181 comments

[ 3.4 ms ] story [ 273 ms ] thread
Not to bang on about it, but this kind of thing is why I use an ad-blocker.

It's barely even about ads in the traditional sense anymore, it's about being able to read a fucking article without having half the internet downloaded in the background while every nano of my being available is processed and analysed by 30 different tracking companies simultaneously.

Its not as sexy a name, but I think ad blockers should be primarily described as tracking blockers. Its sounds as important as "anti-virus" and i think it could drive a few more people towards using them.
I'd agree with this. I would be more likely to allow ads, particularly on sites I want to support, if I could have assurances that those ads aren't harvesting every available datapoint they can. Make ads dumb again.
Yep. So much this. I don't mind ads. I mind tracking. Oh, and advertisers: I've never bought anything because I saw it on facebook or in a google ad or anywhere else like that. I'm not sure what you think you are doing with all that data, but it's not working. Ads are not how I learn about new "needs."
I've never bought anything because I saw it on facebook or in a google ad or anywhere else like that.

Can you be certain that this is true? Perhaps you didn't click through (I don't either), but what if your unconscious mind saw an ad that you did not register consciously.

You can never falsify that, obviously, and I think a lot of the web-ad industry like to keep that FOMO in front of the advertisers. But I'm fairly certain. Vacations? Nope: I have my way of deciding and that's how I do it. Car? Nope. Calendar/planner? Nope. Pencils? Pens? Grill? Pants? Nope Nope Nope Nope. I'm hard-pressed to think of the last brand I learned of from an ad. Books? Usually from here (also planners, cars, etc.)
Most of the the the ads I see by Google or Facebook are the ones for purchases I already made. Few weeks ago I already booked a hotel on booking.com, and then searched about that hotel's official website and facebook page, and boy, for two weeks every google ad and facebook ad had that hotel name.
LOL exactly. It's ridiculous. I accidentally cost my buddy a click when his ad appeared on my feed (his ad has no business being on my feed)- I was on mobile so of course accidentally clicked it.

The ad industry is just so damn broken that it's ripe for a huge disruption. The whole hypothesis of Google- that people will want to see ads centered on what they are searching for- seems to be erroneous. But it's been taken as gospel for what- a dozen years?- that everybody has piled on to the idea that we can know what people want to buy based on the type of information they seek. I think that except in explicit cases- searching for 'umbrellas that can withstand high winds' for instance- it's not true.

As I've said before here, when I'm ready to buy I'm searching Amazon, not Google.

uBlock Origin describes itself as "a wide-spectrum blocker which happens to be able to function as a mere ad blocker". It has the explicitly stated goal of allowing the user to personalise their browsing experience in whatever way they choose.

https://github.com/gorhill/uBlock

For finer grained control of the scripts, XHRs, and media being accepted by your browser I'd recommend installing uBlock Origin && uMatrix. uMatrix allows you to blacklist or whitelist everything on a page with some pretty good defaults.
You can get a lot of uMatrix's functionality just by enabling the "I am an advanced user" checkbox in uBlock Origin. I actually find it a better interface, but that's a personal preference.
I second the recommendation for uMatrix. Recently switched from noscript due to ff57 and boy, what an improvement. The matrix model works very well. It makes total sense to only allow certain types of resources and/or/from certain domains per level in the dns hierarchy. The defaults are much more usable than noscript and the UI is great once you “get it” (won’t take more than a day or two).
I run one as a malware blocker, because if I don't then my computers get attacked at least once a day, often by reputable sites.

It's probably more important than an antivirus for stopping malware.

It's definitely more important than antivirus but I don't think the general population has figured that out.
Firefox and Brave have tracking protection built-in. Not sure if any other browsers offer this out of the box.
how good is it though? I couldn't care less about "non-intrusive ads" of adblock plus for example, that's not very efficient.

microBlock origin on the other hand, that's pretty much required these days, especially on tiny mobile screens.

Firefox doesn't really have tracking protection built-in. There's "Do not track", but that's worse than worthless and off by default, and you can turn on blocking thrid-party cookies but, again, off by default and only covers a small area of concern. I don't even know what to say about Brave other than the business model feels very wrong.

