
@ryanccn
Last active September 21, 2022 03:53
An experiment with Modrinth and Carbon Ads, an open letter on the issue & a response from team

Modrinth Ad Experiment

Update 2022/9/20 🎉💯

The Modrinth team had contacted Carbon Ads, and as it turns out, Google DoubleClick integration could be turned off. So now DoubleClick is no longer present on the Modrinth website! 🎉🎉🎉

Thank you to the Modrinth team for prioritizing user privacy 😉

Update 2022/9/15

After a discussion in the Modrinth Discord on this issue, it was concluded that there was no way to prevent Carbon Ads from connecting to DoubleClick. Unfortunately, most ad platforms on the Internet seemed to be connected in some way or another to the advertising services provided by major corporations, so it isn't an issue that Modrinth can fix, really. I understand the tradeoffs Modrinth has to make between revenue and respecting privacy, and it is more likely a problem with the whole system rather than something Modrinth can solve by itself. Therefore, if you do not want these scary trackers to be tracking you, just turn on your adblocker. That's it.

This project proves that Modrinth, with Carbon Ads, makes requests to DoubleClick and sets third party cookies without user consent in certain regions. The team has recognized this issue and will hopefully update its Privacy Policy to be more informative of the fact.

Original letter

Recently, Modrinth announced that they were switching to Carbon Ads in order to provide better payouts and create a more sustainable business model. This decision by itself is quite understandable, and I fully support Modrinth in its decisions to make itself a better platform for creators and users alike.

However, a few people soon pointed out that Carbon Ads, a supposedly relatively independent ad platform, was making requests to DoubleClick, a Google-owned tracking and advertising company. Even though DoubleClick is only applied in certain regions (e.g. the United States), there is a serious privacy issue at stake here. Carbon Ads reserves the right to set cookies on your browser session, as well as load scripts or resources hosted by third parties into a publisher's web page.

Modrinth will never use an ad provider that does not respect the privacy of you, our users.

- https://docs.modrinth.com/docs/details/carbon/

While we support the protection of our customer’s privacy on the Internet, Modrinth expressly disclaims any and all liability for the actions of third parties, including but without limitation to actions relating to the use and/or disclosure of personal information by third parties.

- https://modrinth.com/legal/privacy

In the interest of "supporting both Modrinth and its creators", a lot of users would very much like to turn off ad blockers on Modrinth. However, something often unacceptable to privacy-minded users is association with the overall Google ads and tracking ecosystem. Under this change, Modrinth is no longer a black hole to big tech.

Even if legally this might be GDPR/CCPA-compliant via geofencing, it still isn't comforting to see an advertising company that sends data to its own third parties without user permission. IP addresses and other information are being passed to Google without permission; is this "fully GDPR compliant"? (I am not a lawyer.) Modrinth claims to respect users' privacy; however, legally complying with laws does not equate to fully respecting user privacy. Users not under protective laws' jurisdiction will still be subject to additional tracking, and as this project finds, Google's DoubleClick is harvesting user data off Modrinth.

We would like more clarification on the relationship between Carbon Ads and the Google ecosystem, and this project simply aims to bring more transparency to the requests, redirects, and cookies that Carbon Ads involves on the Modrinth production site. All of us love Modrinth and want to support both Modrinth and the creators on the platform, but we will not do so at the cost of our privacy at the hands of advertising platforms with dubious practices.

Selected Findings

  • Tracking pixels from adsafeprotected.com, which appears to be owned by Integral Ad Science, are only loaded when not in headless mode. IAS provides a service called TRue Advertising Quality, also known as TRAQ, which could be related to the tracking pixel.

  • Carbon Ads-affiliated domains such as buysellads.net (BuySellAds), carbonads.net, and carbonads.com are repeatedly requested. https://cdn4.buysellads.net/acceptable.gif is a tracking pixel.

  • Visits from the United States also result in tracking XHR requests to https://ad.doubleclick.net/ddm/trackimp (tracking impressions) with the tag of BUYSELLADS. This is a DoubleClick domain owned by Google.

  • In most locations, clicking the link goes to a srv.carbonads.net domain which then redirects to the actual page. In the US, sometimes this hops to https://ad.doubleclick.net/ddm/trackclk (tracking clicks), again owned by Google, before redirecting to the final URL.

  • Third party cookies such as IDE and test_cookie (lmao) are set by doubleclick.net without the user's permission to have any cookies set, since the cookie settings had been removed.
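
The kind of audit behind these findings can be reproduced against any saved network capture. The following is an added example, not the project's deleted source: it groups requests by third-party site, lists the cookies those sites set, and walks a click redirect chain. The capture entries are constructed (hosts and cookie names come from the findings above; `/click`, `advertiser.example` and the cookie values are placeholders), and `auditCapture` and `redirectChain` are hypothetical names.

```javascript
// Constructed HAR-style entries, not a real capture of the Modrinth site.
const SAMPLE_ENTRIES = [
  { url: "https://modrinth.com/mods", status: 200 },
  { url: "https://cdn4.buysellads.net/acceptable.gif", status: 200 },
  { url: "https://ad.doubleclick.net/ddm/trackimp", status: 200,
    setCookies: ["IDE=constructed; Domain=.doubleclick.net; Secure; SameSite=None",
                 "test_cookie=constructed; Domain=.doubleclick.net"] },
  { url: "https://srv.carbonads.net/click", status: 302,
    location: "https://ad.doubleclick.net/ddm/trackclk" },
  { url: "https://ad.doubleclick.net/ddm/trackclk", status: 302,
    location: "https://advertiser.example/landing" },
  { url: "https://advertiser.example/landing", status: 200 },
];

// Naive "site" = last two host labels. Sufficient for these hosts; a real
// audit should resolve registrable domains with the Public Suffix List.
const site = (url) => new URL(url).hostname.split(".").slice(-2).join(".");

// Count requests per third-party site and collect the cookies they set.
function auditCapture(entries, firstPartyUrl) {
  const firstParty = site(firstPartyUrl);
  const thirdPartySites = new Map(); // site -> request count
  const thirdPartyCookies = [];      // { site, name }
  for (const e of entries) {
    const s = site(e.url);
    if (s === firstParty) continue;
    thirdPartySites.set(s, (thirdPartySites.get(s) || 0) + 1);
    for (const c of e.setCookies || []) {
      thirdPartyCookies.push({ site: s, name: c.split("=")[0].trim() });
    }
  }
  return { thirdPartySites, thirdPartyCookies };
}

// Follow Location headers from a click URL; returns the sites traversed.
function redirectChain(entries, startUrl, maxHops = 10) {
  const byUrl = new Map(entries.map((e) => [e.url, e]));
  const chain = [startUrl];
  let current = byUrl.get(startUrl);
  while (current && current.location && chain.length <= maxHops) {
    const next = new URL(current.location, current.url).href; // resolve relative
    if (chain.includes(next)) break;                          // redirect loop
    chain.push(next);
    current = byUrl.get(next);
  }
  return chain.map(site);
}
```

Running the same functions over captures taken from different regions, and in headless versus headed browsers, makes the geofenced and headless-only behaviour described above visible as a difference in the two results.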

Source code

The source code for analyzing the Modrinth website has been deleted from GitHub in order to prevent further controversy on the subject.
