Note: This is explicitly posted in my private blog rather than the Adblock Plus blog. This post represents my own opinion only. It is likely unwise to rant about a competing project but I just don’t want to keep my findings to myself. If you are here for Adblock Plus bashing and don’t care enough to read the post, please make sure to read the edit at the bottom nevertheless.

On Chrome, two popular ad blockers are currently available: AdBlock and Adblock Plus. Despite the confusingly similar names, they are completely unrelated projects. I am in charge of the latter, yet people will occasionally ask me whether I would recommend AdBlock or Adblock Plus to them. There is certainly lots of room for improvement in Adblock Plus for Chrome, so my answer typically goes along the lines of: “These projects have different approaches but the resulting products are roughly comparable.” Recently, I looked over to the AdBlock for Chrome project and was shocked to discover that things changed, a lot actually. So next time somebody asks me about AdBlock and the difference to Adblock Plus, I can point them to this blog post.

Open development

The AdBlock project started out as an open project. They used Google Code hosting to make sure people can see their source code and contribute. However, that code repository was abandoned in August 2013. The new project description points people to source code packages that they can download. So you can still see the source code but extracting individual changes requires significant effort.

Other people noticed as well. AdBlock support staff promised that the situation was only temporarily and that a new source code repository would be created on GitHub soon. I indeed found a reference to this repository so it must have been public at some point. It seems to have been marked as private however.

Several other discussions brought up this topic, in particular this one from January 2014. All of the sudden, the support staff is talking about changes they want to keep private which is why they cannot make the repository public. From the discussion, it sounds like it is all about April Fools jokes and the like that shouldn’t become public before their time has come. The discussion concludes with “AdBlock won’t have public Git repo in near future” without any explanation why the workflow suggested in some comments (separating public and private changes into different repositories) won’t work.

To conclude: AdBlock covertly moved from an open development model towards hiding changes from its users. Users were neither informed about that decision nor the reasons behind it. The source code archives are only left around to keep pretending that AdBlock is still an open source project, these are hard to find and the project owners are clearly hoping that nobody will be able to extract the individual changes from them.

What are they hiding?

Not sure about anybody else but I immediately felt the urge to download the source archives and check what changes have been implemented there. So that’s what I did. There is a CHANGELOG file in the archives but it is still better to see for yourself. Here are the highlights:

AdBlock 2.6.11 (2013-10-25): The AdBlock feature which sends a unique user ID to the AdBlock server every day (you knew about this one, didn’t you?) has been extended. The server can now decide that the user should see a survey — this one is being opened in a new tab, immediately, no matter what the user is doing right now.

AdBlock 2.6.14 (2013-11-09): AdBlock won’t just send a unique user ID to its server now, it will also transmit user’s setting determining whether Google Search ads are allowed. The changelog message for this release: “Settings measurement.”

AdBlock 2.6.20 (2014-02-11): AdBlock will now send a request to goldenticket.disconnect.me each time it starts up — but not in the first two days after installation. It took a while until people noticed, apparently AdBlock partnered with Disconnect.me and advertises their services to selected users. The Disconnect functionality has been actually bundled with AdBlock and ads in their search were whitelisted. Another interesting addition: the unique user ID mentioned above will be sent to getadblock.com every time an AdBlock user visits that website. Or if an AdBlock user visits getadblock.com.malicious.com . Or any other website that has getadblock.com somewhere in the host name. If I were owning a website relying on ad revenue, I would have inserted a hidden frame into every page and used that bug to track AdBlock users — maybe some websites already had the same idea? And how does the changelog describe these changes? “Beta test for survey” – yes, sure.

each time it starts up — but not in the first two days after installation. It took a while until people noticed, apparently AdBlock partnered with Disconnect.me and advertises their services to selected users. The Disconnect functionality has been actually bundled with AdBlock and ads in their search were whitelisted. Another interesting addition: the unique user ID mentioned above will be sent to every time an AdBlock user visits that website. Or if an AdBlock user visits . Or any other website that has somewhere in the host name. If I were owning a website relying on ad revenue, I would have inserted a hidden frame into every page and used that bug to track AdBlock users — maybe some websites already had the same idea? And how does the changelog describe these changes? “Beta test for survey” – yes, sure. AdBlock 2.6.21-2.6.27: The Disconnect.me functionality is being heavily worked on, it looks like Disconnect developers are changing it themselves. Trial and paid memberships are being implemented, whitelisting of Disconnect search ads tweaked. According to the changelog, all these releases are “Beta tests for survey.”

AdBlock 2.6.29 (2014-04-28): The “AdBlock custom filters” (AdBlock-specific filter list that is installed by default and listed as recommended) add a set of filters to whitelist Mixpanel tracking on the AdBlock website.