Firefox + uBlock Origin is the right level of protection and you can get it on desktop and mobile (Android at least).

I've come across a few sites that were still using affiliate links and uO didn't block them. I'm not sure if uO has a policy of not blocking them but, to me, those are the only type of "acceptable ad" and CPU cycles shouldn't be wasted trying to detect and eliminate them.

I use noscript and am pretty happy with it. I also use Adblock Plus because I'm ok with the idea of allowing certain types of ads through the adblockers. I was kind of thinking that we could get sites to stop doing the tracking bullshit if we put out a list of what is acceptable and blocked the rest. I guess it wasn't well executed?
That's a very noble and really naive thought.

Ad pushers have repeatedly shown that they cannot be trusted with our bandwidth and browser resources, they will always try to find the most insidious ways of inserting themselves into our lives, and try to track our every move, no matter how unwelcome they are.

Add to this the long history of malware using ad networks as an attack vector, and you have a very good case for simply blocking everything, in the name of privacy and security.

I hate ads, both for the above mentioned reasons, and because I find them extremely obnoxious (yes, even simple text ads), so I block everything with extreme prejudice. I am also on the "no mailed ads, ever" and the "you will be fined if you ever call this number with advertising" registries. My eyeballs, my attention, my PC, my OS, my browser, my home. Anything I don't trust and don't explicitly allow can just buzz off and leave me alone.

Why don't we just call them malware blockers? What we refer to as tracking or analytics code has evolved well past the point of understanding and has crossed over into manipulation. That's ultimately what advertising is these days, a means to manipulate you into spending your money.
Honestly I don't care what is be tracked, but until it is no longer the case that 60% of webpages slow my computer to a crawl for about six seconds I am not turning mine off, no matter how many times the website asks politely.
I hope you do not use Google Chrome, if you are worried about privacy.
Well that's debatable. The technology of chrome (better sandboxing) is an advantage.

I've alternated between Chromium and Firefox. Some sites seem to work better in one browser or the other.

I think the parent comment was because Chrome does its own user tracking and reporting to Google.
What exactly does it do?

I've re-read their whitepaper and while there is some data one may consider sensitive, it's not something like "user tracking and reporting" beyond the performance metrics and search suggestions (which all other major browsers do as well). There are optional features which may result in private data being sent to Google, e.g. keeping history with Google without local encryption - but you have to opt-in, which feels OK to me.

https://www.google.com/chrome/browser/privacy/whitepaper.htm...

> this kind of thing is why I use an ad-blocker

While ad blockers do stop a lot of third party ads and iframes, and probably some tracking, I don't think that ad blockers are stopping most tracking by web sites. Not the kind this article is talking about, anyway. It's quite simple for sites to track user activity in ways that ad blockers can't easily stop. And I suspect it's becoming more likely quickly, purely on the anecdotal number of sites I visit that now detect ad blockers.

Some of this article seems like FUD though. It's pretty hard to think of what keystrokes you would type into a web site that you don't want to send the web site. The main thing they're getting by tracking keystrokes that they didn't get before is typos and form activity that you start and then decide to clear and bail out. I'd speculate that this is being used and is most important for sales conversion pages, where they monitor your activity to try to figure out if you started out interested in buying something but then decided not to buy.

Web sites cannot track your keystrokes when you're using a different site / tab in your browser, they can't track keystrokes when you use another program besides the browser, they can only track when you're interacting with the site. So what sensitive data can they get that you weren't already giving them?

I was at a University that paid for some tracking software we self-hosted. It showed a highlighted webpage showing gradients over the most common places they scrolled too.

Adblock lists are community maintained, so whether this stuff is blocked depends a lot on people who actually enjoy having their network debug panel open.

Facebook's tracking pixel their e-commerce affiliates use is insane. It sends most mouse movements and they use it to determine what words users hover their mouse over! Their AI/marketing engine is pretty advanced, to the point where their predictive analysis is accurate enough people swear Facebook/Instragram are sending microphone data.

