I find myself doing this a lot, and I’m sure even more slips without my notice.

Would you like me to suggest some AI summarizer tools you could use to more efficiently read AI generated content in the meantime?

What's next? "There's punctuation in the sentence, must be AI" ?

It's no different from when you visit an Islamist or anti-Zionist website that has analytics/trackers/ads on it.

It's bad, but this "massive violation of trust" is happening everywhere and has been for decades. There's nothing that's unique to Microsoft here.

What's tiring is a comment like this. If you don't like the article don't read it -- and don't comment.

This is not. To violate trust, there should have been some.

Here is what the article says:

Method 1

    async function c() {
      const e = [],
        t = r.map(({id: t, file: n}) => {
          return fetch(`chrome-extension://${t}/${n}`)
        });
      (await Promise.allSettled(t)).forEach((t, n) => {
        if ("fulfilled" === t.status && void 0 !== t.value) {
          const t = r[n];
          t && e.push(t.id);
        }
      });
      return e;
    }

    async function(e) {
      const t = [];
      for (const {id: n, file: i} of r) {
        try {
          await fetch(`chrome-extension://${n}/${i}`) && t.push(n);
        } catch(e) {}
        e > 0 && await new Promise(t => setTimeout(t, e));
      }
      return t;
    }

    chrome-extension://${store_id}/${file_name}

It looks like the user has the freedom to manage this by launching chrome with this flag: --disable-extensions

It also seems there is an extension for extension management to deny extension availability by web site: https://superuser.com/questions/1546186/enable-disable-chrom...

Those profiling tools don't really care which features are going to be used for predictions. It's just machine learning, and it's indiscriminate. So if you have an extension that correlates with you being Muslim, it will be used for whatever ML predictions they give to other companies, and the worst case will be another "oh we didn't do this intentionally".

Of course, that's not the first time this ever happened in human history, so even if it's not "something inherently sinister", it's just "criminal negligence".

You may be interested in Qubes OS. My daily driver. Can't recommend it enough.

What matters is the content!

If you mean the _browser_, then I agree in principle, but - it is a browser offered to you by Alphabet. And they are known to mass surveillance and use of personal information for all sorts of purposes, including passing copies to the US intelligence agencies.

But of course, this is what's promoted and suggested to people and installed by default on their phones, so even if it's Google/Alphabet, they should be pressured/coerced into respecting your privacy.

extensions choose on which site they're active and if they provide any available assets (e.g. some extensions modify CSS of the website by injecting their CSS, so that asset is public and then any website where the extension is active can call fetch("chrome-extension://<extension_id>/whatever/file/needed.css" if it knows the extension ID (fixed for each extension) and the file path to such asset... if the fetch result is 404, it can assume the extension is not installed, if the result is 200 it can assume the extension is installed.

This is what LinkedIn is doing... they have their own database of extension IDs and a known working file path, and they are just calling these fetches... they have been doing it for years, I've noticed it a few years back when I was developing a chrome extension which also worked with LinkedIn, but back then it was less than 100 extensions scanned, so I just assumed they want to detect specific extensions which break their site or their terms of use... now it's apparently 6000+ extensions...

When you're literally the company that invented Kafka for your clickstreams, "everything looks like a nail."

(More likely, though, this is an anti-scraping initiative, since headless browsers are unlikely to randomize their use of extensions, and they can use this to identify potential scrapers.)

No. Don't need extensions for that. See how Cloudflare Turnstile does it, recently popped up at https://news.ycombinator.com/item?id=47566865 cause ChatGPT uses it now:

Layer 1: Browser Fingerprint WebGL (8 properties): UNMASKED_VENDOR_WEBGL, UNMASKED_RENDERER_WEBGL, WEBGL_debug_renderer_info, getExtension, getParameter, getContext, canvas, webgl

Screen (8): colorDepth, pixelDepth, width, height, availWidth, availHeight, availLeft, availTop

Hardware (5): hardwareConcurrency, deviceMemory, maxTouchPoints, platform, vendor

Font measurement (4): fontFamily, fontSize, getBoundingClientRect, innerText. Creates a hidden div, sets a font, measures rendered text dimensions, removes the element.

DOM probing (8): createElement, appendChild, removeChild, div, style, position, visibility, ariaHidden

Storage (5): storage, quota, estimate, setItem, usage. Also writes the fingerprint to localStorage under key 6f376b6560133c2c for persistence across page loads.

Scanning for 6000 extensions is anti-competitive, surveillant and immoral.

They also logically don’t need to fingerprint these users because those people are literally logging in to an account with their credentials.

By all appearances they’re just trying to detect people who are using spam automation and scraping extensions, which honestly I’m not too upset about.

If you never install a LinkedIn scraper or post generator extension you wouldn’t hit any of the extensions in the list they check for, last time I looked.

Expecting and accepting this kind of thing is why everyone feels the need to run an ad-blocker.

An ad-blocker also isn’t full protection. It’s a cat and mouse game. Novel ideas on how to extract information about you, and influence behavior, will never be handled by ad-blockers until it becomes known. And even then, it’s a question of if it’s worth the dev time for the maker of the ad-blocker you happen to be using and if that filter list gets enabled… and how much of the web enabling it breaks.

If I had to guess: I sought that automatic content blurrer, neurodivergent website simplifier, or anti-Zionist tagger actually work. They’re all just piggybacking on trending topics to get users to install them and then forget about them, then they exfiltrate the data when you visit LinkedIn.

I run a site which attracts a lot of unsavoury people who need to be banned from our services, and tracking them to reban them when they come back is a big part of what makes our product better than others in the industry. I do not care at all about actually tracking good users, and I am not reselling this data, or anything malicious, it's entire purpose is literally to make the website more enjoyable for the good users.

It's pretty wild that we live in a world where the actual FBI has recommended we use ad blockers to protect ourselves, and if everyone actually listened, much of the Internet (and economy) as we know it would disappear. The FBI is like "you should protect yourself from the way that the third largest company in the world does business", and the average person's response is "nah, that would take at least a couple of minutes of my time, I'll just go ahead and continue to suffer with invasive ads and make sure $GOOG keeps going up".

Calling the title misleading because they didn't breach the browser sandbox is wrong when this is clearly a scenario most people didn't think was possible. Chrome added extensionId randomization with the change to V3, so it's clearly not an intended scenario.

> vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”)

They chose to put that particular extension in their target list, how is it not sinister? If the list had only extensions to affect LinkedIn page directly (a good chunk seem to be LinkedIn productivity tools) they would have some plausible deniability, but that's not the case. You're just "nothing ever happens"ing this.

The code filters out non-chrome browsers: >The extension scan runs only in Chrome-based browsers. The isUserAgentChrome() function checks for “Chrome” in the user agent string. The isBrowser() function excludes server-side rendering environments. If either check fails, the scan does not execute.

I'm happy to see that this doesn't hit firefox. I wonder if safari is impacted.

Second not having a ton of extensions. Extensions can do fishy things.

This is Chrome’s broken model. Before installing an extension, one should be able to see all the domains an extension talks to.

The domains should be listed in manifest. But that’s not how it works.

In Android, every app you open needs a gazillion default permissions.

well done

I'm not convinced by their page explaining "Why it's illegal and potentially criminal" [0]. It's written by security researchers and non-attorneys.

For example, this characterization seems overly broad:

> The Court of Justice of the European Union has ruled, in three separate cases, that data which allows someone to infer or deduce protected characteristics is covered by this prohibition, regardless of whether the company intended to collect sensitive data.

