Back to episodes

Episode 18

Harmonizing User Privacy with Web Functionality and Ad‑Blocking Technology

Ryan Brown (Filterset Engineer at Brave) and Peter Snyder (Senior Privacy Researcher at Brave) discuss the latest advancements in ad-blocking technology, and how Brave’s control over its browser stack plays a crucial role in maintaining a private yet fully operational Web experience. They also reflect on the resilience of the ad-blocking community, especially in response to the looming changes of Manifest V3, and its potential to reshape the extension landscape.

Transcript

[00:00:00] Luke: From privacy concerns to limitless potential, AI is rapidly impacting our evolving society. In this new season of the Brave Technologist Podcast, we’re demystifying artificial intelligence, challenging the status quo, and empowering everyday people to embrace the digital revolution. I’m your host, Luke Maltz, VP of Business Operations at Brave Software, makers of the privacy respecting Brave browser and search engine, now powering AI with the Brave Search API.

[00:00:29] You’re listening to a new episode of the Brave Technologist. This one features two guests, both internal members of the Brave team. Ryan Brown is a filter set engineer at Brave. He’s also a list author and maintainer for the EasyList project and a web compat fixer. Pete Snyder is our second guest who serves as the senior privacy researcher at Brave.

[00:00:47] Pete received a PhD from the University of Illinois at Chicago, focusing on web privacy, security, and measurement. In this interview, we discussed what distinguishes Brave’s privacy features from other competing browsers, along [00:01:00] with the ethos of Brave’s product principles to influence product development, how privacy tools have evolved over time, as sophistication and tech familiarity of users has broadened.

[00:01:10] We also discussed the arms race between big tech and ad blockers, and what the Chromium Manifest V3 update is, and its impact on ad blocking. And now for this week’s episode of the brave technologist, Pete, Ryan, welcome to the brave technologist podcast. How are you guys doing? Done great. How are you doing?

[00:01:30] Pete: Looking well,

[00:01:31] Luke: doing well. Doing all right. excited to have you guys here. So for the audience, I think this duo here, if you’re used brave is like impacted your experience in a lot of ways. You probably don’t understand. Some of that will go over today. Ryan, like give audience a little bit of background into kind of how, how did you make it to brave and a little bit of your background in like the ad blocking space?

[00:01:50] Ryan (2): So the ad blocking side of things probably started maybe about 15, 16 years ago. And it started [00:02:00] basically when we were trying to filter via a squid proxy where I’d set up rules for a flatting situation where we wanted to limit our bandwidth. And I created a squid proxy where everyone would go through the proxy.

[00:02:14] To filter all the ads out because we only had a certain amount of bandwidth and thus we would to lessen the degree of ads being shown mean that we could do more with, our limited bandwidth and that sort of became the norm until the point where I wanted to do more than just do it via proxy.

[00:02:33] And I guess that started the ball rolling on what can I do to help the community? Because it was a small community. Already doing some form of ad blocking, um, a real primitive ad blocking, but it was something that was, I thought I could join in and at least help out. And I guess that’s started the ball rolling for me where I would start contributing to other lists until we created our own list.

[00:02:56] My background in itself, I’ve been in IT for quite [00:03:00] a bit, but it never involved ad blocking per se. So when I got an email out of the blue saying, Hey, I’m going to You want to join or you want, you know, do you know anyone who’s interested in doing brave? I was like, well, at first I thought it was a

[00:03:15] Pete: scam

[00:03:21] Ryan (2): This is clearly someone’s emailed me because I have had customers all these businesses Who wanted special treatment and they’ll send me an email saying, Hey, uh, we want to talk to you about something. And it’s always, they want a special treatment on removal or whatever. And I thought it was the situation where it’s like someone’s trying to reach out.

[00:03:43] So I, I left it alone and got back to it again and then realized it was a little bit more than that. So I flicked the email back to Pete and I guess we started emailing back. And from there it was history, right? And I guess I was surprised that any [00:04:00] business would be interested in any form of protection and I just hope that the community would sort it out for themselves and, be done with it.

[00:04:06] and then I guess the privacy aspect as well. I was surprised on whether someone was actually interested in anything like that at all. And I guess I was hopeful that something would happen. And then sure enough, it did. And I was really happy to join a company that respected privacy. So

[00:04:20] Luke: for folks that might not be familiar with how ad blocking works, you mentioned there’s lists.

[00:04:25] How do these lists get created? And you mentioned community too. Can you give people a sense of like how these work?

[00:04:30] Ryan (2): Unless they were just I had a static list where it was just a static text, file. And all we would do is go through the forums. People would post various websites and there was, this was before the pre get hub days.

[00:04:43] So before there was any, even the get us in the sense where you just modify the text file manually, and then people would download it and the ad block extension at a time. And then if they came across an issue, they’d report it on the forums. From there, you’ll find that. That was very limited because you got, you [00:05:00] know, there’ll be only a select few of people using that extension and only then it’s a, you know, a few are probably select people using the forums as well.

