Privacy Advocate Challenges YouTube's Ad Blocking Detection Scripts Under EU Law

"Privacy advocate Alexander Hanff has filed a complaint with the Irish Data Protection Commission (DPC) challenging YouTube's use of JavaScript code to detect the presence of ad blocking extensions in the browsers of website visitors," writes long-time Slashdot reader Dotnaught. "He claims that under Europe's ePrivacy Directive, YouTube needs to ask permission to run its detection script because it's not technically necessary. If the DPC agrees, it would be a major win for user privacy." The Register reports: Asked how he hopes the Irish DPC will respond, Hanff replied via email, "I would expect the DPC to investigate and issue an enforcement notice to YouTube requiring them to cease and desist these activities without first obtaining consent (as per [Europe's General Data Protection Regulation (GDPR)] standard) for the deployment of their -spyware- detection scripts; and further to order YouTube to unban any accounts which have been banned as a result of these detections and to delete any personal data processed unlawfully (see Article 5(1) of GDPR) since they first started to deploy their -spyware- detection scripts."

Hanff's use of strikethrough formatting to acknowledges the legal difficulty of using the term "spyware" to refer to YouTube's ad block detection code. The security industry's standard defamation defense terminology for such stuff is PUPs, or potentially unwanted programs. Hanff, who reports having a Masters in Law focused on data and privacy protection, added that the ePrivacy Directive is lex specialis to GPDR. That means where laws overlap, the specific one takes precedence over the more general one. Thus, he argues, personal data collected without consent is unlawful under Article 5(1) of GDPR and cannot be lawfully processed for any purpose.

With regard to YouTube's assertion that using an ad blocker violates the site's Terms of Service, Hanff argued, "Any terms and conditions which restrict the legal rights and freedoms of an EU citizen (and the point of Article 5(3) of the ePrivacy Directive is specifically to protect the fundamental right to Privacy under Article 7 of the Charter of Fundamental Rights of the European Union) are void under EU law." Therefore, in essence, "Any such terms which restrict the rights of EU persons to limit access to their terminal equipment would, as a result, be void and unenforceable," he added.

Another pop-up incoming

[Powercntrl]

Seems like Google's possible fix for this is simple: have a pop-up requesting permission to run their anti-adblock scripts, and if you answer "no" the site will refuse to load. Kinda like the same thing we already have to deal with now for cookies.

It certainly does suck that Google is cracking down on adblockers, but it's their ball and if they want to take it and go home, that's unfortunately how things are when you're a guest on someone else's machine(s). They're a for-profit business and they exist to make money, not to provide the world with free cute cat videos, as much as we'd prefer to believe it's the latter.

Perhaps we should switch to some sort of peer-to-peer video sharing system, rather than relying on the ephemeral goodwill of an advertising company? Just sayin'.

Re:Another pop-up incoming

[pixelpusher220]

Peertube [joinpeertube.org]

Free/user supported youtube alternative...uses the same W3C approved protocol, ActivityPub [w3.org] as Mastodon [joinmastodon.org]

Re:

[lsllll]

I think it's great to have alternatives to YouTube. Unfortunately, as I've said over and over, size matters when it comes to competing web services. It's the story of the chicken and the egg, except the egg has already hatched. I just searched Peertube for the word "Shostakovich" and got 5 hits. On YouTube, using the same unique word that cannot be mistaken for anything other than what I intended to find, I can scroll for an hour through videos. How do you compete with something like that? In essence,

Re:Another pop-up incoming

[pixelpusher220]

Yep, entirely why we're all still on MySpace!

It's *tiny* for sure. Mastodon is the 800 lb gorilla of ActivityPub and it's I think around 15 million users. But if people start using it, it grows and becomes bigger and better.

It's a different thing - not controlled by *anyone* or any company. It's what the web actually was before it became corporatized. Now it's Silos that literally prevent you from leaving their walled gardens and force feed you ads and 'their preferred content'. Google search? mostly ads on the first page now. DuckDuckGo is at least a sane alternative.

What if, from just your Facebook account, you could follow people on Twitter, Insta, Reddit, Youtube, Spotify and literally every other site? If you didn't like your particular server you could switch to another one...and take all your followers with you?

Paradigm shift. And for now, they are far far more sane experiences than the silo's of grief and Serotonin driving 'influencer' drives. Actual conversations, actual experiences with actual people vs AI generated fluff being pushed at you.

Re:

[pixelpusher220]

'Another social media account'. Exactly, they're all 'separate' silos so you need 47 of them.

But email? you only *need* one since you can email with every other email user on the internet by design.

