Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Next step (please): block all 1x1 sized images.

The transparent pixel tracking trick is common enough now that it should be blocked by default in all 'Private' modes.



>Next step (please): block all 1x1 sized images.

If you're not aware, the HTTP protocol specification[1] doesn't have a technical way of knowing ahead of time if it's a 1x1 tracking pixel.

So the remaining realistic options are:

(1) block ALL <img> tags downloads which then blocks any 1x1 tracking pixels

(2) allow <img> tags but block some (and maybe most but not all) 1x1 pixels via a blacklist of url domains (e.g. doubleclick.net) ... and/or heuristics based on the "style" attribute

The (1) already happens in many email clients that render HTML.

The (2) is happening with the ongoing cat & mouse game with AdBlock, EasyList, etc

[1] https://www.google.com/search?q=http+protocol+request+get+sy...


Or Firefox could crowdsource the building of a bloom filter of the URLs for images that are 1x1. Or you could learn 1x1 tracking locally since the set of pages you visit will probably be similar if you just want some more general protection.

The bigger problem is that anything like this and the providers go up in size 1px at a time until it’s harder to distinguish from real content (at first transparent, then positioned off-screen, then overlays hiding it, then visible in a part of the page that doesn’t get as many views, dual-purposed with images/ads already on-screen, etc).

A better way is if Firefox just bundled an ad blocker and pushed ad blocking technology forward (eg more hooks to do expensive processing natively to save on power like Safari does). The challenge though is that something like 100% of their funding comes from an ad company.


Bloom filter wouldn't work. The bloom filter will tell you that a particular URL is "possibly" in the list. What do you do then? Reject it because it might be a tracking image?

[edit] Also, this ignores being able to:

  <iframe src="any-old-tracking-url"></iframe>
  <script src="any-old-tracking-url">
  <link rel="stylesheet" type="text/css" href="any-old-tracking-url">
  <img src="100px-width-tracking-image">
etc


Google pays mozilla in order to avoid a monopoly lawsuit. Just because it is good for mozilla, it doesn’t put any sort of incentive for them to follow.


What we probably need is a client-side neural net within the browser to notice that certain high information-content IMG URLs (i.e. those with random-looking garbage in the URL) from certain domains tend to result in very low information-content imagery. And that's the signature of a likely tracker.


How about this:

- The browser does not load any images by default. <img> tags are replaced by gray rectangles

- User must click on the placeholder rectangle to load the image

- User can add image URLs to a whitelist so they load by default


I can't tell if you're being serious. Is "no images without clicks" something you think most people who use the web would prefer?


Of course not, it would have to be an opt-in feature. I'm sure some people who are worried about 1x1 tracking might use it though.

In the same way that a lot of people browse the web with noscript


I remember loving that feature in Opera.

Of course, that was during dial-up days, so it was a huge quality of life feature.


You can get most of that with uBlock Origin right now! "Block large media elements" and set the limit ridiculously low. You now have to click to view images. Control this via settings and filter lists.


Enable resources from the origin domain by default, and any Reasonable(tm) web page should have no problem with this.


Ublock Origin does this.


uBlock does not know the size until the file is requested. At that point it is too late, you have accessed the tracking file. That feature in uBlock is meant for people trying to save bandwidth/CPU. uBlock is great though, I would never browse the web without it.


What does file size have to do with anything?

Edit: I forgot the grandparent mentioned them. Ublock Origin implements the parent's proposal,so I mentioned it.

Focussing on file size is a mistake because you can just make the tracking image display something decorative or whatever. I was referring to a solution for not loading third party resources without manual approval, which would need to be more general than just blocking single pixels to be robust (although hueristics might be good enough for some cases)


(1) happens in relatively few email clients. Every major client loads images by default except Thunderbird and it is not common.


I always wondered why mail providers don't load all images automatically the moment the mail is received and present a cached image to the users. Wouldn't that make tracking useless?


...and Outlook


Nope, Outlook definitely loads images unless you or your administrator changed the setting.


>Outlook definitely loads images unless you or your administrator changed the setting.

I just installed a fresh copy of Office 2019 in a vm and Outlook's default setting doesn't load images. This block-downloading-images-default behavior matches what I read here: https://support.microsoft.com/en-us/office/block-or-unblock-...


