We Are the Ghostery team! AskUsAnything (especially if it's about web privacy, tracking, ad technology, etc)

First, I love Ghostery. Second, do you make any kind of money off of this free plug-in I install everywhere or is it a project of passion?

Thanks for the love!

Ghostery is supported by Ghostrank, our 100% opt-in feature that collects information about the trackers you see and the sites on which you see them. Our parent company, Evidon, packages that information and sells it back to sites who use it for privacy, performance, and security audits; and also ad tech companies who use it for competitive intelligence about each other.

That information is totally anonymous - it's all intelligence about the tracking industry, none about our users. And Ghostery works exactly the same whether you choose to share that with us or not.

We hope you'll opt-in, but we're committed to delivering a good product for user transparency whether you choose to or not.

So with Ghostery you've kind of given us our own opt-out button for tracking whether data-hungry corporations like it or not?

That's pretty much it, yeah. Except that when you block with Ghostery, you're disabling all communication with data collection companies (as opposed to opt-out, which sends a request for them not to track you). It's a subtle difference, but we think it's an important distinction.

as opposed to opt-out, which sends a request for them not to track you

So the companies don't have to follow your request and can still track you?

Most companies won't blatantly ignore the request, but how they interpret the request is wholly up to them. For example, they could agree not to use the data, but continue to collect it. Or they may honor your opt-out request for a single session, while maintaining your tracking cookie for use the next time you log in. The FTC wouldn't be happy about anything outright deceptive, but without a legitimate opt-out standard, companies can pretty much do whatever they want.

[deleted]

Helping users simply doesn't conflict with revealing data about advertisers to themselves. We're extremely sensitive to anything that might indicate a conflict of interest, and there has never been a situation where we decided not to include a feature or make an improvement to Ghostery because we thought we'd make the ad industry uncomfortable.

See also: http://www.reddit.com/r/IAmA/comments/1c4wjz/we_are_the_ghostery_team_askusanything_especially/c9d1aho

And: http://www.reddit.com/r/IAmA/comments/1c4wjz/we_are_the_ghostery_team_askusanything_especially/c9d1dpw

How do you address conflict of interest claims in regard to Evidon working with advertising companies?

From our perspective, there's no real conflict. We collect information about those companies and help them audit themselves and each other, but we do not help them by giving them any user information at all.

We like the model we've created - selling data about ad tech companies to ad tech companies to fund a tool that helps users keep close watch on ad tech companies. There's no incentive for us to somehow modify Ghostery to give those companies an advantage - that would undermine the quality of data they count on us to provide.

Thanks for the answer. I think the model makes sense, but once the code is opened it will go a long way to win over the more paranoid users out there, like myself.

While not released under an open source license (yet), the code is totally unobfuscated. You can unpack any of our extensions and see exactly how we work. If you speak JS, give it a go.

EDIT: Heh, yeah, what Felix said.

The OS initiative has been taking a while for us simply because Ghostery, while looking the same for all releases is not in fact the same codebase.

That said, our code isn't obfuscated or hidden in any way, so if you're interested in taking a look under the hood, feel free to download whichever version you're interested in, renaming it to .zip and extracting the contents, and cracking it open with your favorite editor.

[deleted]

It's a fair point, for sure. And we're not suggesting that availability of the code is a substitue for an actual open source license.

But neither our code architecture nor our current license keeps you from digging around in the code and keeping us accountable for what we claim, so please do that if it's a worry.

We're not threatened by potential forks... it's actually the opposite. Hopefully we'll be able to get a collaborative, open-source effort around Ghostery in the near future so we can can take advantage of the time and dedication from like-minded folks out there.

Same question. I installed your plugin when you first came out. then read that you were owned by Evidon. so I quickly uninstalled and really never gave you a second thought. please clear the air as I'm sure there are a lot of people out there like me.

Hopefully that answer made sense. See also this comment: http://www.reddit.com/r/IAmA/comments/1c4wjz/we_are_the_ghostery_team_askusanything_especially/c9d1chg

Thanks for the reasonable consideration, it's really appreciated.

What other privacy tools/extensions do you recommend to supplement Ghostery for day-to-day internet use?

This depends on the level of paranoia and your own involvement in controlling what third parties may know about you. That said, heres a starter list.

