Ghostery CEO JP Schmetz talks online privacy in the Manifest V3 era with AP

07 Nov 2024, 21:59 by Chris Thomas · Android Police

Intrusive ads and invasive tracking pervade everything around us, from top-of-the-line smart TVs to common web browsers, and they're increasingly hard to ignore. We recently had the opportunity to sit down with JP Schmetz, CEO of the Ghostery privacy suite. He had some insightful, down-to-earth observations on how average users can protect themselves and why it's a good idea.

What's happening to Chromium browsers?

How the Manifest V3 rules affect day-to-day browsing

Source: uBlock Origin

Per-site controls within the crowd-favorite uBlock Origin Chrome extension.

We started with some background on Chrome and related browsers' in-progress changes. "Manifest V3 contains the rules Google applies to extensions and what they can see and what they can modify," Schmetz explained. "It only applies to extensions, so it has nothing to do with Chrome for Android because it doesn't allow extensions." Schmetz mentioned that you'll need an extension-compatible browser like Kiwi to block ads on Android.

My first question was about the challenges the new extension rules create. "The main problem was when they announced Manifest V3 a couple of years ago, we all knew in the industry that ad blocking and privacy, basically tracker blocking, was going to become impossible," Schmetz recounted.

How to block ads on your Android phone or tablet

Keep those annoying ads away from your Android device

He explained how Ghostery has been fighting for consumers for years. "We lobbied Google quite hard in the beginning, and it turns out a lot of the things Manifest V3 would have prevented actually became possible again." He continued, "But the main difference is that on any Chromium-based browsers, you do not have access to the network layer. So, you're not really able to modify the request the browser makes in the background.

"You can block tracker requests, but only if you know what they look like before they happen. And you cannot do this on the fly like we used to do. That means an overall reduction in privacy and the power of ad blocking."

Ghostery

Ghostery is primarily a Chromum-friendly anti-tracker and ad-blocking extension. It also maintains a full-featured Firefox add-on, in addition to its own customized, privacy-forward Firefox fork, a private search engine, and more tools to aid the privacy-minded user.

See at Ghostery Ghostery Chrome desktop extension Ghostery Firefox add-on

Ghostery's fight against subversive tracking

How its software helps consumers

Source: Android Police

We then moved to what users would most easily notice about the changes. "One thing users might notice is the level of protection and blocking have decreased. We're constantly fighting services like YouTube, for example. At some point, it could become impossible to block YouTube ads or certain trackers from Google. Most users will eventually notice that."

As for what the Ghostery team is working on, he had plenty to say. "We spent two years rewriting everything to be compatible with Manifest V3, and that may not be immediately noticeable to users. But, over the last year and a half, we didn't have time to focus on new features or doing better on our normal goals because we were focused on rewriting things to continue working after the changes. As a developer, now we can finally focus again on features," Schmetz said, which is good news for all of us.

The real-world differences in Manifest V3 browsing

Source: Ghostery

Porting old extensions over to the Manifest V3 standard takes a lot of work, but Ghostery does more than build a single extension. "We do maintain a Ghostery add-on for Firefox that has more performance. And we have our own browser, for that matter," Schmetz points out, referencing the Firefox-based Ghostery Private Browser. "If you want the same level of privacy as before, you have to switch to something like Firefox. Everything Chromium-based will continue to have more difficulties maintaining that level of protection."

I asked Mr. Schmetz if users would readily notice the difference between Ghostery's Chromium plugin blocking and the performance of a Firefox-based browser with the more complete Ghostery add-on. "YouTube would work better, yes," he explained. "We focus on two things. We do ad blocking that users will certainly notice in a side-by-side comparison. Then we do anti-tracking, which is more difficult to notice because, by definition, it's in the background. But you will notice being targeted and re-targeted for things you wouldn't like to be targeted for." That includes products you've searched for or purchased without activating thorough tracking protection.

YouTube's war against third party apps is just as ridiculous as its war on adblockers

YouTube's decaying user experience has a more significant role to play in piracy than ad blocking

"The main symptom is usually Google knowing things about you that you might not even understand how it learned. So, tracker blocking is a bit harder to notice immediately. A lot of our users understand this and will notice targeted information getting through that we cannot block anymore."

How developers work against tracking

The ever-evolving struggle for privacy

Source: Mike Burgess / Android Police

I asked Mr. Schmetz to expand on the difficulties of providing a browser that isn't based on Chromium. "The main problem with smaller, non-Chromium browsers is that web developers don't always test for them. Some websites are noticeably different on various browsers."

If you really care about privacy, you should care about search. We believe people should have the ability to stay private without changing browsers. —JP Schmetz

"All the meaningful browsers have the same background as Chrome, and Microsoft isn't going to spend resources on powerful ad blocking for Edge. But Brave will implement a lot of features."

I asked Mr. Schmetz how well working against Manifest V3 will work and how viable it is in the long term. "They will be able to do it for a while because Google needs to maintain Chromium longer for some enterprises that are very slow to adapt. But, at one point, it will become virtually impossible to support an older Manifest because of the programming and security challenges.

"Eventually, there's no real advantage to that. It will be months before Manifest V2 apps completely drop out of the picture, but with some browsers, you never know when you'll lose access to Manifest V2 extensions. Maybe it will still work in a year or two or if you refuse to update your browser, but at some point, you have to update."

