> These two sentences highlight the underlying problem: Developers without an ethical backbone, or who are powerless to push back on unethical projects.

One reason your boss is eager to replace everyone with language models, they won’t have any “ethical backbone” :’)

I completely agree.

Fighting against these kinds of directives was a large factor in my own major burnout and ultimately quitting big tech. I was successful for awhile, but it takes a serious toll if you’re an IC constantly fighting against directors and VPs just concerned about solving some perceived business problem regardless of the technical barriers.

Part of the problem is that these projects often address a legitimate issue that has no “good” solution, and that makes pushing back/saying no very difficult if you don’t have enough standing within the company or aren’t willing to put your career on the line.

I’d be willing to bet good money that this LinkedIn thing was framed as an anti-bot/anti-abuse initiative. And those are real issues.

But too many people fail to consider the broader implications of the requested technical implementation.

> These two sentences highlight the underlying problem: Developers without an ethical backbone, or who are powerless to push back on unethical projects. What the article describes should not be "what many devs would land on" naturally. What many devs should land on is "scanning the user's browser in order to try to fingerprint him without consent is wrong and we cannot do it."

I think using LinkedIn is pretty much agreeing to participate in “fingerprinting” (essentially identifying yourself) to that system. There might be a blurry line somewhere around “I was just visiting a page hosted on LinkedIn.com and was not myself browsing anyone else’s personal information”, but otherwise LinkedIn exists as a social network/credit bureau-type system. I’m not sure how we navigate this need to have our privacy while simultaneously needing to establish our priors to others, which requires sharing information about ourselves. The ethics here is not black and white.

You can't actually push back as an IC. Tech companies aren't structured that way. There's no employment protection of any kind, at least in the US. So the most you can do is protest and resign, or protest and be fired. Either way, it'll cost you your job. I've paid that price and it's steep. There's no viable "grassroots" solution to the problem, it needs to come from regulation. Managers need to serve time in prison, and companies need to be served meaningfully damaging fines. That's the only way anything will get done.

I integrate these kinds of systems in order to prevent criminals from being able to use our ecommerce platform to utilize stolen credit cards.

That involves integrating with tracking providers to best recognize whether a purchase is being made by a bot or not, whether it matches "Normal" signals for that kind of order, and importantly, whether the credit card is being used by the normal tracking identity that uses it.

Even the GDPR gives us enormous leeway to do literally this, but it requires participating in tracking networks that have what amounts to a total knowledge of purchases and browsing you do on the internet. That's the only way they work at all. And they work very well.

Is it Ethical?

It is a huge portion of the reason why ecommerce is possible, and significantly reduces credit card fraud, and in our specific case, drastically limits the ability of a criminal to profit off of stolen credit cards.

Are people better off from my work? If you do not visit our platforms, you are not tracked by us specifically, but the providers we work with are tracking you all over the web, and definitely not just on ecommerce.

Should this be allowed?

One works for money. And money is important. Ethics isn’t going pay mortgage, send kids to university and all that other stuff. I’m not going to do things that are obviously illegal. But if I get a requirement that needs to be met and then the company legal team is responsible for the outcome.

In short, you are not going to solve this problem blaming developer ethics. You need regulation. To get the right regulation we need to get rid of PACs and lobbying.

[dead]

But LinkedIn is the one social network many people literally cannot escape to put food on the table.

I don't care about how much spying is going on in ESPN. I can ditch it at the shadow of a suspicion. Not so with LinkedIn.

This is very alarming, and pretending it's not because everyone else does it sounds disingenuous to me.

> Yes, but I also think that most people would interpret "Getting a full list of all the Chrome extensions you have installed" as a meaningful escape/violation of the browser's privacy sandbox.

I don't think so, because most people understand that extensions necessarily work inside of the sandbox. Accessing your filesystem is a meaningful escape. Accessing extensions means they have identification mechanisms unfortunately exposed inside the sandbox. No escape needed.