RequestPolicy & NoScript -- both extensions are superb for privacy and security because they operate on a whitelist premise: nothing is allowed unless you personally review it and allow it. Its also the biggest drawback from my opinion: controlling them and setting them up correctly takes weeks.

LastPass -- this extension is a locker for all your passwords. Its very secure and generates passwords that are strong. Its portable and very useful.

I just started using DashLane, which is another password/personal info manager (like LastPass). I dig it.

You might also try Duck Duck Go as an alternative search engine. It's built with privacy at its core, and I've become so used to using the "bang syntax" I can't go back to the Googs.

https://duckduckgo.com/about

Thanks guys. Password reuse seems to be an issue that is getting more and more problematic for web security in general, so I'll be sure to check those services out.

re: DDG: What's the difference between a Google bang on DDG and a regular Google search? I note that it defaults to an encrypted search, but what information specifically is stripped out to make it safer?

The bang syntax is just a shortcut search so: !w Ghostery would search wikipedia for Ghostery !ug Ghostery would search Ultimate Guitar for the tabs/chords from songs called Ghostery, etc etc

!g redirects to a secure google search, for sure - but DDG privacy goes deeper than that - if you search directly on DDG it doesn't use your search history to refine your results (bubbling) or inform its advertising long-term (tracking).

i have your extension and it always lists the websites that are following where i'm going. i just don't really understand how it works exactly. can you explain a bit please. also, the websites have a strike through the names. does that mean they can't track me? noob hereeeeee.

Great question. Ghostery is a type of extension that carries a database with itself (that is updated daily) and using this database, Ghostery compares traffic requests going out from your browser to see if they are a known app (this is called black-listing btw). On top of that, if you happen to set up your Ghostery to block some or all applications through Ghostery options or the panel, then Ghostery will also prevent some of those requests from ever occurring. When Ghostery blocks something, the purple alert box will have the name of the application crossed out to let you know that Ghostery has blocked it on this page.

I'll admit that I have no technical knowledge of how Ghostery works, but why does it seem to only block about 50% of trackers?

I'm not sure where the 50% comes from, please elaborate.

Ghostery carries a database with itself that currently consists of over 1300 different applications. We broadly categorize them into categories such as Advertising, Beacons, Widgets and so on. You may choose to select the companies you want to block, or you may block all of them, or you may leave everything unblocked -- up to you. We also offer explanation about what each app does (or should do).

I meant this; http://imgur.com/d9bxPI6

And please don't take it as a negative critique, like I said it's merely curiosity.

Ahh, well, you are looking at Ghostery options page. Now, if you take a closer look, you will see the "Select All" button. If you press it, all the apps will be selected to be blocked, don't forget to press "Save". Also, you can click on each category name and it will expand to show you the entire list. You will also see checkbox next to each name, thats the toggle that signifies if you want to keep this company blocked or not.

[deleted]

This is something we discuss all the time, should we block stuff at install or not? Currently, we do not block anything simply because there is too much stuff that once blocked will render websites you're on look and behave differently. This would also not fit well with out dogma of educating user rather than making decisions for them. We're adding features into Ghostery that make the decision easier, so the user may discover the services that are running on page, their purpose, and whether one should keep them away or not.

If you have ideas for us, please feel free to drop us a line on our support board or support email (support at ghostery)

[deleted]

Ahh, you may be refering to the newly added trackers sent to you through Ghostery database updates. There is an option in Ghostery Options-> Advanced-> Auto Update Library that will allow you to auto-block all new trackers.

On top of this, Ghostery on a newly installed browser will give you a wizard type of a page that walks the user through immediate setup and allows selection of apps to be blocked or unblocked at the first install.

Hi Ghostery! Love your Firefox add-on along with AdblockPlus, are there any plans to make Ghostery available on the Firefox mobile version as well as surely the trackers aren't just staying on the desktop?

Next major version of Ghostery for Firefox (v3) is implemented using the new addon SDK (jetpack). This makes it portable to Firefox Mobile and its currently on track for release in the next month or so. If you really want to get before everyone else, contact us through our support board (getsatisfaction.com/ghostery/) and I'll send you a copy.

Thanks for all the great conversations! If you have more questions or would like delve deeper, please feel free to contact us at [email protected] or start a thread on our forum: https://getsatisfaction.com/ghostery

Have a great weekend and as always.. Happy browsing!

