Re: [projectvrm] The marketing/cybercrime symbiosis

[Don Marti < >]

begin T.Rob quotation of Mon, Sep 22, 2014 at 12:46:32AM -0400:

> I'm also finding it difficult to draw the line that designates public versus
> private space on the Internet because there is no opt-out of malvertising.
> The deal we are offered is to either accept the adtech or else don't use the
> site.  But even though "the site" might arguably be public, the ads that are
> being served aren't coming from the site you are visiting.  So it's not like
> "I went to wsj.com and all these ads were there."  A more accurate
> description would be "I went to wsj.com and they silently gave access to my
> browser session to 35 non-WSJ domains who then downloaded 200 scripts to my
> PC and executed them without my knowledge or consent, and without any
> accountability as to what exactly those scripts do to my PC or what
> information they collect."  

This is mixing up the subject and object of the
sentence.  Normally I try not to be a grammar nerd,
but in this case, the way that we communicate about
the problem is interfering with getting an answer.

The web browser is the active side here.  The
developers of the browser can decide the policies
for how to handle security and privacy issues.
The browser makes a request of the web server on
behalf of the user.  Then the browser has the option
of following up on it, to ask the same server or other
servers for additional resources that were mentioned
on the page the user asked for.

The more that we try to make the server side into
the subject of the sentence, the more that the
problem tends to look like "please, please, big bad
example.com, stop tracking poor little passive us".
That way lies petitions, meetings, long arguments,
and failure.

When we make the browser into the subject of the
sentence, then it's more natural to say, oh, I have
software on my computer with a bug in it.  What can
I do to switch to something better (Apple Safari
blocks third-party tracking by default, and MSIE has
Tracking Protection Lists) or install a workaround
(Disconnect or Privacy Badger)?

> Would you be OK with it if you went to the mall and while you were inside 35
> different companies put GPS trackers on your car then broke in and slathered
> the dashboard and windshield with advertising printed on adhesive stickers?
> Because what you see in context of the WSJ page is one thing.  Downloading
> scripts onto your PC, causing your PC to execute them, and then exfiltrating
> data from your PC back to the mother ship is a whole lot more like finding
> your car bugged and covered in ads than it is seeing a billboard while
> walking in the park.

I like analogies as much as the next person.  But
let's stick with analogies that are closer to how the
web works.  The browser isn't an inert parked car.

Imagine a nosy timeshare sales rep hanging out in the
lobby of your bank, asking all kinds of personal
finance questions.  (You don't know why the bank
decided to let him in.)

Now imagine that the bank advertises ride-through
banking. You decide that would be a great time-saver,
saddle up your horse, and ride in to do your bank
business.

But this time, the sales rep starts asking your
_horse_ the questions, and your horse answers -- clop,
clop, clop with a front hoof on the marble floor of
the bank.

The partly trained horse is like today's web browser.
Some of them are making progress, though.

-- 
Don Marti                    
http://zgp.org/~dmarti/