Sure they cannot track you across tabs and browsers ... directly. But they do. If 30% of the pages you visit have some kind of Adobe Omniture or Facebook pixel, they do in fact gleam a ton of data about you. This AI is so powerful it can predict products you want, potentially before you even verbally announce them. That's incredibly powerful predictive analysis ... used to cure cance---oh no wait. It's not. It's just used to sell you shit. What a waste of tech honestly.

I know a lot of people here use uBlock Origin since there are concerns with Ghostery/AdBlock/etc either allowing in certain ads for a price or selling some of your data to be viable. The only real solution for tech people is to run a Javascript blocker like NoScript, and explicitly white listing what you want to run .. which is honestly a ton-o-work.

I agree with 100% of what you said, the level of tech being used for behavior predictions is scary and the level of tech being used for sales seems like we could be putting all this engineering to better use. OTOH, this seems like natural economics to me given our system, for better or worse. Money is the driver of all things, sadly.

Yep, heat maps for mouse movements are a very common technique. You get click location data out of Google Analytics and everyone uses Google Analytics.

But we should be clear and careful -- since I'm using the web site, my click data is not something I can ever keep private from the web site. We can (and probably should) keep it from third parties, but first party mouse and keyboard data isn't a privacy concern.

Good point about cross-tab tracking, this is fairly common too, and an ad blocker does usually block this. But, the article was primarily about key logging, and the iframed ads can't do any key logging.

Don't get me wrong; I use an ad blocker myself, and I think it's a good idea. I just wanted to make the point that blocking only 3rd party content does not solve the problem this article pointed at, and it especially doesn't solve direct key logging or mouse tracking by the website you're using.

"first party mouse and keyboard data isn't a privacy concern"

If that data can be used to infer anything about me, it certainly is a privacy concern for me.

I think of it like going to a library and instead of freely browsing through the books without being watched, instead being spied on and every book I look at and even where my gaze travels through each book's pages being monitored.

This is a paranoid's nightmare level of surveillance, and that's what we're gradually being weaned in to accepting. It certainly is a major privacy concern for me.

Ideally, the internet would have been built in such a way as to allow fully private and anonymous use, as it's really nobody's business but your own what you look at, what you're interested in, or what you read.

We've helped build the internet in to a spy's paradise, and it's really sad.

> I think of it like going to a library and instead of freely browsing through the books without being watched, instead being spied on and every book I look at and even where my gaze travels through each book's pages being monitored.

I totally agree and empathize with the increasingly privacy hostile place the internet is. But, that analogy seems a little hyperbolic to me. The library currently does track which books you check out, and maybe fine you when you’re late to return them. They do track which books are popular, in order to figure out what to stock. Some libraries track how their building is being used, and my local library does have cameras. These are all the same kinds of things web sites are doing. It may be more aggressive on a site, and more focused on selling you something, but it’s not fundamentally different. First party sites (not ads) aren’t tracking your gaze or invading your privacy, they’re responding to what you ask for, and using some of the breadcrumbs you leave to improve conversions if they can.

Talking to a person face to face has exactly the same issues. If I buy a car, for example, the sales guy will definitely watch my gaze and listen to what I say with an ear toward exploiting anything I share with him to increase his odds of selling me a car. We wouldn’t call what the sales guy does a privacy issue, and what “first party” web site tracking directly (without third party services) is doing is no more creepy and no less private than what car sales guys do.

If the direct tracking is sold or shared or handled by a third party, then absolutely, huge privacy concerns. But for the direct communication, if you don’t want someone to infer anything about you at all, your only choice is and always has been to not use the service.

"that analogy seems a little hyperbolic to me. The library currently does track which books you check out"

This is why I explicitly talked about browsing of books at the library, not checking them out.

But now that you mention it, tracking who checks out which books also has disturbing privacy implications, and I am against that. There's nothing stopping an anonymous library checkout system from being designed and implemented, if we only had the will.

Camera use in libraries is a relatively new phenomenon, and I'd have similar privacy concerns about it if, like website tracking, its explicit aim was to track who was looking at which books, but as far as I know it's not being used for that purpose. But it's not very far from being capable of doing that, especially with high resolution cameras and facial recognition systems. So that's definitely something to keep an eye on.

