Today I filed a formal complaint against #YouTube with the Irish Data Protection Commissioner for their illegal deployment of #adblock detection technologies.
Under Article 5(3) of 2002/58/EC YouTube are legally obligated to obtain consent before storing or accessing information already stored on an end user's terminal equipment unless it is strictly necessary for the provisions of the requested service.
In 2016 the EU Commission confirmed in writing that adblock detection requires consent.
It about device detection and privacy. Websites in the EU aren’t allowed to scan your hardware or software without your permission, to protect the users privacy. Adblockers fall under this.
If thats how it works, they could very easily just check if the ad ever got loaded and refuse to serve you content until it does. Going after the way they prevent people from abusing their services doesn’t stop them from preventing them - it just gives them a new hurdle and that’s not a very big one.
Well many adblockers can be clever enough to load the asset, but then just drop it. As in yeah the ad image got downloaded to browser, but then the page content got edited to drop the display of the add or turn it to not shown asset in css.
This is age old battle. Site owners go you must do X or no media. However then ad blocker just goes “sure we do that, but then we just ghost the ad to the user”.
Some script needs to be loaded, that would display the ad? All the parts of the script get executed and… then CSS intervention just ghosts the ad that should be playing and so on.
Since the browser and extension are in ultimate control. As said the actual add video might be technically “playing” in the background going through motions, but it’s a no show, no audio player… ergo in practice the ad was blocked, while technically completely executed.
Hence why they want to scan for the software, since only way they can be sure ad will be shown is by verifying a known adhering to showing the ad software stack.
Well EU says that is not allowed, because privacy. Ergo the adblocker prevention is playing a losing battle. Whatever they do on the “make sure ad is shown” side, adblocker maker will just implement counter move.
So then Google just refuses to play the video until the appropriate time expires. Or they embed it in the video feed itself. There are more ways around this than you’re making there out to be.
Personally, I’d prefer waiting 15s to start the video than watching 15s of ad before atching the video, ads have been proven to have an effect on your brain that’s why they keep showing them to you. It’s not about the delay in video watching, it’s about the ad itself.
Your comment makes me think of Googles new DRM protocol, and then about Ken Thompsons compiler hack, combined with most DRM get hacked eventually.
This gives me hope that even if Googles DRM becomes standard, it will be hacked and YouTube thinks it’s showing ads on a unmodified signed page, but I am not seeing any ads.
From my understanding, they embed the ad in the video stream itself so that it’s indistinguishable from the actual content. I imagine Google could serve ads from the same servers that serve videos and integrate them in a way that would be hard to detect, just like Twitch.
I guess the one difference is that I don’t think twitch ads are skippable while youtube’s ads are. I assume embedding the ad into the video would prohibit that. Hopefully youtube doesn’t do that because while the current ad situation is annoying, having only unskippable ads would be pretty unbearable.
As I understand it, detecting an adblocker is a form of fingerprinting. Fingerprinting like this is a privacy violation unless there is first a consent process.
The outcome of this will be that consent for the detecting will be added to the TOS or as a modal and failing to consent will give up access to the service. It won’t change Youtube’s behavior, I don’t think. But it could result in users being able to opt out of the anti-adblock… just that it also might be opting out of all of YouTube when they do it.
I’m all for this protection but for the sake of argument isn’t use of the service consent to begin with? Or is that the American argument around these types of regulation?
I’m a pihole, vpn, adblock and invidious user ftr… 😂
That’s how the corporate-written laws in the USA handle it most likely. The EU actually has some amount of consumer protection. Burying it in a 100 page terms of service document doesn’t count as consent either.
It’s “consent” from the POV of the law and the corporation, but I say fuck 'em. Do you really consent to everything? Did you read their ToS and Privacy Policy every time it’s amended? In the plain everyday use of the word “consent” I mean. Not in the legal constructions we’ve created.
Thus, since I do not consent to everything in any ToS or Privacy Policy, I use adversarial tech. My use of adversarial tech is how I enforce my lack of consent to everything these platforms expect from me.
If they don’t want us to use adversarial tech anymore, they can change their platforms so it’s no longer necessary.
So is this basically saying youtube isn’t allowed to detect an adblocker?
I’m not sure I really follow why that specifically is something they’re policing.
It about device detection and privacy. Websites in the EU aren’t allowed to scan your hardware or software without your permission, to protect the users privacy. Adblockers fall under this.