It's not a perfect analogy but that's what ActivityPub protocol is. A *common* way for social media to interoperate so you only *need* one account to consume all the different services.

Re:

[Riceballsan]

I mean I do agree with the general gist that moving to the fediverse is the only way to save the internet control. That being said I don't know of any of them hitting real long term major usage against the big guys like google. IE peer tube I see working in the hosting content for fun... but I can't see it being a succesful platform for creators to generate revenue. Myspace/facebook I find a bad example... fact is the reality is the biggest reason facebook moved on and myspace died... is facebook was quicke

Re:

[pixelpusher220]

Sure, email wasn't really useful until it was indispensable either. And it's always chicken n the egg with new systems. It's small and nice because it doesn't have a huge user base, but users don't come because it's small and niche etc.

And if it wasn't for Musk literally destroying Twitter I wouldn't have likely even been exposed to it. But that's the thing with big corporate things...they *always* destroy themselves because they have to have bigger and bigger share and market.

As coined by Cory Do

Re:

[Errol backfiring]

In the meantime, those 5 videos on Peertube can be viewed and even easily downloaded without any ads shoe-horned in. For YouTube, you need a special program to do that if your browser settings are even moderately secure and privacy preserving. One of those programs on Android is called NewPipe, and yes, it supports Peertube as well.

Re:

[sysrammer]

Yes. That's what YT is doing. My popup sez "3 vids and done" unless I remove the ad-blocker or pay $14/month.

Re: Another pop-up incoming

[ArmoredDragon]

I still haven't even run into this yet except once when I was using somebody else's computer. Either you have to be logged into the service (why would you do such a thing to begin with if you're not in the middle of uploading something?) or you have to be retaining cookies between sessions. On my personal devices I'm always using Firefox with temporary container tabs so any and all session data is wiped as soon as that tab closes and isn't shared with other tabs either. That and I'm always on proton VPN so

Re:

[lsllll]

I haven't ran into the "3 vids and done" popup, but for the past 10 days I'm constantly running into the "You're running an ad blocker", which I haven't found a way around it. I'd be happy to pay a reasonable fee per month. I think $14/month is too much. What's reasonable IMO? $3/month, $30/year, or $200/lifetime for an account.

Re:

[MoreDruid]

I agree, I was checking the cost out and its € 11.99 a month or € 17.99 for a family subscription. If they'd slash that in half I'd subscribe without a second thought, and I think a lot of people with me. Same goes for Spotify, Netflix, the account sharing on those platforms is simply because it's too costly for people to be subscribed to several services. A lot of people rotate their subscriptions because of this as well. I don't mind missing out, so I'm subscribed to a few services but those are

Re: Another pop-up incoming

[ArmoredDragon]

Meh... YouTube is pretty invasive when it comes to privacy, plus I can't stand their stupid recommendation algorithm. Watch just one history channel video and next thing you know it keeps telling you about ancient aliens. Nothing good comes of logging into YouTube.

Re:

[sysrammer]

I'll check that out.

I find that it happens on PC/Firefox/uBlock. On iPhone/Norton, I get ads and no begging screen. Either Norton sucks or has a sweetheart deal w/ YT. Or both.

Re:

[Anonymous Coward]

Yes. That's what YT is doing. My popup sez "3 vids and done" unless I remove the ad-blocker or pay $14/month.

That is not correct. Read it a bit closer.

Youtube is blocking everyone that has an adblocker installed. Period, full stop.
Paying $14/month for premium does NOT exempt anyone from this!

Many of us that have paid for premium, in my case for years, are still being blocked simply for having an ad blocker installed.
$14/month premium removes ads, it does NOT remove the ban when running an adblocker.

They literally expect BOTH. You must remove your ad blocker, AND if you want no ads to also pay.
It is not an OR/XO

Re:

[mgoff]

Youtube is blocking everyone that has an adblocker installed. Period, full stop.

This is not accurate. You can have an adblocker installed as long as you whitelist YouTube.

Depends on the GPDR

[Roger W Moore]

It certainly does suck that Google is cracking down on adblockers, but it's their ball and if they want to take it and go home...

It is not entirely their ball though. They are operating a public service over a public network and most governments impose restrictions and requirements on people providing such services. For example, if Google decided to restrict access to YouTube based on protected grounds - such as race or gender - that would clearly be very illegal in almost every country. I do not know the details of the EU GPDR but it is definitely possible that it makes it illegal for companies to require users to waive their privacy rights to access a service when that waiver is not technically required to provide the service - it just depends how the law is written.

