Skip to content

Ghostery

yokoffing edited this page Aug 9, 2020 · 50 revisions

Ghostery

Last updated: 8 August 2020 | download

Ghostery helps you browse smarter by giving you control over ads and tracking technologies to speed up page loads, eliminate clutter, and protect your data.

❤️ Why Betterfox Loves Ghostery

  • Blocks ads and trackers effectively. Annoyances, too!
  • Deploys AI and heuristics to catch trackers not on popular blocklists. (And if a tracker isn't blocked, then the request is modified and anonymized to prevent site breakage.)
  • Enables language-specific filters automatically based on your browsing habits (without any data leaving your browser).
  • Plus, your data usage is reduced by more than 100x. Instead of always downloading the complete filter lists after an update, only the entries that have actually changed are updated.

Import the Betterfox recommended setup for Ghostery!

FAQ

Extension Comparisons

Privacy

Human Web

Rewards Program

Partners and Owners


Extension Comparisons

Why would I use Ghostery over uBlock Origin?

uBlock Origin is an amazing extension, no question. There are still differences with Ghostery, though, which would make people use one or the other. Putting the UI aside (some people really like the Ghostery UI and the way it allows to gain insight about what was blocked for example), there are differences in the privacy protection built-in.

Ghostery extension contains multiple features aiming at preventing tracking, blocking ads, etc. There are three main mechanisms for this, layered and complementary:

  1. A network request blocking mechanism based on a list of known trackers, categorized, which are shown in the UI as they are detected and blocked on each page visited (e.g.: tracking, advertisement, etc.).

  2. An adblocker feature similar to uBlock Origin, AdGuard, or Adblock Plus. It uses the usual blocklists (such as Easylist and a few more by default) to identify requests to block to prevent ads from loading as well as some tracking. It also supports cosmetic filtering (aka elements hiding) and scriptlet injections.

  3. An anti-tracking technology, which blocks third-party cookies and also detects and prevents fingerprinting attempts. The methodology we use to power this feature is unique and you will not find it anywhere else.

Around May 2020, Ghostery added the option to block annoyances as well. Ghostery uses a mix of community-driven lists such as uBlock filters — Annoyances or EasyList cookie, as well as some custom filters.

uBlock Origin is a content blocker (and a very good one, Gorhill is doing an amazing work with uBO), but blocklists have well-known limitations which make them an imperfect privacy protection tool (i.e. because of slow updates, limited coverage and exceptions for some domains/requests to not break websites), which is why an approach like (3) is desirable.

Of course it depends on how you setup uBlock Origin, the more you block the better, but it also increases breakage and you will never be able to block everything (this would break a lot of websites and you would have to whitelist some requests, leaving your privacy un-protected).

On top of the part actively protecting privacy like anti-tracking and content blocking, there are other features to clear cookies from tracker domains to keep a "clean slate", etc. (A bit like what Safari and Firefox have implemented). For example, Ghostery clears cookies from tracking domains that you did not visit as first parties after an hour or so, hardening the protection further. ^1

"Ghostery does not have much customization or fine-grained controls (dynamic filtering, medium mode, element picker etc.)."

This is an interesting point and I think it is worst pointing out that Ghostery is aiming at providing the best privacy protection out-of-the-box. This also means that IMO there is less of a need for dynamic filtering and medium mode, which are (I think), mostly needed because of the limitations of content blocking (e.g. not all requests can be blocked otherwise websites are broken, so there needs to be a way to fine-tune the behavior manually).

On the other hand, in Ghostery we introduced (alongside the traditional content blocker or adblocker), an anti-tracking feature which is not based on blocklists, and is able to remove unsafe datapoints (e.g. fingerprints, third-party cookies, unique identifiers, etc.) from requests without having to block them, drastically reducing breakage.

It's great to offer customization options, but this does not automatically translate into better privacy (and there are other ways to increase the privacy protection and reduce breakage). In the end these features are targeted at power users, but I would argue that they are not necessarily increasing the privacy offered by the extension (e.g., Ghostery anti-tracking does not require any customization but still allows to remove unsafe data points from all requests with lower breakage rate than content blockers).