It's extremely unfortunate that the sandbox exposes this in some way.

Microsoft should be sued, but browsers should also figure out how to mitigate revealing installed extensions.

> I also think that most people would interpret "Getting a full list of all the Chrome extensions you have installed" as a meaningful escape/violation of the browser's privacy sandbox

I think that’s a far more reasonable framing of the issue.

> I don't think describing it as something everybody would expect is totally fine and normal for browsers to allow is correct.

I agree that most people would not expect their extensions to be visible. I agree that browsers shouldn’t allow this. I, and most privacy/security focused people I know have been sounding the alarm about Chrome itself as unsafe if you care about privacy for awhile now.

This is still a drastically different thing than what the title implies.

> The gathering not being targeted is not an excuse for gathering the data in the first place.

I’m not saying it is. My point is that they appear to be trying to accomplish something like getInstalledExcentions(), which is meaningfully different from a small and targeted list like isInstalled([“Indeed.com”, “DailyBibleVerse”, “ADHD Helper”]).

One could be reasonably interpreted as targeting specific kinds of users. What they’re actually doing to your point looks more like a naive implementation of a fingerprinting strategy that uses installed extensions as one set of indicators.

Both are problematic. I’m not arguing in favor of invasive fingerprinting. But what one might infer about the intent of one vs. the other is quite different, and I think that matters.

Here are two paragraphs that illustrate my point:

> “Microsoft reduces malicious traffic to their websites by employing an anti-bot/anti-abuse system that builds a browser fingerprint consisting of <n> categories of identifiers, including Browser/OS version, installed fonts, screen resolution, installed extensions, etc. and using that fingerprint to ban known offenders. While this approach is effective, it raises major privacy concerns due to the amount of information collected during the fingerprinting process and the risk that this data could be misused to profile users”.

vs.

> “Microsoft secretly scans every user’s computer software to determine if they’re a Christian or Muslim, have learning disabilities, are looking for jobs, are working for a competitor, etc.”

The second paragraph is what the article is effectively communicating, when in reality the first paragraph is almost certainly closer to the truth.

The implications inherent to the first paragraph are still critical and a discussion should be had about them. Collecting that much data is still a major privacy issue and makes it possible for bad things to happen.

But I would maintain that it is hyperbole and alarmism to present the information in the form of the second paragraph. And by calling this alarmism I’m not saying there isn’t a valid alarm to raise. But it’s important not to pull the fire alarm when there’s a tornado inbound.

Extensions are files installed on your computer, though?

> but the language of "your computer" implies files on your computer, as it would be what people commonly call it. Merely just the extension is not enough.

But the language of "your computer" also implies software on your computer including but not limited to Chrome extensions.

Are you defending LinkedIn’s behavior right now or are you just happy to be more technically correct (the best kind of correct!) than those around you? Trying to understand the angle

>Where do browser extensions exist? I've got a dreadful feeling they might be on my computer.

all of the browser extensions I'm aware of are on planet earth, so i guess you'd have it linkedin is searching the planet for your browser extensions?

Beyond just invasive/annoying, ad networks explicitly spread malware and scams/fraud. There's not much incentive for them to clamp down on it, though, as that would cost them money both in lost revenue and in paying for more thorough review.

Figure this: You could plaster a page with the most obtrusive ads imaginable without ever showing a cookie banner, when they collect no private info.

Most people, including folks on here, think cookie banners are a problem, but they are just an annoying attempt to phish your agreement. As long as these privacy loopholes exist, we will keep hearing such stories even from large corporations with much to loose, which means the current privacy regulations do not go far enough.

> The social contract was "your ads aren't annoying or invasive

Even back in the 1990s the internet was awash with popups, popunders and animated punch-the-monkey banner ads. And with the speed of dial up, hefty images slows down page loads too.

You must be a true Internet veteran if you remember a time ads weren’t annoying!

I remember how I felt the first time I saw an ad come across my browser, it seems so long ago - I guess it was more than a quarter century ago now. I knew it was going to be downhill from there, and it has been.