[0] https://browsergate.eu/why-its-illegal/

Considering the goal is to identify people, this is undeniably PII. As the article demonstrates, it also pertains sensitive information.

⇒ which Chrome allows sites to do.

> 'the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter;'

The problem, of course, is that by clicking on a LinkedIn link, you agree to a non-negotiated contract that can change at any time, and that you have never seen. If that weren't allowed, then this sort of crap would correctly be considered "unauthorized access":

https://www.law.cornell.edu/uscode/text/18/1030

https://www.eeoc.gov/prohibited-employment-policiespractices

LinkedIn's scanning for browser extensions used by protected groups allows them to provide illegal services to US-based recruiters. I have no idea if they actually do it or not, and am not a lawyer, but common sense suggests there's enough here for a class action suit to move into discovery.

The point was more that the headline frames this as some major revelation about LinkedIn, while the reality is that we’re getting probed and profiled by far more sites than most people realize.

The language is natural. Normal. Human. Who could question its authenticity?

The original example isn't the worst offender, but even small offenders stick out when you can't escape seeing this kind of thing everywhere.

There are people who actually enjoy using LinkedIn?

Indeed, so I gather all of you have canceled your LI account over this?

I never made one in the first place because it was pretty clear to me that this company - even before the acquisition - had nothing good in mind.

I get it... I'm not a good writer. It just sucks that now people are going to assume the stuff I said isn't even me.

I guess I always scored pretty low on the Turing test and never even knew it.

It's also heavily scraped by businesses for lead generation for sales and recruiting. Either before their API became available or to not pay them or to get around the restrictions of their API.

For the broader issue of not wanting to give even the information you'd need to choose to share to LinkedIn? Network the good ol' fashioned way: talking to random strangers in San Francisco bars.

I am a little surprised something like CORS doesn't apply to it, though.

It's not clear though, either they only tested against chrome-based browsers or Firefox isn't enabling them to do so.

edit: I answered before I go fully through the article but it does say it's only Chrome based.

> The extension scan runs only in Chrome-based browsers. The isUserAgentChrome() function checks for “Chrome” in the user agent string. The isBrowser() function excludes server-side rendering environments. If either check fails, the scan does not execute.

> This means every user visiting LinkedIn with Chrome, Edge, Brave, Opera, Arc, or any other Chromium-based browser is subject to the scan.

* Anti-Zionist Tag (directly inferring political opinion)

* PordaAI (Islamic content filter)

* simplify (browsergate.eu specifically called out as a neurodivergent accessibility tool. Job search autofill that markets itself as particularly useful for people who struggle with forms)

* No more Musk ("Hides digital noise related to Elon Musk")

* Political Circus ("Politician -> Clown AI Filter")

* Job application trackers and utils ("Job Follow-Up Tracker" etc)

* Various "Distraction Blocker" type addons

LinkedIn scanning for tools that scrape LinkedIn:

* LinkedIn Cookie Sync for Headhunting Agent

* LinkedIn Cookie importer for Derrick (lol "for Derrick")

* MailMatics Cookie Grabber

* LinkedIn Fake Job Post Detector. Yes, they're detecting an addon that exposes fake job postings on their own platform.

*NOT* in the list, if you were wondering:

* Shinigami Eyes

* Dark Reader

* Adblockers

* Password managers

* FoxyProxy

* User-Agent spoofers, request modification tools, etc

* Most privacy/security tools (no uBO, no Privacy Badger, no FoxyProxy, no NoScript, etc.

For the latter category, the most interesting things there we found *were* searched-for are BuiltWith Technology Profiler, and some browser addons bundled from scanners (e.g. "Malwarebytes Browser Guard Beta").

My point isn’t that this is acceptable or that we shouldn’t push back against it. We should.

My point is that this doesn’t sound particularly surprising or unique to LinkedIn, and that the framing of the article seems a bit misleading as a result.

The list of extensions they scan for has been extracted from the code. It was all extensions related to spamming and scraping LinkedIn last time this was posted: Extensions to scrape your LinkedIn session and extract contact info for lead lists, extensions to generate AI message spam.

That seems like fair game for their business.

They're scanning your extensions to make sure you aren't using third party tools to scrape LinkedIn.

It's stupid, but they're trying to stop people from making money on LinkedIn when they feel like they're the only ones that should be able to do that.

I get why Chrome doesn't, and that's why you should not use it. But Netscape? Edge? What is stopping them?

Browsing the web without an ad blocker is a miserable experience. Users who have never tried or don't know how to set one up would be delighted.

The real reason is that the average person neither suffers with ads nor finds ads invasive, despite what a vocal online minority would have you believe. We just ignore them and get on with life. ::shrug::

As a data point I, a technical person who tweaks his computer a lot, was against adblocking for moral reasons (as a part of perceived social contract, where internet is free because of ads). Only later I changed mi mind on this because I became more privacy aware.

The same way taking a photo of a house from the street is not the same as investigating the contents of your pantry.

>Every time any of LinkedIn’s one billion users visits linkedin.com, hidden code searches their computer for installed software, collects the results, and transmits them to LinkedIn’s servers and to third-party companies including an American-Israeli cybersecurity firm.

When I read that, I think they have escaped the browser and checking which applications I have installed on my computer. Not which plugins the browser has in it. Just my 2cents.

Would it really? It seems to me that most normal users spend most of their time and attention on apps, not in browsers.

While "scanning your browser" would be more accurate and would exclude the interpretation that it scans your files.

The reason the latter is not used is that, even though more precise and more communicative, it would get less clicks.

Your browser is a subset of your computer and lives inside a sandbox. Breaching that sandbox is certainly a much more interesting topic than breaking GDPR by browser fingerprinting.

A lot of Zionists claim -- incorrectly -- that all Jews as Zionists. But certainly the major groups of Zionists are Christian zionists and Jewish Zionists. I would say there is a very very high chance that if you use the Anti-zionist Tag Chrome extension, that you are Jewish.

So it seems quite likely that Linkedin is actually tracking Jews with this.

By this logic we could also say that LinkedIn scans your home network.

I think most people would interpret “scanning your computer” as breaking out of the confines the browser and gathering information from the computer itself. If this was happening, the magnitude of the scandal would be hard to overstate.

But this is not happening. What actually is happening is still a problem. But the hyperbole undermines what they’re trying to communicate and this is why I objected to the title.

> They chose to put that particular extension in their target list, how is it not sinister?

Alongside thousands of other extensions. If they were scanning for a dozen things and this was one of them, I’d tend to agree with you. But this sounds more like they enumerated known extension IDs for a large number of extensions because getting all installed extensions isn’t possible.

If we step back for a moment and ask the question: “I’ve been tasked with building a unique fingerprint capability to combat (bots/scrapers/known bad actors, etc), how would I leverage installed extensions as part of that fingerprint?”

What the article describes sounds like what many devs would land on given the browser APIs available.

To reiterate, at no point am I saying this is good or acceptable. I think there’s a massive privacy problem in the tech industry that needs to be addressed.

But the authors have chosen to frame this in language that is hyperbolic and alarmist, and in doing so I thing they’re making people focus on the wrong things and actually obscuring the severity of the problem, which is certainly not limited to LinkedIn.

Is that enough blocking, I wonder?

Uh what.

This is fair from Linkedin IMO as I've seen loads of different extensions actually scraping the linkedin session tokens or content on linkedin.