AdBlock 2.7 (2014-06-06): Calling home functionality has been extended. It now sends user’s locale in addition to the unique user ID, AdBlock version, operating system and whether Google Search ads are being allowed. Also, AdBlock will tell getadblock.com (or any other website if asked nicely) whether AdBlock has just been installed or has been used for a while — again, in addition to the unique user ID. This functionality was tweaked a bit more in AdBlock 2.7.2.

(or any other website if asked nicely) whether AdBlock has just been installed or has been used for a while — again, in addition to the unique user ID. This functionality was tweaked a bit more in AdBlock 2.7.2. AdBlock 2.7.4 (2014-06-20): The changelog is now visible in the extension, wow! All the sudden, meaningful changelog messages are being added again instead of just saying “bug fix” or simply referring to GitHub issues that nobody without access to the private repository can see. Now somebody would only have to make sure that these messages match the actual changes…

To conclude: If a project suddenly decides to work behind closed doors, something bad is usually going on. In AdBlock’s case, they started monetizing their users by partnering with Disconnect.me, and they didn’t want anybody to notice. When people noticed and started asking questions, they tried to downplay the impact of this change.

What about privacy?

From the AdBlock project page:

Privacy Is Paramount

And further below:

AdBlock won’t save or retrieve your personal browsing habits or information for any reason beyond what is required to make it work.

So they say. As became obvious above, AdBlock has no scruples to assign unique IDs to their users, to collect data about them (like which settings they enable) and to track the users each time they visit their website. You also cannot avoid visiting their website because the extension will send you there occasionally, most notably on first run. There is no privacy policy, so nobody knows what happens with that data. The discussion on their privacy policy has been marked private for some reason, I guess details were published there on what data they collect.

Not just that, the AdBlock project was also so careless when implementing this “feature” that every other website can track AdBlock users as well. And they explicitly allowed Disconnect.me to be notified whenever some AdBlock user starts up his browser. At least Disconnect.me has a privacy policy and claims that no data is being collected there.

To conclude: The AdBlock project only pretends to care about user’s privacy. From their actions, it is very obvious that privacy considerations don’t play any role when decisions are being made.

Does Adblock Plus do it better?

Yes, I believe that we do. We try to be open and transparent about everything we do. Our source code repositories are out there in the open (actually available both on our servers and GitHub, so that more people find them), we have a public issue tracker and public code reviews. What’s even more important, we announce all important changes in our blog (these announcements are picked up by the press regularly), the changes really affecting all our users are announced in the extension itself. And that meant also announcing controversial decisions where we knew that they would spark painful discussions.

We have a very detailed privacy policy. More importantly, we don’t just say that we won’t collect any more data than absolutely necessary — we try hard to actually do this. This means for example that user IDs are an absolute no go. This means that the first-run page is part of the extension — our server doesn’t need to know that somebody installed our extensions. This means that we can only estimate our user numbers rather than calculate them directly. This means that we have little idea about how our users configure Adblock Plus — unless these users decide to tell us. There are many things where we have to say: “we cannot do this.” But I think that we owe that much respect to our users.

Edit (2014-08-04 09:20 CEST): Two new AdBlock versions came out since that blog post was published. AdBlock 2.7.9 fixed the bug I mentioned above, now only getadblock.com can track AdBlock users and no other websites. From the response of the AdBlock team (see comment 27 below) it doesn’t look like any other points I mentioned are considered an issue. In fact, AdBlock 2.7.9 again extends the calling home functionality. Now it will also send the number of ads you blocked.

Edit (2014-07-30 10:54 CEST): I would normally disallow off-topic comments. However, some people are just too willing to bash Adblock Plus based on misinformation every time some slightly related topic comes up and accuse me of censorship when I remove their comments for the sake of a meaningful discussion. So I relaxed this rule here and replied to comments that are only marginally related to the topic discussed. Still, please have understanding that I will not tolerate insults here. Also, I might decide that comments repeating claims I already replied to are not made visible. So if you are here for Adblock Plus bashing, please make sure to read replies to comments 8, 11 and 22 first. So far four comments have not been made visible: two containing insults, one linking to a FUD discussion without any further content, and one that was really way off topic here.

Edit (2015-05-20): Much time has passed and it is now easier to see what kind of content these “surveys” contain. One survey is still active, it is a donation nag message. Others were advertisements for Disconnect Mobile (DuckDuckGo finds two more with slightly different phrasing). What I couldn’t find was evidence in favor of Gabriel’s claim (see comments) that users were actually surveyed about AdBlock’s funding approach or Disconnect functionality within AdBlock.