[00:05:07] So only had a real small segment of a segment of people actually submitting bugs and things like that. So it didn’t really escalate until other extensions got involved and it became. A little bit more serious where you can actually manage, start managing these lists for people would use on their browsers and extensions.

[00:05:24] So at the moment we use, there’s a whole community around easy lists, but there’s also communities around each region. So each language on each country, will have their own little list and someone will manage that. And, you know, they’ll probably have different rules as well, because you have to.

[00:05:39] Everyone wants their, you know, their own sort of set of roles, which is fine. As long as it’s not allowing ads or anything like that. But, you know, you’ll have different regions also having their own, their own list. So you’ll have a Spanish list, you’ll have a German list, an Italian list, and then they all work well.

[00:05:55] They basically, Work well with the default azure list as well. [00:06:00] So

[00:06:00] Luke: Pete, I know you’re looking at these things from, a different level too. There’s these, filter lists. Right. But then I know with the firewalling and other things like that, that you guys have been having to kind of put a lot of work together.

[00:06:10] I mean, like things get reported and I know that Ryan’s always like Johnny on the spot to fix things that are reported as broken, but how are you looking at this from like a more automated level from like a higher level? Right. Cause we’re like a browser.

[00:06:21] Pete: Totally. Well, I want to jump on that, but I want to say a little bit more about how Ryan got involved in Brave, just because, uh, yeah, yeah, yeah.

[00:06:27] I welcome it. People love that. I mean, so this will sound like hyperbole, but I mean, it’s sincerely like Ryan is probably one of the 10 people who’ve had like the biggest impact on the web, truly that people like most people don’t know their name. mean that sincerely, like Ryan is like influence hundreds of research papers.

[00:06:41] He is like shaped the direction that the browsers are building their products and planning specs and certainly changed. I don’t know. Countless numbers, the company’s business plans, you know, that mean like where it’s like this complicated structure and there’s one little piece at the bottom.

[00:06:54] It’s keeping it all together like That is absolutely Ryan. and so when I joined brave and, I was [00:07:00] working on the privacy team at the time, ad blocking was an important filter lists and blocking and privacy. Preserving tools were an important part of Braves goal and Braves mission and Braves business plan.

[00:07:08] And so we needed help maintaining the list that we use in that is Ryan.

[00:07:13] Ryan (2): No one else better to

[00:07:13] Pete: do

[00:07:14] Luke: And it’s an interesting point, right? Because I remember when I started to work at Brave, when we would get reports of things either kind of breaking or bypassing or whatever, and you kind of dig in and see, okay, well.

[00:07:24] Now ad blockers are starting to ship like a quote unquote, like acceptable ads. A lot of the discourse was around ads being annoying versus like the privacy implications of tracking that come with the ads or even the ad calls themselves. And so, I mean, I think it’s a really interesting area and I know the privacy research perspective, right?

[00:07:44] I mean, on the opposite end of that. How hard is it operating in this environment where you’ve got like some of the most popular ad blockers are also letting these companies still track people while we’re trying to balance that with being like a web browser, which is kind of a [00:08:00] whole different animal in itself, right?

[00:08:01] Can you give people a sense of like how you’re thinking about this stuff? I mean, like in balancing all these things together.

[00:08:07] Pete: Totally. Yeah. So, there’s kind of like, that makes you think about two things. One is that Braid wants to be a tool that technical and non technical users alike can use, and, you know, it helps them use the web in a respectful privacy preserving way.

[00:08:18] So we want to ship a product that people can use without needing to. Get under the hood and flip a hundred switches and whatever, but ad blocking and content filtering, the way we do it in brave also puts us in a, like an antagonistic relationship with some websites, and that really makes it a difficult product where wewant to ship privacy preserving tools that also don’t break websites.

[00:08:35] It’s very easy to make a private web, but it’s. Not easy to make a private web that also works well. That’s one, big part of like Brian’s work and the work that I do and the research that we work on is like, how can we figure out in an automated way when a website is broken? What’s the minus, the smallest tweak we can automatically make that will unbreak the website and let the user continue to do what they want to do.

[00:08:54] And without creating the incentive for websites to intentionally bork themselves until we. Flip some switches for [00:09:00] them. So there’s really this kind of like three tiered back and forth game going on. That makes it an interesting research problem. The second thing that comes to mind though, is that because Brave is very early in the space and trying to claim like the privacy crown, I think we’ve done a good job of that.

[00:09:13] It’s something that cynically or otherwise other browsers are finally getting serious about too. At least some other browsers are shipping filter lists by default and other things like that. And so it’s also another thing that like, Ends up taking a lot of my time is to think like, how can brave stay at the forefront of like, be

[00:09:25] Ryan (2): the sharpest

[00:09:27] Pete: knife in the drawer still.

[00:09:28] And one way we can do that is because we are not just an extension. We’re not just something that gets wrapped on kind of at the last level, like we control the entire browser stack. And so how can we leverage that to provide content filtering and privacy protections that other people can’t because of the business strategies that they’ve decided to go down.