>Political opinions

>LinkedIn scans for Anti-woke (“The anti-wokeness extension. Shows warnings about woke companies”), Anti-Zionist Tag (“Adds a tag to the LinkedIn profiles of Anti-Zionists”), Vote With Your Money (“showing political contributions from executives and employees”), No more Musk (“Hides digital noise related to Elon Musk,” 19 users), Political Circus (“Politician to Clown AI Filter,” 7 users), LinkedIn Political Content Blocker, and NoPolitiLinked.

>Each of these extensions reveals a political position. If LinkedIn detects any of them, it has collected data revealing that person’s political opinions. Article 9 prohibits this.

If you're on Android, Firefox supports many full desktop extensions, including uBlock Origin.

Which is weird, because that is undeniably the hard way. Lobby Google to add protections to Chromium.

It’s common for malware extensions to disguise themselves as something simple and useful to try to trick a large audience into installing them.

That’s why the list includes things like an “Islamic content filter” and “anti-Zionist tagger” as well as “neurodivergent” tools. They look for trending topics and repackage the scraper with a new name. Most people only install extensions but never remove them if they don’t work.

Your point of "I think we’d find that many websites we use are doing this" doesn't make LinkedIn's behavior ok!

By your logic, if our privacy rights are invaded which is illegal in most jurisdiction, and then it become ok because many companies do illegal things??

If it has the ability to scan your bookmarks, or visited site history, that would lend more credence to using the term "computer".

The title ought to have said "linkedIn illegally scans your browser", and that would make clear what is being done without being sensationalist.

Ads are a symptom of the problem that people want human generated content for free; they either do not value the content enough to pay for it, or cannot afford it. Ads do not solve for those problems.

To take a step back further: what you're saying here is that gathering more data makes it less sinister. The gathering not being targeted is not an excuse for gathering the data in the first place.

It's likely that the 'naive developer tasked with fingerprinting' scenario is close to the reality of how this happened. But that doesn't change the fact that sensitive data -- associated with real identities -- is now in the hands of MS and a slew of other companies, likely illegally.

> But the authors have chosen to frame this in language that is hyperbolic and alarmist, and in doing so I thing they’re making people focus on the wrong things and actually obscuring the severity of the problem, which is certainly not limited to LinkedIn.

The article is not hyperbolizing by exploring the ramifications of this; and it's true that this sort of tracking is going on everywhere, but neither is it alarmist to draw attention to a particularly egregious case. What wrong things does it focus on?

That is exactly how I interpreted it, and that is why I clicked the link. When I skimmed the article and realized that wasn't the case, I immediately thought "Ugh, clickbait" and came to the HN comments section.

> To reiterate, at no point am I saying this is good or acceptable. I think there’s a massive privacy problem in the tech industry that needs to be addressed.

100% Agree.

So, in summary: what they are doing is awful. Yes, they are collecting a ton of data about you. But, when you post with a headline that makes me think they are scouring my hard drive for data about me... and I realize that's not the case... your credibility suffers.

Also, I think the article would be better served by pointing out that LinkedIn is BY FAR not the only company doing this...

> To reiterate, at no point am I saying this is good or acceptable. I think there’s a massive privacy problem in the tech industry that needs to be addressed.

These two sentences highlight the underlying problem: Developers without an ethical backbone, or who are powerless to push back on unethical projects. What the article describes should not be "what many devs would land on" naturally. What many devs should land on is "scanning the user's browser in order to try to fingerprint him without consent is wrong and we cannot do it."

To put it more extreme: If a developer's boss said "We need to build software for a drone that will autonomously fly around and kill infants," The developer's natural reaction should not be: "OK, interesting problem. First we'll need a source of map data, and vision algorithm that identifies infants...." Yet, our industry is full of this "OK, interesting technology!" attitude.

Unfortunately, for every developer who is willing to draw the line on ethical grounds, there's another developer waiting in the recruiting pipeline more than willing to throw away "doing the right thing" if it lands him a six figure salary.

Yes, but I also think that most people would interpret "Getting a full list of all the Chrome extensions you have installed" as a meaningful escape/violation of the browser's privacy sandbox. The fact that there's no getAllExtensions API is deliberate. The fact that you can work around this with scanning for extension IDs is not something most people know about, and the Chrome developers patched it when it became common. So I don't think describing it as something everybody would expect is totally fine and normal for browsers to allow is correct.

But at the end of the day, the browser is likely where your most sensitive data is.

Which they would, if they could.

They are scanning users' computers to the maximum extent possible.

If that's all it takes to fool you then its pretty trivial way to hide your true intentions.

No, LinkedIN has much more sensitive data already. Combined with which the voracious fingerprinting, this stands out as a particularly dystopian instance of surveillance capitalism

Checking for extensions is barely anything when you consider the amount of system data a browser exposes in various APIs, and you can identify someone just by checking what's supported by their hardware, their screen res, what quirks the rendering pipeline has, etc. It's borderline trivial and impossible to avoid if you want a working browser, and if you don't the likes of Anubis will block you from every site cause they'll think you're a VM running scraper bot.

function a() { return "undefined" != typeof window && window && "node" !== window.appEnvironment; }

function s() { return window?.navigator?.userAgent?.indexOf("Chrome") > -1; }

if (!a() || !s()) return;

Not according to the website which says:

The scan doesn’t just look for LinkedIn-related tools. It identifies whether you use an Islamic content filter (PordaAI — “Blur Haram objects, real-time AI for Islamic values”), whether you’ve installed an anti-Zionist political tagger (Anti-Zionist Tag), or a tool designed for neurodivergent users (simplify). Under GDPR Article 9, processing data that reveals religious beliefs, political opinions, or health conditions requires explicit consent. LinkedIn obtains none.

It also scans for every major competitor to Microsoft’s own products — Salesforce, HubSpot, Pipedrive — building company-level intelligence on which businesses use which software. Because LinkedIn knows your name, employer, and role, each scan aggregates into a corporate technology profile assembled without anyone’s knowledge.

Ads are a weird game. People say you're ripping off the website if you adblock, but aren't you ripping off the advertiser if you don't buy the product? If I leave YouTube music playing on a muted PC, someone is losing.

I think Android’s ‘permissions’ early on (maybe it’s improved?) and Microsoft’s blanket ‘this program wants to do things’ authorisation pop up have set a standard here that we shouldn’t still be following.

For other capabilities, like BlueTooth API, rather than querying the browser, assume that the browser can do it and then have the browser inform the user that the site is attempting to use an unsupported API.

If websites could charge 5.99/month, they would.

If a website was charging 5.99/month, they would not stop spying on you.

This is highly debateable. I wouldn't mind paying a bit for the websites I am using as there are just a few platforms and some blogs that I would be happy to pay a small amount for.

There is a story of this PlentyOfFish founder (who exited to Match.com for 500m cash) that in the beginning he got 3-4 USD per click

The suffering isn't acute, it's death by a thousand cuts as your mind erodes into a twitchy mess. Look at the comment section of a nice youtube video and see people outraged at getting blasted with an ad at the wrong moment.

Most people don't like ads, but we love the stimulation of the screen more so we suffer them, regardless of the damage done.

You'd say that's a ridiculous and illegal thing to do without you explicit consent, right?

Maybe you personally don't mind and would be happy to offer that consent. But they're doing it without your consent, regardless of whether you want it or not.

You'll have to do better than "Probably."