How to disable Google Chrome's targeted ad tracking

Turn off Google's Topics API to preserve your privacy

Ghostery's multi-faceted software offers effective, easy-to-use privacy tools. I asked Mr. Schmetz to explain the team's work on that suite. "In order to do a good job finding and blocking trackers, you need a very deep knowledge of the web and how it works. We don't really have any knowledge about what our users do," the CEO acknowledges, bringing the main point of the struggle to light. "We do know how many trackers are on a page and whether a page has important information, which lets us approach search from a privacy standpoint."

Private search is the keystone to protection

Source: Android Police

AI: Probably the least private way to search the web.

Here, we got into the crux of the issue. "Except for Brave search," Schmetz argued, "there are very few private search engines. Some would say DuckDuckGo is private, but it essentially sends all its queries to Microsoft for ad service. It's private from Google, but still not private. If you really care about privacy, you should care about search, which is why we've always included a search engine in the package."

"We are first and foremost an extension. We believe people should have the ability to stay private without changing browsers. But we understand that people who do want maximum privacy will switch browsers, so we developed the Ghostery Private Browser to provide that choice."

How privacy affects security

Less about browsers and more about real-world scams

Mr. Schmetz was also happy to talk about the impact of privacy on security. "Most security issues in the real world come from someone doing something they shouldn't have done," he pointed out. "You get an email that looks like it's from your boss at work. You click on a link in the email, and it opens a PDF file that infects your computer."

People would be surprised to see how many signals they give the advertising industry without actually talking. —JP Schmetz

He went on to explain how tracking creates different security problems. "Take an elderly, rich person," he provided as an example. "They might go to the AARP website, which is full of trackers. Those trackers can tell if someone pays property tax in a certain state, which can allow third parties to microtarget them with scams focused on their demographic. Effective privacy stops that kind of microtargeting and mitigates social engineering, which can lead people to do things they shouldn't, like sending money or exposing login details."

Android security patches don't matter as much as you think

You're not that screwed when they stop

What else users can do to stay safe

It all starts with the right extension

Source: Android Police

I asked if the average user needs to do anything specific other than activate a reputable privacy tool, and Mr. Schmetz was confident. "In a lot of ways, the extension is a great first step. You should always have a password manager instead of relying on written notes or memory, which is the biggest problem. But if you have a good tracker and ad blocker, and a password manager, then you can choose to use something like Brave search. Then you're at a pretty safe level."

I pivoted to VPNs and how important they might be to privacy today. "They used to help a lot at the beginning of WI-Fi when it wasn't encrypted," he began. "But since 2013, most internet traffic is encrypted. So, the encrypted channel a VPN provides doesn't necessarily add to that. It can change your location information, so you'll get targeted for ads in your VPN region instead of your actual location. But simply hiding your IP address like VPNs do isn't super useful in most cases. They only add to privacy if you constantly move countries."

How browser fingerprint bypasses anti-tracking efforts

Not that kind of fingerprint.

We moved on to one of the most pervasive tracking methods today, browser fingerprinting. "Historically, cookies have been the primary means of tracking," Schmetz explained. "The cookie stored on your computer contains an identifier, which is a very convenient way for sites to know who you are each time you visit.

"Many times in the past, different browsers threatened to kill third-party cookies. Firefox, Safari, and most recently, even Chrome tried to turn them off. This forced advertisers to figure out an alternative." Schmetz continued on the basics of fingerprinting, "It's basically generating a number on the fly that will always be the same for you," even though it isn't stored on your computer. "Check your computer's time to the millisecond," he provided as an example, "may be unique enough to always represent you," especially when combined with other specific information about your system.

"Privacy browsers can prevent that, but it's quite difficult for extensions to alter the fundamental ways a browser works. Ghostery has a system for identifying fingerprint creation, but it doesn't work anymore under Manifest V3," he acknowledged. "In a nutshell, this is what we're focusing on for the next 12 months: providing the most protection possible without users noticing anything breaking. That's exactly the work we have to do."

Do smartphones actively spy on our conversations?

The question everybody's always asking

Finally, I asked Mr. Schmetz for an opinion on everybody's favorite bugbear, whether phones spy on personal conversations. "I think people would be surprised to see how many signals they give the advertising industry without actually talking, with phones or desktop PCs. The additional benefit of a company spying, listening to that data, transforming it into text, and removing all the noise would be a much more difficult way to extract less data," he offered reassuringly. "Obviously, Alexa listens, maybe more than it should, as do things like Siri or Google Gemini. They definitely send training data back," he promised. "But I don't think it's particularly useful for the advertising industry to go to that extent."

He continued to explain the apparent spying phenomenon. "People think they have evidence their phone is spying because they had a conversation and soon see a similar ad. But it's amazing how bad our memory can be in terms of what we just did with our devices. Most people don't even know what page will load when they re-open their browser. And before they talk about something, they will most likely have searched for it a couple of times and forgotten."

I went a week without an adblocker to stop being such a hypocrite

Don't try this at home. Really

Maintaining privacy in a Manifest V3 world

It's harder but not impossible

There you have it, folks. Your phone isn't spying on you, but advertisers are still tracking your every move. Ghostery's up-to-date Manifest V3-complaint extension for Chromium browsers can minimize how much data they gather. Its more full-featured Firefox add-on, or its Firefox-based private browser, can elevate concerned users to the best level of privacy. And whatever you do, don't install fishy side-loaded software, click on sketchy links, or open email attachments from people you don't know.