[00:09:44] Luke: There’s always the email you get from somebody that you’re blocking something on. And then, you know, you’re, you’re realizing, Oh, wow, this is actually kind of a hairier problem. And then just a simple straight line. Okay. Let me, a whitelist area. It is an arms race, right? In a way that you guys are dealing [00:10:00] with on a daily basis.

[00:10:01] And the users always let us know, right? When something’s not working. How much are you seeing publisher sites media sites commingling dependencies with, advertising calls and, things that would be kind of privacy harmful, like where’s the line drawn on these types of things? I

[00:10:18] Ryan (2): think we do see obviously a lot of requests where.

[00:10:22] We have to evaluate if we have an email saying, Hey, you know, you’re blocking X and Y and Linux or whatever, there’s obviously a good reason why we’re blocking it. You know, it’s, it’s not something that I guess for a lot of businesses, they write every script that they deploy as a, an important, a must have.

[00:10:42] But it’s, not, it’s a nice to have for them, but we can choose to block it or not block it, you know, depending on whether someone set their shields to stand or aggressive or whatever, but we get regular emails sent to the list and via GitHub and whatever saying, Hey, can you, you know, [00:11:00] unblock it?

[00:11:00] And then you have, then I’ll take it on face value. I won’t. Modify anything until I know for sure this is a legitimate request. So I’ll go through the GitHub depending on how, recent the request is. I’ll go through the GitHub and see how, the commit is. And then go from there and see if, if it’s actually a legitimate request or not.

[00:11:18] So there is some time. I guess you take the complaints somewhat on face value saying, Hey, sometimes you can also say that all they’re doing is trying to get special treatment, I guess, I guess you have to give them sort of tough love saying, no, you’re not, we’re not going to remove this. This is not happening anytime soon.

[00:11:35] not on my watch, not on anyone’s watch, but you do have to explain to them that this is why you’re blocking it. This is why. We’re doing what we’re doing and I guess as long as have a next summer explanation if they don’t accept it At least we’ve wiped our hands off this, you know So this is this is why it’s been blocked and you do with us what you want to do with this information But it’s remaining I guess not recently, but in the past we have seen where companies would then [00:12:00] start modifying their methods to bypass it I guess you’ll find that depending on how far they want to escalate it, whether they accept what we just told them or they’ll go, no, we’re going to, fight them.

[00:12:10] And then from there, we’ve got other tools to counter that as well.

[00:12:14] Pete: From like a research angle, like, so this is the problem of like mixed resources of things that are not just bad and you want to block them or just good. And you want to load them, but things that, you know, Cynically and intentionally or otherwise do both is really something that as internet measurement and privacy research folks have like just started digging into and, in some ways, like it’s, an interesting problem.

[00:12:32] Like if somebody is like harming someone’s privacy without meaning to, maybe you do want to treat that with like a different level of caution than if somebody is just very intentionally trying to circumvent privacy protections. But on the other hand, like as people like shipping a product and not just writing papers in some ways, it doesn’t matter, like users not going to be Chilled out or it shouldn’t be chilled out.

[00:12:49] Like if you just say, Oh, don’t worry, they’re doing it for a good reason instead of a bad reason. They can’t audit that. that could change on a dime, whatever. so in some ways it’s like trying to understand the motive behind people mixing [00:13:00] resources and stuff almost doesn’t matter, or at least it’s, it doesn’t necessarily matter so much from shipping a product, even if it’s an interesting kind of research question.

[00:13:06] It’s actually been a really useful benefit for Brave then both research wise and product wise, Because we own the entire browser stack, we can do things like farbling. You mentioned farbling before. Farbling is, approach to defeating browser fingerprinting that doesn’t block a resource, but instead manipulates response that comes back to protect someone’s privacy.

[00:13:23] And the reason this is important and things like farbling and the kinds of more advanced things that brave does are important is because for a long time, the way privacy tools would approach the web is we’re going to be as aggressive as possible and block. Anything that could be privacy harming and then make exception, make a whole bunch of like fine grained exceptions to try to unbreak sites.

[00:13:39] And that’s, useful, but it has its limitations, especially as the sophistication or like the tech familiarity of your users. Broadens and also just the amount of the web that you need to work with grows. And so instead of blocking a bunch of things and then having to be very cautious and like roll it back in a bunch of places, which is inviting privacy harm, we can do things like we’re not going to block it or completely allow it, but we’ll put it into this.

[00:13:59] [00:14:00] Alternative, like kind of middle state that will still be privacy preserving still be a general policy, but avoid the kinds of downsides. So that’s an effective strategy that brave is used to, be privacy preserving, even when we have these kinds of mixed resources. The thing that I think makes it useful at brave is just that we can relax policies over here sometimes to make them more compatible because we have these other protections in another category that fill in the gaps.

[00:14:21] Luke: Like a more elegant, less bam, bam with the club kind of, it’s always, I bring it down to, surgical versus, you know, okay, we’re just going to run a hard block on, on something like that. And I think, and just so I’m my, my layman’s understanding of, farbling, right. It’s almost like you’re, you kind of let the request happen, but you fuzz it enough or make it unidentifiable to an individual user.

