Today I filed a formal complaint against #YouTube with the Irish Data Protection Commissioner for their illegal deployment of #adblock detection technologies.
Under Article 5(3) of 2002/58/EC YouTube are legally obligated to obtain consent before storing or accessing information already stored on an end user's terminal equipment unless it is strictly necessary for the provisions of the requested service.
In 2016 the EU Commission confirmed in writing that adblock detection requires consent.
It about device detection and privacy. Websites in the EU aren’t allowed to scan your hardware or software without your permission, to protect the users privacy. Adblockers fall under this.
If thats how it works, they could very easily just check if the ad ever got loaded and refuse to serve you content until it does. Going after the way they prevent people from abusing their services doesn’t stop them from preventing them - it just gives them a new hurdle and that’s not a very big one.
Well many adblockers can be clever enough to load the asset, but then just drop it. As in yeah the ad image got downloaded to browser, but then the page content got edited to drop the display of the add or turn it to not shown asset in css.
This is age old battle. Site owners go you must do X or no media. However then ad blocker just goes “sure we do that, but then we just ghost the ad to the user”.
Some script needs to be loaded, that would display the ad? All the parts of the script get executed and… then CSS intervention just ghosts the ad that should be playing and so on.
Since the browser and extension are in ultimate control. As said the actual add video might be technically “playing” in the background going through motions, but it’s a no show, no audio player… ergo in practice the ad was blocked, while technically completely executed.
Hence why they want to scan for the software, since only way they can be sure ad will be shown is by verifying a known adhering to showing the ad software stack.
Well EU says that is not allowed, because privacy. Ergo the adblocker prevention is playing a losing battle. Whatever they do on the “make sure ad is shown” side, adblocker maker will just implement counter move.
From my understanding, they embed the ad in the video stream itself so that it’s indistinguishable from the actual content. I imagine Google could serve ads from the same servers that serve videos and integrate them in a way that would be hard to detect, just like Twitch.
I guess the one difference is that I don’t think twitch ads are skippable while youtube’s ads are. I assume embedding the ad into the video would prohibit that. Hopefully youtube doesn’t do that because while the current ad situation is annoying, having only unskippable ads would be pretty unbearable.
So then Google just refuses to play the video until the appropriate time expires. Or they embed it in the video feed itself. There are more ways around this than you’re making there out to be.
Your car comment makes me think of Googles new DRM protocol, and then about Ken Thompsons compiler hack, combined with most DRM get hacked eventually.
This gives me hope that even if Googles DRM becomes standard, it will be hacked and YouTube thinks it’s showing ads on a unmodified signed page, but I am not seeing any ads.
As I understand it, detecting an adblocker is a form of fingerprinting. Fingerprinting like this is a privacy violation unless there is first a consent process.
The outcome of this will be that consent for the detecting will be added to the TOS or as a modal and failing to consent will give up access to the service. It won’t change Youtube’s behavior, I don’t think. But it could result in users being able to opt out of the anti-adblock… just that it also might be opting out of all of YouTube when they do it.
I’m all for this protection but for the sake of argument isn’t use of the service consent to begin with? Or is that the American argument around these types of regulation?
I’m a pihole, vpn, adblock and invidious user ftr… 😂
That’s how the corporate-written laws in the USA handle it most likely. The EU actually has some amount of consumer protection. Burying it in a 100 page terms of service document doesn’t count as consent either.
So is this basically saying youtube isn’t allowed to detect an adblocker?
I’m not sure I really follow why that specifically is something they’re policing.
It about device detection and privacy. Websites in the EU aren’t allowed to scan your hardware or software without your permission, to protect the users privacy. Adblockers fall under this.
If thats how it works, they could very easily just check if the ad ever got loaded and refuse to serve you content until it does. Going after the way they prevent people from abusing their services doesn’t stop them from preventing them - it just gives them a new hurdle and that’s not a very big one.
Well many adblockers can be clever enough to load the asset, but then just drop it. As in yeah the ad image got downloaded to browser, but then the page content got edited to drop the display of the add or turn it to not shown asset in css.
This is age old battle. Site owners go you must do X or no media. However then ad blocker just goes “sure we do that, but then we just ghost the ad to the user”.
Some script needs to be loaded, that would display the ad? All the parts of the script get executed and… then CSS intervention just ghosts the ad that should be playing and so on.
Since the browser and extension are in ultimate control. As said the actual add video might be technically “playing” in the background going through motions, but it’s a no show, no audio player… ergo in practice the ad was blocked, while technically completely executed.
Hence why they want to scan for the software, since only way they can be sure ad will be shown is by verifying a known adhering to showing the ad software stack.
Well EU says that is not allowed, because privacy. Ergo the adblocker prevention is playing a losing battle. Whatever they do on the “make sure ad is shown” side, adblocker maker will just implement counter move.
Twitch seems to have figured out adblock blocking. Any idea what they’re doing that’s different?
From my understanding, they embed the ad in the video stream itself so that it’s indistinguishable from the actual content. I imagine Google could serve ads from the same servers that serve videos and integrate them in a way that would be hard to detect, just like Twitch.
I guess the one difference is that I don’t think twitch ads are skippable while youtube’s ads are. I assume embedding the ad into the video would prohibit that. Hopefully youtube doesn’t do that because while the current ad situation is annoying, having only unskippable ads would be pretty unbearable.
There are ways to get Twitch adblock as well. I use PurpleTV
So then Google just refuses to play the video until the appropriate time expires. Or they embed it in the video feed itself. There are more ways around this than you’re making there out to be.
Your car comment makes me think of Googles new DRM protocol, and then about Ken Thompsons compiler hack, combined with most DRM get hacked eventually.
This gives me hope that even if Googles DRM becomes standard, it will be hacked and YouTube thinks it’s showing ads on a unmodified signed page, but I am not seeing any ads.
It can load into my pihole and they can shove it up a different hole.
Good, make them jump through that hoop and respect user privacy.
It’s not even a hoop. It’s a slight side step. And they wouldn’t be breaking anymore of your privacy. They’d still know you’re not loading ads.
But they wouldn’t know how, or with what software. That is indeed protecting one’s privacy.
As I understand it, detecting an adblocker is a form of fingerprinting. Fingerprinting like this is a privacy violation unless there is first a consent process.
The outcome of this will be that consent for the detecting will be added to the TOS or as a modal and failing to consent will give up access to the service. It won’t change Youtube’s behavior, I don’t think. But it could result in users being able to opt out of the anti-adblock… just that it also might be opting out of all of YouTube when they do it.
I’m all for this protection but for the sake of argument isn’t use of the service consent to begin with? Or is that the American argument around these types of regulation?
I’m a pihole, vpn, adblock and invidious user ftr… 😂
That’s how the corporate-written laws in the USA handle it most likely. The EU actually has some amount of consumer protection. Burying it in a 100 page terms of service document doesn’t count as consent either.
It depends on the context, but generally you require explicit permission for data-related stuff which means something like a checkbox or a signature.