Ya, back when 'we' were fucking around on BBS's there was the equivalent of 10 people online at the time.

Quantity is a quality in itself. Your BBS was never going to support a million users. Once people figured out the network effect it was over for the masses. They went where the people are, and we've all suffered since.

> a) we opened a club house called the internet in the early 1990s, just after the time of BBSs

"we" is doing a lot of work here. No clubhouse got optical switching working and all that fiber in the ground for example. Beyond POC, the Internet was all commercial interests.

This is ignoring things like newspapers that were made obsolete by the internet. At some point someone does need to actually pay for the content we see online. That is if we want that content to actually be good.

not sure why you're talking about "commercial business" being the one inserting ads everywhere when even niche community run forums from the 2000s also had ads to help pay for their server costs. At the end of the day all this costs money. Whether its paid by ads or direct subscriptions. IMO the problem is more about concentration and centralization of the internet into a handful of sites than advertising.

I mean yeah, you pay for the internet. But many sites are free to use only due to ads.

Such as news and magazine sites, many of which are actively dying due to a lack of revenue.

I personally wish these sites could all switch to paid models, because I also don’t like ads.

But absent that, I’d like to support the sites I use so that they don’t go out of business.

Isn't Brave backed by Peter Thiel? That alone would make me not trust it but they also have baked in crypto and other weird stuff.

Firefox on Android has approximately 0.5% market share on mobile, less than Opera. I really doubt it's enough to spark any sort of industry-wide change.

Lite doesn't actually protect you.

Which do you use? I was unaware that Apple even let such apps on the App Store. I always assumed that their ToS would strictly prohibit it.

But there's no method or structure in place to pay a website a fraction of a cent. Ads are the only way we've found that actually implements a form of microtransactions... paying a tenth of a penny for a sliver of attention.

I don't want to defend ads, but whatever replaces them is going to be very disruptive. Maybe better, but very different.

YouTube had an estimated $40 billion in ad revenue in 2025: https://techcrunch.com/2026/03/10/youtube-surpasses-disney-p...

And has roughly 2.7 billion monthly active users. This means the average YouTube user brings in around $1.23 per month. When you consider that CPM's can easily swing by 20X based on how wealthy the user demographic is, and willingness to pay a subscription is a strong signal for purchasing power, I would not be at all subscribed if a YouTube premium subscription was revenue-neutral for Google.

I believe this and it makes a web 3.0 solution seem viable if only we could escape the collective action trap

This may be a hot take but I'd be willing to pay my ISP $10 extra that they would distribute to sites I visit, if it meant zero tracking and ads. I use an ad blocker but I genuinely want to support content creators in a way that doesn't optimize for ads or clicks.

There would need to be a way for ISPs to know which websites are getting my traffic in order to know who to distribute the money to, which I'm not a fan of. But I think something along those lines, with anonymized traffic data, would work a treat.

That'd be ideal because it would mean I could browse the internet without ads and just never use AI chatbots. Unfortunately I think ads are only going to spread and what we'll actually end up with is "more ads everywhere".

Yes, but the Awful registration fee is more like a speedbump to make banned behavior at least a little expensive to the offending users. Most of the revenue comes from completely optional aesthetic purchases: avatars, avatars _for others_, smilies, etc. I suspect it's a whale based economy.

I would love to get something more akin to a monthly print issue of BYTE, Omni, Starlog, Reality Hackers, WIRED and Dr Dobbs Journal without blinky, shouty ads that cause the content to re-render every 10 seconds.

I would pay money for that.

> If there is any way to make cash from news, shouldn't Bezos have been able to do it??

News only made money when the newspapers could leverage their circulation numbers to run their own ads network. The classifieds section was a money machine. I remember full-page ads in the Washington Post from local car dealerships showing every model they were selling. They likely ran different ads for distribution in other regions, probably 10Xing their money. Google and Facebook killed that.