[00:14:41] Right. Like, is that fair? Yeah. So it can do the job, but it doesn’t tell you who the person is. Right. Okay.

[00:14:46] Pete: Exactly. Like, the older style or more, like maybe still more common style of trying to deal with these kinds of problems is to just block through the API or the request altogether. And the idea was like, we’ll protect people’s privacy by making every browser look identical or [00:15:00] as common as possible.

[00:15:01] and so if you can’t identify people and they all look the same, then you have some nice privacy protections there. It’s a useful idea, but it also has its limitations because of these kind of like mixed resource problems or these compatibility problems. And so Firebling works by instead of trying to make everybody look the same, it tries to make everybody look different.

[00:15:16] rotatingly different, so you don’t have a fixed identity, so you look extremely unique every time you visit the site, it’s a different form of camouflage, something like that. Okay. Which ends up being enormously more privacy preserving, being in control of the signal you’re presenting to the site instead of just trying to block it, but also enormously more compatible too.

[00:15:35] I

[00:15:35] Luke: suspect if we looked at our retention curve on the product from when these things started to roll out, like that, we probably would see a vast improvement. I should know what that is off the top of my head, but I don’t. These are important things because breaking the web, I mean, there’s no thing that’s going to get somebody to churn faster than, Oh, my bank site won’t work or my, I’m on the airplane and it won’t let me watch my free movie or whatever.

[00:15:54] And I might be speaking from experience sometimes on that. And I know Ryan’s worked on some of those things before. One thing that comes to mind when [00:16:00] thinking about all these like rules and lists and filters and everything is as the web gets larger, these lists must just get massive. I know there’s like, and we used to advertise this because it was observable, right, where if you block a lot, like some of these sites would have thousands of network requests that would happen that are tracking just for all the programmatic bidding stuff to work.

[00:16:19] So you’d get a performance win for blocking some of these things, but how big are these lists? Have they gotten like massive in size or?

[00:16:26] Ryan (2): I feel that it’s Relatively stagnant, the only thing, if you’re looking at the increase of, lists and is probably the ad serves itself because there are certain companies, it’s about four or five companies that will intend to have rotating domains where they’ll basically just keep farming out domains, they’ll monitor our GitHub.

[00:16:45] And then they’ll basically just keep the moment where you commit a change half an hour later, new domain comes, pops up, there is an arms race that people don’t know about is it’s behind the scenes that not many people are aware of, but there is an arms race between the ad [00:17:00] servers. And the list authors where we’ll add something to counter of the domain and then an hour later, same website, brand new domain, and that network requests aren’t the most detrimental to performance.

[00:17:14] It’s a lot of the cosmetics that will actually probably cause the most performance issues. Bad generic cosmetics, or this is basically CSS. This is basically removes the white spacing, the blank spacing from a website where those can slow the web down. Cause if you have too many of those that will slow the web space down, but the network blocks self blocking the domains.

[00:17:34] Isn’t that detrimental to performance? It’s the CSS that will probably cause the most performance issues. If you have too much CSS or even. a complex CSS line where you’re basically going to parents and sub parents and that will cause more performance issues than anything else. Not just for Brave, but for any extension.

[00:17:52] The more, complex you make a rule, the slower it will become and thus people will see the performance. So I guess, We, at least an easel if we try and make sure [00:18:00] the list, the rules are as simple as possible so it can get translated by any extension, by any browser, without any issues. the moment you try and make something more complex, it means that it will be slower for some people as well.

[00:18:13] I guess we try and improve the performance by making sure that we’re always pruning the dead domains off. we have scripts that will list all the domains we have. that are dead, that have been, removed or at least expired and we’ll remove those. EasyList itself is quite a, is not largest list and we try to keep it that way as well.

[00:18:31] You know, we want to make sure that It’s going to not create a performance impact on the user as well. So

[00:18:36] Luke: cool. And it kind of like leads me into my next question. There’s rumblings about this manifest v3 update that’s coming out for, I think, Chrome, Chromium browsers. Can you give a little bit of color as to what manifest v3 is and what the impact is on ad blocking?

[00:18:52] Pete: There’s an interesting link between the size of filter lists in Manifest V3 that actually was one of the first research papers we wrote at Brave. [00:19:00] There’s a paper we wrote with INRIA, which is a public research lab in France, about measuring the size and composition and change rates of filter lists.

[00:19:07] Basically, they’re enormous, but they also have There’s a power law in that a very small number of rules are the most important, and then there’s a long tail of things that are You know, still useful, but useful in less places. And the reason we wrote that paper is because of limitations that browsers were placing on the size expression of the filter lists.

[00:19:23] At the time, we were focusing on Apple, which has something very similar to the Manifest Content restrictions, but manifest V3 is the same thing. They limit the size of filter lists, basically. So you’re restricted in the number of rules that you can ship. And so it’s very important to understand which rules are the most important.

[00:19:39] If you need to work within these systems, that said, these systems are, are bad. I mean, just broadly they’re bad because they intentionally by design are limiting the expression of what rules you can say. That’s one. So there’s just less flexibility in crafting rules. So you, instead of being able to create some rules that are very specific or very broad.