"Talking to a person face to face has exactly the same issues. If I buy a car, for example, the sales guy will definitely watch my gaze and listen to what I say with an ear toward exploiting anything I share with him to increase his odds of selling me a car. We wouldn’t call what the sales guy does a privacy issue"

I would in fact call that a privacy issue. We're just so used to it we don't normally notice it. There's also an enormous difference between one person noticing your interest in one thing and the systemic, omnipresent surveillance apparatus we've made the internet in to, which is tracking all your interests, and voiced opinions and ideas.

Look at the repression, imprisonment, murder of political or ideological opponents throughout history, and you'll see their surveillance, tallying, and location has always been a part of that. Today's surveillance apparatus is thousands or millions of times more effective than it's ever been in the past, and every bit of data collected about you feeds in to those profiles which could be used against you. We should oppose it, instead of meekly submitting to it, much less enabling it.

I'm totally with you on the surveillance and potential misuse of tracking information. This is a brave new world.

You're right that there is a difference between face to face conversations and digital tracking. That's why I'm weaseling out with my "first party" qualifications. As long as the tracking is between you and the site you're on, it's sort-of similar to personal conversations. Not the same, but not super different. As soon as third parties and groups of people and governments are involved, it's wildly different.

The camera issue is interesting. This will be a growing concern from now on. According to US law, there is no expectation of privacy from being photographed while you're in a public place. You are not currently entitled to privacy in a library, or while walking downtown, or while driving in a car on public roads. But that law wasn't drafted with the idea of digital mass surveillance in mind, nobody had the capability to capture and correlate all your movement when it was written.

I've been using NoScript since forever and one gets used to it.

Also, I've always wondered what the use is of tracking which words the mouse is hovering over. I mean who does that: hovering the mouse over words?

> who does that: hovering the mouse over words?

Lots of people, you’d be surprised. ;) Sometimes I catch myself unconsciously highlighting what I’m reading.

But the mouse tracking is for detecting waffling potential button clicks and form fills too.

It’s a bad proxy for attention, but it is a proxy that kinda works.

Quite often I'll move the mouse pointer out of the way of what I'm reading. So my mouse pointer will be "hovering", but not over anything I'm interested in at all.
If you midway opt for a different credit card, phone number, alias, name, or address that all gets lumped together. They get a better picture of you.

Lots of people will cut and paste passwords and sensitive information while working and swapping back and forth between applications. That would include every sort of personal information possible that can be put into a clipboard.

Yes, that's all true. Do assume that anything you type into a website is being recorded, even if you delete it before clicking anything.

Having 3rd party tracking services is a bit of a problem with some complex issues, but it's very common. Ad blockers can help, but I suspect the ability for ad blockers to increase privacy is going down. It's easy for sites to configure third party services as though they belong to the site's domain, and all ad blocking goes out the window. This is an arms race that will not end by blocking third party requests.

For first party tracking though, direct tracking by the web site, there is no hard line for what input tracking even means, using the web site at all is a form of input tracking. Logging of inputs to a site by the site should be and always has been expected. Accidentally sending sensitive data directly to a site has always been a problem, and ad blockers don't solve that problem at all.

Typing in a form field on a private forum page I wouldn’t expect that my conversations are also available to the advertisers posting banners to that page.
The problem isn't just ads, though: first-party JavaScript can still record every keystroke you type, so e.g. if you accidentally type your login password into a browser window (even if no input field is focused) then you must change it.

The problem is that most of us are reading what should be static content which is instead a dynamic program written in a general-purpose language.

I simply disable JavaScript. Only when I’m on a page that I think I really need JavaScript capabilities to I open it in another browser that has JS enabled. Of course some in the latter category do nasty stuff but only those I explicitly allow get to run JS with Adblock enabled.
If javascript is allowed to persist in the background, read the keydown and cursor location, and keep a socket open back to the server, then that won't matter.

Personally, I do not understand why this has become acceptable, if all I am doing is viewing text and static images.

Ideally, I would like it so that the browser suspends everything if a tab is not visible in the foreground, unless I pin it.