To summarize, I agree that uBlock Origin gives more customization options, but I don't think this is necessarily the most relevant metric to compare extensions. I would rather focus on the privacy protection offered (especially out-of-the-box, since most users will likely not change the settings). ^4

Be sure to check out the Betterfox recommended setup for Ghostery!

Limitations of conventional content blockers

How can you be sure that all trackers are blocked by static lists? How long does it take to create a filter when a new tracker domain is created? As far as I can see, there are a lot of exception filters to unbreak sites, what happens if these request send unsafe datapoints which can track users?

Take some random domains and look for cases of requests containing unsafe data being sent while having uBlock Origin enabled (default settings). Check lesnumeriques.com, visit a few pages and look for ultimedia.com: it tries to set a tracking cookie. Same for economist.com (check tinypass, not blocked but sets a tracking cookie, Ghostery removes the cookie from request), same on msn.com, visit a few pages and check platform.twitter, tries to send tracking cookie (blocked by Ghostery but not uBlock Origin), etc. Of course, you could arbitrarily harden the settings of your content blocker, block all third-party cookies, etc., but this comes with breakage; and unless you block everything, you will never be sure that all trackers are blocked.

My point is not that uBlock Origin is doing a bad job; in fact, I think that this is an amazing content blocker. But there are some fundamental limitations to content blocking which prevent it from being able to perfectly protect privacy, for few reasons:

  • Not all requests can be blocked (or you break websites, login workflows, etc.), so you need to create exceptions and whitelist requests, which leaves privacy of users at risk.
  • It can take time for maintainers to create rules for new trackers. For some less known websites, rules might not even exist (yet).
  • It is not necessarily possible to identify what a tracker even is by just looking at requests, without having a way to know if the values sent (e.g. cookies, query params, etc.) are unique to a specific users or shared by many. ^5

Do I still need Privacy Badger?

Privacy Badger is, to the best of my knowledge, the only other popular extension which uses some kind of heuristics to block tracking. There are some fundamental differences in how Privacy Badger and Ghostery work, though.

For example, Privacy Badger will try to learn over time which domains are "tracking" you then block these in the future, based on locally analyzed information. In contrast, Ghostery's anti-tracking is working out-of-the-box and privacy protection is derived from a global knowledge of trackers on the Web.

Another big difference is that Privacy Badger will block requests, but Ghostery's anti-tracking is able to drop unsafe data-points from requests without having to block them completely (e.g. fingerprints, tracking cookies, unique ids, etc.); this in turn leads to much lower breakage of websites. To be clear, Ghostery also employs a traditional content blocker, but the privacy of our users does not depend on us blocking all requests (which is impossible by the way, unless you want to break lots of websites). So the anti-tracking will sanitize any request which was not already blocked, to ensure privacy is not at risk.

Also, a heuristic approach like Privacy Badger is limited by just having local knowledge. In many cases it will not know if data sent is unique to a user (this can only be tested by opening another browser and checking if a different value would be sent). Thus some kind of collaboration is required between users to determine what data is safe, and what is not—and this is the method Ghostery's anti-tracking uses.

We do identify potential user-identifiers (i.e. any value which would allow to identify a user uniquely over time) if only one user is sending such data. The assessment is done as a quorum, where only data that a lot of users are sending is considered safe, since it could not be used as a way to link records by a third-party, hence track. To do this only with local information is impossible, and while it can offer a good degree of protection, the collaborative effort implemented as part of Ghostery is much stronger.

Screenshot-2020-08-08-at-12-31-10-PM.jpg
https://s3.amazonaws.com/cdncliqz/wp-content/uploads/2016/07/08101643/cliqz_whitepaper_tracking1.pdf

Also, all messages are anonymized and no record linkage can be done on the server side (we have no way to know if two messages come from the same users). We wrote extensively how this is possible in our two blog posts about Human Web and our anonymization network layer. Of course, this means that there is no unique identifier attached to messages.

Last but not least, yes the data you mention is useful for building features that are yet to come. For example, we needed data before we could launch the tracking protection feature few years back. There is a chicken and egg problem. Some seem to be very focused on the data part, without attempting to evaluate if that data compromises the privacy of the users in any way. Sorry, but it is not always the case that data implies lack of privacy, we wrote about it here. ^6


Privacy

Does Ghostery collect and sell my data?

Ghostery neither collects nor sells data about users or trackers. In fact, we even open the insights we have about the tracking landscape via https://whotracks.me/, so that everyone can benefit from it. ^3

But I've heard that Ghostery couldn't be trusted...

You might be referring to the pre-2017 era where Ghostery belonged to a company named Evidon (which had a business model of collecting and selling data to other companies). It was then acquired by Cliqz (which builds a private and independent search engine as well as privacy-focused browsers). Since then the business model has been dropped, code has been open-sourced and Ghostery is now exploring ways to monetize through paid products, as well as client-side offers targeting called rewards. ^2

Human Web

What is the Human Web?

The Human Web is an open-source technology built by our parent company, Cliqz, that uses the power of anonymous group data create innovative browser technologies to make the internet more private. Users that participate in the Human Web contribute anonymous information related to trackers, websites, and search queries that are then analyzed and evaluated for relevance and safety. This data is used to create anonymous group models that power the private quick-search, anti-tracking, anti-phishing technologies featured in Cliqz products and which will soon be featured in Ghostery.

The Human Web is built using world-leading privacy-by-design practices that ensures that any data that is collected is done completely anonymously without any personally identifiable information. To achieve this, the Human Web implements two core components: its data collection framework and its proxy network.

The Human Web data collection framework requires that the data points contributed by users are evaluated only as a single, aggregated event, disentangling these signals from any personally-identifiable information such as timestamps or user IDS. Furthermore, The Human Web filters out any sensitive or personal information from URLs that are deemed unsafe (e.g., twitter.com/username) that can be used to identify an individual person. Thus, we are neither able to combine data from multiple entries or multiple visits to websites, nor to link this information with any personal information, like email addresses or user IDs, that can be used to identify an individual.

As a further safety precaution, this information is sent through the Human Web proxy network, a series of peer-to-peer proxies that remove information like the user IP addresses, making it virtually impossible to determine who or where the data comes from. The proxy network itself is blind to the content of the data its sending, adding a further security measure to the process. Consequently, all data we collect is virtually unidentifiable by anyone, including ourselves, so that even if our security were breached by a hacker our outside organization, there would be absolutely no way to tie this information to individuals.

The specific data contributed through the Human Web includes:

  • Non-Private URLs
  • Search queries along with Search Engine Results Pages
  • Suspicious URLs that are potential phishing websites
  • Information related to safe and unsafe trackers
  • Information related to the prevalence and performance of trackers

Though the Human Web is more powerful as more Cliqz and Ghostery users join it, participation in it is completely optional. If you do not want the Human Web to collect anonymous statistical data about your searches and website visits, you can adjust your settings in the Ghostery Menu.

If you’d like to dive into the weeds and learn more about the Human Web, you can check out the source code in our open-source Github repo.

Is my data truly anonymous?

Concerning Ghostery still collecting some data on users: I would like to give some more insights about why we think this is not a black or white situation. Ghostery does collect some anonymous data from users, which is not the same thing as collecting "user data". This usually takes the form of anonymous statistics which cannot be linked back to users on the backend, we make sure of that using Human Web and our network anonymization layer.

The anonymous data is always collected in such a way that it is specific to a use case: for example powering the anti-tracking feature, and cannot be re-purposed for anything else (which basically makes the data useless except for the purpose it was initially intended for).

Detailing the anti-tracking use case a bit more, these anonymous statistics are used to learn about trackers throughout the Web and allow to protect all users in real time. It allows us to go beyond the usual blocklist approach (used by all adblockers) which requires humans to look at websites and create new rules (this can take days, putting privacy at risk); in contrast, our anti-tracking can detect new trackers in real time thanks to Ghostery users monitoring the internet and reporting new threats. We also open up these statistics to power https://whotracks.me/ so that anyone can learn about the tracking landscape (this is possible because the data is only about the trackers, not the users).

Of course, all of this can be turned-off if desired, but we make sure that there is no negative privacy side-effect if you don't. In fact, this helps protect the privacy of users (e.g. such as with anti-tracking described above which is made more powerful thanks to statistics contributed by users). ^10

Is the Human Web opt-in or opt-out?

I would like to point out that when you install Ghostery on Firefox, the Human Web is opt-in and not opt-out as I read in this thread (you can verify this by installing Ghostery on Firefox). But I would also like to address the "data collection vs. privacy" argument, which is in my opinion, a false dichotomy.

Ghostery does indeed collect some anonymous data from users, which is not the same thing as collecting "user data". This takes the form of anonymous statistics which cannot be linked back to users on the backend (i.e. record linkage is impossible), we make sure of that using Human Web and our network anonymization layer.

The anonymous data is always collected in such a way that it is specific to a use case: for example powering the anti-tracking feature, and cannot be re-purposed for anything else (which basically makes the data useless except for the purpose it was initially intended for).

Detailing the anti-tracking use case a bit more, these anonymous statistics are used to learn about trackers throughout the Web and allow to protect all users in real time. It allows us to go beyond the usual blocklist approach (used by all adblockers/content blockers) which usually requires humans to look at websites and create new rules (this can take days, putting privacy at risk); in contrast, our anti-tracking can detect new trackers in real time thanks to Ghostery users monitoring the Internet and reporting new threats. We also open up these statistics to power https://whotracks.me/, so that anyone can learn about the tracking landscape (this is possible because the data is only about the trackers, not the users).

Again, all of this can be turned ON or OFF at any time from settings, but we make sure that there is no negative privacy side-effect if you don't. In fact, this helps protect the privacy of users (e.g. the anti-tracking system described above is made more powerful thanks to statistics contributed by users). ^15

I'm not really comfortable with the supposedly anonymous data being collected.

Totally fair, not everyone has to be. This is also a tricky matter for us because we have to get some data in order to build a competitive search engine 1. But we really do not want to collect any personal information at all about users. For this reason, we spent years coming up with a system to achieve this goal: Human Web. We wrote at length about its implementation on our tech blog 2 as well as the network anonymization layer that we built to ensure anonymity at the network level 3 (HPN). ^13

Rewards Program

What is Ghostery Rewards?

Ghostery Rewards is an optional, private-by-design feature that delivers you high-value offers as you browse and make purchases online. Rewards can be viewed, managed, and turned on or off at any time within the Ghostery extension or Ghostery Tab. It is powered by our sister company, MyOffrz.

How does it work?

All Rewards come pre-loaded within your local Ghostery extension, where they remain passive until unlocked. A Reward is unlocked when you complete a set of action triggers that indicate your active interest in making a purchase for which a related offer exists. These triggers funnel potential Rewards based on a set of logic criteria until a match is found and displayed.

How is my data kept private in this process?

Ghostery Rewards operates locally, meaning it is completely contained within your browser and does not transmit personal information back to Ghostery, Cliqz, or any other third party companies. Because your data never leaves your device, it remains in your possession and under your control – we do not collect, process, or store it centrally on a server. We cannot profile you or share your data with anyone else. In this way, Rewards is fully private-by-design, making it a powerful new way to gain real value by completely anonymous means.

How is this program different from advertisements?

Firstly, I understand that trust is something that takes time to build, but we try hard to be transparent, by having all code being open-source and visible to anyone with the time and skills to dig in (and I know not everyone can do it but this is something communities can do collectively; and they already do it, for example on Reddit); and also communicating openly about what we do and how.

Secondly, there is an on-boarding process for this feature. Here I installed Ghostery and on the first visit to a page which could potentially trigger a Reward the following pop-up asks if the user would like to see Rewards in the future or not (screenshot). If the answer is "No", then the feature is disabled. We have also written about it on our blog. It's also part of the "Custom Setup" flow which is accessible from the Ghostery Hub (opens automatically on install).

Lastly, I'd like to challenge the idea that Rewards are juts like ads on the Web. We really took a different approach here (and this made things much harder for us than if we had taken the "usual" path of advertisement; but this would have been totally incompatible with our values so this was a no-go), put aside the trust issue addressed above, the fact that:

  1. Everything happens client-side (there is no server-side aggregation of personal data for targeting or anything like that); the data remains under control of the user, on the device; that's where it belongs.

  2. The Rewards are not shown on random pages (like usual ads), but we try to pick the moment where they would be most relevant. This means that they are shown less often and are hopefully more relevant.

  3. The location where Rewards are shown is always the same and very predictable (top right of the screen, close to Ghostery menu), this also helps reduce the distraction when compared to ads on website which are usually placed they can capture your attention best (and is also where they are potentially the most annoying for users).

And of course this feature can be disabled, either during the onboarding described above or in the Ghostery settings at any point of time (menu "Opt In / Out"). ^7

I'd rather just pay you for your software, and then we can have mutual trust.

This is great to hear, but you are unfortunately part of a tiny minority of users who would like to pay for a privacy-extension or browser. Our past experience shows that most users are not willing to do so, and this is why Reward became a thing. For everyone else, we invest heavily on paid products such as Ghostery Midnight and Ghostery Insights so that people who are willing to pay to support us can do so. This is definitely the cleanest and most transparent way to support Ghostery, and we would love if more and more people would pick it.

We will continue to work hard to improve the communication and transparency in the future and your feedback is very helpful in this regard. ^8

So if one opts out of the "Rewards" system, no data is collected or stored, neither locally or anywhere else? Or is this data still collected in case user would have a change of mind and turn "Rewards" back on?

This is correct. When opted-out, the Rewards module is completely disabled and no data whatsoever is kept-track-of. The source code does not even run, in fact. ^9

Partners and Owners

Who is Cliqz?

Cliqz GmbH is a German company owned by Hubert Burda Media who has acquired the popular Ghostery brand and consumer products, including the anti-tracking browser extensions and mobile apps, from Evidon, Inc. Cliqz is a provider of innovative, privacy-focused browser technologies with integrated quick-search functionality. By combining algorithmic and blocklist anti-tracking approaches, Cliqz and Ghostery will together raise the benchmark in privacy protection. The acquisition of Ghostery’s 10 million active users around the globe will spur Cliqz’s international growth. ^11

Cliqz experiment with Mozilla

Regarding the experiment, I think it would be more correct to say "Mozilla's experiment with Cliqz" than the other way around, as the idea was for them to explore new ways to provide a more private search experience by default in Firefox (compared to default Google with query suggestions enabled), as well as a potential different way of generating revenue in a private way. Cliqz is just one way they experimented with, since we were building an independent search as well as privacy protection in our browsers already. Before the experiment our technologies were thoroughly audited for security and privacy (on top of the audits that we run regularly). Eventually the experiment ended and Mozilla decided to not proceed, but not because of security of privacy concerns; sadly, the communication about that was fairly bad.

We wrote more about this on our tech blog recently if you are interested. ^12

I heard Cliqz has shut down. Does that mean Ghostery has too?

The Ghostery extension is alive and well.

Hubert Burda Media has a majority share in the company and old German media companies have a history of getting internet related things wrong - should we not be worried about their influence on the company?

First of all, I think it is healthy to be skeptical about any company or community developing a privacy-centric product, in general. I too often see people in "privacy communities" who blindly accept advice about which extension to use/not use, etc. without spending a bit of time to check the facts. It requires time, but scrutiny is pretty important.

That being said, Cliqz has a majority share holder: Hubert Burda Media. To start build a truly independent search engine (own search index with no reliance on another's search engine API; like Bing) with privacy built-in, requires initial funding. Cliqz has been working on it for years, as well as on privacy-preserving technologies (e.g. Anti-tracking) and browsers. I do not personally see Burda starting to ask us to do things which would put our users at risk, or go against our values: I would expect most people working at Cliqz to oppose strong resistance to that.

But, even if something like that would happen, we built our technologies from the ground up to be harmless to our users, even if we turned evil. As an example, if you look at the way Human Web and HPN were built (from the blog articles I shared in my previous answer), any data collected is basically useless for any other use case than the one it was initially intended for; this also means that we cannot track back who sent which data . This non-reusability is primordial, as it means that we know just enough to do what we want to do (e.g. improve our search index or run our anti-tracking technology); but it would be impossible to repurpose the same data for anything else. This also implies that we have no way to know which user sent which data, thanks to the very strict checks implemented client-side to prevent record linkage (see Human Web) and our network anonymization layer (see HPN). ^14


My recommended build

You can import my recommended Ghostery setup by downloading this file and importing it into the Ghostery extension.

  • Ads + trackers + Annoyances blocked
  • (Only four or five exceptions made due to site breakage)
  • Smart Block disabled
  • “Allow trackers created by site owners” (first-party trackers) disabled
  • Purple Box disabled
  • Human Web and additional analytics disabled by default
  • Ghostery Rewards disabled
Clone this wiki locally