[00:19:58] The way you can craft rules becomes [00:20:00] simpler and so less useful. Also, though, because these lists have these fixed sizes, the manifest v3 and Safari content blocking rules have these fixed sizes. It means that you can not deal with the kinds of problems that Ryan was just talking about where somebody may be cycling through domains or things like that.

[00:20:15] You’re limited in your ability to deal with those things where you might want to have a dynamic or kind of runtime. Check going on, this is important because one thing that Google is shipping is, or has already shipped is an update to Google tag manager that is designed to make it look like you were shipping Google tag manager from the first party by effectively rotating domains.

[00:20:32] So it ends up being a significant problem. I mean, there’s a long list of other problems with manifest V3 that I’d be happy to talk about and rant about, how Google is really locking down the web in ways that I think have gotten a lot of press, but also. A larger picture that I think has, has been underreported on, but manifest v3 is bad because locks down the size of the list.

[00:20:49] That’s the non rambly answer to

[00:20:51] Ryan (2): your question. Also, , limits how often you update it comes with predefined rules and those rules can only be updated at [00:21:00] certain times as well. Like if you have a dynamic, you have static dynamic rules, it’s making something, something more complex. Then it should be.

[00:21:07] And when you’re so sorry, that’s. I guess I’m restricted as it is now. And the excuse it’s going to be better for privacy slash security. I just don’t see it. I don’t, I don’t see v3 benefiting the community, but I’ve pushed back as so much as I can because the community weren’t, happy, especially at least, when we brought it up in the, the last, adblock dev summit, the previous adblock dev summit, when I, we basically everyone was calling them out because of the fact that these limitations are just not on essentially.

[00:21:38] We, we don’t. It’s creating a burden where there doesn’t need any burden for the list authors or any of the AdBlock devs at all because it’s not ideal. And I guess, at least with Chromium, at least it’s been forced out regardless, of, they keep tweaking, I guess, but then they keep tweaking the amount of rules.

[00:21:57] But it is making, it’s still, it’s still making it more complex. So [00:22:00] just for an extension author, if they want to roll out an update, you basically, I think the way the one does, they have to roll out an update, that extension to write the update. If they want updated rules that are not static rules, they have to update the extension.

[00:22:15] For those rules to go out, it’s pretty serious and then if, you have, and then you’ve got the dynamic rules where the dynamic rules will be, you know, if there was small changes from the static rules, so it’s a lot different to what is currently, list for, for the extension authors, where it’s just, it’s a lot more hands off and all the extension authors doing is just updating extension.

[00:22:35] That’s what we’re doing now that being forced into a position where the extension author has to also. Well,

[00:22:42] Luke: just to kind of frame it for, for people that might not be totally aware, this applies specifically applies to extensions you use on your browser. Right. Is that fair to say, and on how those extensions request calls or, or how they handle the traffic that goes to the site, is that fair?

[00:22:59] Pete: Manifest [00:23:00] v3 is a, broader, is it like basically Chrome or Google updating the extension architecture for all browser extensions? The thing that’s gotten the most attention is this declarative net request change that’s happened, which is these static lists of filterless rules, but there’s also other things in it that have been very frustrating or very concerning.

[00:23:18] EFF put out a piece describing how manifest v3 also limited their ability to address fingerprinting concerns and cookie management because of. Very specific details on when browser extensions can modify APIs on a page. The thing that’s got the most attention on Manifest V3 is the, filterless rule stuff.

[00:23:35] But there’s other things in there,

[00:23:37] Ryan (2): because the, how the extensions work has been really reworked significantly. It’s like breast monkey, basically any, you know, a lot of the privacy extensions will be affected by the size. So it’s not, not just strictly AdBlock that will be affected by this, but, Yeah, grease monkey is going to be a big one for them, any, JS extensions, but I guess we’re being force fed this basically by Chromium and obviously Brave’s taking a, it’s going to be taking a [00:24:00] different approach for this as well, which I guess you’d lead up to as well.

[00:24:03] That’s where

[00:24:03] Luke: we’re going. I mean, there’s two threads of this. I think, yeah, one is like obviously ad blocking and other extensions are going to be impacted by this on, Chromium browsers. Like how does Brave going to approach this for their users? Is it something they’re going to have to worry about?

[00:24:18] Pete: Big answer no. If you want to use Brave’s built in ad blocking capabilities, which are top tier, best in class, those are completely unaffected because we implement those in a way that does not use the extension architecture. It’s one of a large number of reasons why Brave can provide privacy protections that other browsers can’t.

[00:24:33] If you want to also install additional ad blocking tools and content filtering tools and things like that, which you shouldn’t need to in Brave, but if for whatever reason you want to. There will be some limitations on those because of Manifest V3 changes. Brave is still shipping some parts of Manifest V2 as well and we’ll try to do so for as long as possible to minimize the impact of that.

