Are unblockable web trackers truly unblockable?

We saw the following article pass by on a reputable technology news website: “Bad news: ‘Unblockable’ web trackers emerge. Good news: Firefox with uBlock Origin can stop it. Chrome, not so much. Ad-tech arms race continues: DNS system exploited to silently follow folks around the web” (from The Register)

When we read about this, we immediately looked into whether or not these ‘unblockable’ trackers are indeed all they are cracked up to be: unblockable or not?

We performed a variety of tests and can confirm that IvyDNS blocks these so-called unblockables by default and has been blocking them for a while already. That IvyDNS was able to do so automatically and independently (i.e. without any need for us to teach it about this scheme) was a pleasant surprise to us, but then again, IvyDNS’ Artificial Intelligence was designed and deployed to anticipate these types of bad actors. It did exactly what it was supposed to: learn, adapt, overcome! And thus, Betteridge’s Law applies to this post.

As an aside: the linked article provides a lot of information and is, mostly, factually correct; after all, The Register is known for quality journalism. However, we think that it is limited in its world-view: it pretends that browsers are the only thing that matters in the world of the Internet.

While it is true that this is how most individuals interact with the Internet, there’s more to the Internet than browsers. In the end, browsers still need to resolve domain names, and that’s where IvyDNS lives: on a deeper, more fundamental, networking level. (And we’ll talk about DoH – DNS-over-HTTP[S] in another blog post.)

Google has quietly dropped ban on personally identifiable web tracking

Google has reversed an earlier promise on privacy and will now allow personally identifiable web tracking:

We may combine personal information from one service with information, including personal information, from other Google services — for example to make it easier to share things with people you know. […] Depending on your account settings, your activity on other sites and apps may be associated with your personal information in order to improve Google’s services and the ads delivered by Google. […]

Read more or more

IvyDNS blocks tracking that is done by these large players.

The fallacy of personalized advertising

When peddlers of on-line advertising talk about their product, they hail ‘personalized advertising’ as a good thing, something you should actively want because, so they claim, “it is relevant content”.
But if you think carefully about it, you soon realize that this framing of the situation starts from an incorrect premise, namely that it is OK to be abused by adverts and that personalization of these ads is a cherry on top of the cake.

We disagree with this for at least the following reasons:

  • By definition, advertising is manipulative. Its sole purpose is to change your behavior or opinion in favor of the advertised product or service.
  • Advertising interferes with what you are doing. Think about the last time you said to yourself “I’d love to watch some (on-line) ads now instead of doing what I set out to do”. Take your time…
    Almost no-one likes ads or eagerly anticipates having whatever they are trying to do or accomplish interrupted by an ad.
  • Most people reluctantly accept advertising as a necessary evil, a way to fund things that would otherwise not get funded. This in itself is a huge indictment of advertising and shows that, fundamentally, it is not something we desire; instead, we endure it… (even though there are ways to pay for these things; just search for the “(digital) subscription” link on, for instance, your favorite on-line news provider)
  • Personalized advertising, by definition, requires an invasion of your privacy: it only works if and when you tell third parties things about you that you would otherwise never reveal. This is so that the system can get to know you, can learn about you and figure out which impulses you are most vulnerable to.
  • Personalized advertising works against you: it finds your weaknesses by following you everywhere and then exploits what it finds in order to cajole you into performing actions you would otherwise not perform, namely spending your hard-earned money.
  • Personalized advertising is not acceptable and is really nothing more than an admission that “we realize everyone hates ads, we’re going to make the pill less bitter by trying to serve you ads that our system thinks you will object to the least“.

A pill less bitter is still a bitter pill.

IvyDNS protects from abuse by advertisers and other miscreants, whether it is theft, exposing you to malware or an invasion of your privacy.

Advertisers know exactly who you are… the data is NOT anonymized

Advertisers know who you are, where you go, when you go there and how much time you spend where you are: Advertisers will be able to upload email lists to target customers and similar audiences with ads on search, Gmail and YouTube.

This shows, yet again, that the claims about the data being anonymized are false. This capability enables advertisers and those buying advertising time/space from (in this case) Google, to say “here’s an individual I want to show my ads to”(*).

What was that about “we don’t know who you are, you’re just an anonymous number to us“, you say? When the number is you, uniquely you, then you’re not anonymized, instead, you’ve been given an (additional) alias which makes it easier to be identified, not harder.

IvyDNS prevents you from ever being recorded as one of these (non-) ‘anonymous numbers’ in the first place. And even if you were recorded in the past, it makes your future footprints melt away before anyone gets a chance to see them. IvyDNS’ Artificial Intelligence contains comprehensive information about the purpose of domains, whether a domain is used in tracking you, serves malware, serves advertising or invades your privacy.

(*) Interestingly, this also opens up a mechanism for those using advertising networks as delivery mechanisms for malware, to target very specific individuals for infection with their malware.

Advertising networks are delivery mechanisms for malware

The Register published an article on how advertising networks used by major and popular sites are (yet once more) being hijacked by malware peddlers. IvyDNS eliminates this attack vector.

It’s just another reason to no longer treat advertising as ‘harmless’ or ‘a minor nuisance’: allowing content from unknown third parties to be downloaded to and executed on your devices is a major security risk that can lead to compromised devices and can include identity theft.

A two-year long, highly sophisticated malvertising campaign infected visitors to some of the most popular news sites in the UK, Australia, and Canada including Channel 9, Sky News, and MSN.

Readers of those news sites, just a portion of all affected (since it also affected eBay’s UK portal), were infected with modular trojans capable of harvesting account and email credentials, stealing keystrokes, capturing web cam footage, and opening backdoors.

The news sites are not at direct fault as they displayed the advertising; the ad networks and the underlying structure of high-pace and low-profit margins is what lets malvertising get its huge impact.

Read the full article here.

Web-of-Trust add-on caught selling out its users

The Web-of-Trust (WoT) add-on for Firefox and/or Chrome has been removed from the add-on repositories for Firefox and Chrome. Some excellent sleuthing(*) by the Norddeutscher Rundfunk revealed that the WoT add-on was selling data which can uniquely identify its users to other parties, without ever asking for consent for this, let alone in a clear and proper way.

On top of this, WoT made claims about anonymizing the data but, as is almost always the case, the data was either not anonymized at all or the anonymization is useless and individual users can be deduced from the data. If the article is correct, then it appears that the latter is the case, that these claims appear to be unsubstantiated and grossly misleading, and that WoT is no different from other privacy-invaders.

This is just another example of the kind of limitations that you face when you try to enhance your privacy through browser add-ons or extensions: they see everything you see and it only takes a single, rogue add-on to compromise you, your privacy and your security. And while most of these tools are valuable and useful, you need a more comprehensive tool to secure you, your on-line safety and your privacy.

This is where IvyDNS comes in: it prevents connections to undesirable domains and it does it on a deeper, more fundamental networking level than browser add-ons. IvyDNS’ Artificial Intelligence contains comprehensive information about the purpose of domains and blocks access to those that are undesirable, whether that is because the domain is used in tracking you, serves malware, serves advertising, invades your privacy, etc.

IvyDNS is also built so that it does not ever receive the kind of information that WoT is reselling. This is because IvyDNS receives only DNS requests: ‘What is the IP address for domain X’. It never receives information about which page you are requesting, or even which protocol you will be using to talk to that server. You could be asking for the IP address of a domain because you want to check your e-mail, you want to visit a web page on it, or there’s an app that pulls data from there, etc… IvyDNS does not ever see or receive the purpose of requests (nor requests made to non-IvyDNS servers).
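
What a DNS resolver can read from a request, shown as an added example (not IvyDNS code and not part of the original post): it encodes and then decodes a standard RFC 1035 query. The hostname and URL are constructed placeholders, and the function names are our own.

```python
import struct

QTYPES = {1: "A", 5: "CNAME", 28: "AAAA"}  # small subset of DNS record type codes

def build_query(name, qtype=1, txid=0x1A2B):
    """Encode a standard recursive DNS query (RFC 1035, section 4.1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN

def parse_query(packet):
    """Decode every field of a single-question query, as a resolver would."""
    if len(packet) < 12:
        raise ValueError("packet shorter than the 12-byte DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:  # root label ends the name
            break
        if length > 63 or pos + length > len(packet):
            raise ValueError("bad or truncated label")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return {
        "id": txid,
        "recursion_desired": bool(flags & 0x0100),
        "qname": ".".join(labels),
        "qtype": QTYPES.get(qtype, str(qtype)),
        "qclass": qclass,
        "trailing_bytes": len(packet) - (pos + 4),  # 0: nothing else is in the query
    }

# Constructed sample: the lookup a device makes before loading the hypothetical
# URL https://mail.example.com/inbox?folder=private. Only the hostname is encoded.
SAMPLE = build_query("mail.example.com")
SEEN = parse_query(SAMPLE)
```

The decoded query holds a name, a record type and a class, with no path, port or protocol field. The resolver does still see the source IP address of the packet and the time it arrived, which is transport metadata rather than part of the query.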

The reason for this is simple. It is none of our business, and it would be wrong to pull ‘stunts’ as described in the linked articles. We built IvyDNS with these considerations in mind. It offers deep protection from top to bottom and it keeps you secure, undisturbed and as private as it can, while you are on-line!

You can read the original article on NDR.de (in German) about WoT selling out its users, and read about it over at The Register.

Surveillance is creepy!

A person in an unmarked car following your every move and watching you 24/7 is considered creepy or requires a warrant, but replace this with an ever-expanding army of all-seeing machines who pry into everything you do on-line and everyone thinks that this is just dandy.

These all-seeing machines are obviously the tracking pixels, scripts, the browser-fingerprinting, the telemetry-collection, the displayed adverts, and whichever other mechanisms or euphemisms are used for surveillance, on pretty much every website you use.

We, at Fundamental Software, vehemently reject the idea that this type of surveillance is acceptable and we share insights, tools and conduct research and development to fight back!

IvyDNS is an online service that respects your privacy. It makes it significantly harder for these third parties to track users on-line.

Windows 10 telemetry blatantly disregards user choice and privacy

With Windows 10, Microsoft blatantly disregards user choice & privacy. That’s not (just) us saying this, these are the good folks over at the Electronic Frontier Foundation.

Head over to the EFF’s page for the full article, which is most definitely a worthwhile read.

The amount of data that Windows 10 ‘telemetry’ sends back to Microsoft has, without exaggeration, never been greater: which apps you use, how long you use them, when you use which one, which sites you go to, how long you spend on them, even including your text input (yes, that’s what you type), etc… The list of data points that is collected on you and sent back to Microsoft goes on and on and on…

And sadly, one of the main purposes of this all is to profile you and be able to present you with advertising. You can turn it off now if you want, but unfortunately that’s not a guarantee that your devices will obey you, nor does it mean that it will stay off when new ‘critical updates’ are pushed onto your devices.

Fortunately, even if you installed Windows 10 (be it willingly or unwillingly), IvyDNS monitors the domains in use by this ‘telemetry collection’ and prevents devices from connecting to them! In fact, IvyDNS keeps a special eye on these telemetry domains… because if your devices can’t reach these domains, they also can’t send the data back to them!

Online advertising is theft of your security

Advertising networks like Google AdSense, DoubleClick, Bing Ads and many others have a huge reach and that makes them very interesting to anyone trying to spread malware. Many mainstream sites give these networks real estate on their pages. When you visit your favorite site, which serves ads from such a network, in effect this network touches you and your device directly.

Advertising is not the only thing that advertising networks serve to passers-by. Increasingly frequently, those with less-than-honorable intentions are and have been using them to distribute drive-by download malware. All you have to do is visit a website where this ‘advert’ is served and if you have no other protection, you get infected without ever having to do a thing: it downloads automatically, infects you automatically, and you would never have known, all you did was visit a site. It could be a virus, spyware or in a worst case scenario, ransomware.

Once again, Google AdSense is being abused to distribute Android spyware. This isn’t the first time that this is happening and it won’t be the last. It’s just too easy for these networks with their huge reach to be exploited this way. The way this works is that someone buys advertising space through the network and submits something that looks and behaves entirely genuine as an ad. Once approved, the benign ad is switched out for the malware which now is served to a very specific set of people, namely those that the advertiser specified as being the target audience. Surprisingly, one can be remarkably specific in who you want to display your adverts to, as specific as saying “here’s a list of e-mail addresses of the people I want to show this specific ad to”. Google calls this particular form of targeting “Google CustomerMatch”.

This is just another reason why it is unwise to just allow any unvetted code coming from the internet to run on your devices. Especially not if it comes from a source that is known to be used as a distribution vector for malware.

IvyDNS protects from these types of attacks. It not only blocks devices from pulling down anything from advertising networks, it also blocks other known malware-related domains, be they exploits, phishing, hijacked domains, scams or other forms of undesirables. IvyDNS specifically hunts these domains down and makes sure you don’t get in contact with them.

More than a traditional ad-blocker

IvyDNS does ad-blocking and while this is not the only thing it does, it is the one that stands out most. With claims, or should we say ‘hopes’, by the IAB (Internet Advertising Board) that usage of ad-blockers is plateauing, they are still trying to get you to absorb as many ads as possible. Fortunately, IvyDNS is right beside you, protecting against the theft that is on-line advertising.

One of the newest trends that we are observing, and surely you’ve seen this as well, is that certain websites will be passive-aggressive and in most cases just plain aggressive in telling you that you can’t access the site unless you turn off your ad-blocker. How do they even know that you are running an ad-blocker? Well, these websites look for ad-blockers installed as extensions in your browser either by behavior or just by enumerating your extensions and when one is detected, trip the logic that complains to you.

But IvyDNS does not have a detectable footprint on your machine and it is not detectable in the same way ad-blockers are detected. This means that with IvyDNS, you keep flying under the radar, never to be seen by anything that is trying to steal away your attention or your bandwidth.

Traditional ad-blockers run inside your browser and only deal with HTTP/web traffic. Anything outside of that limited space is not something where they are even capable of protecting you. IvyDNS is different from your run-of-the-mill blocker, it works on a much deeper and more comprehensive level than traditional ad-blockers which protects you and your device from ever getting in contact with known advertising networks or domains associated with other undesirable content.

IvyDNS is much more effective in protecting against this undesirable content than regular ad-blockers: it prevents ahead of time instead of dealing with it afterwards!