Supporting newspapers harms your privacy


I am a Gaurdian reader. Have been since 2006.

I am a Guardian subscriber. Have been, on & off, since they introduced subscriptions.

I still see this banner every time I go to the site. (OK, I would if I didn't have an adblocker.)

Guardian Subscriber Plea

The point I am clumsily trying to make is that I pay but I don't sign in.

When I don't sign in, I have the option/notion of rejecting all tracking. Once I sign in, all bets are off.

Guardian Privacy Settings

Thankfully, the Guardian only has annoying ads and not a paywall. Unlike the other newspapers I subscribe to.

Newspaper I pay forCan I read without logging in?
The HinduNo
The New York TimesNo
Wall Street JournalNo
Live MintYes
The GuardianYes

Why do newspapers want you to sign in?

The obvious, if naive, explanation is that you need to answer are you a subscriber?. This is essentially the AAA problem:

But the answer to the question above is solely Authorization. You don't really need Authentication or Accounting.

Sure, some degree of Accounting may be needed for tiered access and so on, but last I checked none of these sites offer anything of the kind.

So, why do they really need AAA?

I don't know the answer. But I can guess. It's because they really do want the answers to the age old questions:

Either that or they have a bunch of lazy coders.

Because there's a better model

Blokada Home Screen

Let me introduce you to Blokada. I have been using it for a couple of years to block trackers and ads on my phone. A few months ago, with the WeChat ban in India, I signed up for Blokada Plus. This gives me access to the toggle button at the bottom of that screen.

Blokada works on my phone, on my web browser and my desktop. And it does not know who I am.

How does it do that?

By asking the only question it needs to, Are you a subscriber?.

And when it does, I provide my unique, randomly generated, 12 character account ID and all is good.

To access the VPN from my desktop, I log into the web interface with, you guessed it, the account ID. Once logged in, I can generate cryptographic client certificates to use with my VPN client.

Blokada Web Login

What's the catch?

In theory, this model is no more immune to tracking than any other.


In practice, it is possible to make the system pretty rugged.

Let's imagine a much more private flow for my beloved Guardian.

It's not that hard. We just need to take this shit seriously.