hrbrmstr's Daily Drop

Bonus Drop #102 (2025-11-09): It Always Feels Like Someone Is Watching Me

hrbrmstr

Thwarting Google’s Surveillance Links; Surveillance Watch; Achievement Unlocked: You’re Being Watched

I turned a reaction to a Mastodon post into today’s diatribe on surveillance. Apart from a tool to help thwart Google’s attempt to track your every click in certain document formats, there’s not alot of “upsides” in this Bonus Drop; just stark realities.

TL;DR

(This is an LLM/GPT-generated summary of today’s Drop. This week, I’m playing with Ollama’s “cloud” models for fun and for $WORK (free tier, so far), and gave gpt-oss:120b-cloud a go with the Zed task. Even with shunting context to the cloud and back, the response was almost instantaneous. They claim to now keep logs, context, or answers, but I need to dig into that a bit more.)

  • The first section introduces a browser‑based tool that strips Google Docs’ tracking redirects from exported files, enabling privacy‑preserving edits (https://rud.is/defang-google-docs/)
  • The mid section highlights Surveillance Watch, an interactive map exposing the global surveillance industry and offering a free API for further investigation (https://www.surveillancewatch.io/)
  • The final section points out how modern games like Silksong embed player‑behavior telemetry behind achievements, turning entertainment into extensive data collection (https://hollowknightsilksong.com/)

An October 2025 thread about Google inserting “surveillance” links into some exported file types from Google Docs meandered into my timeline this weekend and it’s been interesting seeing the various reactions to it. Like all good controversaries and conspiracies, it even has its own Hacker News thread.

The list of which download formats are impacted was incomplete (it was missing Markdown), so I added that and have tweaked formatting to reproduce here (“❌” means no surveillance links)

  • ❌ txt
  • 👀 html
  • ❌ odt (Open Document Text)
  • ❌ pdf
  • 👀 epub
  • ❌ rtf (Rich Text Format)
  • ❌ docx (Microsoft Word)
  • ❌ md (Markdown)

These links look like this:

https://www.google.com/url?q=https://check.labs.greynoise.io/&sa=D&source=editors&ust=1762711628321472&usg=AOvVaw2t0wWADbTJxCZ7RUUW6_8M

One argument in the “pro-Google” column in the threads was that this lets Google scan it for malware. If that were the purpose, then the link rewrites would have to be this instead:

https://transparencyreport.google.com/safe-browsing/search?url=https:%2F%2Frud.is%2F&hl=en

That’s Google’s “safe browsing” checker, though I’m partial to urlscan.io for those types of operations.

This bit — https://www.google.com/url?q= — in the tracking URL is Google’s open redirector, which they use to, well, track/surveil us if we weren’t clever enough to catch the trick before tapping/clicking.

The bits after the &sa= aren’t so benign:

  • sa=: the “source action,” e.g., D for “document,” indicating how or from where the link was followed.
  • source=: indicates where the link came from (here, editors, meaning likely from a Google Doc or Sheets link).
  • ust=: a timestamp or an encoded expiry/timing value, used to scope the link’s validity or cache.
  • usg=: the URL signature generated by Google, usually a short base62-like hash (starts with AOvVaw…). It’s derived from internal metadata such as:
    • The q parameter (target URL)
    • The referring Google service (Docs, Gmail, Search, etc.)
    • Possibly the user/session or anonymized context
    • A secret signing key known only to Google

So, it can fully associate the URL access with the document it came from, and we know Google’s AI hoovers up everything, so they even know what the document was about. They know where you’re accessing it from, and you’re very likely logged into Google (though an increasing number of awesome humans are not doing that anymore). So, you are 100% being tracked.

It’s a little worse than that, though, since most endpoint protection solutions on corporate workstations will check every URL they see in a downloaded document, too. So, you’re being surveilled even if you haven’t opened the document yourself.

This is yet-another skeezy move by the sociopaths Google hires, and I’m glad someone raised awareness of it, but that’s not enough. It’s paramount we have some way to neutralize these links, provided we are horrible monsters and have exported Google Docs content into epub or HTML. What Google’s converter does to those two document types is unforgiveable, and you should never, ever use either format in an export from Google.

In my quote-boost of the thread, I linked to a Finicky.app rewrite rule that will take care of this for folks who use Finicky as a URL interceptor and router on macOS. But, that doesn’t help most humans.

So, I made this Defang Google Docs super-simple, self-hostable, all-processing-in-browser tool to find surveillance links and neutralize them. It’s 100% self-contained, vanilla HTML/CSS/JS, except for the CDN load of a javascript library that helps machinate ZIP content. Select or drop a compatible file and it will quickly make a clean, surveillance-free version of the document and auto-download it.

There are no javascript “tricks” or fancy CSS ops used. Just plain, readable, boring CSS (though it does handle light/dark mode) and javascript code.

I never use those export formats, so if the extractor mangles some URLs, please drop a note in an issue and I will gladly update the code.