I recently became aware of the ETag trick for preserving cookies even after people delete or block them, and was simultaneously impressed and disturbed. But that was the state of the art two years ago.

If Ghostery works the way I think, it will stop this approach. Does it? And what is the state of the art in the arms race between trackers and blockers?

Ghostery does not specifically strip eTags from the headers tho its potentially possible to do so. Maybe its something we'll look into, but remember, etags use for caching is legitimate. Using eTags for respawning of cookies and local storage is considered bad practice, so you do not see legitimate or big players use this technique, but occasionally we do run into the use of them.

As far as the race, Ghostery has a team of people and automated tools to crawl around the webbernet to see whos doing what and to discover new methods of tracking collection. The last big deal was evercookie and now we're just monitoring whos implementing parts of it on their larger networks.

you do not see legitimate or big players use this technique, but occasionally we do run into the use of them.

A number of popular sites, including Hulu and Slideshare, were caught using KISSmetrics, which used this technique. Presumably the bigger players could just buy the data from KISSmetrics, maintaining a level of deniability.

Part of the reason why bigger players avoid use of this stuff now is because of the mentioned companies. Once the re-spawning was found and exposed, those companies removed it from their arsenal and since using them may carry a penalty they are not commonly used, or at least we don't see it as very common.

Do you ever get contacted by pissed-off ad agencies or websites? Have they tried to intimidate you in any way? If so, how?

Actually, it's the opposite. Ad tech professionals and website owners use Ghostery to look for the tracking tags they've placed and keep an eye on what's appearing on their sites, so they want to be in Ghostery's library.

Occasionally someone will approach us about what they view as inaccurate representation or categorization, but those issues have always been sorted out without anybody getting salty.

Nice! I'd heard of Ghostery but wasn't quite sure what exactly it did. Definitely seems worth getting.

And now for something totally unrelated: how do you like your sandwiches? What kind of bread? Favorite lunch meat? Best condiments? Stuff like that. I've gotta ask the burning questions, PolkaPatrol.

I'm a big fan of the everything bagel as a sandwich bun. Pretty much anything but boiled eggs or artichokes can go between an everything bagel and I'll eat it. Honey mustard also makes my panda puppet clap, as it were.

If I'm running Ghostery, why does the Collusion plugin still show that I'm being tracked?

This actually depends on the browser since the content policies (parts that do detection & blocking) work in different manners. In Firefox, once Ghostery or another addon stopped a tracker, other addons do not receive information about this tracker, so they usually do not show it.

In Chrome, all content policies are notified of the tracker, and only a single one may actually decide to block it, so in Chrome with Collusion and Ghostery you will see both reporting similar results even tho only one of them blocked anything.

We wrote an article on this a little while ago, here it is: http://purplebox.ghostery.com/?p=1016022865 it has a bunch more explanations if you're interested.

Can you tell me how Ghostery compares to DoNotTrackMe? Does it accomplish the same thing in the same ways? How does it differ from that product?

DNTMe and Ghostery accomplish similar things, but there are a few differences as well. Heres a short list:

• Ghostery database is much larger
• Ghostery does not make default choices for the user, DNTMe does
• Ghostery is not an advertising product, DNTMe is an adware

In terms of technology, the products use the same APIs and thus work the same way.

I'd never heard of Ghostery before and naïvely aware about tracking so I'm reading your website. Can you recommend how I can learn/find out more about tracking and how it works? I'm interested. Thanks for the AMA!

The Wall Street Journal has built a series of reporting about tracking (web, and otherwise) that is probably a good place to start: http://online.wsj.com/public/page/what-they-know-digital-privacy.html

You can also check out this amusing explanation of search tracking from DuckDuckGo: http://donttrack.us/ - its specifically about search but the concepts apply all over the web. If you have any specfic questions, let us know here or via email - info [at] ghostery [dot] com.

What is the "half life" of user data? That is, how long do companies keep their tracking data for an individual? At what point is it too stale? Actually, as a related question - is there anything you can do after the fact to flush your data? Let's say I've been a dumb user for years, surfing the web - and then I install Ghostery and NoScript and all that... is it too late? I guess I'm hoping that my old data will eventually get stale and be thrown away.

Industry standard is to let a cookie live for 5 years, but that doesn't mean that the data in there is 5 years old. Cookies are routinely updated as the cookied user browses around, so they get refreshed on a regular basis.

