Nick-Craver | 6 years ago

I just wanted to chime in from Stack Overflow here and let people know: we are aware of the issue. And we're NOT okay with it. We're trying to sort out how to kill the audio behavior now. It's not very straightforward to find where it's coming from, but we are working on it. We've also reached out to Google for their assistance in tracking it down. If anyone can offer advice, we'll more than happily take it.

- Nick Craver, Architecture Lead at Stack Overflow

coldpie|6 years ago

Why are you allowing arbitrary javascript to be served to your users?

nerdponx|6 years ago

Wish I could upvote this 1,000 times.

It's ridiculous. It's a text-based ad. At worst, it's a clickable image. At what point did it become okay in your minds to let advertisers run arbitrary code?

I've left ads turned on specifically on StackOverflow because 1) I want to support StackOverflow, and 2) I trust them not to run malicious ads.

I don't even care that they're running ads network-wide. But if they're going to be running these kinds of ads anywhere on the site, they're going right on the ad block list along with everyone else.

Ajedi32|6 years ago

I think this comment[1] on the linked Meta question explains it pretty well:

> To the people confused why ads need to run their own Javascript (even ones that are just static images): The short answer is that Ad Networks do not and cannot trust website operators. They need to run their own JavaScript served from their own servers in order to verify that a real user saw the ad and for how long, and they can't trust the website operator to tell them. And these pieces of JavaScript tend to be more invasive and privacy-destroying than the website's JS because they care, far more than the actual website does, that the "user" is not a bank of iphones in a sweatshop in China.

[1]: https://meta.stackoverflow.com/questions/386487/why-is-stack...

wlesieutre|6 years ago

Not just arbitrary JavaScript, arbitrary JavaScript where they can’t easily even see where it came from! Sheesh.

Could we require advertisers to sign their ad code to have a trail of where it came from, prevent tampering, and make it easier to pull the plug on bad actors?

The people bearing the costs of the internet ad economy aren’t the people in any position to do anything about it. So there’s very little pressure to fix anything.

Maybe if the US government started threatening to enact something like GDPR unless the a democratic industry gets its shit together.

_eht|6 years ago

Why are you allowing arbitrary JavaScript to run on your device?

zhangjunphy|6 years ago

Revenues are important. The users will not notice unless something happens. And when something happens they forget fast.

runn1ng|6 years ago

More money that way

gotodengo|6 years ago

From the post:

"The ad is attempting to use the Audio API as one of literally hundreds of pieces of data it is collecting about your browser in an attempt to "fingerprint" it... Your browser may be blocking this particular API, but it's not blocking most of the data."

Seems like killing the audio is the metaphorical putting a finger in the dyke of serving arbitrary JavaScript to your users.

Benjammer|6 years ago

Maybe in the dyke holding back user outrage, but the dyke of serving arbitrary JavaScript was never built in the first place.

Coding_Cat|6 years ago

> we are aware of the issue.

> We're trying to sort out how to kill the audio behavior now.

Are you really aware of the issue? The issue people have here is not the fact that the ad is trying to access the audio api per se but that it is trying to fingerprint the users.

wtmt|6 years ago

If you're "NOT okay with it", how about stopping ads completely until you resolve this problem? That should give a bigger impetus to solve it ASAP as the bottom line gets hit for multiple stakeholders.

This is not just ads, but about fingerprinting and tracking users somehow or the other by third parties. It's plain evil, and not a decent thing to continue foisting on your unsuspecting users after you've known it. Tell management to take an ethical stance and preserve the reputation of SO.

stevenjohns|6 years ago

Probably not his call. By "we" he's probably talking about the engineering team, which in many cases is nothing more than a conduit for whims of the marketing and sales teams.

The only time they'd do that is if the marketing team decided that the value-add from taking ads off cancelled out the profit loss from taking the ads off.

MzHN|6 years ago

So, we have:

- Stack Overflow makes a blog post about not using dynamic ads.

- Dynamic ads found on Stack Overflow, with aggressive fingerprinting.

- Architecture Lead doesn't know how this happened and is getting serious.

I have so many questions. I hope this gets a post-mortem.

amluto|6 years ago

The fundamental problem seems to be that you are including non-sandboxed JavaScript that you don’t control.

Perhaps you should stop doing that.

geocar|6 years ago

Hi Nick,

If you're serious about this, I've built tools for the publisher side for stopping exactly this.

My email address is in my profile.

Nick-Craver|6 years ago

I’m very interested and very serious. Email sent.

JeremyBanks|6 years ago

I just saw this post, where a potential justification was provided for a similar script in the past: https://meta.stackoverflow.com/questions/335956/adzerk-servi...

It's hard to read the obfuscated code and be sure what's being done with the browser environment information. This script seems to generate some hash and put in some global variables, presumably for some other script to consume. I don't know whether such scripts send it to a server, compare it locally to a previously-known value, or ignore it.

jf|6 years ago

I would pay for an ad-free version of Stack Overflow. Take my money, please.

minitoar|6 years ago

I think the data in aggregate is worth more than people like you would pay for an ad-free service.

detaro|6 years ago

Not sure how that plays with rules about how you can place ads etc, but <iframe> with a feature policy can stop access to audio I think.

IloveHN84|6 years ago

Why don't you block all the JavaScript not coming from your origin and just display a simple link+PNG as advertising?
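The two suggestions above (an `<iframe>` with a feature policy, and a plain link plus image with no third-party script) combined in one publisher-side helper. This is an added example, not part of the thread and not Stack Overflow's code; `renderStaticAd`, `requireHttps` and the URLs passed to it are hypothetical. The `sandbox` attribute omits `allow-scripts`, so nothing inside the frame can execute, and the `allow` attribute additionally denies the listed features.

```javascript
// Added example: hypothetical publisher-side helper for a script-free ad slot.
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => (
  { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

// Accept only absolute https URLs; rejects javascript:, data:, http: and relative values.
function requireHttps(value, field) {
  let url;
  try { url = new URL(value); } catch { throw new Error(`${field}: not an absolute URL`); }
  if (url.protocol !== 'https:') throw new Error(`${field}: only https is allowed`);
  return url.href;
}

function renderStaticAd({ clickUrl, imageUrl, altText, width, height }) {
  const click = requireHttps(clickUrl, 'clickUrl');
  const image = requireHttps(imageUrl, 'imageUrl');
  const w = Number.parseInt(width, 10);
  const h = Number.parseInt(height, 10);
  if (!(w > 0 && h > 0)) throw new Error('width/height must be positive integers');

  // Inner document: one link wrapping one image. The CSP denies every
  // resource type except https images, so no script can be loaded.
  const inner =
    '<!doctype html>' +
    `<meta http-equiv="Content-Security-Policy" content="default-src 'none'; img-src https:">` +
    `<a href="${escapeHtml(click)}" target="_blank" rel="noopener noreferrer">` +
    `<img src="${escapeHtml(image)}" alt="${escapeHtml(altText)}" width="${w}" height="${h}">` +
    '</a>';

  // sandbox: no allow-scripts and no allow-same-origin; popups are allowed
  // only so that a click can open the advertiser's page in a new tab.
  // srcdoc is an attribute, so the inner document is escaped a second time.
  return (
    '<iframe sandbox="allow-popups allow-popups-to-escape-sandbox" ' +
    `allow="autoplay 'none'; microphone 'none'; camera 'none'; geolocation 'none'" ` +
    `width="${w}" height="${h}" ` +
    `srcdoc="${escapeHtml(inner)}"></iframe>`
  );
}
```

The advertiser supplies only two URLs, alt text and dimensions; the markup itself is generated by the publisher, so the creative cannot carry code of its own.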

colek42|6 years ago

This is exactly why I block third party advertisements for myself and everyone that uses my network.

Pimpus|6 years ago

[deleted]

komali2|6 years ago

Hey don't drag satanism into this, Lucifer doesn't serve His followers arbitrary JavaScript!

ragerino|6 years ago

I hear from multiple sides people reporting that they receive ads about topics they only talked to friends about but never entered in a search engine.

Google is currently as far away from their previous world famous "don't be evil" corporate culture.

Other examples are AMP where Google wants to make it harder to de-individualise URLs. This is being driven to an extent where Chrome on Android makes it harder to edit the URL.

Or games like Egress or PokemonGo, which in my opinion help Google constantly update their WiFi SSIDs-To-GPS-location database. This database is then furthermore being used to track users' location through a little permission called "WiFi Control", which also can not be found in the regular App Permissions settings entry.

To me WiFi-Control sounds nothing like location tracking. But I have to admit, I am not a native speaker. Therefore I might be misunderstanding something.

tjpnz|6 years ago

"Don't be evil" was replaced by "Do the right thing" years ago. Great piece of corporate speak right there.