What is it about the tech bubble that compels people to proactively apologize for and excuse the bad behavior of trillion-dollar companies?

Yes. Resistance puts the possibility of hugs on the stool, so to speak.

I wasn’t contesting that they query extensions that can be used for that purpose, or that they use query results for that purpose, but indicated that the fact that they make such queries doesn’t necessarily imply that they try to do such profiling.

1. Do a request to `chrome-extension://<extension_id>/<file>`. It's unclear to me why this is allowed.

2. Scan the DOM, look for nodes containing "chrome-extension://" within them (for instance because they link to an internal resource)

It's pretty obvious why the second one works, and that "feels alright" - if an extension modifies the DOM, then it's going to leave traces behind that the page might be able to pick up on.

The first one is super problematic to me though, as it means that even extensions that don't interact with the page at all can be detected. It's unclear to me whether an extension can protect itself against it.

Everyone from the suit that made the ultimate calls down to the lowest code monkey who bugfixed such features are responsible for their choice to target the good, common user of the internet. I'm not asking for altruism, I just think people shouldn't choose to do evil, and that those who do anyway should be recognized as such.

I think people think ads give way, way more money than they actually do. If you're visiting a website with mostly static ads then you're generating fractions of a cent in revenue for that website. Even on YouTube, you're generating mere cents of revenue across all your watch time for the month.

Why does YouTube premium cost, like, 19 dollars a month then? I don't know, your guess is as good as mine.

Point is, you wouldn't be paying 5.99. You could probably pay a dollar or two across ALL the websites you visit and you'd actually be giving them more money than you do today.

Its nothing to do with the specific house you live in, and everything to do with the activity being grouped together with all other activity you have done, which they know from fingerprinting and IP addresses.

They dont need to know where you live to have a very accurate personal and psychological profile opn you, and switching browsers is not going to help that in the slightest Im afraid.

We’ve known for a long time that advertisers/“security” vendors use as many detectable characteristics as possible to constrict unique fingerprints. This seems like a major enabler of even more invasive fingerprinting and that seems like the bigger issue here.

Ads won't go away. They'll just move from infesting websites to infesting AI chatbots.

Of course Google is going to back door their browser.

Something Awful is a one time fee of ten bucks (a few bucks more to get rid of ads).

I wouldn’t really mind a one-time fee for a lot of sites if it meant that they didn’t have to do a bunch of advertising bullshit,

Do people really not remember scandals like Cambridge Analytica, and realise that these ads combined with social media feeds can be used to literally control and manipulate peoples decisions and behavoir?

Theres a reason Facebook and Youtube just got sued for being intentionally addictive attention machines.

I'm not trying to be mean I'm just trying to historically parse your sentence/belief.

Because for me this is a simplified analogy of what happened on the internet:

a) we opened a club house called the internet in the early 1990s, just after the time of BBSs

b) a few years later a new guy called commercial business turned up and started using our club house and fucking around with our stuff

c) commercial business started going around our club house rearranging the furniture and putting graffiti everywhere saying the internet is here and free because of it. We're pretty sure it might have even pissed in the hallway rather than use the toilet and the whole place is smelling awful.

d) the rest of us started breaking out the scrubbing brushes and mops (ad blockers, extensions, VPNs, etc) trying to clean up after it

e) some of its friends turned up and started repeating something about social contracts and how business and ads built this internet place

f) the rest of us keep crying into our hands just trying to meet up, break out the slop buckets to clean up the vomit in the kitchen and some of us now have to wear gloves and condoms just to share things with our friends and stop the whole place collapsing

I am exhausted by so many people calling writing out as AI without sufficient proof other than writing style. Some things are more obvious, sure... maybe I'm just too stupid to see a lot of the rest of it? But so much of what gets called out seems incredibly familiar to me compared with traditional print media I've been reading my entire life.

I'm starting to wonder if a lot of people just have poor literacy skills and are knee-jerk labeling anything that looks well written as AI.

Not sure on that. It was far, far better before what drives ads today. I've gotten more value from random people's static HTML pages in 1999, than I ever have from something in the last 25 years.

This just led me to think of news sites, and how they've turned mostly into click-bait farms in the last decade to 15.

Gives me pause. Didn't the king of "doing it online" buy a newspaper, but the end result wasn't an improvement on its fate? If there is any way to make cash from news, shouldn't Bezos have been able to do it??

But ads are all of those things now, so I feel no obligation. I only got an ad blocker around the time ads were becoming excessively irritating.

also, having a PQC enabled extension doesnt seem like a good "large user base capture" tactic.

the source code is as usual obfuscated react but that doesnt mean its malicious...

EDIT: i debuged the extension quickly and it doesnt seem to do anything malicious. it only sends https://pqc-extension.vercel.app/?hostname=[domain] request to this backend to which it has permissions. it doesnt seem to exfiltrate anything else. it might get triggered later but it has very limited permissions anyway so it doesnt seem to be a malicious extension. (but im no expert)

I’m saying that the framing of the article makes this sound like LinkedIn is the Big Bad when the reality is far worse - they’re just one in a sea of entities doing this kind of thing.

If anything, the article undersells the scale of the issue.

I do not think that this is a workable model. Firstly, because it leads inevitably to monopolization, because you don't want to pay 50,000 people for content, you want to pay 10 people for content. Secondly, because most content is bad and a waste of time and you don't find out until after you've bought it. Thirdly, and most importantly, is that there's no actual, clear separation between "news" and "advertising."

Content is generated because people who want that content generated sponsor it beforehand, and dictate the conditions under which the delivery of that content will be accepted as a fulfillment of that sponsorship. The people sponsoring that content can have any number of reasons for doing it; it can make them money directly (i.e. I have articles about cats, people who like cats subscribe to my cat website), which if you're a linear thinker you think is the only way, or it can make them money indirectly, maybe by leading consumers to particular products or political stances that they have a stake in.

This is simply the truth. Your preferences don't matter, and it's not a moral question. If you pay for content, you're more valuable to advertise to, not less. A lot of work is put into producing trash that you regret having read or watched, and was really intended to make you support Uganda's intervention in a Zambian election (or whatever.) If you "value" reading it, you've failed an intelligence test. Its value is elsewhere for the people to paid for it to be written.

What's recently shown itself to scale is small groups of people sponsoring journalists and outlets who put out tons of content for free. The motivation of those sponsors is usually to spread the points of view of the journalists they sponsor widely, because they believe them to be good.

There was never a pay model that supported things that people didn't feel passionate about or entertained by. Newspapers cost less than the paper they were written on. Television news was always a huge money loser that was invested in to raise the social status and respectability of the network. If you feel passionately about anything, you're far better off paying people to listen, to give you a chance, than to lock away content. Journalism as a luxury good can work, but only for Bloomberg terminals and Stratfor, when it is used to make other lucrative decisions by its buyers.

> orgs like Wikipedia, the Internet Archive, and others who have an endowment behind them

This is simply sponsorships by governments and billionaires. Never ever been any significant shortage of that (the patron saint of this is King Alfonso X.*) All of those people have wide interests that can often be served by paying for media to be produced or distributed. It's where we got our first public libraries from.

For me, the fact that Substack and Patreon almost work is more important, and is something that wouldn't have been as easy without the benefits that the internet brings for the collaboration of distant strangers.

-----

[*] https://en.wikipedia.org/wiki/Alfonso_X_of_Castile#Court_cul...