[00:24:52] But if you are installing a Manifest V3 extension on Brave, you get everything that that system gives you, good and bad. The important thing is that [00:25:00] all the privacy protections that Brave can apply are completely unaffected because

[00:25:04] Ryan (2): they’re not implemented to

[00:25:05] Pete: the extensions.

[00:25:06] Luke: You were hinting at this earlier too.

[00:25:08] I mean about how like Google locking down the web in certain ways, right? It is pretty wild when you think about the market share that Google has on web browsing, you know Not even counting search or other areas where they’re really dominant But how a change that one company can make basically impacts Such a huge amount of the users using the web, right?

[00:25:27] Is this concern you guys at all with how much market dominance Google has, when they can make a decision like this and impact so many people their privacy or preferences or whatever? Absolutely.

[00:25:39] Pete: One of my roles at Brave is to represent Brave in the W3C. The W3C is the standard body that manages mainly the web APIs that are implemented in browsers, although it does other things as well.

[00:25:48] You can really see the. This broad effort that Google is having to basically turn the web as we know it, as this kind of user editable, understandable set of ways of delivering applications into something that looks much more like the Android [00:26:00] app store or the Apple app store. There’s a long list of technologies, and I can go into them if you’d like, that are designed to allow broadly any website, but specifically Google to ship websites to you in a way that you cannot modify meaningfully, that you cannot understand confidently where they come from.

[00:26:17] Where, the information flows and what other sites have access to data is difficult for even experts users to understand, let alone, you know, typical web users, there really is this broad effort to make websites look like uneditable applications the way that any other app that you download from an app store is and some of that standards focused and some of that is things that Google is just pushing on its own and some of them are faux standards that Google is pretending are standards that are just doing on their own.

[00:26:44] Luke: This is impactful, right? People often lose this detail or are just simply unaware of it. The browser is kind of, it’s called, you know, technically speaking, like the user agent, right? Like it’s kind of that piece of software between you and, the internet that you control. I mean, I know we’re just [00:27:00] working, working for Brendan and everybody here, you guys, right?

[00:27:03] Like everybody is like, User’s choice in building things for users first in their interest is like paramount. And it seems to me like, , whether it’s, and some of those lists of technology, I mean, like web bundles is one of those things too, right? Where it kind of like obfuscates, you can’t really see what’s coming through it’s sold on being encrypted or whatever, but it sure seems like it makes it harder to block things that might, you know, impact your privacy.

[00:27:24] Right. But it is an important fight to be having, you know, this kind of. Feels like a watershed moment where, what happens when your user agent’s no longer your user agent, right? And is now acting on behalf of these companies. Like, I don’t know, like, are you guys concerned about that? Like, I mean, how do you guys feel about that in general?

[00:27:44] Pete: Yeah. I mean, there’s sitting in these standards conversations, there really is a fundamental chord difference in how browsers see their role. Some browsers see their role as generating software that works on behalf of the user to protect the user and serve the user’s goals, independent of what [00:28:00] websites want to do.

[00:28:00] And there are other people, other organizations and companies, not just Google, but. Importantly, Google who see the browser as part of a larger system of clients and servers talking to each other. And so the user agent should be restrained and to participate meaningfully or like collaboratively with servers and the larger system, even when that might deviate from the user’s goals.

[00:28:20] And so there’s been things like a debate about whether it should be allowed in the standards for browsers to lie to servers in ways when browsers think it is useful to lie. I mean, things like. Fingerprinting protections where I’m saying the hardware I have is actually this, even though it’s that or different kinds of measures like that.

[00:28:35] But yeah, I think the way you put it is, important that what it means to be a user agent is, is not agreed upon in how you define what the user agent is ends up having a lot of downstream effects.

[00:28:44] Luke: When you look at these things, like how do you think the ad blocking community is going to respond to a lot of these changes that are coming up?

[00:28:52] Do you see them, you know, adapting and making more extensions to try and have a broader array of rule sets to try and [00:29:00] compensate for having fewer of them? Or how do you, does the ad blocking community is super savvy? That’s one thing it’s like. That I noticed like when I started working at Brave was just how fast they operate as a community.

[00:29:10] It’s, it’s a sight to be seen. It’s one of those things I really love about the web is just, you know, you’ve got these pockets where I don’t think, and you correct me if I’m wrong, but there’s no real and financial motivation or incentive, right, to be active in the ad blocking community. It’s because you want a better web for people.

[00:29:25] Is that fair to say?

[00:29:26] Ryan (2): Yeah, that’s definitely correct. A lot of these people. Most of these people, in fact, I’d say, doing it in their own time, they don’t get paid for it. They’re basically just doing it because they want a bit of web. They want something that is akin to basically a clean web where they don’t get, they get essentially a stripped down version of, the web where you don’t get your pop ups or nag windows or, anything like that.

[00:29:48] What’s quite funny is like, when I’ve, When I first started Abrave, I think one of the requests is like, you know, you need to open up a, a GitHub repo, GitHub, request every time we come across an issue. And I [00:30:00] was like, well, that would soon morph into too much.