Re:

[beernutz]

It is NOT a public service. Not in any way shape or form. They are a business. It IS entirely their ball. You are neither paying for the service not subsidizing them.

Re: Depends on the GPDR

[Carewolf]

Most public services and areas are privately owned. No idea why you would think those exclude each other

Re:Depends on the GPDR

[Roger W Moore]

It is NOT a public service. Not in any way shape or form. They are a business.

A hotel is a private business but it provides a public service i.e. a service that is available to the public. Most, if not all countries, have laws that regulate anyone who provides a service to the public. For example, restaurants have to meet minimum health standards, hotels must meet safety standards. Simply being privately owned does not absolve a business from having to meet certain legal standards required to provide a public service. Would you really want to eat at a restaurant that did not have to meet basic health standards simply because it was privately owned? Really?

Re:

[penguinoid]

cute "PUP" videos, thank you very much

Re:

[Anonymous Coward]

It certainly does suck that Google is cracking down on adblockers, but it's their ball and if they want to take it and go home, that's unfortunately how things are when you're a guest on someone else's machine(s).

Just so we're clear here: Google/YouTube is a guest on your machine. Do you allow visitors to your home to set the rules of the house? No? So why would you permit that on your computing devices?

Re:Another pop-up incoming

[thegarbz]

have a pop-up requesting permission to run their anti-adblock scripts, and if you answer "no" the site will refuse to load.

Except that would be just as much of a breach of the ePrivacy directive as the blocking script itself. You're not allowed to block access on the basis of a user rejecting non-essential tracking, only essential tracking. And the entire point here is identifying whether an adblocker is present is not essential.

Re:

[AmiMoJo]

They might try to rely on the "legitimate interest" defence, the argument being that the service is paid for by ads and without them they can't provide it.

That's a weak argument I think. It's been tried with ads themselves, the argument being that there is a "legitimate interest" in tracking people because that's the business model of the site. It has been rejected by regulators and courts.

It won't stop them trying though.

Re:

[tijgertje]

If Youtube did not put so many (bad) adds in the video's, most people would not be bothered to block them.

Re:

[AmiMoJo]

I agree that the quality of adds is really bad. Not just the pre and mid-roll ones, but the ones baked into the videos.

I highly recommend SponsorBlock for that. It will skip over the in-video ads, as well as other pointless crap like intros and previews.

Re:

[nzkbuk]

Wouldn't that open them up to police that the ads are not going to cause damage? How about ads which scam people, how much liability would they then be in for?

Re:

[mjwx]

have a pop-up requesting permission to run their anti-adblock scripts, and if you answer "no" the site will refuse to load.

Except that would be just as much of a breach of the ePrivacy directive as the blocking script itself. You're not allowed to block access on the basis of a user rejecting non-essential tracking, only essential tracking. And the entire point here is identifying whether an adblocker is present is not essential.

What will happen is that Google will remove it for the EU and keep it everywhere else. Also redouble their efforts to prevent GDPR laws from propping up elsewhere.

Re:

[thegarbz]

What will happen is that Google will remove it for the EU and keep it everywhere else.

Yes, working as intended.

Re:

[VeryFluffyBunny]

If Google want to impose such strict rules on people's software, then they shouldn't make it a publicly accessible site & require a login & require agreement to specific & succinct terms of service to use it. Google also have to comply with the laws of the countries in which they operate.

Re:

[martin-boundary]

I'm not a guest on someone else's machine. I do what I please on my machine. Like watching pixels and bits of data that happen to be on my machine for various amounts of time. Sometimes I modify the bits that are on my machine to make them do entertaining things. Sometimes it takes a bit of effort and some breakage to make them do exactly what I want, but I usually feel quite smug afterwards, so I consider that a plus.

Re:

[nanoakron]

Proving you didn't RTFA. The argument being presented is that anti-adblock scripts aren't necessary for delivering the technical service and are therefore not allowed under the GDPR.

The regulator and potentially European courts will decide this.

Re: Another pop-up incoming

[munehiro]

Stop with this bullshit argument. An advertiser does not have a right to my attention. They only have a hope, and that's all they can claim. If I have decided I don't want to grant them attention, and can't sustain themselves on that assumption, then their business model is broken.

I owe Google no attention. The fact they have to make money is done of my problems

Re:

[Nugoo]

They're a for-profit business and they exist to make money, not to provide the world with free cute cat videos, as much as we'd prefer to believe it's the latter.

It may well be that they exist in order to make money, but they exist because they provide the world with free cute cat videos.

