

How does it compare to the pruning we do on tracking URLs?
Comment 2 Michael Catanzaro 2014-12-10 18:14:07 UTC
They're orthogonal. Some trackers will be foiled by URL pruning, but many (most?) won't be. Try the Ghostery Firefox extension, it will show you which trackers it is blocking and you can see which URLs have tracking parameters -- I guess it's usually roughly half.
Comment 3 antistress 2015-05-20 13:14:57 UTC
Hi, note that Firefox now includes Disconnect tracking sites list as port of their Polaris project, although it's not active bu default

Maybe Web could use the same list for tracking protection ?

Thanks

See :
- http://tuxdiary.com/2015/04/10/firefox-tracking-protection/
- https://blog.mozilla.org/privacy/2014/11/10/introducing-polaris-privacy-initiative-to-accelerate-user-focused-privacy-online/
Comment 4 Michael Catanzaro 2015-05-20 13:34:26 UTC
That looks like the same thing, just a different list. The EasyPrivacy list is an Adblock Plus list, so adding support should be super easy. I'm not sure about the relative quality of the lists, though.
Comment 5 antistress 2015-05-20 17:41:46 UTC
Note that adblock include tracking protection but the opposite is not true.
We could imagine 2 different functionalities, depending whether the user wants (non tracking) ads or not
Tracking protection could be ON by default
Comment 6 Michael Catanzaro 2015-05-20 17:46:46 UTC
That's not true: you can't have effective tracking protection unless you also block ads. The ad companies are tracking you.

Our ad blocking sometimes does not work reliably (we need to track down why), but it's been at least two years since I've noticed it breaking any pages, so I think it's safe to enable by default.
Comment 7 Michael Catanzaro 2015-09-23 00:41:03 UTC
*** Bug 750759 has been marked as a duplicate of this bug. ***
Comment 8 Michael Catanzaro 2015-09-23 00:41:15 UTC
*** Bug 755188 has been marked as a duplicate of this bug. ***
Comment 9 Mattias Eriksson 2016-03-31 10:06:09 UTC
I suggest to use the Privacy Badger (https://www.eff.org/privacybadger) model for tracking protection and build on their work. They have a model that learns and auto detect trackers. 
I like to block trackers, but not ads (unless they are tracking me). I have no problems with seeing ads, but I don't like to be tracked. Ok, I hate intrusive ads, but it seems that they all try to track the user also... so privacy badger works like a bad ad blocker also.... :)
Comment 10 Michael Catanzaro 2016-03-31 20:10:20 UTC
FYI: I looked at Privacy Badger, but it broke the first sites I tried it on. We're gonna have to use a human-curated list (e.g. Disconnect or EasyPrivacy) rather than a heuristic-based approach, because we want this to be enabled by default, so we have to minimize the number of sites we break.
Comment 11 Mattias Eriksson 2016-03-31 21:48:01 UTC
Well, the broken pages are fewer and fewer. I think they added a human-curate whitelist, so it is now a hybrid of heuristic and a whitelist if I understand it correctly. 
However, I guess some sites may always be broken if they require tracking to work, and that is the correct way I guess since the alternative is to allow tracking. To fix that it would be possible to have some option to open the broken site in a private sandbox tab without the privacy badger, where there are no facebook/google aso cookies.
Comment 12 Michael Catanzaro 2016-04-01 03:22:48 UTC
(In reply to Mattias Eriksson from comment #11)
> Well, the broken pages are fewer and fewer.

We could certainly evaluate it again....

Still, realistically, something on the scope of PrivacyBadger would take months to implement, whereas something like EasyPrivacy would be an afternoon hack to get working as we already support Adblock Plus filters; probably we should start simple, so we can get *some* real tracking protection in place.
Comment 13 courthicks1 2016-04-01 21:57:20 UTC
I think one thing I like about the Privacy Badger implementation would be how it handles social media share icons. The icons have tracking built in and one thing PB does is keep the icon there (with a little PB icon watermarking it) but blocks the tracking, that way if you choose, you can click it. I'm not entirely sure if EasyPrivacy blocks these tracking features? I know Fanboy's Enhanced Tracking List blocks this behavior, but it also removes the icon which could be an inconvenience for some users.
Comment 14 Michael Catanzaro 2017-01-23 19:31:10 UTC
Implemented using EasyPrivacy. For now it's enabled by default; let's see if websites break.
Comment 15 Mattias Eriksson 2017-01-24 08:24:31 UTC
How are things like social media sharing icons handled with this implementation?
Comment 16 Michael Catanzaro 2017-01-24 14:32:11 UTC
They're not. For that we need to subscribe to Fanboy's social blocking list, but I hesitate to hide that under "try to block web trackers" since most users expect social features to actually work. But maybe that's the right thing to do; maybe trying to block web trackers is useless if you're not willing to block social media buttons too. Feel free to file another bug and we can figure it out there.
Comment 17 Michael Catanzaro 2017-01-24 14:39:52 UTC
(In reply to Michael Catanzaro from comment #16)
> Feel free to file another bug and we can figure it out there.

(Options for this cycle would be adding yet another preference, or more likely just having the existing preference control social blocking too and adding a warning to the preferences dialog. Next cycle we want to add a real adblock configuration dialog, which will simplify this.)