[00:30:03] And I guess once you realize that you can do stuff real time, you don’t necessarily need to open a report every time something comes up that has an issue or an issue being, you know, maybe a missing ad or a missing pop up or something that’s more serious where we’ve blocked something we shouldn’t have blocked, but the ad stuff is more, is very much real time where if someone has a fix, that fix can go out Straight away, I guess with, with a B3, it can take longer now because, you know, depending on health and the dynamic rules that get updated, it’s going to slow things down, at least from a user’s perspective, it’s going to be slow because the change will go out straight away.

[00:30:43] But when that change gets lands onto the, the user’s browser for an MB3 extension, well, who knows how long that will take. So it could be slower, at least. On the user side where we could have fixed it, but it might take another six hours [00:31:00] or whatever. Will that change to actually reach the end user?

[00:31:03] At least for Brave, It’s a lot quicker because obviously we’re not relying on mv3. For the extensions that rely on mv3, it could take a little bit longer, just because how mv3 works, you know, the dynamic rules could be a while away before, you know, that end user who complained about a certain website doing a certain thing, it could take a while for them to get that, that patch to fix their own.

[00:31:23] Luke: Cool. Yes. And on kind of a fun note, I mean, like, I guess I could start with Ryan, what’s the weirdest thing you’ve seen come through or happen as a result of trying to block ads on websites in your

[00:31:34] Ryan (2): experience? I guess the weirdest was more than the weirdest, but more the most memorable one is when we got a DMCA request and rather than just hide it away and just remove, commit being, you know, nonchalant about that, we just removed a server.

[00:31:51] Yeah. I decided to add the DMC request in the commit message, and that became Because I wasn’t going [00:32:00] to hide the fact that we’re going to remove this just because, you know. Because, uh, you know, you could, you could just have a random message saying, Hey, we removed the server. But I thought, well, if we’re going to remove what drew the DMCA due to a DMCA request, well, I’ll mention that in the message.

[00:32:15] And, and sure enough, that went, went straight to Hacking News as well, because Hacking News moment they saw it. And then that started the ball rolling. It’s, I guess they say the strides in effect when you remove one survey, one says, okay, let’s see why this was removed. And then suddenly. The whole company’s servers were on, on show and it became, such a spectacle to watch when, and there were companies from other companies looking this, going, you know, what’s going on here?

[00:32:40] And it was, it was good to see the community get behind us. And in the end, it’s, you know, that’s one memory meant for me anyway. That’s

[00:32:47] Luke: what about you, Pete? What’s the most, it could be ad blocking. It’d be privacy. It could be web standards. Anything jump out as a truly interesting, interesting enough to comment on, I guess.[00:33:00]

[00:33:00] Pete: I don’t have any funny story. I mean, I don’t work as like kind of the front of the lines, the way Ryan does. I did have a question though, right. Actually for Ryan, just since I don’t have anything to contribute to this one, right. I mean. You block origin is another very popular, very well regarded, very well performing content filtering tool that a lot of people rely on.

[00:33:16] It’s similarly powerful. The way brave is has a well deserved good reputation for advocating for users. The terrific tool. And my understanding is initially that team was not going to release a manifest v3 version. And then ultimately decided that they would release a as powerful as possible, but constrained manifest v3 version.

[00:33:34] And I wonder Ryan, because Ryan works in these communities and That group pulls from the same filter list that Ryan helps maintain. How you’ve seen the community respond to that? Like, are people largely okay with it? Or do, are users saying this actually is significantly worse for me? I just wonder if you have, I know this is third party and hearsay or whatever, but like, I’m just kind of curious if you have any.

[00:33:54] Ryan (2): At least from the community, they’re not happy with v3, obviously, they’re not ecstatic, but I guess [00:34:00] Raymond, who manages UBlock Origin, I guess somewhat was forced into a position where he had to release a v3 extension otherwise. That would be, Chrome, because when it went, most Chrome gets us, you know, that that’s going to be like for the general population, it’s going to be 80 percent or 9 percent of the users that use Chrome.

[00:34:20] So I guess if he didn’t release it in B3 extension, it would have been a large segment of people are not using UBO. So I guess he was. forced into a position, a not ideal position of supporting mp3 because of the fact that it would be a large segment of the adblock population where ublock couldn’t be applied.

[00:34:39] I mean, for them, there’s a lot of people who would say, you know, they want to use Firefox and Firefox is the king or whatever, but they’re such a small, a small minority compared to the juggernaut that is Chrome and Chromium that I guess he couldn’t, he couldn’t see, Not supporting it.

[00:34:53] From a filterless perspective, I would guess they, we just keep doing the same thing we did before. And the [00:35:00] extension author, in this case, for UBO Raymond, he’ll just keep improving the extension to make sure it is as compatible as possible. possible compared to what they have currently, I guess, is that I guess they’re trying to make the transition for them at least to make mp3 as, you know, as painless as possible, but there are some functions that don’t carry over to mp3 that are not compatible at all.

[00:35:21] So I guess there’s some going to be some limitations at least on, on UBO side that I think there’s something like sort of client hunts, but there are, there’s some filter switches that you can’t apply. Okay. And then be three that you can apply on the old same scheme. And then, and that’s, there’s going to be some downsides to using the newer version of uBlock origin than the old, the old style.