Re:

[groobly]

Youtube succeeds because it shares advertising revenue with its creators. This creates an ecosystem where a lot of people think they might become millionaires by working for free. Meanwhile, any medium that depends on advertising eventually turns into TV. It's a law of nature.

Re:

[Luckyo]

>Seems like Google's possible fix for this is simple: have a pop-up requesting permission to run their anti-adblock scripts, and if you answer "no" the site will refuse to load. Kinda like the same thing we already have to deal with now for cookies.

This is not allowed. You must offer the site even if user disagrees with accepting all but strictly functional cookies. Just the additional functionality (such as targeted ads) may be disabled. This is why cookie warnings have a default on for "strictly necess

Providers must be legally liable for malware

[ameline]

I will not remove my ad blockers unless Google/Youtube accepts legal liability for damages caused by malware distributed via their ad serving.

There should be a minimum mandatory statutory payout of $2500 (enough to buy a new computer) to each victim of any malware that winds up on user machines directly or indirectly as a consequence of ads on their website. Each time it happens this payout should double.

I can live without youtube - I need my computers to do my work - so I will not be letting anyone serve ads (or any other unwanted content of code of any kind) to my machines until they accept responsibility for any and all damages caused by their actions.

Re:

[Baron_Yam]

I have seen your jib, and I like its cut.

Re:Providers must be legally liable for malware

[wickerprints]

I would argue that $2500 doesn't even begin to scratch the surface of the damages for a first-time malware intrusion, because the hardware isn't the most valuable property; it is the data stored on or accessed with the hardware.

Malware installed on a device through a malicious advertisement could be ransomware that irretrievably destroys unique data (and their backups, if not detected in time); it could also be a password sniffer, which could compromise otherwise secure banking credentials. On a work computer, it could result in exfiltration of corporate trade secrets. There is literally no upper bound on the extent of damages that could apply. The machine itself is the least of one's concerns.

The idea that a company in the business of serving ads to users could avoid performing due diligence that such data would not be malicious, yet unilaterally claim that they are not legally liable for the outcome, is absolutely repugnant. Oh, I'm sure they do some level of checking, but malware has been served through ads in the past, and there is absolutely no reason to believe that it will never happen again. Yet Google not only absolves itself of any and all responsibility, but has the arrogance to circumvent measures put in place by the user to prevent such a security threat. They absolutely need to be punished extremely severely for this.

For anyone who says "if you don't want to see their ads, then don't use their services"--what cave have you been living in for the past 30 years? Google and Facebook have their tentacles in every fucking website on the planet. Blocking is the only way to reliably access the web, because you cannot know in advance whether or not a given site accesses their code and ads. I don't use Facebook at all, I don't have an account, and yet I'm forced to block all of their invasive scripts on the client side in order to avoid being tracked by them. Google is even worse. Even if you try to get away, you can't.

Re:

[Baron_Yam]

>Google and Facebook have their tentacles in every fucking website on the planet.

I run a script blocker and I just checked... Slashdot isn't trying to run any Google or Facebook scripts on my system. Every other site I go to? Yep.

Re:

[tijgertje]

Well they could make ads that don't rely on JavaScript?
I'm not running an ad-blocker, I block third party JavaScript.
That it also kills 99,9% of the ads, well....

Google-hosted malvertising for KeePass

[tepples]

And, of course, you'll be able to prove bt a preponderance of the evidence that 1) the malware came from an ad and 2) that ad was served by a Google-owned server, right?

I could pull some evidence from my Ars: "Google-hosted malvertising leads to fake Keepass site that looks genuine" by Dan Goodin, 2023-10-19 [arstechnica.com]

Re:

[thegarbz]

I will not remove my ad blockers unless Google/Youtube accepts legal liability for damages caused by malware distributed via their ad serving.

That's a comically low bar. Google/Youtube don't distribute malware via ads. Their direct users to questionable sites which distribute them. You can not click on an advert and be perfectly safe.

Be careful with your wording.

Re:

[AmiMoJo]

YouTube ads are just normal YouTube videos that are forced to play. They are not sourced from third parties, they are served from the same Google servers as all YouTube videos.

Unless the whole of YouTube gets hacked to deliver malware... Well, I suppose in theory you could upload a malformed video in a format that YouTube doesn't transcode, with malware in it. I think the video itself would have to be malformed (not the headers/container) as that is the only part that is delivered.

Re:

[mjwx]

I will not remove my ad blockers unless Google/Youtube accepts legal liability for damages caused by malware distributed via their ad serving.

There should be a minimum mandatory statutory payout of $2500 (enough to buy a new computer) to each victim of any malware that winds up on user machines directly or indirectly as a consequence of ads on their website. Each time it happens this payout should double.