If thats how it works, they could very easily just check if the ad ever got loaded and refuse to serve you content until it does. Going after the way they prevent people from abusing their services doesn’t stop them from preventing them - it just gives them a new hurdle and that’s not a very big one.
Well many adblockers can be clever enough to load the asset, but then just drop it. As in yeah the ad image got downloaded to browser, but then the page content got edited to drop the display of the add or turn it to not shown asset in css.
This is age old battle. Site owners go you must do X or no media. However then ad blocker just goes “sure we do that, but then we just ghost the ad to the user”.
Some script needs to be loaded, that would display the ad? All the parts of the script get executed and… then CSS intervention just ghosts the ad that should be playing and so on.
Since the browser and extension are in ultimate control. As said the actual add video might be technically “playing” in the background going through motions, but it’s a no show, no audio player… ergo in practice the ad was blocked, while technically completely executed.
Hence why they want to scan for the software, since only way they can be sure ad will be shown is by verifying a known adhering to showing the ad software stack.
Well EU says that is not allowed, because privacy. Ergo the adblocker prevention is playing a losing battle. Whatever they do on the “make sure ad is shown” side, adblocker maker will just implement counter move.
So then Google just refuses to play the video until the appropriate time expires. Or they embed it in the video feed itself. There are more ways around this than you’re making there out to be.
Personally, I’d prefer waiting 15s to start the video than watching 15s of ad before atching the video, ads have been proven to have an effect on your brain that’s why they keep showing them to you. It’s not about the delay in video watching, it’s about the ad itself.
bro just solved the ad blocker problem! google needs to hire this man!!
Your comment makes me think of Googles new DRM protocol, and then about Ken Thompsons compiler hack, combined with most DRM get hacked eventually.
This gives me hope that even if Googles DRM becomes standard, it will be hacked and YouTube thinks it’s showing ads on a unmodified signed page, but I am not seeing any ads.
Twitch seems to have figured out adblock blocking. Any idea what they’re doing that’s different?
From my understanding, they embed the ad in the video stream itself so that it’s indistinguishable from the actual content. I imagine Google could serve ads from the same servers that serve videos and integrate them in a way that would be hard to detect, just like Twitch.
I guess the one difference is that I don’t think twitch ads are skippable while youtube’s ads are. I assume embedding the ad into the video would prohibit that. Hopefully youtube doesn’t do that because while the current ad situation is annoying, having only unskippable ads would be pretty unbearable.
Well, YouTube is no stranger to worsening their platform so it really wouldn’t surprise me if they slowly transitioned to unskipable ads
There are ways to get Twitch adblock as well. I use PurpleTV
Removed by mod
Good, make them jump through that hoop and respect user privacy.
It’s not even a hoop. It’s a slight side step. And they wouldn’t be breaking anymore of your privacy. They’d still know you’re not loading ads.
But they wouldn’t know how, or with what software. That is indeed protecting one’s privacy.
As I understand it, detecting an adblocker is a form of fingerprinting. Fingerprinting like this is a privacy violation unless there is first a consent process.
The outcome of this will be that consent for the detecting will be added to the TOS or as a modal and failing to consent will give up access to the service. It won’t change Youtube’s behavior, I don’t think. But it could result in users being able to opt out of the anti-adblock… just that it also might be opting out of all of YouTube when they do it.
I’m all for this protection but for the sake of argument isn’t use of the service consent to begin with? Or is that the American argument around these types of regulation?
I’m a pihole, vpn, adblock and invidious user ftr… 😂
That’s how the corporate-written laws in the USA handle it most likely. The EU actually has some amount of consumer protection. Burying it in a 100 page terms of service document doesn’t count as consent either.
It depends on the context, but generally you require explicit permission for data-related stuff which means something like a checkbox or a signature.
It’s “consent” from the POV of the law and the corporation, but I say fuck 'em. Do you really consent to everything? Did you read their ToS and Privacy Policy every time it’s amended? In the plain everyday use of the word “consent” I mean. Not in the legal constructions we’ve created.
Thus, since I do not consent to everything in any ToS or Privacy Policy, I use adversarial tech. My use of adversarial tech is how I enforce my lack of consent to everything these platforms expect from me.
If they don’t want us to use adversarial tech anymore, they can change their platforms so it’s no longer necessary.