21 votes

The asymmetry of nudges

20 comments

  1. Wes

    I think technical users really underestimate the number of bad extensions that are out there. There's over 100,000 extensions available for Chrome alone. Extensions with even a small number of users begin to receive pressure from bad actors, to sell the extension, or to partner in some way. See Temptations of an open-source browser extension developer.

    The best method browser vendors have to curb this problem is their review process. They use a mixture of automated and manual approvals to check the code when it hits their servers. The problem is that extensions can push silent updates, loading and running code from third-party sources. This is the chief mechanism by which extension malware is spread.

    Regular users (that is, the majority of Chrome's userbase) have been the primary target of these attacks. They don't understand why their search results are suddenly going through weird-looking redirects, or why their CPU usage is 5% higher because something is running in the background. Google has been fielding these issues for years, and it's largely from bad code that is bypassing their review process. MV3 is a direct response to that problem.

    Yes, the new API is more limiting. It disallows some features that were possible before. On the flip side it's also safer and faster. Whether this is an improvement depends on your own perspective. These articles are usually written by and for the power user, but rarely is the regular user given much consideration. This article is one of the few to do so.

    Regarding ad blocking, which is only a small portion of the greater MV3 changes, I'm mostly annoyed at the misinformation in this area. The change from webRequest to declarativeNetRequest leaves intact 95% of current blocking capabilities. The new API is clearly designed to allow ad blocking. Google has been updating the API from feedback (see rule limits and dynamic rules), participated in the Ad Filtering Dev Conference, worked with popular ad blocking companies, and added automatic approvals in the review process for adblockers with static rule changes. There's been a handful of great MV3 ad blockers in the extension store for over a year now, including ones by uBlock Origin and AdGuard. So the idea that they've "declared war on adblockers" is really unfounded. In many ways, they've bent over backwards to accommodate them.

    Of course, I did say 95% intact. Sophisticated adblockers do rely on some of the dynamic code functionality discussed above for complex ads. This might be used on sites like Twitch and YouTube where it's not simply a network request, but needs dynamic logic to determine where the ad is. YouTube (under Google) has been fighting against adblockers recently, and it's reasonable to assume they will take advantage of any restrictions in the adblocking code to further their aims. So I don't completely give Google the benefit of the doubt here, even if the decisions are primarily coming from the Chrome team.

    Still, I think MV3 will be a positive change on the whole of it. It plugs all the major holes that bad actors have been abusing to take advantage of people. It prioritizes performance with the removal of background pages. It still makes it trivial to block the vast majority of ads, and does so in a more privacy-preserving way. The "MV3 adpocalypse" has been largely overstated, and I'm not sure that blocking that remaining 5% really justifies all the problems that come with it.

    23 votes
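As an added illustration of the capabilities named in the comment above (not part of the original thread, and not Chrome's own review tooling): a small audit of a parsed `manifest.json` that flags remote script sources in the CSP, `unsafe-eval`, blocking `webRequest`, all-sites access and background pages. `auditManifest`, the finding labels and both sample manifests are hypothetical and constructed for this example.

```javascript
// Added example. Function names and finding labels are hypothetical, not a Chrome API.

// MV2 declares the CSP as one string; MV3 uses an object keyed by context.
function cspString(manifest) {
  const csp = manifest.content_security_policy;
  if (!csp) return "";
  return typeof csp === "string" ? csp : (csp.extension_pages || "");
}

// Return the source list that governs scripts (script-src, else default-src).
function scriptSources(csp) {
  const directives = {};
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives["script-src"] || directives["default-src"] || [];
}

function auditManifest(manifest) {
  const findings = [];
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const sources = scriptSources(cspString(manifest));
  const bg = manifest.background || {};

  if (manifest.manifest_version !== 3) findings.push("not-mv3");
  // A remote origin or wildcard in script-src lets code arrive after store review.
  if (sources.some(s => /^(https?:|\*)/i.test(s))) findings.push("csp-remote-script");
  if (sources.includes("'unsafe-eval'")) findings.push("csp-unsafe-eval");
  // The blocking form of webRequest is what declarativeNetRequest replaces.
  if (perms.includes("webRequestBlocking")) findings.push("blocking-webrequest");
  if (perms.some(p => p === "<all_urls>" || /^(\*|https?):\/\/\*\//.test(p))) {
    findings.push("all-sites-access");
  }
  // MV3 in Chrome replaces background pages/scripts with a service worker.
  if (bg.page || bg.scripts) findings.push("background-page");
  return findings;
}

// Constructed sample: an MV2-style manifest with every flagged capability.
const mv2Sample = {
  manifest_version: 2,
  name: "constructed-mv2-sample",
  permissions: ["webRequest", "webRequestBlocking", "<all_urls>"],
  background: { scripts: ["bg.js"], persistent: true },
  content_security_policy:
    "script-src 'self' 'unsafe-eval' https://cdn.example.com; object-src 'self'"
};

// Constructed sample: an MV3 blocker that ships static declarativeNetRequest rules.
const mv3Sample = {
  manifest_version: 3,
  name: "constructed-mv3-sample",
  permissions: ["declarativeNetRequest"],
  background: { service_worker: "sw.js" },
  declarative_net_request: {
    rule_resources: [{ id: "ads", enabled: true, path: "rules.json" }]
  },
  content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'" }
};

console.log(auditManifest(mv2Sample));
console.log(auditManifest(mv3Sample));
```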
  2. [18]
    skybrian

    From the article:

    In reality, Manifest V3 was meant to solve a real problem — and did so pretty well. I know this because about eight years ago, we set out to conduct a survey of the privacy practices of popular browser extensions. We were appalled by what we uncovered. From antivirus to “privacy” tools, a considerable number of extensions hoovered up data for no discernible reason. Some went as far as sending all the URLs visited by the user — including encrypted traffic — to endpoints served over plain text. Even for well-behaved extensions, their popularity, coupled with excessive permissions, opened the doors for abuse. The compromise of a single email account could have given the bad guys access to the digital lives of untold millions of users — exposing their banking, email, and more.

    In short, we concluded that the extension ecosystem matured to the point where the old architecture was an indefensible security and privacy risk. There was no way to fix this while keeping extensions simple to write and publish, easy to install, and capable of doing whatever the heck they want. From this angle, Manifest V3 was close to the optimal fix. It wasn’t the brainchild of a sociopathic executive; it came from concerned, well-meaning engineers on the Chrome team. In fact, our earlier investigation might have played some role in getting it off the ground.

    But another thing is also true: although MV3 provides robust facilities for URL-based ad filtering, it ultimately puts ad blockers at a disadvantage in the escalating arms race with content publishers. Indeed, Google threw its own hat into the ring not long after, cracking down on ad-blockers on YouTube — and one has to note that URL-based filters are far easier for them to rein in than an old-school, unconstrained content script. In other words, the changes might have unintentionally helped Google’s long-term business goals.

    11 votes
    1. [17]
      Deely

      It's the same story again, and again: let's slightly move control from user to corporation that definitely knows what is better for user in the end. Microsoft, Google, Mozilla, Apple, they all do this. Implementing strict API with permissions that are clear for user and customizable is hard and takes resources. Resources to implement and to support. So, lets Google control what you can do and can't with extensions, that for bigger users good.

      Upd: ThrowdoBaggins explained it so much better.

      12 votes
      1. [16]
        ThrowdoBaggins

        The worries about what extensions are capable of are no different than the worries about executable files that someone might download and run.

        Big tech companies will always say that the solution is to hand them control over what can and can’t run, completely missing the point that if there were reliable, trusted, safe, auditable, open-source executables that build a reputation, then you don’t really need Big Daddy Microsoft to step in and stop you downloading executables unless you download it from their own store (oh and whoops, I guess they can profit from that action while they’re at it, no big deal)

        Also the handwringing that “these extensions are hoovering up data” like your web browser and operating system aren’t already heading in that direction is pretty appalling too...

        21 votes
        1. [2]
          Minori

          I think a major concern is malicious extensions that act like a virus. The kind of thing your grandmother accidentally installs. By handicapping extensions, there's a hard limit on the kind of mischief an extension can cause.

          Is that worth the trade-offs? Well everyone reading this comment is already above the line for tech literacy, so it's probably not for us. For Grandma? It's arguable.

          15 votes
          1. ThrowdoBaggins

            From that perspective, then, I think a default locked down environment that has an opt-out option for people who know where to go digging would be an acceptable compromise

            3 votes
        2. [13]
          skybrian

          They’re not just worries. The Internet is not safe. There are bad guys out there and there are real attacks that are going on all the time. You may not like it, but OS vendors do have a responsibility here.

          I like that Android is pretty locked down, and also that you can side-load your own apps if you turn on developer mode, which is sufficiently hidden away that non-technical users aren’t likely to turn it on. It seems like that’s the way to go. The devices that ordinary people buy in stores and that they depend on every day need to be pretty locked down out of the box because your crazy aunt has no idea where to find safe, reliable, trustworthy third-party extensions and they really do need to be protected from themselves. This is something that anyone who does tech support for non-technical relatives knows.

          It’s also something more technical users benefit from, so we don’t need to be too vigilant when doing ordinary but sensitive stuff like banking.

          But if there’s an escape hatch, we can still write our own apps and reuse old devices for our tinkering. Google is sometimes pretty good about this. You can reuse old Chromebooks, too.

          Open source developers are, for the most part, not ready to shoulder the responsibility of protecting millions of non-technical users from themselves, and furthermore, if they’re at all sensible, this is work that they shouldn’t want to do for free forever. There is inevitably going to be some professional organization, like Signal or Mozilla to name a couple of the more trustworthy ones. Even for Linux, distros are doing necessary work, and many of them aren’t really suitable for the masses. Building an organization that can take that on isn’t easy.

          As always, governance is hard and messy. Who decides which organizations are trustworthy? Most users aren’t really in a position to decide whether TikTok is an acceptable risk. If you never heard of Mullvad, how do you know whether it’s trustworthy or a scam? Do you just take the word of anonymous commenters in forums? What do they know and how did they learn it?

          In practice, stores decide what products to offer, but they often don’t do a good job of vetting (Amazon). And governments try to make sure that stores don’t sell bad stuff. Sometimes they don’t do a good job either, for example on supplements in the US.

          9 votes
          1. [12]
            Tiraon

            It's not even that I disagree, exactly. I simply come down on the side of the end users having control over their devices.

            If they actually, consciously chose to hand over that control with the full understanding of what that means for the benefit of security, with the option of getting that control back, there would be no problem.

            Even if it was the other way around and the end user could reclaim control over their own devices instead, that would be no problem too (technically you sometimes can battling the os all the way, fighting the os is not what I mean here).

            That is not the situation we are in. Concern for users is laudable but adding security against the user instead of for the user is not that.

            There are plenty of massively harmful approved and algorithmically favored sw packages on say PlayStore, or AppStore or wherever. They are simply harmful in a different way.

            4 votes
            1. [11]
              skybrian

              You’re right, the stores have their own agendas so they’re not entirely trustworthy either. I think that can be countered by having more competition among app stores, but this is a sensitive position of trust, so it should be more like competition among TLS certificate issuers where there are basic standards and shadowy entities can still be kicked off.

              (In practice, browsers and OSes vet the certificate issuers. They have trusted lists. It’s another messy governance process. They’re in charge because that’s how the technology evolved.)

              Regarding “your own device,” hobbyists can still get that by buying a Raspberry Pi or by going through the right incantations for an Android phone or Chromebook, but it’s probably for the best if hacker devices are a separate market and a router or a microwave that you buy in a retail store, plug in and forget about, is more hard-coded. This is another way of empowering the user, by making sure that they understand what they buy and it just does what it’s told, that your microwave is just a microwave and not also a node in a botnet.

              That is, it’s your device, but how do you control it, and what sort of controls should you have? Ownership isn’t enough.

              Computers can be extremely complicated. Things need to be simple and safe by default. Retail customers and small businesses simply aren’t going to and mostly can’t vet these things and someone needs to do it.

              Also, I think “users should be in control” is using a simple model of the user as “someone like me” rather than “someone I care about, but don’t entirely trust.” Kids for example. Students in education. Also, employees and contractors. If you’re a retail business, your customers are people you serve but are also strangers that you need to be wary of, which is why kiosks need to be locked down.

              The big tech vendors have ways of configuring devices so they belong to an organization and the organization can safely hand them out. For families there are parental controls. These are hierarchical systems of control, at least while you’re in the system.

              Guest networks for Wi-Fi are another example that’s a bit less formal.

              7 votes
              1. [3]
                EgoEimi

                Also, I think “users should be in control” is using a simple model of the user as “someone like me” rather than “someone I care about, but don’t entirely trust.” Kids for example. Students in education. Also, employees and contractors. If you’re a retail business, your customers are people you serve but are also strangers that you need to be wary of, which is why kiosks need to be locked down.

                I've always found the "users should be in control" model to be the tech equivalent of the libertarian's "rational consumer". Technical people vastly overestimate the average user who barely knows what a URL is.

                9 votes
                1. [2]
                  tauon

                  Technical people vastly overestimate the average user who barely knows what a URL is.

                  100%. Experience (both outward and inward, lol) shows this is a widespread phenomenon. As well as the relevant XKCD, of course.

                  2 votes
                  1. Tiraon

                    The difference with tech being of course that it is a direct large part of life of an average person. Expecting a trivial amount of knowledge should be a given (no more than would be needed to run say Windows XP).

                    Edit: to clarify - even if it is sadly not

                    1 vote
              2. [7]
                admicos

                but it’s probably for the best if hacker devices are a separate market and a router or a microwave that you buy in a retail store, plug in and forget about, is more hard-coded. This is another way of empowering the user,

                Counterpoint: "Specialized hacker editions" are out of reach for many people outside the US and "Mainstream Europe". Even if I had the resources to buy something along the lines of a Framework or a Pinephone/Fairphone/Librem 5/Google Pixel/"Whatever hip hacker phone is out there" they are impossible to find locally and extremely overpriced if imported (and in the case of phones, completely prohibited! [as of recently, it was only Ridiculously Expensive before])

                3 votes
                1. [2]
                  skybrian

                  Yes, and this is why it’s very useful when used devices can be unlocked and used for miscellaneous hacking. More manufacturers should do that.

                  I was thinking more along the lines of a Raspberry Pi, though. How available are those where you live?

                  3 votes
                  1. admicos

                    I was thinking more along the lines of a Raspberry Pi, though. How available are those where you live?

                    Raspberry Pi's themselves have an official local partner they distribute through, and I've definitely seen a handful of tech stores have the odd counter with Pis and stuff (I myself had a Pi 3 until the USB port broke and I ended up losing it afterwards before I could get it fixed), and while I'm sure online stores would probably have some of the other SBC brands out there, it's not a guarantee like it seems to be in other places.

                    4 votes
                2. [3]
                  Minori

                  I could be wrong, but I think most cheap Chinese devices are easily rooted and modified? It's also never been easier to make your own micro computer from scratch! Some countries setting stupidly high import tariffs seems like another issue altogether...

                  1 vote
                  1. [2]
                    admicos

                    I could be wrong, but I think most cheap Chinese devices are easily rooted and modified?

                    Not really...? Assuming you're talking about phones: anything Mediatek is basically a no go aside from janky GSIs if they even let you unlock the bootloader. Huawei is quite common here and unlocking them either requires paying some shady Telegram group some money and probably send them your IMEI or something to have them generate you an unlock code, or brute force it by disassembling the phone and soldering to test points on the board.

                    For my current phone, a Poco F1, I had to do a not insignificant amount of research to find something that was both available locally, reasonably priced, and unlockable. I can't just go into a store, pick a phone off the shelf, and have it be unlockable. (Funnily enough, after finding out about this model I did end up doing essentially that)

                    It's also never been easier to make your own micro computer from scratch!

                    I'm not sure how accessible that'd be to anybody not already deeply invested in this tech thing (and a reasonable income)

                    2 votes
                    1. Minori

                      Well I was indeed wrong, thanks for the info. I wasn't aware Huawei locked their boot loaders nowadays. I only run unlocked Pixels, and it hasn't been an issue. Pixels aren't really cheap budget phones though.

                      1 vote
                3. public

                  Or their QC isn't as good as the mass market models, or they're janky for no discernable reason. I'll care about the regular users when the enthusiast crowd has Apple-like build quality at prices no more inflated than official fruity MSRP.

  3. Odysseus

    This really highlights the importance of incentives and disincentives in systems. I think at the end of the day, very few people set out to selfishly cause harm or do bad things, but over time, all of the small, seemingly minor actions of the many actors in a system will trend that way if that's where the incentives lie.

    8 votes