In the meantime, if you must use Google Docs (like I do at work), then please export to Markdown like the amazing humans you all are.

Surveillance Watch

Surveillance Watch is a living map of the world’s surveillance industry. It’s an amazing global “x-ray”, of sorts, that reveals who’s watching, who’s funding the watchers, and how deeply this machinery has burrowed into our digital and physical lives. It’s the work of folks who have been on the receiving end of that surveillance: privacy advocates, researchers, and activists determined to turn the lens back on those who profit from watching the rest of us.

A core goal of the project is to expose the sprawling network of companies, subsidiaries, investors, and governments enabling surveillance capitalism and human rights abuses. Its message is sharp: they know who you are, so it’s about time we all know who they are. They aim to make the invisible visible, connect the dots between entities that thrive in opacity, and ensure accountability can’t be dodged behind shell companies or vague “security” justifications.

The site zeroes in on how spyware and data-tracking tools have been weaponized against journalists, dissidents, and human rights defenders. It traces the business ties and financial structures that sustain this industry, illustrating how exploitation is funded and normalized. Each data point is grounded in citations, research, and documentation open to public scrutiny.

This is not a corporate initiative or a government transparency project. It’s built by the Distributed AI Research Institute (DAIR), a collective of researchers pushing for community-driven, Big Tech–independent AI and data ethics work. DAIR was founded by scholars who’ve been critical of both AI hype and the surveillance systems powering it. Dr. Alex Hanna and Dr. Emily M. Bender, two of DAIR’s leading voices, have spent years unpacking the harms of automated systems, the politics behind “neutral” algorithms, and the industries profiting from them. Together, they’ve brought that same energy of accountability and resistance to Surveillance Watch.

The API that powers it is freely available, offering categories like entities, funders, countries, and cities. It’s structured to let others investigate further. With it, you can map funders, build academic datasets, or create visual analyses of industry sprawl. It’s open enough for developers to build on and reliable enough for journalists to cite. This is what real infrastructure for public knowledge looks like.

Like the surveillance systems it tracks, the project is distributed and ongoing. It invites the public to submit missing information, corrections, and new discoveries. The creators acknowledge that they’ve only begun to uncover the scale of this industry—but by inviting participation, they’re ensuring the project stays alive, current, and community-owned. Anyone can help document what’s been hidden in plain sight.

If you share in DAIR’s ethos — “Community over capital”, “transparency over opacity”, and “human rights over convenience” — then bookmark Surveillance Watch, dig into the data, shore up missing bits, and let’s hold to account all those who seek to track our every move.

Achievement Unlocked: You’re Being Watched

I was going to close with something a bit light, given the downer this “surveillance” topic is, but I snuck in some Silksong play time today and saw there were two more “achievements” in whatever that section of the Steam game area is called. And, that nixed a happier ending to today’s Drop.

Surveillance isn’t always wrapped in government contracts and AI ethics papers. Sometimes it’s wrapped in pixels, shaders, and a dopamine loop. Modern gaming has turned behavioral telemetry into both an art form and a business model. This fact is suer easy to miss because it all feels like play.

Every jump, every vanquished monster, every 0.8-second delay between deaths is logged, analyzed, and monetized. Game studios now collect and analyze player telemetry at scales that rival adtech platforms. These systems were once meant for balancing gameplay or catching cheaters, but they’ve evolved into comprehensive behavioral laboratories. Epic Games can tell when Fortnite players are tiring of a mode before the players themselves realize it. Steam’s backend knows which achievements most people abandon halfway through a campaign — and quietly redesigns incentives around that knowledge.

Achievements are the perfect cover story. They make the surveillance feel like progress. The “100 hours played” badge, the “flawless run,” the “you found all the collectibles” moment — each is a tiny confession of where you were, what you did, and how predictably you did it. While you earn that precious XP, you are most certainly being watched.

Console networks and PC platforms alike have turned “player analytics” into a trillion-line behavioral dataset. Xbox and PlayStation correlate account activity with region, hardware, and engagement time; mobile game SDKs track app-switching behavior and hardware motion; and Unity’s analytics pipeline quietly transmits “player progression” metrics even when games are played offline. Sadly, none of this is illegal. We all clicked “Accept” between loading screens. It’s one of the cleanest examples of how we’ve been trained to consent to surveillance in exchange for entertainment.

So next time you earn that shiny new achievement, take a moment to savor it. You didn’t just level up. You contributed to the world’s most advanced behavioral research lab — and you didn’t even have to sign an NDA.

FIN

Remember, you can follow and interact with the full text of The Daily Drop’s free posts on:

  • 🐘 Mastodon via @dailydrop.hrbrmstr.dev@dailydrop.hrbrmstr.dev
  • 🦋 Bluesky via https://bsky.app/profile/dailydrop.hrbrmstr.dev.web.brid.gy

☮️

Fediverse Reactions
, , , , ,

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.