Hm, I stand corrected


This is simply not true. Out of the box Outlook install does not display images for senders not marked safe, nor does Outlook Web App.


And except gmail's web interface, which is one of the biggest email clients these days.


Gmail made changes years ago to proxy images to prevent leaking info like this.

https://gmail.googleblog.com/2013/12/images-now-showing.html


This helps in that you don't connect directly to the image so it doesn't leak your IP and other info that would be available from the connection.

Marketing emails still send unique URLs for each recipient so they can associate your email address with opening any images and links. Google's proxy doesn't remedy this.


Won't the image proxy make it look like all emails to Gmail addresses are always opened, essentially making the tracking useless?


As far as I know, Gmail doesn't load the images until the first time the user opens the message, so it unfortunately doesn't make the tracking as useless as you could hope.


Gmail's web interface does load images by default.


It does not load them from 3rd parties. It cached them and loads them from Google's servers. Open your network tab and see

https://arstechnica.com/information-technology/2013/12/gmail...


This protects your IP address and user agent string from being read by the sender, but otherwise doesn't change anything


Technically it loads all images through a Google proxy[0] which in theory prevents third parties from using images for tracking. The third parties only get a 'hit' when Google pulls the image into their cache, which is not when you open the mail.

Google can still track you, but if you really care about that then you're probably not using Gmail anyway.

[0]: https://gmail.googleblog.com/2013/12/images-now-showing.html


Gmail won't load remote images when you open the mail. It will load images from Google servers that have been cached.


it doesn't pre-cache them, Google requests them in real-time when you view them


Fairmail on Android blocks trackers.


Apple Mail on iOS doesn’t.


I don't think it does. Perhaps you changed the default. Or if you're on a managed device, perhaps your administrator did.


https://blog.mozilla.org/security/2021/01/26/supercookie-pro... partitions the image cache by the site being visited.


Yes the origin of tiny images is more important (and is dealt with now)


... and tracking pixels would become 1x2, meanwhile actual 1x1 images used for formatting would stop working


> 1x1 images for formatting

Huh? People still do this? Designers, I swear.


That is how indentation is implemented on HN!


Wow, you're not kidding!

https://i.imgur.com/5dg068V.png


Awesome


> actual 1x1 images used for formatting would stop working

I see that as a feature


Is that something used on web sites? I've only heard of that in emails. What purpose would that server to a site you're already visiting?


Look into Facebook pixel. Your browser is hitting this almost everywhere.

https://blog.hootsuite.com/facebook-pixel/


And it's the only realistically working pixel. Others aren't as pervasive.


Concrete-ish but still simple simple version: If you visit example.com, close the tab, and then load a page with an ad on it, both parties would love to show you an ad for whatever example.com is selling. If example.com has a tracking pixel for the ad domain, then this is trivial to make happen.


OK, I understand privacy concerns with actually private information like name/address/email/etc. But a tracking pixel for ads? Why is this a concern? Since when?

Would it be so bad if people actually worked their brains a bit and got smarter with online advertising (and lots of other stuff)?

This looks suspiciously like the situation with obesity. Instead of eating less to lose weight, and eating fresh to stay healthy, people just blame "the corporations" for all their troubles.

Seems to me like it's counterproductive. Just put up safety nets for people because they can't control themselves. What do you end up with? A bunch of impulsive idiots and a few organizations with way too much control over them.

This is reality as I see it. You can be offended if you want, but I'd suggest you learn not to be offended by some words on a screen. That of course requires responsibility, which is free but I can sell it to you for $99/month if you want.


No one is suggesting advertisers tracking you is bad because people "can't control themselves." People don't like being tracked because, over time, private information can be inferred from your viewing history. Things like your age, gender, relationship status, income, ethnicity, education, hobbies, health concerns, diet, voting preferences, family names, etc. can all be known about you with high certainty simply by having trackers on the sites you visit. Ironically, this is exactly the kind of data you understand being concerned about before making several bad faith assumptions about why people don't want to be tracked.


The images are on other domains used by advertiser or adtech company tracking, not for the website actually showing the ads.


It’s just another way to do third party tracking, and could be loaded from a third party site.


Not sure if it is the default setting on Firefox, but they show up as something like 'tracking image' for me.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: