Panopticlick 3.0

Today we’re launching a new version of Panopticlick, an EFF site which audits your browser privacy protection. Conceived to raise awareness about the threat of device fingerprinting, Panopticlick was extended in December 2015 to check for protection against tracking by ads and invisible beacons. This new update adds a test for trackers whitelisted by the so-called "Acceptable Ads" initiative. Acceptable Ads is a program involving the popular adblockers Adblock Plus and Adblock, whereby companies can have their ads deemed "acceptable" if they meet certain format criteria. These ads are then unblocked and any company operating above a certain threshold must agree to pay Eyeo, the owner of Adblock Plus, a fee of 30% of the resulting revenue from the ads for administering the process. This revenue is divided between the participating ad blockers.

By default, Panopticlick will now check browsers for trackers from the Acceptable Ads list by testing against a real tracker. If the browser fails, that tracker will receive some information about the user, but this minimal leakage is necessary to diagnose the problem. If you are uncomfortable with this, it is possible to opt out of the test. If Panopticlick detects inadequate protection, the user is linked to instructions to disable Acceptable Ads and fix their configuration.

What is Acceptable Ads?

Acceptable Ads is a whitelist of "non-intrusive" ads that meet requirements relating to format, size and placement on the page. The process has been operated on a for-profit basis since late 2011 by Eyeo. Large advertising companies like Amazon, Criteo, and Google make significant payments to this program, though the exact amounts are not public. Acceptable Ads serves an important policy purpose by identifying types of ads that are not visually intrusive. However, the payments that Eyeo demands for listings, and the fact that Eyeo has implemented Acceptable Ads in such a way that it silently overrides users' privacy settings, are huge problems.

The Problem with Ad Blockers as Privacy Tools

Many users install blockers not just to block obtrusive advertising but also for privacy and security reasons. Unlike tracker blockers (like Brave, Disconnect, Privacy Badger, or uBlock Origin), ad blockers offer only limited privacy protection by default. This functionality is easily extended through the addition of filters such as EasyPrivacy, a blacklist of invisible trackers. But since the launch of the Acceptable Ads Initiative in late 2011, the Acceptable Ads whitelist has been turned on by default for Adblock Plus users, as it has been for Adblock users since late 2015. The Acceptable Ads whitelist allows numerous tracking domains. Content blockers like Adblock Plus and Adblock function based on both whitelists and blacklists. When there is a conflict, the whitelist wins. This means that even though EasyPrivacy is intentionally installed and Acceptable Ads is enabled by default, whitelisted domains will not be blocked from tracking the user. With more than 10,000 domains on the Acceptable Ads whitelist, that’s a lot of tracking.

Who Benefits?

EasyPrivacy's protection is only effective if users disable the default Acceptable Ads whitelist, but the blockers offer no warning regarding the incompatibility of the two lists. This is despite the fact that tracker blocking was offered by ABP as an explicit option during installation until recently, and Adblock offers EasyPrivacy in the list of filters available for activation in its user settings. Because the Acceptable Ads whitelist is enabled by default, some EasyPrivacy users are likely unaware that Acceptable Ads is even enabled, never mind undermining their preferences. As a consequence, we believe millions of users have been unwittingly exposed to tracking.

In reality, the co-existence of Acceptable Ads and EasyPrivacy could only be logically consistent were EasyPrivacy to restrict the domains al