About 6 months ago I got tired of all the tracking and fingerprinting that is going on and installed NoScript. Surprisingly few web pages require Javascript. Give it a try, you might be pleasantly surprised.
That's not the case at all if you go to a site that uses React. For those, you are welcome by a blank page with NoScript.
Personally I prefer uMatrix since that tool usually allows first party scripts be default (unless you configure otherwise), so most JS sites work on a basic level.
This is somewhat moot as (a) I think most React devs don't do this, and (b) if they do, the resulting page may still not be very useful.

However, any React developer worth their salt (probably still a minority, as mentioned above) should be using ReactDOMServer which will render the page fine without browser JS being enabled.

I thought this was mainly used to improve first load speed. The site won't be very useful if you can't interact with it beyond that.
While it does depend on the purpose of your site, even in the purest examples in the "web app" category, I can think of very few sites that are guaranteed to be absolutely 100% useless without interactivity. Certainly not as useless as a white screen.

In most cases though, you should be able to present a pretty useful static page by default without too much effort.

This is somewhat moot as (c) you can disable NoScript on certain pages
I've been out of the Web dev game for a while, but isn't this meant to be avoided for SEO? I know Google's bots now execute some JS, but has the consensus now shifted enough that this is widespread?

(Of course, as a Web user I consider both JS-only pages and SEO to be awful somewhat-parasitic practices, but that doesn't unfortunately doesn't factor into many business decisions :( )

Most people using React are using for webapps that aren't meant to be crawled.

Sometimes we see examples here on HN of blogs, that are mostly text content and pictures, built on a client side JS framework like React, but that's the exception.

You can set Noscript to accept scripts coming from the current domain (and sub-domains) by default. It helps a lot.
Yes I know that. But why would you enable anything if you don't know the contents in the first place?
In such cases I usually just close the page and happily move on. Every once in awhile, I enable JS and reload -- not a huge hassle.
I prefer uBlock Origin in dynamic mode, with default deny on 3rd party scripts and 3rd party frames. Usually 1st party scripts aren't much of an issue, and if they are, it's very easy to block that domain from firing any scripts at all.
Makes me want to search StackOverflow to see who asked how to reverse the order of a keystroke log file, so they can see if anyone backspaced off "your site sucks" in the comments box.
This is why it is absolutely mandatory that any browser I use has Privacy Badger and uBlock Origin in dynamic mode with all 3rd party scripts and 3rd party frames blocked by default, in addition to the static block lists.

Dynamic mode is the somewhat hidden feature that makes uBlock Origin as powerful as NoScript, and more flexible when it comes to differentiating between whether to allow content from a domain globally, or only on specific sites.

https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-qu...

Highly recommended.

Long time NoScript user here, and I had to remove it today as it is completely broken and unusable. I cannot even get the preferences to open so I can export my whitelisted domains to uMatrix, which I'm testing as a replacement.

I would like to combine uBlock and uMatrix, but I'm not sure I can replicate the functionality I want. Your mention of dynamic filtering is interesting and I wonder if others are using it and can make a recommendation?

I need all JavaScript off by default (including first-party) and the ability to block both ad-serving domains and filters such as /ads/ that work across all domains. Is this possible to do entirely within uBlock Origin?

Looking at the uBlock dynamic filtering, it looks very similar to uMatrix. To block all scripts in uBlock, you'd probably want to block inline scripts, 1st party scripts, and 3rd party scripts with global rules which is possible with dynamic filtering.

However, if you're using chrome, you should have the ability to disable it from the browser altogether.

uBlock and uMatrix are designed to work together :)

and yes you can disable ALL javascript with uBlock :)

Did you change browsers or something? Noscript seems to still work fine for me. Linux Firefox 56.0 (64-bit)
Firefox 57 was release a couple weeks ago and breaks most extension by dropping the legacy add-on system.
I was hoping that was not case. I was hoping something like Safari on a Mac Pro.
For the avoidance of doubt, NoScript version 10 shipped a few days after FF57 was released, and it is an update to that combination which is not working for me. I uninstalled & reinstalled the extension, and clicking on the settings icon instantly crashes the browser. It is totally unusable for me.
There was a huge change with Firefox 57.

It is getting back to usable but it still lacks ABE and some other tools.