What Bezos bought was a corpse of a business, but one with strong journalistic credibility known for historic investigative analyses such as the Watergate cover-up that earned public goodwill. He was buying that goodwill and slowly asphyxiating it to align with his own interests.

> Free does not scale

No disagreement there, except the early web was not about scale. The sites you visited may have been created by someone as a hobby, a university professor outlining their courses or research, a government funded organization opening up their resources to the public, a non-profit organization providing information to the public or other professionals, or companies providing information and support for their products (in the way they rarely do today).

> people need to eat, pay for rent

Those people were either creating small sites in their spare time, or were paid to work on larger sites by their employer.

There were undoubtedly gaps in the non-commercial web. On the other hand, I'm not sure that commercializing the web filled those gaps. If anything, it is so "loud" that the web of today feels smaller and less diverse than the web of the 1990's.

Newspapers continue to run ads even after the paywalls went up everywhere a decade or so ago. Once "premium" offerings like HBO, which were ad-free on cable TV, now has ads on its paid streaming version. Even with the "premium" subscription tier, there's sponsored/co-branded content. And for some reason, it now has live sports, where they have no control over the ads shown.

The problem was less the scale of supply and more the scale of demand.

In the 19th century, economist William Stanley Jevons found that, as coal became more readily and easily available, demand for it went up. This was counter to the theories of others, and the principle became known as Jevons Paradox.

Jevons Paradox (a concept that is widely misunderstood, especially when it comes to tech and finance bros talking about AI) demonstrates that, a resource becomes more abundant and easily accessible, demand for that resource rises. As the web took off, people hungered more and more for digital content -- especially as internet accessibility became faster and cheaper.

To keep up -- and to pay for being able to keep up -- increasingly sophisticated monetization models were introduced.

In any case, ad models are one thing. But it's the data brokering that's even more insidious.

The irony is that if internet content were harder to access, the population on the whole wouldn't want it as much.

Now, the culmination of Jevons Paradox has spun itself around a bit in this case. We now live in a world where those profiting off of ad models and data brokering actively try to get people to demand internet content more. (Look no further than the recent social-media-addiction lawsuits.)

> I would rather pay people and websites for content.

I do not think that this is a workable model. Firstly, because it leads inevitably to monopolization, because you don't want to pay 50,000 people for content, you want to pay 10 people for content. Secondly, because most content is bad and a waste of time and you don't find out until after you've bought it. Thirdly, and most importantly, is that there's no actual, clear separation between "news" and "advertising."

Content is generated because people who want that content generated sponsor it beforehand, and dictate the conditions under which the delivery of that content will be accepted as a fulfillment of that sponsorship. The people sponsoring that content can have any number of reasons for doing it; it can make them money directly (i.e. I have articles about cats, people who like cats subscribe to my cat website), which if you're a linear thinker you think is the only way, or it can make them money indirectly, maybe by leading consumers to particular products or political stances that they have a stake in.

This is simply the truth. Your preferences don't matter, and it's not a moral question. If you pay for content, you're more valuable to advertise to, not less. A lot of work is put into producing trash that you regret having read or watched, and was really intended to make you support Uganda's intervention in a Zambian election (or whatever.) If you "value" reading it, you've failed an intelligence test. Its value is elsewhere for the people to paid for it to be written.

What's recently shown itself to scale is small groups of people sponsoring journalists and outlets who put out tons of content for free. The motivation of those sponsors is usually to spread the points of view of the journalists they sponsor widely, because they believe them to be good.

There was never a pay model that supported things that people didn't feel passionate about or entertained by. Newspapers cost less than the paper they were written on. Television news was always a huge money loser that was invested in to raise the social status and respectability of the network. If you feel passionately about anything, you're far better off paying people to listen, to give you a chance, than to lock away content. Journalism as a luxury good can work, but only for Bloomberg terminals and Stratfor, when it is used to make other lucrative decisions by its buyers.