In the 19th century, economist William Stanley Jevons found that, as coal became more readily and easily available, demand for it went up. This was counter to the theories of others, and the principle became known as Jevons Paradox.

Jevons Paradox (a concept that is widely misunderstood, especially when it comes to tech and finance bros talking about AI) demonstrates that, a resource becomes more abundant and easily accessible, demand for that resource rises. As the web took off, people hungered more and more for digital content -- especially as internet accessibility became faster and cheaper.

To keep up -- and to pay for being able to keep up -- increasingly sophisticated monetization models were introduced.

In any case, ad models are one thing. But it's the data brokering that's even more insidious.

The irony is that if internet content were harder to access, the population on the whole wouldn't want it as much.

Now, the culmination of Jevons Paradox has spun itself around a bit in this case. We now live in a world where those profiting off of ad models and data brokering actively try to get people to demand internet content more. (Look no further than the recent social-media-addiction lawsuits.)

all of the browser extensions I'm aware of are on planet earth, so i guess you'd have it linkedin is searching the planet for your browser extensions?

I think using LinkedIn is pretty much agreeing to participate in “fingerprinting” (essentially identifying yourself) to that system. There might be a blurry line somewhere around “I was just visiting a page hosted on LinkedIn.com and was not myself browsing anyone else’s personal information”, but otherwise LinkedIn exists as a social network/credit bureau-type system. I’m not sure how we navigate this need to have our privacy while simultaneously needing to establish our priors to others, which requires sharing information about ourselves. The ethics here is not black and white.

I think that’s a far more reasonable framing of the issue.

> I don't think describing it as something everybody would expect is totally fine and normal for browsers to allow is correct.

I agree that most people would not expect their extensions to be visible. I agree that browsers shouldn’t allow this. I, and most privacy/security focused people I know have been sounding the alarm about Chrome itself as unsafe if you care about privacy for awhile now.

This is still a drastically different thing than what the title implies.

But the language of "your computer" also implies software on your computer including but not limited to Chrome extensions.

No disagreement there, except the early web was not about scale. The sites you visited may have been created by someone as a hobby, a university professor outlining their courses or research, a government funded organization opening up their resources to the public, a non-profit organization providing information to the public or other professionals, or companies providing information and support for their products (in the way they rarely do today).

> people need to eat, pay for rent

Those people were either creating small sites in their spare time, or were paid to work on larger sites by their employer.

There were undoubtedly gaps in the non-commercial web. On the other hand, I'm not sure that commercializing the web filled those gaps. If anything, it is so "loud" that the web of today feels smaller and less diverse than the web of the 1990's.

I'm not signing up for a subscription for that journal, but paying a small amount for access to that one article is a no brainer. I don't subscribe to a newspaper either, but I'll happily buy one.

The New European did this a decade ago using "agate" (named after the smallest font you'd get in a newspaper), top up with a few quid, then pay for each article.

Sadly didn't catch on. TNE dropped it in 2019[0]. Agate still exists, having been renamed to "axate", but consumers aren't willing to pay with anything other than their time.

[0] https://pressgazette.co.uk/news/new-european-drops-micro-pay...

I’m not saying it is. My point is that they appear to be trying to accomplish something like getInstalledExcentions(), which is meaningfully different from a small and targeted list like isInstalled([“Indeed.com”, “DailyBibleVerse”, “ADHD Helper”]).

One could be reasonably interpreted as targeting specific kinds of users. What they’re actually doing to your point looks more like a naive implementation of a fingerprinting strategy that uses installed extensions as one set of indicators.

Both are problematic. I’m not arguing in favor of invasive fingerprinting. But what one might infer about the intent of one vs. the other is quite different, and I think that matters.

Here are two paragraphs that illustrate my point:

> “Microsoft reduces malicious traffic to their websites by employing an anti-bot/anti-abuse system that builds a browser fingerprint consisting of <n> categories of identifiers, including Browser/OS version, installed fonts, screen resolution, installed extensions, etc. and using that fingerprint to ban known offenders. While this approach is effective, it raises major privacy concerns due to the amount of information collected during the fingerprinting process and the risk that this data could be misused to profile users”.

vs.

> “Microsoft secretly scans every user’s computer software to determine if they’re a Christian or Muslim, have learning disabilities, are looking for jobs, are working for a competitor, etc.”

The second paragraph is what the article is effectively communicating, when in reality the first paragraph is almost certainly closer to the truth.

The implications inherent to the first paragraph are still critical and a discussion should be had about them. Collecting that much data is still a major privacy issue and makes it possible for bad things to happen.

But I would maintain that it is hyperbole and alarmism to present the information in the form of the second paragraph. And by calling this alarmism I’m not saying there isn’t a valid alarm to raise. But it’s important not to pull the fire alarm when there’s a tornado inbound.

I don't care about how much spying is going on in ESPN. I can ditch it at the shadow of a suspicion. Not so with LinkedIn.

This is very alarming, and pretending it's not because everyone else does it sounds disingenuous to me.

In short, you are not going to solve this problem blaming developer ethics. You need regulation. To get the right regulation we need to get rid of PACs and lobbying.

Fighting against these kinds of directives was a large factor in my own major burnout and ultimately quitting big tech. I was successful for awhile, but it takes a serious toll if you’re an IC constantly fighting against directors and VPs just concerned about solving some perceived business problem regardless of the technical barriers.

Part of the problem is that these projects often address a legitimate issue that has no “good” solution, and that makes pushing back/saying no very difficult if you don’t have enough standing within the company or aren’t willing to put your career on the line.

I’d be willing to bet good money that this LinkedIn thing was framed as an anti-bot/anti-abuse initiative. And those are real issues.

But too many people fail to consider the broader implications of the requested technical implementation.

One reason your boss is eager to replace everyone with language models, they won’t have any “ethical backbone” :’)

That involves integrating with tracking providers to best recognize whether a purchase is being made by a bot or not, whether it matches "Normal" signals for that kind of order, and importantly, whether the credit card is being used by the normal tracking identity that uses it.

Even the GDPR gives us enormous leeway to do literally this, but it requires participating in tracking networks that have what amounts to a total knowledge of purchases and browsing you do on the internet. That's the only way they work at all. And they work very well.

Is it Ethical?

It is a huge portion of the reason why ecommerce is possible, and significantly reduces credit card fraud, and in our specific case, drastically limits the ability of a criminal to profit off of stolen credit cards.

Are people better off from my work? If you do not visit our platforms, you are not tracked by us specifically, but the providers we work with are tracking you all over the web, and definitely not just on ecommerce.

Should this be allowed?

I don't think so, because most people understand that extensions necessarily work inside of the sandbox. Accessing your filesystem is a meaningful escape. Accessing extensions means they have identification mechanisms unfortunately exposed inside the sandbox. No escape needed.

It's extremely unfortunate that the sandbox exposes this in some way.

Microsoft should be sued, but browsers should also figure out how to mitigate revealing installed extensions.

This is better than forcing the extension to announce it's presences on every web site.

And has roughly 2.7 billion monthly active users. This means the average YouTube user brings in around $1.23 per month. When you consider that CPM's can easily swing by 20X based on how wealthy the user demographic is, and willingness to pay a subscription is a strong signal for purchasing power, I would not be at all subscribed if a YouTube premium subscription was revenue-neutral for Google.

Realistically you're probably exposed and identified. But if you're meticulous and careful, you might not be, or at least not as completely as someone who is unaware or not careful. But it's not at all the same as if, say, a state actor was motivated to spy on you specifically.