No, I'm using Firefox 57 (sure you are still on 56? 57 should be in the repos) and after a shaky start with NoScript 10, whatever the latest update did has badly broken the extension for many users. I am hopeful it will be as good as it used to be some day but today it really is badly broken and unusable. See the reviews from the last 24 hours, it's a mess: https://addons.mozilla.org/en-US/firefox/addon/noscript/revi...
yeah- 56. double-checked. But linux mint- they try to not break things :)
I used to use NoScript and am now more than happy with uBlock Origin in medium mode. The developer of uBlock Origin and uMatrix actually recommends against using them together now (for most people).

See https://www.reddit.com/r/firefox/comments/706xrr/umatrix_vs_...

It depends on how much work you want to do... I change umatrix defaults to not allow any javascript, which breaks a lot of things (usually images :/). I also don't load anything from third party sites by default, which also breaks images and often css (many sites I usually just read the text with broken css). For this uMatrix is great and I wouldn't use uBlock Origin at all except that uMatrix has no option to not load fonts and I also have Firefox configured to just use DejaVu 16pt on all sites (which makes the web so much nicer, although also breaks a few things), but this doesn't prevent it from loading fonts for some reason (at least last I checked). I guess because some sites use icon fonts and maybe Firefox can't tell the difference until it gets the file.
So which part of this isn't possibly with only uBlock Origin?
Blocking font loading. I'm not sure where fonts show up in uMatrix and there is at least not a specific fonts category, which is what I want.
I block all fonts by default ("no-remote-fonts: * true" in "My Rules"), and selectively re-enable them on sites that I trust to use fonts responsibly.

This will block all externally loaded fonts, only system fonts will be used.

I looked an only saw references to that in uBlock Origin, then realized I read the question wrong :/. As far as I know it is possible to do everything I want in uBlock Origin (I do the same with fonts), however the interface is less convenient than uMatrix, even with the advanced extra panel. It would work if uMatrix ever goes away, but I'd rather use uMatrix while I can. I tend to leave changes as temporary only when I can unless I am visiting a site frequently, so I end up having to redo many permissions and even a small increase in convenience is nice.
Gotcha, that's fair enough!
It's kind of hidden, but if you select the wildcard in the top-left domain list of uMatrix, you can disable classes of requests by default. eg Cookies, XHRs, iframes, then whitelist them per-site.
Also highly recommended for people who are willing to spend a little more time to control where their browser retrieves content is uMatrix[1]. Written and maintained by the most esteemed Raymond Hill who creates uBlock Origin.

If you're on Chrome, don't forget to also install uBO-Extra[2] along with uBlock Origin[2], otherwise you don't get WebSocket coverage.

[1] https://github.com/gorhill/uMatrix [2] https://github.com/gorhill/uBO-Extra

Actually, Chromium (and uBO) has supported blocking WebSockets via webRequest for a while now[1], despite the desperate protests of a MindGeek employee[2].

[1] https://chromium.googlesource.com/chromium/src/+/0f198df6bc8... [2] https://bugs.chromium.org/p/chromium/issues/detail?id=129353...

All this time I assumed 3rd-party frames were blocked by default in uBlock Origin. I never even noticed the line in the Dynamic mode UI :/
This is what worries me a bit about browser extensions like 1 password and other password managers.

Could a website that has a keylogger in it potentially pick up these keystrokes when I put my password into an extension?

No. They only have access to anything inputted within their site's window.

I think this article is a bit sensationalist. These sites already have access to all of your data (stored in their databases!). There's nothing additional they are gaining from this aside from how you input that data. That is much less sensitive information and I can't think of another usage aside from improving their site's UX.

> These sites already have access to all of your data (stored in their databases!)

The assumption for most people is going to be that they have the data that you explicitly sent them. Implicitly gathering and sending data is equivalent to snooping on people without consent. It's all about expectations.

Is there a risk of information leakage?

Say for example a website asks me for something (e.g. an address, phone number, bank account number), I type it in (thus registering my keystroke presses to the keylogger) and then realise oops I didn't mean to type that, I meant to type something else

Does the website then submit the logged keystrokes for offline analysis?

Yes, theoretically in the case you mentioned.

All responsible implementations of this won't actually log PII. It's pretty trivial to withhold certain inputs. All of the services mentioned in the article have easy ways to flag an input field as private / do not log. I'd wager a lot of money that these sites are interested in gathering UX data and not scraping for accidental form input.