> orgs like Wikipedia, the Internet Archive, and others who have an endowment behind them

This is simply sponsorships by governments and billionaires. Never ever been any significant shortage of that (the patron saint of this is King Alfonso X.*) All of those people have wide interests that can often be served by paying for media to be produced or distributed. It's where we got our first public libraries from.

For me, the fact that Substack and Patreon almost work is more important, and is something that wouldn't have been as easy without the benefits that the internet brings for the collaboration of distant strangers.

-----

[*] https://en.wikipedia.org/wiki/Alfonso_X_of_Castile#Court_cul...

I run into occasional articles, often linked from here, for say economist or ft.com or new york times

I'm not signing up for a subscription for that journal, but paying a small amount for access to that one article is a no brainer. I don't subscribe to a newspaper either, but I'll happily buy one.

The New European did this a decade ago using "agate" (named after the smallest font you'd get in a newspaper), top up with a few quid, then pay for each article.

Sadly didn't catch on. TNE dropped it in 2019[0]. Agate still exists, having been renamed to "axate", but consumers aren't willing to pay with anything other than their time.

[0] https://pressgazette.co.uk/news/new-european-drops-micro-pay...

Sadly you are atypical and the vast majority are freeloaders, who even without ads or tracking will try and find another way not to pay.

Yeah, the fact that the only way that these products can survive in the competition of how I spend my time is a testament to how shitty they are.

I think the damage is there even if you don't see the ads. News outlets and organizations that used to be magazine publishers focus on lowest common denominator stories they know will get the highest engagement. That usually means sexy anger-bait.

Sure we had that in the print times, but we had a lot more "slow" content that you could sit with and contemplate over a day, week or month.

Even those of us who don't see ads see the structure that the ad-driven internet economy creates. Listicles, clickbait and AI-generated slop web pages, just trying to get more ad impressions. Sure, with an ad blocker I can see the low-quality content without an ad, but without the ad economy hopefully there'd be less incentive to create low-quality content to begin with.

Nary a month goes by that I don't bemoan the loss of BYTE and Dr Dobbs Journal. WIRED is still hanging on, but it's more of a site where tech warehouses in Shenzhen hawk there latest wares.

There was a time when Boing Boing was a decent little print magazine. And the web site went a decade before turning into... whatever the heck it is now.

And Reality Hackers and Mondo 2000 were "guaranteed unreadable," but they were on the bleeding edge of desktop publishing style and technology.

I'm old enough to remember typing BASIC games from COMPUTE! into my C64 and reading about the latest Star Trek film in Starlog.

I sing the praises of Omni, even though it was clear they were probably snorting a lot of cocaine in their offices.

I can't be the only one who remembers Computer Shopper, but I have to admit it was years before I realized they had a bit of content and were more than just an ad sheet for Micro Center.

PC World wasn't my jam, but I respected the role it played. UnixWorld and Info World were more my thing.

And I even read the stories and articles in Playboy in the 70s. Believe it or not, they had some amazing authors publish stories there.

Apple is worth nearly $4T. I think they can afford to take a principled stand here, especially considering the current mood about big tech.

And I don't think Google would lightly give up being the default search engine on the dominant mobile platform in the USA, and significantly more dominant among upper-income users.

The best browser is either Waterfox or Librewolf since they're Firefox-based but don't steal your data or claim copyright on it.

[dead]

I'd like to install uBlock Origin, when I try, Chrome warns it needs the permission to, "Read and change all your data on all websites". That seems excessive, to give that much power to one extension. I currently use no extensions to keep my security posture high.

Appreciate the clarification, I would clarify to say the origin story of Ad blockers are ads, and the underlying behaviours may not capture everything that fingerprinting may do where people don't advertise.

Ublock is great, but I am finding fingerprinting that gets past it and that's what I'm referring to.

alternatively, css can script quite a bit... :)

I use uBlock Origin with basically every filter list enabled on Brave with their default blocker enabled. I just confirmed that this does not prevent the script from loading and scanning extensions. The browser tools network tab on LinkedIn is absolutely frightening.