[00:35:42] That

[00:35:42] Pete: makes a lot of sense to me. And maybe my last thought or whatever is just that, like, that’s why it’s critical to have like truly privacy focused tools that are alternate browsers that aren’t just extensions that you apply on top of a thing that you can’t really trust because. Truly, if, if the web becomes edge in Chrome and users are restricted to whatever [00:36:00] little kind of.

[00:36:01] Hand waves they can put on the outside of that to be through these very constricted extensions. Then what we’re going to wind up with is a web that looks like AMP everywhere, where Google serves the entire web to users and it’s locked down and what little changes you can make to advocate for yourself are restricted and temporary.

[00:36:17] Luke: Yeah, no, that’s a great point. That’s a great point. Well, you guys have been fantastic guests. I’m glad the world could see a little bit more of you guys too, because you, you seriously like the duo that just really have, have been so huge to making, you know, what we’re doing at Brave work for a lot of people, if you have a site that breaks, like Ryan fixes it within, you know, an hour, it’s amazing.

[00:36:37] An hour or so, you know, give or

[00:36:38] Ryan (2): take. I’ll do my best. we got, we got plenty of tools out about slave, I guess. When we, when we come across breakage, we’ll investigate, see what’s causing it and then go from there. It’s certainly, not the easiest of things to do, but at least we can find out what’s causing it, eh?

[00:36:52] Pete: Can I give a shout to the other people on the privacy

[00:36:54] Luke: team real quick? Absolutely. No, no. Give shout out any other parting thoughts too. And, let people know, if you want people to [00:37:00] find you where they can find you online, which may or may not, I’m privacy team. It’s, sometimes they don’t want to be found online and I respect that.

[00:37:07] Go

[00:37:07] Pete: ahead, Pete. I want to just appreciate, Siobhan, who now leads the privacy team and does that kind of management and product design work and is, you know, An enormous asset to have at Brave. Arthur, who does a lot of work, but particularly around DNS over HTTP and HTTP and HTTPS restrictions.

[00:37:23] Jacob, who is doing the vast, vast, vast majority of privacy work on the iOS platform and is doing really just. Fantastic work. And , Anton, who among many other things, maintains adblock rust, which is our, our system for applying filterless rules to websites, which is top of class and open source and available to other people, just a bunch of people who are a very small group doing an enormous amount of work that I just wanted to,

[00:37:48] Luke: to, enormous amount of work, enormous amount of work.

[00:37:52] You guys on social or anything, or can folks reach out, , if they want to report an issue or, or bug or anything like that,

[00:37:59] Pete: [00:38:00] I’m on social, but my social is specifically about Chicago bike politics. And so probably not the best place to get in touch with me, but anybody who needs to, you can email me at P

[00:38:11] Ryan (2): E S at brave.

[00:38:12] com. I’m on, X or Twitter on, family and Zed and, GitHub, Ryan

[00:38:17] Luke: BR. Awesome. Well, thank you guys. I really appreciate you joining and, sharing so much about what we’re up to and in the broader privacy and ad blocking world. So I’m sure our audience will dig that. Maybe we’ll have you guys back after they roll out Manifest V3.

[00:38:30] We can do a follow up or something, but thanks guys. Thanks so much. so

[00:38:34] Pete: much. Take

[00:38:35] Luke: care. Thanks for listening to the Brave Technologies Podcast. To never miss an episode, make sure you hit follow in your podcast app. If you haven’t already made the switch to the Brave browser, you can download it for free today at brave.

[00:38:47] com and start using Brave Search, which enables you to search the web privately. Brave also shields you from the ads, trackers, and other creepy stuff following you across the web.

Show Notes

In this episode of The Brave Technologist Podcast, we discuss:

  • How privacy tools have evolved over time as users have gotten more familiar with these tools, and more sophisticated in their usage.
  • The arms race between Big Tech and ad blockers, and the community-driven ad filtering that powers many of today’s best privacy tools.
  • What the chromium Manifest V3 update is and how it will impact ad blocking.
  • What distinguishes Brave’s privacy features from other competing browsers, and how Brave’s product principles influence product development.

Guest List

The amazing cast and crew:

  • Ryan Brown and Peter Snyder - Filterset Engineer and Senior Privacy Researcher at Brave

    Ryan Brown is a Filterset Engineer at Brave and a List Author Maintainer for the Easylist project and Webcompat Fixer. Peter Snyder is a Senior Privacy Researcher and Filterset Engineer at Brave Software, who received a PhD from the University of Illinois at Chicago, focusing on Web privacy, security, and measurement.

About the Show

Shedding light on the opportunities and challenges of emerging tech. To make it digestible, less scary, and more approachable for all!
Join us as we embark on a mission to demystify artificial intelligence, challenge the status quo, and empower everyday people to embrace the digital revolution. Whether you’re a tech enthusiast, a curious mind, or an industry professional, this podcast invites you to join the conversation and explore the future of AI together.