I can live without youtube - I need my computers to do my work - so I will not be letting anyone serve ads (or any other unwanted content of code of any kind) to my machines until they accept responsibility for any and all damages caused by their actions.

In that case, what you need to do is start supporting GDPR style laws in your country and every other country that proposes it.

Re:

[gweihir]

Yep, same here.

A far more important question

[Opportunist]

How do you tell that JS to fuck off and pretend you don't have an adblocker?

Re: A far more important question

[jonwil]

I have the latest version of unlock origin running in Firefox and as long as I keep the filters up to date it does a good job of blocking both YouTube ads and the YouTube ad blocker detection.

Re: A far more important question

[Mal-2]

The "in Firefox" part is important. Imagining you can undermine Big Evil using the tools they provide you is for fairy tales. You're not going to take out Alphabet using their own browser or derivatives thereof. They control the horizontal and the vertical, as the saying goes.

Re:

[AmiMoJo]

I can confirm that it works with uBlock on Chrome too. If Google were going to do anything to stop ad-blockers they would have done it in the many, many years that uBlock and several others have been available from Google's own extension website.

My guess is that even if they wanted to, they wouldn't dare for anti-trust reasons. They are in enough trouble with that as it is.

Re:

[catprog]

Google wants you to be able to block every ad except their own.

problem is

[Anonymous Coward]

YouTube could start banning accounts that use adblockers.

Funny thing though - the super annoying feature where google autoplays videos when you hover your cursor over a thumbnail actually works to watch the whole video without ads. It's like two forms of Google shitty anti-features canceling each other out.

Re: problem is

[jonwil]

If you are using the ad-blockers that can fool the Google detection then they have no way to know you are using an adblocker and therefore presumably no way to ban you...

Re:

[penguinoid]

You'd be a fool to think Google doesn't know you're using an adblocker. You'd have to watch each video from a different IP and no login, or else perfectly mimic watching videos for the length of the video + ad.

Re:

[Opportunist]

If they start banning accounts, it only means that you have two: One for posting videos, one for watching them. If the "watch" account gets banned, get a new gmail address, get a new youtube account...

Re:

[mjwx]

I have the latest version of unlock origin running in Firefox and as long as I keep the filters up to date it does a good job of blocking both YouTube ads and the YouTube ad blocker detection.

Same for Firefox on Android. The worst that's happened is that a video has refused to load and this was fixed by... refreshing the page.

Fighting ad blockers is pointless because there are more ways to block than there are to stop the blockers. Basically we treat ads as damage and route around them.

Re:

[junkname]

They updated how they detect as of today. ublock is now detected again.

Re:

[lsllll]

Funny, I'm using Brave with uBlockO AND Ad Blocker and I still get the annoying popups.

Invidious

[VeryFluffyBunny]

Find an instance of Invidious https://invidious.io/ [invidious.io] & say goodbye to all your intrusive, incessant, & annoying interruptions so that you can just watch videos. That's all I have to say.

I find can dismiss the pop-up

[nukenerd]

I watch a lot of Youtube videos, mostly for DiY advice and for less than a minute if I realise they are crap. I get the pop-up about 1-in-10 times, but find I can dismiss it with a small cross in the top right of the pop-up. Using Firefox in private mode with uBlockOrigin, but signing in to an account because I tend to comment.

How could the legal system be better?

[jago25_98]

I have a vested interest in the outcome of this case. I'd pay a few hundred $ for it to go my way. I'm sure there are MILLIONS of people who feel the same way. But it comes down to this one guy.

Whats' up with that?

Just block Javascript

[cjonslashdot]

If you use Firefox, it's easy: just install "NoScript". You are then in control of what Javascript loads on each page. Everything is "no" by default. And it can remember your choices.

Re:

[gweihir]

And if you use Vivaldi, NoScript comes pre-installed.

Re:

[cjonslashdot]

Huh. I did not know that! How do you like Vivaldi?

Re:

[gweihir]

Generally quite nice. I still have FF as secondary browser, but I think I have not used it for more than half a year now.

I did check again, and I have AdBlock Plus not no-script, and I think I self-installed it quite a few years ago. My apologies. Vivaldi has very painless updates.

Citizen vs resident

[manu0601]

Any terms and conditions which restrict the legal rights and freedoms of an EU citizen (...)

I understand that laws protects residents, not only citizen.

Title.

[Motleypuss]

Good. Unnecessary scripts are unnecessary. YT can find a more ethical way to earn its money.