Posted on

Focus & Blur: Behavioral Inference & the Tattletale Browser

This web thing’s been bugging me for too long. Have you ever tried to background a tab that is playing insufferable & unskippable content, only to find out that the annoyance has paused itself until your eyeballs are known be aimed back at it? Why do browsers honor requests to let websites know if you’re paying attention or not?

This is achieved by relying on the focus and blur events. But there are many UI Elements that rely on them to trigger useful UI responses. Think of a suggestion box that shows up when you click in a search bar for example. The window element though, is one for which I cannot think of a single instance where the focus and blur events at are used to benefit the user. I think a well intended couple of events were generally implemented to every possible elements, but one of them reveals more than was intended and is abused to that effect. Why would ad-blocker not nuke them either? I’ve gone through this rabbit hole several times over the years trying to find an extension or adblocker customization to dismiss these events. Alas, they never seem to have made it into the crosshair as the true annoyance that they are. How do you like to have your browser report how good you are at consuming content as intended?

These events are responsible for more ills than making sure you’re watching, they are a key metric for inferring behavior. As with much of data mining, what’s scary isn’t really the information you’re giving away, it’s what can be inferred from it. In a way these attention events are perfectly suited for the attention age. Particularly though, they matter when they are attached to the window element. As far as I know, that is the only method I’ve seen in the wild that is abused into this purpose.

In any case, since I never could find anything, here’s what I came up with. The best way I found to run user JS on all websites is using Tampermonkey. Then here’s the script I’m running:

// ==UserScript==
// @name         Attention Event Nuker
// @namespace    http://tampermonkey.net/
// @version      2024-05-01
// @description  nukes focus and blur events when attached to the window element
// ==/UserScript==

(function() {
    var old_add_event_listener = EventTarget.prototype.addEventListener ;

    EventTarget.prototype.addEventListener = function(event_name, event_handler) {
        if( this.toString()==window.toString() &&
           (event_name=="blur" || event_name=="focus") ) {
            console.log( "attention event caught: " + event_name + " on: " + window.location.host ) ;
        } else {
            old_add_event_listener.call( this, event_name, event_handler ) ;
        }
    };
})();

Unfortunately I did run into a couple of sites that somehow rely on the events to even work properly. I don’t think I want to reverse engineer them 1 by 1 so I’m adopting a blacklist of sites which is a bit obnoxious. For a while I did have the script report which sites were asking for the events, the results weren’t surprising and showed that pretty much any big site with a baseline of behavioral data mining wants to know what your eyeballs are in front of.

Posted on

Pi-hole

I don’t know why I didn’t deploy this before, but this is another case where Docker lowers the bar of entry and makes running this less of an ordeal.

10% of internet traffic at home is ads & trackers (well 10% of DNS queries but let’s not split hair).

This number is obviously higher in reality considering all the ads and trackers which DNS alone can’t tackle. Ublock Origin is still really busy after all.

There are 2 main drivers of these 10%. Unsurprisingly a 13 year old’s windows machine, he just wants to game but gaming now means being online and bundling in greedy vectors to your eyeballs. The other unsurprising culprit is an iPhone tied to social media. Without these 2 devices, we hover around 2% with 10+ various connected devices. With them we immediately jump to 10% of all home internet traffic being ads.

The real beauty of Pi-hole, is in being able to neuter various household “smart” devices. The printer which calls home and requires extra buttons presses to annoy us into a firmware update we don’t want. Screw you Epson. The connected TV which should have never been connected but the kids wanted Netflix, and oh surprise ads are now everywhere. Screw you Roku. Both are gone now. Pi-hole makes it very easy to see what clients are contacting and neuter it along with the millions, yes millions of worthless domains your home network will never see.