And I don't think Google would lightly give up being the default search engine on the dominant mobile platform in the USA, and significantly more dominant among upper-income users.

> Of course Google is going to back door their browser.

Aside from the fact that other browsers exist, this makes no sense because Google would stand to gain more by being the only entity that can surveil the user this way, vs. allowing others to collect data on the user without having to go through Google's services (and pay them).

Quantity is a quality in itself. Your BBS was never going to support a million users. Once people figured out the network effect it was over for the masses. They went where the people are, and we've all suffered since.

Even back in the 1990s the internet was awash with popups, popunders and animated punch-the-monkey banner ads. And with the speed of dial up, hefty images slows down page loads too.

You must be a true Internet veteran if you remember a time ads weren’t annoying!

If all Android users did this, something would change.

Most people, including folks on here, think cookie banners are a problem, but they are just an annoying attempt to phish your agreement. As long as these privacy loopholes exist, we will keep hearing such stories even from large corporations with much to loose, which means the current privacy regulations do not go far enough.

PayPal, Spotify, Stripe, LinkedIn, Airbnb, Facebook, ResearchGate, Flexport, Nubank, Rippling, Asana, Luft, Tesla, Microsoft, Apple, SpaceX

You can’t trust anything these days!

It does suggest that’s what they’re collecting. That is per se a violation in many jurisdictions. It should trigger investigations in most others to ensure it wasn’t mis-used.

Firefox runs great 99.99% of the time. It’s easy to add extensions. So we should be pushing people to adopt it.

I don't want to defend ads, but whatever replaces them is going to be very disruptive. Maybe better, but very different.

Big +1 to that.

The charitable interpretation is that this behavior is simply an oversight by Google, a pretty massive one at that, which they have been slow to correct.

The less-charitable interpretation is that it has served Google's interests to maintain this (mis)feature of its browser. Likely, Google or its partners use similar to techniques to what LinkedIn/Microsoft use.

This would be in the same vein as Google Chrome replacing ManifestV2 with ManifestV3, ostensibly for performance- and security-related purposes, when it just so happens that ManifestV3 limits the ability to block ads in Chrome… the major source of revenue for Google.

The more-fully-open-source Mozilla Firefox browser seems to have had no difficulty in recognizing the issues with static extension IDs and randomizing them since forever (https://harshityadav.in/posts/Linkedins-Fingerprinting), just as Firefox continues to support ManifestV2 and more effective ad-blocking, with no issues.

I think it’s kind of funny that HN has gone so reactionary at tech companies that the comments here have become twisted against the anti-spam measures instituted on a website that will never trigger on any of their PCs, because HN users aren’t installing LinkedIn scrape and spam extensions.

There would need to be a way for ISPs to know which websites are getting my traffic in order to know who to distribute the money to, which I'm not a fan of. But I think something along those lines, with anonymized traffic data, would work a treat.

But this is about major corporation sneakily abusing this to ilegally extract specific sensitive data which they are abusing.

Such as news and magazine sites, many of which are actively dying due to a lack of revenue.

I personally wish these sites could all switch to paid models, because I also don’t like ads.

But absent that, I’d like to support the sites I use so that they don’t go out of business.

I would pay money for that.

Facebook was a party, but not the protagonist.

- a Cambridge researcher (Aleks Kogan) created a personality quiz FB app advertised as academic research

- users had to consent to download the app

- the app nefariously scraped users' friends' data (300k users unlocked 87 million users' data)

- the information was sold to Cambridge Analytica

- who then used the information to profile American voters

LinkedIn already has all of this information from the information you feed it. Scanning for more information provides more refined views, but LinkedIn already has your graph.

"we" is doing a lot of work here. No clubhouse got optical switching working and all that fiber in the ground for example. Beyond POC, the Internet was all commercial interests.

News only made money when the newspapers could leverage their circulation numbers to run their own ads network. The classifieds section was a money machine. I remember full-page ads in the Washington Post from local car dealerships showing every model they were selling. They likely ran different ads for distribution in other regions, probably 10Xing their money. Google and Facebook killed that.

What Bezos bought was a corpse of a business, but one with strong journalistic credibility known for historic investigative analyses such as the Watergate cover-up that earned public goodwill. He was buying that goodwill and slowly asphyxiating it to align with his own interests.

I don't think I've personally seen a single false positive on HN. If anything, too much slop goes through uncontested.

We had a browser extension for our product. A couple times a month someone would clone it, add some data scraping or other malware to it, and re-upload it with the same or similar name.

We set up automated searches to find them. After reporting it could take weeks to get them removed, some times longer. That’s for extensions with clear copyright problems!

The extensions may not be breaking any rules of the extension stores if they’re just scraping a website. Many of the extensions on the list are literally designed to do that as their headline feature.

If you think sending data from a page to a server would disqualify an extension from an extension store then think again. Many of the plugins listed even have semi-plausible reasons for uploading the scraped data, like the “anti-Zionist tagger” extension on the list or the ones that claim to blur things that are anti-Islam. Manufacturing a reason to send data to their servers gives them cover.

Like OP, I don't consider behavior confined to the browser to be my computer. "Scans your browser" is both technically correct and less misleading. "Scans your computer" was chosen instead, to get more clicks.

How does HN exist? Wealthy benefactors. Do I appreciate it any less? I do not, I am very grateful. But solutions are needed where a wealthy benefactor has not stepped in or does not exist, a commercial business model is untenable, the government does not or will not fund it, and the scale is beyond a single person spending a few hours a week on it for free.

https://xkcd.com/2347/

Like everyone else on this thread, I’m not condoning it or saying it’s a good thing, but this post is an exaggeration.

Edit: typos

Same with LLMs. This is a race. Competent people are in demand.

I’m not defending the act of scanning for these extensions, and I’m of the opinion that such an API shouldn’t even exist, but just pointing out that there are perfectly legitimate APIs that reveal information that could be framed as “files installed on your computer” that are clearly not “searching your computer” like the title implies.

In my experience, most people - even most tech people - are unaware of just how much information a bit of script on a website can snag without triggering so much as a mild warning in the browser UI. And tend toward shock and horror on those occasions where they encounter evidence of reality.

The widespread "Facebook is listening to me" belief is my favorite proxy for this ... Because, it sorta is - just... Not in the way folks think. Don't need ears if you see everything!

Having sensationalist titles should be called out at every opportunity.

Eg, someone could use the phrase "Won't someone think of the children?" to describe a legitimately bad thing like bank fraud, but the solutions that flow from the problem that "children are in danger" are significantly different from the solutions that flow from "phishing attacks are rampant".

The two issues in this case aren't quite as different as child-endangerment and bank fraud. But if the problem was as the original title describes, the solution is quite different (better sandboxing) than what the actual solution is. Which I don't know, but better sandboxing ain't it.

> Sadly you are atypical and the vast majority are freeloaders

Citation needed.

> who even without ads or tracking will try and find another way not to pay

Why is this relevant? People try to get free stuff all over the place and I don't find it makes my life difficult.

Does something like running the duckduckgo extension not help?

Will you do the same for your kids ? WOuld you let the government decide for you whats right, and what's wrong ?

That data sounds like it would be very valuable.

But I think if I sell widgets and a prospective customer browsers my site, telling my competitors (via a data broker) that customer is in the market for widgets is not a smart move.

How do such tracking networks get the cooperation of retailers, when it’s against the retailers interests to have their customers tracked?