It's only too stale if an ad tech company can't get extra money for matching an ad to a particular data set - so staleness varies a lot by the type of data. Things like your shopping habits, entertainment interests, etc are almost always valuable because they tend not to change very frequently. Same with a lot of demographic data - your gender and ethnicity don't change (often); and even your age is easy to follow along though it changes every year.

So if an ad company has a good idea that you're an 18-24 year old guy who likes baseball and tech gadgets, they're going to hold onto that information for as long as they can tie it back to you.

Is there any way for me, as a private citizen, to get a hold of my online profile - to see what is known (or speculated) about me?

Not on the whole, no. But there are a couple of ways you can see what individual companies know about you.

You can check out several of those lists at our parent company's site: http://www.evidon.com/consumers-privacy/manage-your-online-profile

See also Google's Preference Manager (https://www.google.com/settings/u/0/ads/)

and the Yahoo! version (http://info.yahoo.com/privacy/us/yahoo/opt_out/targeting/details.html)

[deleted]

I've got a background in ad technology - working with Ghostery was such an awesome opportunity to build on my industry knowledge in a new and responsible way. I've been a part of the team for over 3 years now and I haven't once considered doing anything else during that time.

Driving force in my life? Learning new stuff and explaining that stuff to new people. Professionally this manifests when I get crazy at a markerboard and in how /r/dataisbeautiful makes me feel kinda funny (like when we used to climb the rope in gym class).

Hopefully you'll revisit this thread at some point in the future and be happy to learn that someone laughed hysterically at the Wayne's World reference.

Party time. Excellent.

What's the best way to completely erase a trackable online presence?

Oh boy. This is a really tough question and there is no good answer since once you are online, you will leak all kinds of data whether you want to or not. That said, short of disconnecting from the internet, there are some really good practices to maintain:

• Limit the amount of real info you provide to any social network such as Facebook.
• When using sensitive websites such as your bank, try to stick to your browser private browsing mode. For extra tin foil, install Tor on your browser.
• Obviously, adding extensions such as Ghostery is a good start, but for the seriously paranoid, RequestPolicy and NoScript combination may be better.

So, I'm flirting with the idea of Adblock plus and tracker lists because I notice that ghostery slows down my firefox experience on mac. ABP uses lots of RAM, ghostery is better but it significantly slows down rendering. This does not seem to be as prominent on windows machines. Why is this the case?

Ghostery tries to do a bunch of content replacement that may be slowing down your system. If you are in Firefox, Ghostery Advanced options will give you ability to turn some of them off, try disabling Click-to-play options to see if this makes it faster for you. Also, do look over the performance settings section as well.

How did you both find and get hired by Evidon?

Here you go! Mention that you saw us on reddit :)

http://www.evidon.com/jobs

Thank you all for this great plugin, I love it for blocking that super annoying "Share This" (or whatever it's called) widget that opens and fills 1/4th of the screen with sharing options.

One question: Is there a way to find a item that breaks an entire site if it's not loaded or make it easier to locate? a few times when I open sites (especially from reddit due to the number of random websites) a site simply breaks or won't load because one or more items is blocked.

Sadly, there is no good way to find what exactly broke what, tho Ghostery is adding features that will help you find what happened. We do offer site whitelisting and no, selective unblocking, so at least handling of a site like that should be straight forward.

I absolutely love ghostery and its "install-and-forget" feature. I don't have any specific questions other than how do you guys manage to earn revenue? Also it seems like the new version supports ad-blocking. Is it safe to say that it will replace ad-block plus sometime in the near future as an all in one solution?

Edit: What advantages does ghostery have over DNT?

We make money thusly: http://www.reddit.com/r/IAmA/comments/1c4wjz/we_are_the_ghostery_team_askusanything_especially/c9d1chg

Ghostery's supported blocking of tracking scripts for a long time (since 2009), including advertising. AdBlock Plus is a tool with a slightly different agenda - but it serves its purpose well and is incredibly popular, so I don't suspect we'll see it go away anytime soon.

DNT sends a message to a server (embedded in the header of the HTTP request) that indicates you'd rather not be tracked. It's up to the company receiving the message to honor it - and how they honor that request can vary from organization to organization. It's an elegant technical solution but it lacks the standard business practice to really offer meaningful choice. Ghostery blocks the scripts from ever sending communication in the first place, so it doesn't matter if the company acknowledges your request or responds how you expected, because you never communicated with them at all.