A few years back, I tried a more drastic approach doing a full network proxy with whitelist only. But that proved too cumbersome to setup and maintain. Specifically, the interconnectedness of everything. You can’t just allow one website through, it requires too many dependencies to be functional. I wish they had a concept degrees past whitelisted websites one can get to, but they didn’t. Say you whitelist wikipedia, and that lets anything it refers to through as well. I never found something that did, and I didn’t have time for another project. Pi-hole isn’t a panacea, but it strikes a great balance of effectiveness Vs ease of deployment.

I have no polite words for people wasting human potential on marketing. Nothing in the world was ever made better with marketing, its impact on society is strictly negative with no redeeming quality. It is a nefarious endeavor amplified by recent advances in technology. One of the most salient point I heard against it (I wish I remembered where) went like this: chess grand master Kasparov was overtaken by a computer in 1997. 27 years of exponential technological progress later, we now allow thousands of super computers to be pointed at our kids’ brains for persuasion. Do you really think they stand a chance?

Ads should be illegal. I understand we historically accepted them into society at a time when they were innocuous, but their dial was cranked so far up they are unjustifiable in their current form. There is no justification for using psychological trickery on children. People should risk prison for being so ill intended as to devise such machinations. And let’s not even get into how bad it’s been for public conversation to use them as a funding model for everything. There is a direct line between flailing western democracies and the outrage engines ad funding inevitably creates. Maybe it’s not the only line, but it’s definitely one of them. It’s a moral imperative to avoid ads.

Vermont has a road billboard ban. You don’t quite know why things feel better here until it’s pointed out to you. It was done so as not to stain the beauty of the state, thus preserving tourism. But a side effect is that it also removes an ambient layer of aggression and you can feel yourself relax driving into the state. Life is demonstrably better without ads.

Warning! We have detected that we need to monetize absolutely everything with ads. Lower the draw bridge, drop your shields, and let us aim an army of poorly vouched 3rd party marketing dickweeds at your family.

I love seeing these anti-ad-blockers popups for they show how they lost the arm’s race, and all they have left is making an inarguable case. What a pathetic position to find oneself into, all they can do is ask “pretty please let us keep harassing”. I have no doubt they’ll find more insidious ways soon enough.

All the respect in the world to ad blockers, and sites taking risks with principled funding models.

Posted on

Quiet Airtags

I didn’t post several years ago about the GPSes I installed on our farm vehicles. It felt like painting a target on my back. It took quite a bit of figuring out to set up Particle.io‘s early asset trackers. They’ve since created a dedicated preprogrammed and well polished device, seeing an opportunity in the success of the early hobbyist version I suppose. I never posted my setup, code, or experience but let’s just say it worked well for a few years, for very cheap. Unfortunately, the 2G network they relied on was eventually retired, and that forced me reconsider options.

And well, an obvious contender these days are Airtags. I bought a few for testing, and they quickly became the obvious choice. I replaced bulky cellular GPSes with them and folded them into home monitoring. Watching for geofences, battery status, and last contact.

While I can’t wire them directly to the vehicle’s battery, their battery does seem to last a good year (Vermont winters wear them down faster). And they come with several huge advantages over GPSes.

  • A mesh network of people’s iPhones has a lot better coverage than cellular in a rural area. Cell phones will report them when they finally get to a tower or some wifi.
  • They aren’t subject to tree or cloud cover.
  • They are tiny! I went through great lengths to paint and find a place for bulky GPS boxes. Airtags on the other hand will live anywhere.
  • They are cheap, and have no recurring cost (except the cell battery once a year).

These advantages led me to significantly lower the bar to what I stick them on. It’s no longer reserved for the expensive vehicles. If it costs money and isn’t fastened to the ground, it gets an Airtag.

Of course when used as theft tracking, their chirping is problematic. And so I finally bit the bullet and gave them the surgery they need to make them quiet. And it was very very trivial, I should have done this much earlier.

Open them up, I used a stronger blade than the exacto for prying. Note the 3 sharpie dots to point tabs.

I simply snipped the 2 wires going to the speaker

Still works!