No, yes

Yes, giving these people short (or long, mēh) prison sentences is the only thing that will stop this.

No, the obvious grassroots response is to not use LinkedIn or Chrome. (You mean developers not consumers, I think. The developers in the trenches should obey if they need their jobs, they are not to blame. It is the evil swine getting the big money and writing the big cheque's...)

Based on their privacy policy, it looks like Sift (major anti-fraud vendor) collects only "number of plugins" and "plugins hash". No one can accuse them of collecting the plugins for some dual-use purpose beyond fingerprinting, but LinkedIn has opened themselves up to this based on the specific implementation details described.

- do these people understand the principles of making good products?

- is anyone clearly working towards a microtransaction system that could replace advertising and subscription models?

After attending two conferences, hundreds of conversations and hours spent researching, my conclusion to both questions was no. The community felt more like an ouroboros. It was disappointing.

I don't want to pay NYT a subscription fee, I want to pay them some fraction of a cent per paragraph of article that I load in. Same goes for seconds of video on YouTube, etc.

Apparently I'm alone in this vision, or at least very rare...

I feel like this is obvious and you know that this is the exact mistake being made, but rather than drop an actual correction, you take the insufferable approach of pretending you don't know what's happening and forming the correction as a question.

Ads were the path of least resistance, and once entrenched, they effectively prevented any alternative from emerging. Now that we've seen how advertising scales, and how it's ruined our mediascape, we're finally looking at alternatives. Not dissimilar to how we reacted to pollution, once we saw it at scale.

uBlock Origin Lite (compatible w/ ManifestV3) works quite well for me, I do not see any ads wherever I browse.

The problem is that both the ISP and the websites would then go "Cool, we're getting $10 a month from them!" for about a minute before they started trying to come up with ways to start showing you ads anyways. With the level of customer appreciation ISPs tend to show, I'm sure they'd have no problem ignoring your complaints and would happily revoke your service if you stopped paying the now $10-higher price per month.

Still, I would be willing to pay a bit more for a website that I actually like if it's a one-time fee; I actually paid for the "Platinum" membership for Something Awful so that I would have access to search, and a custom icon, so I think the total damage was around $30.

Dunno, I guess I just feel like people will pay for things if those things don't suck. I think the fact that the only way that companies can really compete for people's time is giving it away for free [1] is a testament that most stuff on the internet is actually kind of shit.

[1] yeah I know something something you are the product something something.

ETA: I hate self-promotion but a friend of mine told me I should mention that I did write a blog post talking about this very specific example: https://blog.tombert.com/Posts/Personal/2026/02-February/Peo...

If a company leaks my sensitive data, I get some nice junkmail offering me some period of time of credit monitoring or whatever so what are browsers doing to prevent this?

The issue should never be 'We want entities to have this data but only use it in some constrained and arbitrary manner that we can't even agree about it's definition.' instead 'This data shouldn't be made available to X'

It's actually insane opening up /r/webdev and similar subreddits and seeing dozens of AI authored posts with 50+ comments and maybe a single person calling it out. Makes me feel crazy. It's not as much of a problem here, but there is absolutely a writing style that suddenly 50% of submissions are using. It's always to promote something and watching people fall for it over and over again is upsetting.

but that doesn't really matter. for the sake of the argument assume the extensions are not malicious (as evidenced e.g. by the PQC one with ?16 users?) does that change the situation?

When I first started out on the internet, ads were banners. Literally just images and a link that you could click on to go see some product. That was just fine.

However, that wasn't good enough for advertisers. They needed animations, they needed sounds, they needed popups, they needed some way to stop the user from just skimming past and ignoring the ad. They wanted an assurance that the user was staring at their ad for a minimum amount of time.

And, to get all those awful annoying capabilities, they needed the ability to run code in the browser. And that is what has opened the floodgate of malware in advertisement.

Take away the ability for ads to be bundled with some executable and they become fine again. Turn them back into just images, even gifs, and all the sudden I'd be much more amenable to leaving my ad blocker off.

Please explain this term. Google was not useful.

It's unfortunate to see folks here who don't support that – interoperability is at the heart of the Hacker Ethic. LinkedIn (along with any other big tech companies locking down and crippling their APIs) is wrong to even try to block it.

Is it an issue of the resources scrapers consume? No: Even ordinary users trying to get API access on a registered persistent account linked to their name are stymied in accessing their own data. LinkedIn simply doesn't want you to access your own data via API, or in any manner that isn't blessed by them. That ain't right.

people with something to share, people with something to say, who share and say it because they want to

that's how pamphleteers worked, that's how the Internet worked

at scale, static (CMS-managed) information sites cost effectively nothing even for arbitrary amounts of traffic, and smoothed across a range of people sharing stuff, it approaches zero per person

publishing used to be free with your ISP, and edge CDN used to be (and still is) free to a point (an incredibly high volume point) as well

having people pay something nominal to say things instead of pay far too much in attention-distraction or money to consume things, would put this all back the right way round

  > distribute to sites I visit, if it meant zero tracking

The fact that the website is doing this is a bigger problem than the browser not preventing it. If someone breaks into a house, it's the burglar who is prosecuted, not the company that made the door.

If you scanned LinkedIn's private network, you'd be criminally charged. Why are they allowed to scan yours with impunity? And why is this being normalized?

The best solution is a layered defense: laws that prohibit this behavior by the website and browsers that protect you against bad actors who ignore the law.

The closest we've come is something like Apple News, which allows me to pay for a selected (by them, not me) subset of features on a selected (by them, not me) subset of news sites. Can't somebody do this right?

This is blatant misinformation. Firefox (and all of its derivatives) also does this.

https://bugzilla.mozilla.org/show_bug.cgi?id=1372288

Such content would also suck with flashy ads too.

It's pretty easy tech I think, it's just never hit a flash point. But it could.

> if they do a better job at showing me an ad that might be relevant to me, how is that disgusting?

To me that signalled that the author of the comment doesnt really care what is gonig on behind the scenes if the result is a better and more relevant ad.

I see this attitude often from people who dont seem to understand the severity and seriousness of online tracking which leads to psychological profiling which leads to manipulation.

> who then used the information to profile American voters

You seem to have missed off the most serious bit at the end. Cambridge Analytica then used the data to profile millions of voters, and purposefully target divisive and flammable political material to specific suggestible people in order to manipulate outcomes.

This same thing is done all the time by all tracking and ad companies. I think this thread has gone beyond just LinkdIn scanning your browser extensions.

How'd that work? If it's in memory, the extensions would vanish everytime I shutdown Chrome? I'll have to reinstall all my extensions again everytime I restart Chrome?

Have you seen any browser that keeps extension in memory? Where they ask the user to reinstall their extensions everytime they start the browser?

For myself, I agree with you: one should quit (and I will)

As I’ve stated clearly throughout this thread, the fingerprinting they’re doing is a problem.

Calling it “searching your computer” is also a problem.

> Defending that action is

Nowhere have I defended what LinkedIn is doing.

> Citation needed.

I think we need to agree upon a definition of freeloader before citing sources to support the claim. I've found that many people who use the word have a much more transactional view of the world than I do.

That is the deal in a state based society. There are alternatives, but are you ready for Council Communism and it's ilk?

> WOuld you let the government decide for you whats right, and what's wrong ?

Yes, in a state based society

In a state based society fight for democracy and civil rights. Freedom must be defended

This includes things like the motion of your mouse pointer, typing events including dwell times, fingerprints. If our providers are scanning the list of extensions you have installed, they aren't sharing that with us. That seems overkill IMO for what they are selling, but their business is spyware so...