According to the EFF fingerprinting website, Firefox + uBlock Origin didn't really make my browser particularly unique.

But turning on privacy.resistfingerprinting in about:config (or was it fingerprintingProtection?) would break things randomly (like 3D maps on google for me. maybe it's related to canvas API stuff?) and made it hard to remember why things weren't working.

Not really sure how to strike a balance of broad convenience vs effectiveness these days. Every additional hoop is more attrition.

> Every time you open LinkedIn in a Chrome-based browser

I thought uBlock Origin was now dead in Chrome?

I remember a few hacks to keep it going but have now migrated to Firefox (or sometimes Edge…) to keep using it.

Go try it with fingerprint.com. Even post-sanitization, pi-hole, you name it, it will be surprising.

Well it would be more appropriate headline if it would be about broken browser behavior.

But this is about major corporation sneakily abusing this to ilegally extract specific sensitive data which they are abusing.

This is a Chrome thing. It’s a safe bet that if you use Google products you don’t care about privacy anyway. “Google product collects info about you: news at 11.”

> 1. Do a request to `chrome-extension://<extension_id>/<file>`. It's unclear to me why this is allowed.

Big +1 to that.

The charitable interpretation is that this behavior is simply an oversight by Google, a pretty massive one at that, which they have been slow to correct.

The less-charitable interpretation is that it has served Google's interests to maintain this (mis)feature of its browser. Likely, Google or its partners use similar to techniques to what LinkedIn/Microsoft use.

This would be in the same vein as Google Chrome replacing ManifestV2 with ManifestV3, ostensibly for performance- and security-related purposes, when it just so happens that ManifestV3 limits the ability to block ads in Chrome… the major source of revenue for Google.

The more-fully-open-source Mozilla Firefox browser seems to have had no difficulty in recognizing the issues with static extension IDs and randomizing them since forever (https://harshityadav.in/posts/Linkedins-Fingerprinting), just as Firefox continues to support ManifestV2 and more effective ad-blocking, with no issues.

> Who makes browsers? Ad companies.

> Of course Google is going to back door their browser.

Aside from the fact that other browsers exist, this makes no sense because Google would stand to gain more by being the only entity that can surveil the user this way, vs. allowing others to collect data on the user without having to go through Google's services (and pay them).

Absolutely not. At no point am I saying this is ok.

I’m saying that the framing of the article makes this sound like LinkedIn is the Big Bad when the reality is far worse - they’re just one in a sea of entities doing this kind of thing.

If anything, the article undersells the scale of the issue.

You really need to work on your reading comprehension, dude.

This doesn’t fit the description of scraping by any normal definition. It’s a classic feature probe structure, where the features happen to be scraping extensions.

I think it’s kind of funny that HN has gone so reactionary at tech companies that the comments here have become twisted against the anti-spam measures instituted on a website that will never trigger on any of their PCs, because HN users aren’t installing LinkedIn scrape and spam extensions.

well if they have evidence why they dont report it? why are these extensions on the store? im sure linkedin has enough motion to report it directly to google

also, having a PQC enabled extension doesnt seem like a good "large user base capture" tactic.

the source code is as usual obfuscated react but that doesnt mean its malicious...

EDIT: i debuged the extension quickly and it doesnt seem to do anything malicious. it only sends https://pqc-extension.vercel.app/?hostname=[domain] request to this backend to which it has permissions. it doesnt seem to exfiltrate anything else. it might get triggered later but it has very limited permissions anyway so it doesnt seem to be a malicious extension. (but im no expert)

Probably compromised extensions or misleading extensions.

You'll have to do better than "Probably."

What is it about the tech bubble that compels people to proactively apologize for and excuse the bad behavior of trillion-dollar companies?

This only happens if the extension puts their `moz-extension://` links into the DOM. It's different to chrome case where extensions can be detected regardless of being activated on that site or not.