I wish I had a smart netsec-y question, but I don't. I just love Ghostery!

Well here's a smart(ish) netsec-y answer, anyway:

Your love of Ghostery (LOVE^g )is likely derived from some combination of your desire for transparency across the web(D^t), your trust of services that have demonstrated a valuable service (T^vs), and your particular level of awareness of web tracking (A^wt). Thus:

LOVE^g = D^t + T^vs + A^wt, allowing for factors of each variable to denote relative strength.

Our love for you just = a whole lot.

Outside of outright paranoia or a sense of being violated by ad-tracking, what do you view as the strongest reasoning behind using something like Ghostery?

Phrased another way, is there something nefarious going on in ad-tracking that I haven't been made aware of?

In my view, they problem is really mostly about the lack of transparency - both in collection and in use of data.

For example, consider the pizza place down the street from my house. If I walk in and the pizza chef says "Hey Andy! Pepperoni and onions, right?" - no problem at all... it's great for me that the pizza chef understands my pizza preferences.

But if I walk into a pizza shop in a different town and THAT pizza chef says "Hey Andy! Pepperoni and onions, right?" - that creeps me out. Not because of the data - it's the same as before, and I'm not all that sensitive about my pizza preference - but it's because I don't know how he got that information. It's the lack of transparency in data collection that bothers me.

Similarly, if a health insurance company says "Wow, this dude Andy eats a LOT of pizza!" - and uses that information to adjust my rates or deny a claim - that bothers me. Not because of the decision they made... it's not especially nice, but it's well within their rights to take my eating habits into account. But if I have no visibility into the use of that data, I can't decide to eat less pizza, nor do I have any opportunity to defend myself (like, what if I was buying that pizza for my son's Cub Scout troop every week?). The lack of transparency in the use of data is the problem there.

I think the web is the same way - if it were more obvious what was going on, we could make informed choices as users, and the whole thing could run much more smoothly. For an example of how that could work, check out our recent blog post about the ad practices our our beloved reddit: http://purplebox.ghostery.com/?p=1016023185

How come when I downloaded Ghostery I got all these ads appearing as hyperlinks on words that weren't even hyperlinked?

Ghostery itself would not have caused something like that to happen. Where did you get your copy from? Which browser are you using and which site did you see this on?

I'm using Google Chrome and I think I just went to the extension shop place and downloaded it from there.

Well, why don't you remove it by going inot Manage Extensions in the wrench/three line settings in Chrome, and then install a copy from https://www.ghostery.com/download

Once installed, configure it to block everything in the advertising category and you should not see any underlined advertisements going forward.

I like your service, use it everyday. How long did it take to learn the imprints of each tracker to be able to block them effectively?

We have an automated process in which we have a crawler that walks top 1000 domains every week or two and records new third parties. this lets us know that there are new trackers to evaluate at which point we do. Generally, the process of entering a new tracker is quick, so post discovery it takes us a day or two.

Will Ghostery ever be available for IE 10?

We really, really, really hope so. IE10 is a very challenging platform to develop an extension like ours - but we're actively working on it. I just stuck my head out and asked your question to Jose, who owns that project on our dev team, and he told me we're just a few issues away from a release.

Fingers crossed that we can update you with good news really soon.

Any plans for Ghostery to integrate with safari/iOS?

Just downloaded for the iPad going to add bookmarks and try out, thank you for the browser.

We do have a release for iOS available already but due to Apples policies we are not allowed to integrate with the native browser on iOS, so currently, Ghostery is its own app. That said, its a full featured browser with Ghostery built in. Try it out: https://itunes.apple.com/us/app/ghostery/id472789016

Do you ever get angry letters or attempted take downs from some of the tracking companies you block? How do you guys usually respond?

See http://www.reddit.com/r/IAmA/comments/1c4wjz/we_are_the_ghostery_team_askusanything_especially/c9d1dpw

TL;DR No, not really. Everybody's pretty chill.

[deleted]

All derivatives of Chrome/Chromium are supported by Ghostery. That said, not all derivatives will allow you to install Ghostery from official Chrome Web Store. If you run into an issue like this, just post on our support board (https://getsatisfaction.com/ghostery/) and we will give you a direct download link.