I don’t know anyone that works at Meta, so I’m hoping that someone here could answer this for me-
What makes employees there feel good (or at least okay) about doing stuff like this? You're spying on people, no? Surveilling ordinary people, not enemy combatants or foreign militaries? Perhaps a friend of a friend or even a family member? This kind of thing is so creepy and disturbing to me, not that it’s anything new…
There are many industries which are inherently hostile to users, insurance, betting, marketing, etc. If you ask people if they feel good about enabling the kind of things these companies tend to do, you probably won't get an answer. I don't think Meta is an outlier here nor are they the only one. Even across other industries you will find many questionable practices in usual operations. If pushing the boundaries of ethics gives a business an advantage, you can guarantee that someone will be doing it, and eventually most will be doing it. It's simply the natural tendency of any system with competing entities. The question we should rather be asking is, how do we tweak the system. What can be done to disincentivize pushing the boundary like this?
In principle, I think most people believe their morals would prevent them from working at a company like Meta.
On the flip side, how much are morals worth if you have the opportunity to be financially free?
There's also the opportunity to work on interesting problems.
Anecdotally, of course, I know a Meta engineer at the L7 level (generally staff engineer in these large tech companies). He makes over seven figures a year, 75% of that being from stocks. The money is there.
> What makes employees there feel good (or at least okay) about doing stuff like this?
I got this exact thought IMMEDIATELY (yet again) and posted on it here as well, putting my two cents in.
This is totally unacceptable for a software engineer to implement features like this simply because their company told them to, doing what the company tells them to makes them money, so they do it.
No apparent thought into whether what they are creating is harmful, or caring about it.
I've given up on any anger directed towards the company itself. They will make money any way they can. Now, the engineers who actually implement it bothers me, because it is clearly not something that should be built.
To me, I don't care how much I'm being paid or how bad it would be to lose my job at that time.
I would resign before working on features like this and deal with the consequences.
History suggests there is no shortage of people who will throw all semblance of morality away as long as they are surrounded by people who they believe have done the same. I almost think the people who are not willing to cave in this way are the rare ones.
You’re not wrong, but there was a time many of olds remember when editorial content and commercial concerns were firewalled. It used to be outrageous, and usually wrong, to suggest an editorial position was contingent upon a business benefit for the media outlet.
Getting privacy advice from an adtech funded outlet sounds like reading democracy advice from the Chinese ruling party or vegetarianism advice from lions to be honest.
It might be correct-and-incomplete but they just have no credibility on the topic.
They're more tightly bound than that. They're dependent on Google Display Ads. Which really makes their whole diatribe that much more pathetic.
Any media company that decided to traffic the ads themselves, from their own servers, and inline with their own content, would effectively be immune from ad blocking.
> Ditching these deeply invasive products remains a good idea
While still allowing random third party javascript to run unchecked on a parent website.
> While still allowing random third party javascript to run unchecked on a parent website.
Lol, why are you commenting as if somehow allowing it to run negates the other good ideas in some way? Obviously some is better than none, and all is better than some, but each step takes more effort.
It’s odd that orgs like NYT don’t run their own ad services. I’m sure they have a dedicated department for ad sales for physical copies. They’re large enough that companies would work directly with them. And they would have at least some editorial control on what is displayed on their site.
I've worked for a few companies that had ad placements. I wasn't too deep into that side of things, and it was a long time ago, but as I recall, at reddit there was an in house ad auction platform. If there wasn't any ads sold for the period, we'd either show in house ads (think the old reddit merch store, pics of animals, a pic of one of the reddit staff with a paper tube on his forehead to resemble a narwhal, etc) or ads from a network like AdSense. Once upon a time this actually caused issues because there was malware being served from one of those and networks
Hosting the ads on the same server as the content is done in some cases, but doesn’t result in any immunity. If the ads are sufficiently annoying, it only leads to a merry little game with the adblocker annoyance list community, where they figure out new regexen to block the content, deploying daily. Bypass the blocks too effectively, and the adblocker will accidentally start blocking website content. Users will assume the website itself is broken, and visit less.
Self-hosting ads is not really a winning game unless your ads are non-animated, non-modal static text and images.
But I am glad they are pushing people toward other browsers because that is the biggest step. Once you have taken that step, installing the most popular extensions is trivial.
Does the ad blocker prevent leaks of your information?
I know it blocks a use of your information against you (targeted ads). And any external source is a potential leak (e.g. the kinds of things that CORS is supposed to reduce).
But does an ad blocker specifically leak more, or just reduce the incentive to collect that information?
A full-featured ad blocker (uBlock Origin original, not the neutered Lite version that runs on Chrome now) will intercept requests at the network level and prevent your browser from requesting the advertisers' JavaScript code. Your browser not only won't show the ads, it won't run the code that was supposed to show them or even send a request to the advertisers' servers.
This blocks most existing tracking methods. The only thing you're not protected from is first-party tracking by the site you're actually visiting, which is impossible to fully protect against.
> prevent your browser from requesting the advertisers' JavaScript code. Your browser not only won't show the ads, it won't run the code that was supposed to show them or even send a request to the advertisers' servers.
Incidentally, just blocking JavaScript with NoScript kills quite a lot of ads (obviously, not first-party ones if you've white-listed their JavaScript for site functionality; but I try to avoid that when there isn't real demonstrated value) without any need for an explicit ad blocker.
NoScript is indeed very effective at blocking tracking, but it also breaks a lot of websites.
If that is an acceptable compromise, you could also try ditching the Internet altogether, as that not only blocks all online tracking, it also blocks a lot of fraud, misinformation and all kinds of harmful content.
Except for non-negotiables (eg: bill paying, government websites, etc.) a website that fully breaks when blocking js is just a worthless site which is not worth my time.
That’s always my problem with NoScript being suggested. For some people who consume stuff off RSS feeds or static sites and Wikipedia that probably works. But for literally anything more than that you can’t do that.
> NoScript is indeed very effective at blocking tracking, but it also breaks a lot of websites.
Sure, images may not be present without JS lazy-loading them. Accidentally, NoScript also fixes a lot of websites. Publishers are often paywalling posts via JS and initial HTML is served with full articles.
1st-party would likely be prevented by disabling cookies? Obviously they could fingerprint every visitor on every request, but most just set an ID cookie and check it on subsequent pages I think, since that's good enough for tracking most people (who aren't actively trying not to be tracked). Of course, that breaks things that need a session (like a cart), but depending on what you want from a site, it could be fine.
Those things help, yes. I say that it's impossible to fully block first party tracking because you must interact with the server in order to accomplish anything and those interactions can be tracked. But a third party can be cut entirely out of the loop.
they don't load up the ads at all so they can't know your information in the first place at least from the ads themselves. if the website is sharing information directly there's nothing you can do outside of some kind of vpn and never logging on to any services.
I think there was a Defcon where they showed that some ad networks let the advertiser themselves provide the image/video. By targeting only people who first visited a given website, they know who you are. And by adding selectors on the ad, they extract your characteristics, including location.
It looks very stretched, but the real magic happens when this data is sold in bulk. It allows recouping who is where. Your target person may or may not be in each dataset, their location isn’t known like clockwork, but that allows determining where they work, where they sleep and who they’re with. One ad is useless as a datapoint, but recouping shows reliable patterns. And remember most people on iPhone still don’t have an adblocker.
That may not be viable for many non-technical users, which is their audience. On HN, it would be an error to omit ad blockers; the Washington Post has a different audience. I expect that most would find installing and learning a new browser to be too much effort and too hard to understand.
I would bet money that the techie they asked to put the list together included "use an adblocker." And then the higher-up who approves articles like this said "shit! wait... no, no, no, delete that one!!" These corporations are deeply deceptive.
If any software engineers out there are working on things like this I can only pray they STOP and think about why what they are doing. Implementing features by having to jump through hoops, just so that their employer can better spy on people and make more money.
That is so wrong, on so many levels ... I personally couldn't do it.
I hate this even more than NSO Group's Pegasus, which could easily get people killed. I'm ok with my reasoning, and I really hate that one as well.
Here, with Meta and Yandex, you see what you always see.
As soon as people catch on, they immediately remove it. But they will keep using it until that day comes.
For money, while trying to hide it from the users they are spying on.
It's greedy and evil and whoever in these companies think up these ideas should be let go. Immediately, in a perfect world.
Instead they'll just try another approach.
While everyone else has to clean up this latest one.
"Following public disclosure, Meta ceased using this method on June 3, 2025. Browser vendors like Chrome, Brave, Firefox, and DuckDuckGo have implemented or are developing mitigations, but a full resolution may require OS-level changes and stricter enforcement of platform policies to prevent further abuse."
What about the other apps? Now that this trick is known, either it’s completely fixed, including in system webview, or all the other usual spyware that the Play Store is full of is going to use it to track their users.
Google still hasn’t fixed the issue of apps being able to list all other installed apps on your phone without requiring permission despite having been reported months ago. They didn’t even provide an answer.
I believe Google isn’t interested in Android user privacy in any way, even when it’s to their own benefit.
At this point either use iPhone, grapheneos or no phone at all.
I believe it is good form to keep work and personal machines completely separate, including phones. If you ever have to hand over your devices for discovery in a lawsuit I think you will come to the same conclusion.
I very much agree. Retired now but I used to have a separate phone for each major client for HIPAA compliance but it's good advice everywhere (and $50 year-old android phones and $15/month Tracfone accounts aren't just for criminals!)
Remove lock-ins that forces people to use a specific chat app. Move private communication away from "platforms" to interoperable protocols. That is the only way for us to regain control over our own private communications.
Zen Browser (FF) on Win and Firefox on iOS (for sync) works well for me. Edge for all M365 related stuff. Still use Chrome for web dev. Not sure what to move on in that regard...
I'm a relatively new web dev and I've been quite happy with Firefox's Web Dev tools. What does Chrome's dev tools give someone that Firefox's doesn't? I can edit css on the fly, see where a css rule is being overwritten, debug javascript, etc.
> Millions of websites contain a string of computer code from Meta that compiles your web activity. It might capture the income you report to the government, your application for a student loan and your online shopping.
If I read that correctly then they are capturing all https web content you access in clear text and uploads it all to Meta? Then Meta
I thought the exploit was used to track where you visited, not the full data of each webpage.
It does sound fantastical. A piece of code that can violate the same origin policy would be a huge vulnerability. Meta could be working with other sites to share data on users via code running on both sites, but snooping on tax data without the IRS helping? Unlikely.
I can only assume they're suggesting that companies like Intuit and H&R Block are sharing this data with Meta, but that seems like a huge violation of privacy and with tax data it might even be illegal.
Basically, they created a channel between the browser and a localhost webserver running in their native apps, by abusing the ability to set arbitrary metadata on WebRTC connections. That way, they were able to exfiltrate tracking cookies out of the browser's sandbox to the native app, where they could be associated with your logged-in user identity.
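The channel described in the comment above depends on a public web page connecting to the local machine. As an added example (not code from the thread or from any browser), this sketch flags page-to-loopback requests in a request log; the record fields, function names, hosts and ports are all constructed for illustration.

```javascript
// Added example: flag requests that a public web page sends to the local machine.
// Record shape ({page, kind, target}) and all sample values are assumptions.

function canonicalHost(target) {
  // Force an http:// scheme so the WHATWG URL parser canonicalises the host:
  // "2130706433" and "0x7f.1" both come back as "127.0.0.1". Bare "host:port"
  // strings (as a WebRTC server entry might be logged) are handled the same way.
  const rest = target.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "");
  try {
    const u = new URL("http://" + rest);
    // hostname keeps brackets around IPv6 literals; drop them and any trailing dot.
    return u.hostname.toLowerCase().replace(/^\[|\]$/g, "").replace(/\.$/, "");
  } catch {
    return null; // unparseable target
  }
}

function isLoopbackHost(host) {
  if (host === null) return false;
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  // Dotted IPv4 (already canonical): 127.0.0.0/8, plus the unspecified
  // address 0.0.0.0, which commonly reaches local listeners.
  const v4 = /^(\d+)\.\d+\.\d+\.\d+$/.exec(host);
  if (v4) return v4[1] === "127" || host === "0.0.0.0";
  if (host === "::1") return true;
  // IPv4-mapped IPv6: ::ffff:127.0.0.1 is serialised as ::ffff:7f00:1.
  const mapped = /^::ffff:([0-9a-f]{1,4}):[0-9a-f]{1,4}$/.exec(host);
  return mapped !== null && (parseInt(mapped[1], 16) >> 8) === 127;
}

function flagLoopbackRequests(records) {
  // A page that is itself served from localhost (a developer's own server)
  // talking to localhost is not flagged; only public page -> loopback is.
  return records.filter((r) =>
    !isLoopbackHost(canonicalHost(r.page)) && isLoopbackHost(canonicalHost(r.target)));
}

// Constructed sample log.
const sampleRecords = [
  { page: "https://shop.example/checkout", kind: "fetch", target: "https://cdn.example/app.js" },
  { page: "https://news.example/article", kind: "websocket", target: "ws://localhost:5000/" },
  { page: "https://news.example/article", kind: "webrtc", target: "127.0.0.1:6000" },
  { page: "https://blog.example/", kind: "fetch", target: "http://2130706433:8080/x" },
  { page: "https://blog.example/", kind: "fetch", target: "http://[::ffff:127.0.0.1]:9000/" },
  { page: "http://localhost:3000/dev", kind: "fetch", target: "http://localhost:3000/api" },
  { page: "https://blog.example/", kind: "fetch", target: "https://localhost.example.com/" },
];

for (const r of flagLoopbackRequests(sampleRecords)) {
  console.log(`FLAG ${r.kind}: ${r.page} -> ${r.target}`);
}
```

Checking the parsed, canonical host rather than the raw string is what catches the integer and IPv4-mapped spellings of 127.0.0.1.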
I've noticed that recent Chrome version does not allow me to download the pdf I'm viewing. I had to open it in Firefox. The Chrome browser only allowed me to save it to drive (cloud)
You can absolutely download PDFs on all Chrome versions including the most recent. All you need to do is set Chrome to download them instead of open them.
I am a developer but have to deal with questions on this regularly from people at my company due to the IT department being small.
I have the opposite problem: I want to simply render the pdfs so I can, you know, read them. not download them like they are data to be fed into another app.
Maybe even a "start using Internet Explorer again" movement ;-)
For all the hate it got, IE was nowhere near as privacy-invasive as any of the "modern" browsers now, even Firefox. If you configured it to open with a blank page, it would quietly do so and make zero unsolicited network requests.
The future of Google as Chrome’s owner is genuinely in question now due to Google’s antitrust losses, in case you weren’t aware.
There’s a few different cases, one recent one Google has lost and is now in the “remedy” phase. Meaning the court has officially decided Google did bad, and is now considering what to make Google do about it. And splitting up Google into separate Chrome, search, etc companies is completely on the table.
No, that was Firefox. Chrome's spread was fueled by literal malware or spyware bundling it to get some of Google's sweet money and some of the most aggressive advertisement campaigns for any online product ever.
Was it Firefox? I remember Firefox existing at the time but I don't think it's ever really had dominant market share, perhaps when it was Netscape? I do remember the IE campaign went on quite a long time to where eventually Chrome showed up to the party and people shifted over as well as shifted their family and friends over. You don't see that kind of active effort for Firefox ever.
If we truly lived in a democracy which 'obeyed' the overwhelming will of the people, there would be laws with 'horrific' penalties for any effort to track devices or people online.
For most people in the west, using Yandex and Chinese alternatives would be better than local ones, because neither China nor Russia has any authority over you, while your local agencies do.
It's sort of interesting that Brave was not affected by this because they already blocked the technique used by the Yandex app. I wonder if Brave devs were aware of that specific abuse, or if they just thought that localhost traffic was distasteful categorically.
That's one opinion from one columnist. Also, the full phrase was "dirty war," by which they seem to mean one dominated by covert operations by intelligence services rather than conventional forces, on both sides.
Web browsers should become outmoded soon. It was fine for bootstrapping the web, but now to keep up a browser must emulate the operating system and more in a single app. This pressure is the centralizing factor in browser dominance. Ditch the features, drop the spy protocol (http), just get the files.
Turn what off? HTTP is how you receive the web page in the first place. It is not, in itself, causing data to be sent from your computer to others. That happens either because of a script on the page or because you request a web page (i.e. the browser sends headers).
I can't speak for the user who you are responding to, but an AI maxi might believe that an AI powered interface will take over all information retrieval.
Full time Firefox user. I run hundreds of tabs for days on end and need to restart it every week or so. Well worth it to not use Chrome. Need to open a site in Chrome about once a month
Firefox? Weird question. I haven't even installed Chrome in the past 7 years. Firefox is fast (but I obviously don't know if Chrome is faster) and it never crashes.
Chrome does feel faster to me; I remember someone here saying that was because of some kind of procedural loading shenanigans or something.
But the main hook for me is how websites look. I do a lot of reading on the browser, and fonts on Chrome always look better than on Firefox. I would switch to Firefox in a heartbeat if only things started looking the same on it.
I use Chrome for Google workspace, Firefox for ongoing personal logins, and Brave incognito for other browsing (restarting completely for a new session when changing gears).
Last week's discussion on a profile management tool offered several insights into how others a bit further down this path use their browsers of choice: https://news.ycombinator.com/item?id=44132752
I mean those aren't real controversies though, it's more like "we added a VPN feature and included the VPN, but have now removed it". A real controversy would be like Mozilla who was pushing for censorship and silencing "bad actors" in the years after the first Trump election.
Zen Browser works well for me. It's a Firefox fork but privacy-focused whereas Mozilla recently became an ad company and published hostile TOS changes. No issues I had when I was evaluating LibreWolf.
JavaScript Chrome developers did a good job of convincing people that Safari is the new IE.
I love Safari on macOS. I love the pinch/zoom with the tabs. I love that private browsing mode, at least seems to, keep things contained to the tab they started with. e.g. if I open facebook in a private tab then open new tab and go to facebook, it’s going to make me login.
Chrome’s developers didn’t have to say anything. Anyone who’s been trying to build on the latest web features (for me, particularly WebGL, WebRTC, WebGPU and IndexedDB) over the past decade has been bitten by Safari over and over again. They usually come around after being raked over the coals by the web dev community, but they’re still usually years behind.
When “Safari is the new IE” was first published, they absolutely were. They’ve gotten a bit better since then, but all the same it was hilarious to see people who used to rail against IE for flaunting web standards (cough John Gruber cough) suddenly start saying that web standards were a bogus racket once Apple decided to stop keeping up with them.
Safari is far from perfect, but I’m glad they don’t implement everything Chrome does. Many of the complaints come down to “Safari doesn’t even support RunBitcoinMinerInBackground.js. It sucks!”
And on the plus side, it’s vastly better at power efficiency, meaning I can use my laptop longer without being plugged in.
sure if you want to live a life stuck in the App Store and Play Store walled gardens... having a decent web browser is the way towards a truly open web
Safari is the new IE not because they refuse to implement questionable new web “standards”, but because
- It has all sorts of random quirks in their supposedly supported features;
- Mobile Safari has even more quirks;
- No other major browser introduces random serious bugs like Safari does (remember the IndexedDB one?);
- Version updates are tied to OS updates meaning it’s the only major browsers that’s not evergreen, and coupled with the previous points you have to carry workarounds for bugs forever, and of course can’t use new features;
- Extensions are 10x harder to develop and more than 10x more expensive to publish since they’re tied to Xcode, Apple Developer Program and MAS, because fuck you;
- Like another commenter said, it’s the only browser that crashes on me (random “this page has experienced a problem and reloaded” or something like that);
- PWA is another kind of hell in Safari but opinions are divided so whatever. At the very least it’s not conducive to an open web.
It’s a piece of hot garbage, like a lot of other Apple software these days. Sure, maybe it’s battery efficient or something. I don’t give a shit because I work plugged in.
Oh and developer tools in Safari are crap but who cares.
Developers don't convince anyone of anything! They just build stuff according to standards (which are inevitably set not by standards orgs, but by the most popular browsers), and then they expect all browsers to follow those standards and "just work".
When a browser like Safari fails to adhere to those standards, sites will break ... but you can't expect developers (of most sites; I'm not talking about the top 100 or anything) to test in every possible browser ... and then change their code to accommodate them. Certainly not in ones with single-digit percentages of market share, that require their own OS to test (like Safari).
If Apple wanted more web devs to support Safari they should port it to Linux and Windows. The web is supposed to be an open standard, you shouldn't need devices and software from a specific manufacturer to develop for it (I say that posting from a Mac).
I continually try, but Safari is the only browser where I routinely experience crashes once or twice a month. There are also some random incompatibilities with certain websites (related to the CORS issue as mentioned in another comment) that force me back into another browser anyway.
I tend to use Safari on my mac, but I will say that it evaluates CORS slightly differently than other browsers so that sometimes I have to disable CORS protection to get a site to work that works fine in Chrome or Firefox, and it's the only browser I've used where I expect to have it crash hard with a SEGFAULT or something every once in a while.
Is it easier to build a browser for MacOS? Arc was Mac only for the longest time, until they released a crippled Windows version. DuckDuckGo browser started Mac only.
I'm pretty worried about the security of Brave and stopped using it. I'd like to be wrong. But years old patches missing in Chromium not ported over until recently makes me nervous (referring to a recently addressed long time websocket bug in Brave). What else is missing? It just seems too risky to use for me.
Without the suggestion to install an adblocker, this is not credible advice.
A media outlet which depends on ad revenue as a primary income source is unlikely to suggest this.
Ditching these deeply invasive products remains a good idea, independent of any decision to use ad blockers or not.
The Meta/Yandex incident in particular is straight-up malware and everyone should remove their apps.
You’re not wrong, but there was a time many of olds remember when editorial content and commercial concerns were firewalled. It used to be outrageous, and usually wrong, to suggest an editorial position was contingent upon a business benefit for the media outlet.
I miss those days.
Getting privacy advice from an adtech funded outlet sounds like reading democracy advice from the Chinese ruling party or vegetarianism advice from lions to be honest.
It might be correct-and-incomplete but they just have no credibility on the topic.
Many HN commenters work for "adtech funded outlets". Do they have any credibility on the issue of privacy?
Individually they might, but I wouldn't take advice from their employers.
Is it true that, individually, Washington Post "tech" journalists might be credible but their employers would not be credible?
WaPo is dependent on subscription revenue, not ads. They limit the number of articles non subscribers can read.
They're also owned by one of the richest men in the world...
Maybe, but they refused to offer an ad-free subscription tier last time I asked. NYT and Chicago Sun Times also refused.
Of course it's dependent on ads, what are you talking about, nothing prevents showing ads to subscribers to the tune of 180 mil/year
https://cbsaustin.com/news/nation-world/washington-post-lost...
> which depends on ad revenue
They're more tightly bound than that. They're dependent on Google Display Ads. Which really makes their whole diatribe that much more pathetic.
Any media company that decided to traffic the ads themselves, from their own servers, and inline with their own content, would effectively be immune from ad blocking.
> Ditching these deeply invasive products remains a good idea
While still allowing random third party javascript to run unchecked on a parent website.
> While still allowing random third party javascript to run unchecked on a parent website.
Lol, why are you commenting as if somehow allowing it to run negates the other good ideas in some way? Obviously some is better than none, and all is better than some, but each step takes more effort.
lol, because ads pay for the content you're reading. it pays salaries.
what I _don't_ want is to be _tracked_. show me ads all day if you want.
They'd like to show you personalised ads, for more effective manipulation, which implies tracking.
It’s odd that orgs like NYT don’t run their own ad services. I’m sure they have a dedicated department for ad sales for physical copies. They’re large enough that companies would work directly with them. And they would have at least some editorial control on what is displayed on their site.
I've worked for a few companies that had ad placements. I wasn't too deep into that side of things, and it was a long time ago, but as I recall, at reddit there was an in house ad auction platform. If there wasn't any ads sold for the period, we'd either show in house ads (think the old reddit merch store, pics of animals, a pic of one of the reddit staff with a paper tube on his forehead to resemble a narwhal, etc) or ads from a network like AdSense. Once upon a time this actually caused issues because there was malware being served from one of those and networks
The NYT does have a direct-sold ads business and first-party data platform for targeting them: https://open.nytimes.com/to-serve-better-ads-we-built-our-ow...
That used to be how print newspapers worked.
Hosting the ads on the same server as the content is done in some cases, but doesn’t result in any immunity. If the ads are sufficiently annoying, it only leads to a merry little game with the adblocker annoyance list community, where they figure out new regexen to block the content, deploying daily. Bypass the blocks too effectively, and the adblocker will accidentally start blocking website content. Users will assume the website itself is broken, and visit less.
Self-hosting ads is not really a winning game unless your ads are non-animated, non-modal static text and images.
The advice is fine, just incomplete.
It is better than nothing and definitely for the more "normies" advice. Let's start there and then we can get them onto adblock and other stuff.
Btw, the ArsTechnica article they link offers more advice[0]
[0] https://arstechnica.com/security/2025/06/meta-and-yandex-are...
The FBI recommends using an adblocker: https://news.ycombinator.com/item?id=41483581
They will not bite the hand that feeds them.
But I am glad they are pushing people toward other browsers because that is the biggest step. Once you have taken that step, installing the most popular extensions is trivial.
Guess what the highest rated extensions are?
Does the ad blocker prevent leaks of your information?
I know it blocks a use of your information against you (targeted ads). And any external source is a potential leak (e.g. the kinds of things that CORS is supposed to reduce).
But does an ad blocker specifically leak more, or just reduce the incentive to collect that information?
A full-featured ad blocker (uBlock Origin original, not the neutered Lite version that runs on Chrome now) will intercept requests at the network level and prevent your browser from requesting the advertisers' JavaScript code. Your browser not only won't show the ads, it won't run the code that was supposed to show them or even send a request to the advertisers' servers.
This blocks most existing tracking methods. The only thing you're not protected from is first-party tracking by the site you're actually visiting, which is impossible to fully protect against.
>prevent your browser from requesting the advertisers' JavaScript code. Your browser not only won't show the ads, it won't run the code that was supposed to show them or even send a request to the advertisers' servers.
Incidentally, just blocking JavaScript with NoScript kills quite a lot of ads (obviously, not first-party ones if you've white-listed their JavaScript for site functionality; but I try to avoid that when there isn't real demonstrated value) without any need for an explicit ad blocker.
NoScript is indeed very effective at blocking tracking, but it also breaks a lot of websites.
If that is an acceptable compromise, you could also try ditching the Internet altogether, as that not only blocks all online tracking, it also blocks a lot of fraud, misinformation and all kinds of harmful content.
Except for non-negotiables (eg: bill paying, government websites, etc.) a website that fully breaks when blocking js is just a worthless site which is not worth my time.
That’s always my problem with NoScript being suggested. For some people who consume stuff off RSS feeds or static sites and Wikipedia that probably works. But for literally anything more than that you can’t do that.
It's not about living like a caveman. You can enable 1st party JS without JS from 20 ad/tracking hosts.
> NoScript is indeed very effective at blocking tracking, but it also breaks a lot of websites.
Sure, images may not be present without JS lazy-loading them. Accidentally, NoScript also fixes a lot of websites. Publishers are often paywalling posts via JS and initial HTML is served with full articles.
1st-party would likely be prevented by disabling cookies? Obviously they could fingerprint every visitor on every request, but most just set an ID cookie and check it on subsequent pages I think, since that's good enough for tracking most people (who aren't actively trying not to be tracked). Of course, that breaks things that need a session (like a cart), but depending on what you want from a site, it could be fine.
Those things help, yes. I say that it's impossible to fully block first party tracking because you must interact with the server in order to accomplish anything and those interactions can be tracked. But a third party can be cut entirely out of the loop.
There are ways to maintain a session without a cookie, but cookie is very convenient so that is mostly what is used.
they don't load up the ads at all so they can't know your information in the first place at least from the ads themselves. if the website is sharing information directly there's nothing you can do outside of some kind of vpn and never logging on to any services.
Yes they block tracking
I think there was a Defcon where they showed that some ad networks let the advertiser themselves provide the image/video. By targeting only people who first visited a given website, they know who you are. And by adding selectors on the ad, they extract your characteristics, including location.
It looks very stretched, but the real magic happens when this data is sold in bulk. It allows recouping who is where. Your target person may or may not be in each dataset, their location isn’t known like clockwork, but that allows determining where they work, where they sleep and who they’re with. One ad is useless as a datapoint, but recouping shows reliable patterns. And remember most people on iPhone still don’t have an adblocker.
That may not be viable for many non-technical users, which is their audience. On HN, it would be an error to omit ad blockers; the Washington Post has a different audience. I expect that most would find installing and learning a new browser to be too much effort and too hard to understand.
This is provably wrong since Google has been pushing Chrome installs for over a decade.
They suggest Brave browser, which has an adblocker built in and on by default.
It’s still good advice
I would bet money that the techie they asked to put the list together included "use an adblocker." And then the higher-up who approves articles like this said "shit! wait... no, no, no, delete that one!!" These corporations are deeply deceptive.
Source article: https://www.washingtonpost.com/technology/2025/06/06/meta-pr...
> Source article
Thx. Even the source in the slashdot article links to msn...
Written by the same person who wrote Washington Post article.
All very confusing.
MSN is all rehosted articles I believe. Several times I've searched major paper headlines to read the full story on MSN.
No idea what kind of deal these places have with Microsoft.
I like the MSN articles. My ad blocker cleans them up nicely, and they never ask me to subscribe.
If any software engineers out there are working on things like this I can only pray they STOP and think about what they are doing. Implementing features by having to jump through hoops, just so that their employer can better spy on people and make more money.
That is so wrong, on so many levels ... I personally couldn't do it.
I hate this even more than NSO Group's Pegasus, which could easily get people killed. I'm ok with my reasoning, and I really hate that one as well.
Here, with Meta and Yandex, you see what you always see.
As soon as people catch on, they immediately remove it. But they will keep using it until that day comes.
For money, while trying to hide it from the users they are spying on.
It's greedy and evil and whoever in these companies thinks up these ideas should be let go. Immediately, in a perfect world.
Instead they'll just try another approach.
While everyone else has to clean up this latest one.
"Following public disclosure, Meta ceased using this method on June 3, 2025. Browser vendors like Chrome, Brave, Firefox, and DuckDuckGo have implemented or are developing mitigations, but a full resolution may require OS-level changes and stricter enforcement of platform policies to prevent further abuse."
Text-only, no Javascript:
https://assets.msn.com/content/view/v2/Detail/en-in/AA1GecPs
What about the other apps? Now that this trick is known, either it’s completely fixed, including in the system webview, or all the other usual spyware that the Play Store is full of is going to use it to track its users.
Google still hasn’t fixed the issue of apps being able to list all other installed apps on your phone without requiring permission, despite it having been reported months ago. They didn’t even provide an answer.
I believe Google isn’t interested in Android user privacy in any way, even when it’s to their own benefit.
At this point either use iPhone, grapheneos or no phone at all.
Hmm how can I use being forced to use Chrome for work, for me tax wise…
If I’m a contractor forced to use Chrome and mobile devices, can I deduct a separate work phone?
I really hate having it on my iPhone, at least maybe I can claw something back this way?
I believe it is good form to keep work and personal machines completely separate, including phones. If you ever have to hand over your devices for discovery in a lawsuit I think you will come to the same conclusion.
I very much agree. Retired now but I used to have a separate phone for each major client for HIPAA compliance but it's good advice everywhere (and $50 year-old android phones and $15/month Tracfone accounts aren't just for criminals!)
Anyone have tips on how to avoid having the WhatsApp app on your phone?
Remove lock-ins that force people to use a specific chat app. Move private communication away from "platforms" to interoperable protocols. That is the only way for us to regain control over our own private communications.
Give your WA contacts an alternative contact method. Uninstall. Stop using WhatsApp.
Use telegram
Why telegram instead of signal?
Telegram is a privacy downgrade from WhatsApp. WA is at least end to end encrypted; Telegram is not.
Telegram is not a downgrade in this instance.
It's not encrypted by default, WhatsApp is.
Zen Browser (FF) on Win and Firefox on iOS (for sync) works well for me. Edge for all M365 related stuff. Still use Chrome for web dev. Not sure what to move on in that regard...
I'm a relatively new web dev and I've been quite happy with Firefox's Web Dev tools. What does Chrome's dev tools give someone that Firefox's doesn't? I can edit css on the fly, see where a css rule is being overwritten, debug javascript, etc.
FF dev tools just don’t work sometimes, notably with iframes, sometimes with source maps, and other edge case types things.
I use FF for 99% of dev, open Chrome maybe once a quarter. It’s a better browser.
Funny, I find Chrome Dev tools doesn't save some response bodies, while Firefox consistently does.
One can develop in FF, but has to test in Chrome. (Same with developing in Chrome and also testing in FF.)
Firefox doesn't have Workspaces. I do 100% of my CSS in Chrome Workspaces
I don't yet understand this attack.
The WP article says:
"Millions of websites contain a string of computer code from Meta that compiles your web activity. It might capture the income you report to the government, your application for a student loan and your online shopping."
If I read that correctly then they are capturing all https web content you access in clear text and uploading it all to Meta? Then Meta
I thought the exploit was used to track where you visited, not the full data of each webpage.
It does sound fantastical. A piece of code that can violate the same origin policy would be a huge vulnerability. Meta could be working with other sites to share data on users via code running on both sites, but snooping on tax data without the IRS helping? Unlikely.
I can only assume they're suggesting that companies like Intuit and H&R Block are sharing this data with Meta, but that seems like a huge violation of privacy and with tax data it might even be illegal.
It's effectively malware—this article has some more detail: https://arstechnica.com/security/2025/06/meta-and-yandex-are...
Basically, they created a channel between the browser and a localhost webserver running in their native apps, by abusing the ability to set arbitrary metadata on WebRTC connections. That way, they were able to exfiltrate tracking cookies out of the browser's sandbox to the native app, where they could be associated with your logged-in user identity.
Is there any way to fix it within Android? damn...
Yes, don't install their native apps.
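A defender-side check for the localhost listener described in this sub-thread, as an added example that is not part of the discussion or of any tool mentioned in it: it parses text in the Linux `/proc/net/tcp` format and reports listening sockets reachable from the same device, with the owning UID. The sample table, port numbers and function names are constructed for illustration; the Android UID ranges are the platform's standard app UID layout.

```python
import ipaddress

LISTEN = "0A"             # "st" column value for a listening TCP socket
AID_APP_START = 10000     # Android: first app ID given to installed apps
AID_USER_OFFSET = 100000  # Android: UID range reserved per device user

# Constructed sample in /proc/net/tcp format (not captured from a real device).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:30D4 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 41001 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 41002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 41003 1 0000000000000000 100 0 0 10 0
   3: 0100007F:9C40 0100007F:30D4 01 00000000:00000000 00:00000000 00000000 10111        0 41004 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(hex_addr):
    """Decode 'HEXIP:HEXPORT' as printed by /proc/net/tcp or /proc/net/tcp6.

    The kernel prints each 32-bit word of the address in host byte order
    (little-endian on common hardware), so every 8-hex-digit group is
    byte-reversed before it is interpreted. The port is plain hex.
    """
    host, port = hex_addr.split(":")
    raw = b"".join(bytes.fromhex(host[i:i + 8])[::-1]
                   for i in range(0, len(host), 8))
    addr = ipaddress.ip_address(raw)
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # treat ::ffff:127.0.0.1 as 127.0.0.1
    return addr, int(port, 16)


def loopback_reachable_listeners(proc_net_tcp_text):
    """Return (ip, port, uid) for every listener a local browser could reach.

    A socket bound to loopback or to the wildcard address accepts
    connections made to 127.0.0.1 from the same device.
    """
    found = []
    for line in proc_net_tcp_text.splitlines():
        fields = line.split()
        if len(fields) < 8 or not fields[0].endswith(":"):
            continue  # header row or malformed line
        if fields[3] != LISTEN:
            continue  # established, time-wait, etc.
        addr, port = decode_addr(fields[1])
        if addr.is_loopback or addr.is_unspecified:
            found.append((str(addr), port, int(fields[7])))
    return found


def app_owned(listeners):
    """Keep listeners owned by an installed app rather than a system UID."""
    return [entry for entry in listeners
            if entry[2] % AID_USER_OFFSET >= AID_APP_START]


if __name__ == "__main__":
    for ip, port, uid in app_owned(loopback_reachable_listeners(SAMPLE)):
        print(f"app uid {uid} is listening on {ip}:{port}")
```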
I've noticed that recent Chrome version does not allow me to download the pdf I'm viewing. I had to open it in Firefox. The Chrome browser only allowed me to save it to drive (cloud)
I downloaded a PDF within updated Chrome earlier this morning without problems. I would be looking at your setup to see what makes it unique.
You can absolutely download PDFs on all Chrome versions including the most recent. All you need to do is set Chrome to download them instead of open them.
I am a developer but have to deal with questions on this regularly from people at my company due to the IT department being small.
Seems weird. I'm in Chrome right now and I can right-click on PDFs and click save as.
I have the opposite problem: I want to simply render the pdfs so I can, you know, read them. not download them like they are data to be fed into another app.
Did you try finding a print button?
To… save? I get that you can print to a file and it’ll save it that way of course, but damn that strikes me as really confusing for non-techies
Save or export would make more sense but printing to pdf has been the way to do it forever.
This is how I get around that same issue, but it truly is a hacky workaround.
right-click save-as?
Thirty months old but I'm guessing they haven't improved! https://www.techradar.com/news/nearly-half-of-all-online-tra...
Source: https://www.washingtonpost.com/technology/2025/06/06/meta-pr...
Related discussion: https://news.ycombinator.com/item?id=44169115
And stop using Alexa (of course Bezos' paper wouldn't say that!)
I hope people can get a "Stop Using Chrome" movement going, like we did with Internet Explorer long ago.
Maybe even a "start using Internet Explorer again" movement ;-)
For all the hate it got, IE was nowhere near as privacy-invasive as any of the "modern" browsers now, even Firefox. If you configured it to open with a blank page, it would quietly do so and make zero unsolicited network requests.
Well IE (Edge) is Chrome now under the covers.
Chrome is fine.
Letting an advertising company own it is not.
I feel like that's like saying "it's fine, except for the bad part that you can't avoid" ;)
The DOJ could literally order their separation. So there's no part of this that's "unavoidable." Ask Ma Bell.
The future of Google as Chrome’s owner is genuinely in question now due to Google’s antitrust losses, in case you weren’t aware.
There’s a few different cases, one recent one Google has lost and is now in the “remedy” phase. Meaning the court has officially decided Google did bad, and is now considering what to make Google do about it. And splitting up Google into separate Chrome, search, etc companies is completely on the table.
Some reading:
https://www.theverge.com/23869483/us-v-google-search-antitru...
https://www.thebignewsletter.com/p/google-found-guilty-of-mo...
I'm aware, but it doesn't change day to day choices for now.
I'm also completely at a loss to imagine how chrome becomes someone else's plaything and is somehow less prone to serving advertisers.
Idk, isn't that how we got Chrome? Isn't this inviting someone else to be the new Internet abuse daddy?
No, that was Firefox. Chrome's spread was fueled by literal malware or spyware bundling it to get some of Google's sweet money and some of the most aggressive advertisement campaigns for any online product ever.
Was it Firefox? I remember Firefox existing at the time but I don't think it's ever really had dominant market share, perhaps when it was Netscape? I do remember the IE campaign went on quite a long time to where eventually Chrome showed up to the party and people shifted over as well as shifted their family and friends over. You don't see that kind of active effort for Firefox ever.
According to Wikipedia, Firefox share peaked around 31%. It was very much taking over and gaining share from IE before chrome appeared.
https://en.wikipedia.org/wiki/Usage_share_of_web_browsers#Ol...
Sounds like something written by a Google employee. Mozilla is a non-profit
Might want to look at who provides most of the funds for Mozilla.
Not for long
Safari reports that it blocked 16 trackers on WaPos home page. So it’s probably best to avoid them for privacy too.
If we truly lived in a democracy which 'obeyed' the overwhelming will of the people, there would be laws with 'horrific' penalties for any effort to track devices or people online.
For most people in the west, using Yandex and Chinese alternatives would be better than local ones, because neither China nor Russia has any authority over you, while your local agencies do.
This. Separation of concerns is a good thing. In this case "people who spy on you" and "people who kick your door in and shoot your dog".
supermium --ungoogled-supermium
https://win32subsystem.live/supermium/
https://github.com/win32ss/supermium
It's sort of interesting that Brave was not affected by this because they already blocked the technique used by the Yandex app. I wonder if Brave devs were aware of that specific abuse, or if they just thought that localhost traffic was distasteful categorically.
I really wish I was ok, morally, with using Brave.
One of the few that seem to have their shit together
Washington Post also called Ukraine's attack on Russian bombers "dirty"
That's one opinion from one columnist. Also, the full phrase was "dirty war," by which they seem to mean one dominated by covert operations by intelligence services rather than conventional forces, on both sides.
Can you elaborate?
Web browsers should become outmoded soon. It was fine for bootstrapping the web, but now to keep up a browser must emulate the operating system and more in a single app. This pressure is the centralizing factor in browser dominance. Ditch the features, drop the spy protocol (http), just get the files.
> the spy protocol (http)
I'm afraid I can't guess your reasoning.
How do I turn it off?
Turn what off? HTTP is how you receive the web page in the first place. It is not, in itself, causing data to be sent from your computer to others. That happens either because of a script on the page or because you request a web page (i.e. the browser sends headers).
block port 80
What will the alternative to web browsers be after they become "outmoded"?
I can't speak for the user who you are responding to, but an AI maxi might believe that an AI powered interface will take over all information retrieval.
What is the alternative to chrome that doesn’t crash or is not noticeably slower?
Full time Firefox user. I run hundreds of tabs for days on end and need to restart it every week or so. Well worth it to not use Chrome. Need to open a site in Chrome about once a month
The upcoming version has "Unload tabs" built in to the context menu. That should result in restarts limited to updates.
I use the Auto Discard Tabs plug-in, just lets tabs time-out after a set amount of time
I've used Firefox for years and it very rarely crashes. Individual tabs will crash occasionally, but rarely the entire browser.
Firefox? Weird question. I haven't even installed Chrome in the past 7 years. Firefox is fast (but I obviously don't know if Chrome is faster) and it never crashes.
Chrome does feel faster to me; I remember someone here saying that was because of some kind of procedural loading shenanigans or something.
But the main hook for me is how websites look. I do a lot of reading on the browser, and fonts on Chrome always look better than on Firefox. I would switch to Firefox in a heartbeat if only things started looking the same on it.
What's wrong with Firefox?
And if you're not a fan of Firefox, Ladybird is becoming a thing in 2026
I use Vivaldi[1]. Also has built-in ad-blocker although I'm not sure how good it is compared to Ublock or others.
[1] https://vivaldi.com/
seconded. been loving vivaldi since i switched.
I use Chrome for Google workspace, Firefox for ongoing personal logins, and Brave incognito for other browsing (restarting completely for a new session when changing gears).
Last week's discussion on a profile management tool offered several insights into how others a bit further down this path use their browsers of choice: https://news.ycombinator.com/item?id=44132752
Brave Browser: https://brave.com/
Brave has some controversies: https://en.wikipedia.org/wiki/Brave_(web_browser)#Controvers...
I mean those aren't real controversies though, it's more like "we added a VPN feature and included the VPN, but have now removed it". A real controversy would be like Mozilla who was pushing for censorship and silencing "bad actors" in the years after the first Trump election.
I use firefox full time, it works great for me.
Zen Browser works well for me. It's a Firefox fork but privacy-focused whereas Mozilla recently became an ad company and published hostile TOS changes. No issues I had when I was evaluating LibreWolf.
Well, for the past twenty years, Firefox has been a good alternative browser to Chrome, IE, etc.
I feel like people sleep on safari, especially on Macs.
JavaScript Chrome developers did a good job of convincing people that Safari is the new IE.
I love Safari on macOS. I love the pinch/zoom with the tabs. I love that private browsing mode, at least seems to, keep things contained to the tab they started with. e.g. if I open facebook in a private tab then open new tab and go to facebook, it’s going to make me login.
Chrome’s developers didn’t have to say anything. Anyone who’s been trying to build on the latest web features (for me, particularly WebGL, WebRTC, WebGPU and IndexedDB) over the past decade has been bitten by Safari over and over again. They usually come around after being raked over the coals by the web dev community, but they’re still usually years behind.
When “Safari is the new IE” was first published, they absolutely were. They’ve gotten a bit better since then, but all the same it was hilarious to see people who used to rail against IE for flouting web standards (cough John Gruber cough) suddenly start saying that web standards were a bogus racket once Apple decided to stop keeping up with them.
You're drinking Apple kool-aid if you think Safari isn't holding web back.
Lots of anti-google people dislike Safari. Safari isn't the only non-google option you know.
Safari is far from perfect, but I’m glad they don’t implement everything Chrome does. Many of the complaints come down to “Safari doesn’t even support RunBitcoinMinerInBackground.js. It sucks!”
And on the plus side, it’s vastly better at power efficiency, meaning I can use my laptop longer without being plugged in.
sure if you want to live a life stuck in the App Store and Play Store walled gardens... having a decent web browser is the way towards a truly open web
Apple is slow to adopt new features, sure, but Google bulldozes features to be first to market so it can be implemented the way they want it implemented.
>Google bulldozes features to be first to market so it can be implemented the way they want it implemented
Can you give an example of this?
Safari is the new IE not because they refuse to implement questionable new web “standards”, but because
- It has all sorts of random quirks in their supposedly supported features;
- Mobile Safari has even more quirks;
- No other major browser introduces random serious bugs like Safari does (remember the IndexedDB one?);
- Version updates are tied to OS updates meaning it’s the only major browser that’s not evergreen, and coupled with the previous points you have to carry workarounds for bugs forever, and of course can’t use new features;
- Extensions are 10x harder to develop and more than 10x more expensive to publish since they’re tied to Xcode, Apple Developer Program and MAS, because fuck you;
- Like another commenter said, it’s the only browser that crashes on me (random “this page has experienced a problem and reloaded” or something like that);
- PWA is another kind of hell in Safari but opinions are divided so whatever. At the very least it’s not conducive to an open web.
It’s a piece of hot garbage, like a lot of other Apple software these days. Sure, maybe it’s battery efficient or something. I don’t give a shit because I work plugged in.
Oh and developer tools in Safari are crap but who cares.
Significantly better battery life too. Like hours.
Developers don't convince anyone of anything! They just build stuff according to standards (which are inevitably set not by standards orgs, but by the most popular browsers), and then they expect all browsers to follow those standards and "just work".
When a browser like Safari fails to adhere to those standards, sites will break ... but you can't expect developers (of most sites; I'm not talking about the top 100 or anything) to test in every possible browser ... and then change their code to accommodate them. Certainly not in ones with single-digit percentages of market share, that require their own OS to test (like Safari).
Wikipedia says Safari’s their #2 browser, with 17% traffic share: https://en.wikipedia.org/wiki/Usage_share_of_web_browsers
Web devs ignore Safari at their own risk, lest 100% of iPhone users be unable to use their site.
If Apple wanted more web devs to support Safari they should port it to Linux and Windows. The web is supposed to be an open standard, you shouldn't need devices and software from a specific manufacturer to develop for it (I say that posting from a Mac).
At some point there was a Safari for Windows.
I continually try, but Safari is the only browser where I routinely experience crashes once or twice a month. There are also some random incompatibilities with certain websites (related to the CORS issue as mentioned in another comment) that force me back into another browser anyway.
I tend to use Safari on my mac, but I will say that it evaluates CORS slightly differently than other browsers so that sometimes I have to disable CORS protection to get a site to work that works fine in Chrome or Firefox, and it's the only browser I've used where I expect to have it crash hard with a SEGFAULT or something every once in a while.
Safari lags on implementing key web tech
What experiences have you had with crashing, noticeably slower browsers? I haven't seen that in any modern browsers.
I’m using Firefox and Kagi’s Orion browser [1] on my Mac and Safari on iOS.
[1] https://kagi.com/orion/
Is it easier to build a browser for MacOS? Arc was Mac only for the longest time, until they released a crippled Windows version. DuckDuckGo browser started Mac only.
> Is it easier to build a browser for MacOS?
Financially, probably. Apple customers represent a disproportionate share of global consumer disposable income.
Technically, I guess Unix-like, BrowserEngineKit and WebKit (Orion uses this) help. Good question, hope someone knowledgeable chimes in!
Firefox + uBlock Origin
Any browser that lets you block javascript? It is weird how we now call browsers fast because they can quickly render the most cancerous content.
Firefox.
Firefox. It's been my default browser for years but now I'm noticing sites that don't work properly with it. I'm not sure why.
It also has a really annoying 'feature' that its update process will sometimes force you to restart the browser.
Doesn't crash? Firefox/Mullvad Browser is fine.
Not slower? Safari or Orion.
I like Vivaldi myself.
I really like Brave, blocks youtube ads and generally just works where other chrome alternatives don't https://brave.com/download/
I'm pretty worried about the security of Brave and stopped using it. I'd like to be wrong. But years old patches missing in Chromium not ported over until recently makes me nervous (referring to a recently addressed long time websocket bug in Brave). What else is missing? It just seems too risky to use for me.