On the backend, we generally get the results and some signals. We do not get the massive pack of data they have collected on you. That is the tracking company's prime asset. They sell you conclusions using that data, though most sell you vague signals and you get to make your own conclusions.

Frankly, most of these providers work extremely well.

Sometimes, one of our tracking vendors gets default blackholed by Firefox's anti-tracking policy. I don't know how they manage to "Fix" that but sometimes they do.

Again, to make that clear, I don't care what you think Firefox's incentives are, they objectively are doing things that reduce how tracked you are, and making it harder for these companies to operate and sell their services. Use Firefox.

In terms of "Is there a way to do this while preserving privacy?", it requires very strict regulation about who is allowed to collect what. Lots of data should be collected and forwarded to the payment network, who would have sole legal right to collect and use such data, and would be strictly regulated in how they can use such data, and the way payment networks handle fraud might change. That's the only way to maintain strong credit card fraud prevention in ecommerce, privacy, status quo of use for customers, and generally easy to use ecommerce. It would have the added benefit of essentially banning Google's tracking. It would ban "Fraud prevention as a service" though, except as sold by payment networks.

Is this good? I don't know.

This seems to be a case where the poison seeps through the cracks. From Google and Chrome to other Chromium-based browsers. In very correct ways, in this case, they are Chrome based.

I looked at crypto currency because it seems like the obvious naive solution. it doesnt work. the cost of the transaction itself far outweighs the value of the transaction when dealing with fractions of a cent. you want an entire network to be updating ledgers with ~millions of records per ~$1000 moved. the fundamental tech of crypto leans towards slower, higher value transactions than high volume, small transactions. Lots of efforts have been made with some coins to bring down the bar of "high value, low volume" to meet everyday consumer usage rates and values - but a transaction history at the scale of every ad impression for every person is a tough ask and would perpetually be in an uphill battle against energy costs.

Ultimately, the conclusion I came to is that the service would need to be centralized, and likely treated as cash by not keeping track of history. Centralized company creates "web credits", user spends $5 for 10,000 credits, these credits are consumed when they visit websites. Websites collect a few credits from each user, and cash out with the centralized company. The issue is that since it would cost more to track and store all the transactions than the value of the transactions themselves, you have to fully trust the company to properly manage the balances.

I started building it and since I would be handling, exchanging, and storing real currency - it seemed subject to a lot of regulations. It is like a combination bank and casino.

i've thought about finishing the project and using disclaimers that buying credits legally owes the user nothing, and collecting credits legally owes the websites nothing, and operating on a trust system - but any smart person would see the potential for a rug pull on that and i figured there would not be much interest.

The alternative route of adhering to all the banking regulations to get the proper insurances needed to make the commitments necessary to users and websites to guarantee exchange between credits and $ seemed like too much for 1 person to take on as a side project for free

Accessing other users' LinkedIn data via the API requires their OAuth consent, as it should be. But you are welcome to access your own data via the API.

But the gist of it is, companies do free to play systems that support themselves by a very small portion of their user base spending a very large amount of money. The free/low paying users find themselves with poor/no service as the companies do anything to attract more whales.

K based economies are somewhat related as you see a very small portion of the participants in an economy make a huge amount of money while everyone else gets poor.

First, I think it’s a major issue that Chrome is allowing websites to check for installed extensions.

With that said, scanning LinkedIn’s private network is not analogous to what is going on here. As problematic as it is, they’re getting information isolated to the browser itself and are not crossing the boundary to the rest of the OS much less the rest of the internal network.

Problematic for privacy? Yes. Should be locked down? Yes. But also surprisingly similar to other APIs that provide information like screen resolution, installed fonts, etc. Calling those APIs is not illegal. I’m curious to know what the technical legal ramifications are of calling these extension APIs.

That can only happen if the extension itself leaks it to the web page and if that happens, scanning isn't necessary since it already leaked what it is to the webpage. It also doesn't tell you what extension it is, unless again, the extension leaks it to the webpage.

The attack on Chrome is far more useful for attackers as web pages can scan using the chrome store's extension ID instead.

Also, I agree that the platforms and paradigms we have are fucked up, but do believe that people who put work into making something deserve to charge for it if there are folks who’d pay.

Apple News remained fantastic until renewal of agreements when publishers demanded rights to insert additional ads.

Apple can't not have premium sources in there, so...

Most publishers of content online are ad supported and struggling, and I want to make sure I’m contributing to their revenue somehow.

I don’t feel bad about blocking ads on sites I pay for though.

My point is that LinkedIn already has enough information (We've willingly given them!) to manipulate outcomes and if they're doing something nefarious, then it's already too late.

Whereas Cambridge Analytica involved bad actors (not Facebook) duping customers and re-selling their data. I don't think those elements are necessarily in play here.

We literally had all of this. We had regular, affordable, high quality printed media for every hobby and interest and industry, that you could get delivered to your home address and collect in your own archive if you want, and your local library could do the same.

Those pieces of paper could not track anything about you. They tried, selling their subscriber lists, but that was the best tracking they could provide! You could easily ignore ads, and in return they had to make ads interesting enough in various ways that you might look at them anyway, or they had to make their ads directed at people who went looking for whatever you were selling.

It was an objectively better system in every way.

The Sears catalog was worlds better than Amazon. You weren't going to buy a fraudulent item for one.

Tech is a failure. It has made so much worse. It has only served to allow businesses to cut costs while extracting money from every single local community that used to allow such cash to circulate locally.

We should ban all internet advertising.

This is sort of like arguing cutlery is a military enterprise. Like yes, that’s where knives came from. But that’s disconnected enough from modern design, governance and other fundamental concerns as to be irrelevant. The internet—and less ambiguously, the World Wide Web—are more commercial than military.

'ignore the facts! ENEMY!!!' generally doesn't end well for anybody

A typical credit is getting paid in, transacted once, and cashed out. And a transaction with a user ID, destination ID, and timestamp only needs 16 bytes to store. So if you want to track every hundredth of a penny individually, then processing a million dollars generates 0.16 terabytes of data. You want to keep that around for five years? Okay, that's around $100 in cost. If you're taking a 1% fee then the storage cost is 1% of your fee.

If your credits are worth 1/20th of a penny, and you store history for 18 months, then that drops the amount of data 17x.

(And any criticisms of these numbers based on database overhead get countered by the fact that you would not store a 10 credit transaction as 10 separate database entries.)

You would have to either self-host your own VPN server somewhere (maybe on a public cloud provider) or if you are truly paranoid, use something like Tor.

Point being: Google will 100% give your info to the police, regardless of whether the police have the legal right to it or not, and regardless of whether you actually committed a crime or not.

Bonus points: the federal court that ruled on the case said that it likely violated the fourth amendment, but they allowed the police to admit the evidence anyway because of the "good faith" clause, which is a new one for me. Time to add it to the list of horribly abusable exceptions (qualified immunity, civil asset forfeiture, and eminent domain coming to mind).

What if we limited advertising to images which don't set tracking cookies, so you would get something sort of like banner headlines. Maybe say the image had to be served from the same place as the rest of the content so you don't get to track readers with image trackers

Source? Not doubting. But I have a friend who was buying airline tickets through CompuServe in the late 80s/early 90s.

The bad guy here is google. And the people that champion data collection by private companies because of free market == good.