
Privacy Badger improves privacy but breaks the web

Privacy Badger is a browser extension available for Firefox and Chromium that blocks third-parties from tracking your behavior on the web. Using an aggressive heuristics approach rather than the usual curated blocklists, Privacy Badger quite often ends up breaking sites.

Months after installing the privacy-enhancing browser extension, it will still randomly break the sites you visit regularly.

Most blocking extensions work by blocking websites matched against distributed blocklists. What sets Privacy Badger apart from all the other blockers is its use of a heuristic blocker that analyzes the third-party resources on the webpages you visit to determine if any of them are tracking your web activities or fingerprinting your browser. When the same third-party is observed to be tracking you across multiple websites, Privacy Badger will start blocking the tracker altogether or stop it from setting cookies.

The heuristics used by Privacy Badger to determine if a third-party site is tracking your activities on a first-party site are very simple and only cover the most common ways used for tracking. The “super-cookies” and other alternative forms of persistent identifiers that have filled headlines over the last few years aren’t being detected.

The project has made it clear that it wants to detect more known tracking methods in the future. As things are looking right now, they’ve got enough of a challenge with delivering a good experience dealing with only the traditional tracking methods.

A heuristic blocker is a very interesting approach and I feel it’s superior to the use of distributed blocklists. These lists are curated to the needs and incentives of others and don’t necessarily represent the best options for the user.

With Privacy Badger, the user must do some surfing before resources start to be blocked, yet it’s only the things affecting the user and the sites she normally visits that are blocked. The publishing, tracking, and advertising industries are also being pressured to respect their users’ privacy and reduce their use of persistent tracking, to avoid getting blocked and thus forced out of the market.

The big problem with the heuristic approach is that many websites use Content Delivery Networks (CDN) or dedicated domains across multiple websites for the purposes of delivering images, style sheets, and scripts.

These are also technically third-parties (a first-party is defined as the domain you’re visiting) but their purpose isn’t to track you but to either distribute load across multiple servers, better leverage caching, or circumvent arcane limitations in web browsers on the number of simultaneous browser connections to the same server. Due to a mixture of false positives in Privacy Badger and bad implementations plus sloppy testing on many such delivery servers, these often end up being blocked by Privacy Badger.

Literally the “Images not loaded” fallback graphic seen in web browsers.

Images and style sheets not loading is a daily sight even after using Privacy Badger every day for months.

When these become blocked, websites start to look distinctly broken as some or all of their style sheets and images are blocked from loading. On-page features (“widgets”) delivered from third-parties stop working and much of the fun of browsing a beautiful and functional web starts ebbing away. Users can click on the Privacy Badger extension icon and choose to unblock some blocked servers from a long list of third-parties that were detected on the site they’re visiting and possibly blocked.

Guessing which arcane domain name from a long list prevented the images you wanted to see or feature you wanted to use from loading is hard. Privacy Badger offers no assistance when it comes to unblocking third-parties. To make matters worse: you will often have to unblock a set of domains in combination to fully restore the broken pieces of the website you’re trying to bring back to life.

Another troublesome area that I’ve seen many users report bugs to Privacy Badger about is the pervasive blocking of third-party widgets. Widgets provide functionality to websites such as comment sections, social-media share buttons, and CAPTCHAs.

These resources are rightfully blocked by Privacy Badger as widgets are well-known for tracking users across the web and selling that data to yet other companies. That users want these features and don’t understand how they affect their privacy is an area where Privacy Badger falls short. There should at least be some educational links if not a full in-context explanation of how a comment widget can track you across the web. From users’ perspective, Privacy Badger just broke a website or feature they love.

To make matters worse still, this affects more websites the more websites you’ve visited: A page may work normally the first few hours or days after installing Privacy Badger, as the extension only blocks third-parties once they’ve been detected on at least three different websites. Something that worked yesterday will mysteriously not function anymore or look broken today.

When using Privacy Badger, I find myself constantly thinking “Is this not loading because something is broken, or is it blocked? Or is the network just slow?” The breakdown seems to be roughly split in the middle between the two options, but you spend more time thinking of it, and even more time unblocking and waiting for slow sites to reload again.

My own website ended up being blocked because I visited some third-party sites (web-based feed readers and blogs) that had hotlinked images hosted on my website onto their own pages. As this site sets some cookies for .ctrl.blog, my own site was suddenly considered a tracker and was blocked from loading.
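The three-site threshold and the hotlinking case described above can be reproduced with a small model. This is an added example, not Privacy Badger's code: the class and function names are hypothetical, treating any cookie-setting response as tracking is a simplification, the last-two-labels base domain stands in for a Public Suffix List lookup, and the browsing history is constructed.

```javascript
// Simplified model of a "seen tracking on N sites" heuristic.
// Not Privacy Badger's code; names and the cookie test are assumptions.
const THRESHOLD = 3; // distinct first-party sites, as stated in the article

// Naive base domain: last two labels. A real blocker would use the Public Suffix List.
function baseDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

class HeuristicModel {
  constructor(threshold = THRESHOLD) {
    this.threshold = threshold;
    this.seenOn = new Map(); // third-party base domain -> Set of first-party base domains
  }

  // Record one sub-resource request; returns true if the request would be blocked.
  observe({ pageHost, requestHost, setsCookie }) {
    const first = baseDomain(pageHost);
    const third = baseDomain(requestHost);
    if (first === third) return false; // assumption: first-party requests are never counted
    if (this.isBlocked(third)) return true;
    if (setsCookie) {
      if (!this.seenOn.has(third)) this.seenOn.set(third, new Set());
      this.seenOn.get(third).add(first);
    }
    return this.isBlocked(third);
  }

  isBlocked(domain) {
    const sites = this.seenOn.get(baseDomain(domain));
    return sites !== undefined && sites.size >= this.threshold;
  }
}

// Constructed browsing history: a blog's images hotlinked by three other sites.
function replayHotlinkScenario() {
  const model = new HeuristicModel();
  const visits = [
    { pageHost: "www.ctrl.blog", requestHost: "www.ctrl.blog", setsCookie: true },
    { pageHost: "reader-one.example", requestHost: "www.ctrl.blog", setsCookie: true },
    { pageHost: "reader-two.example", requestHost: "www.ctrl.blog", setsCookie: true },
    { pageHost: "reader-two.example", requestHost: "www.ctrl.blog", setsCookie: true },
    { pageHost: "blog.example.net", requestHost: "www.ctrl.blog", setsCookie: true },
    { pageHost: "static.example.org", requestHost: "cdn.example.com", setsCookie: false },
  ];
  return { model, results: visits.map((v) => model.observe(v)) };
}
```

In this model a repeat visit to the same hotlinking site does not advance the count, and the cookie-free delivery host is never counted at all, which is why serving static assets without cookies keeps a delivery domain off the list.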

Three years back I made an extension that blocked all third-party content from loading on every website. It completely broke the Web and hardly anything worked. I quickly abandoned it without even publishing it when it became clear it would be entirely unusable as anything but a novelty art project, depicting a less distributed-asset driven web. Without manual intervention to unblock third-parties whose content the sites you love depend on, Privacy Badger kind of feels like the useless extension I wrote years back.

Privacy Badger is available for Firefox and Chromium from the project website. I’d not recommend using this extension to anyone without a firm grasp of how the web works and how resource loading is knotted together.