I suppose there's a certain level of trust involved, but I don't think that's any different than when you make an online purchase. /shrug

> Could a website that has a keylogger in it potentially pick up these keystrokes

Yes of course. All it takes is misclicking and having the focus on a wrong window, and you're toast.

Can you explain this more? What do you mean by "focus"?
By "focus" i mean the current window on your desktop that has the focus, as in, the one that's going to receive the input you give through your keyboard. I've seen plenty of people (and it's happened to me too) fumble and accidentally type or paste things in the wrong window. If that window happens to be your browser on a website that does this kind of tracking, that information goes to some random third party instead of the window you thought it was going to.
The risk is actually the other way around. A page can't access data in an extension, but extensions with full permissions (most of them) can access anything on any page.

Hacking a popular extension is one of the easiest routes to fully compromising millions of users (and every account they own). People are generally unaware of this danger, but it's much worse than ads or tracking.

Not that I agree with the practice or anything, but I have to call out the how obviously maximally-outrage-inducing the headline is. From the middle of the story:

>They found that 482 of the world's top 50,000 sites used scripts provided by one of these firms.

Less than 1% of the sites did this.

God I'm tired of this kind of "journalism".

And this is why we need the GDPR. The potential for the sheer amount of sensitive personal information that this can hoover up is extraordinary.
An EU regulation for data protection (https://en.wikipedia.org/wiki/General_Data_Protection_Regula...) for anyone else who was wondering.
If you are a tech-type company doing business in the EU and this is news to you, hie thee hence to a lawyer forthwith. The GDPR has teeth. You are not going to want to discover you're in violation the hard way.
2018 will likely not see active enforcement, a couple of stern warnings and maybe a single case to court to show they mean business. But I fully expect the hammer to come down in 2019 and frankly I can't wait.

I look at a lot of companies professionally and the range goes from: "GDPR? What is that?" to "Sure, we're ready, here is what we did and we are already compliant.".

Most companies are somewhere in the middle between those two, they are aware that something is changing but they are still trying to figure out the impact on their business. Lawyers are - unless their specialty is privacy law and they have boned up on this - pretty useless and generally tend to know even less.

It's our fault for turning the web into the monstrosity it has become. Web browsers are for displaying hypertext documents. DOCUMENTS. Why on earth are we executing code at all?
For the same reason all major document formats execute code.

PDFs execute code, DOC(X)s execute code.

Users want features: interactivity, automation of various bits, etc. Features = users = money. Money > anything (security, privacy, etc.).

PDF code execution is an implementation detail. It's there for data compression purposes, not interactivity. DOCX macros are disabled by default.

Code execution by default in HTML documents is unusual.

Javascript was tacked onto PDF a few years back for interactive display.
Plenty of that could have been achieved by slower but more consistent and secure development of extensions to HTML.

That wouldn't give you Google maps, docs or gmail, but the vast majorit of SAAS products could have probably been created in one way or another with the restriction that no code could execute client side.

More and more pages that could have worked just fine now render as totally blank because client side frameworks are now being pushed from every angle. As an end user there is no clear advantage to this.

> That wouldn't give you Google maps, docs or gmail

So, it wouldn't have given you three of the most important and useful applications in the modern world, used every day by millions of people.

No, it would not have given you those on the web. You could have simply made applications that do the same thing.

Gmail could have been made to work (on the web) by the way, just not with such a spiffy interface, and maps probably as well.

> just not with such a spiffy interface

What makes you think that's not the main selling point of those applications? "Except for that one thing that normal people care about, my sticks-and-stones are just as good!" :)

Works in a secure and predictable way without eye candy to me trumps works in an insecure way but has eye candy.

Software was plenty usable before we had the CPU power to burn on 'pretty'. In fact, in many ways it was more usable.

To some extent hardware has outpaced our ability to do useful things with the cycles and transistor budgets available. So we've become super wasteful and our software is now mostly immature. If instead clock cycles had doubled every decade or two and ditto with the transistor count we probably would have had a much more mature software eco system as a result, rather than a bunch of pretty junk with plenty of that pretty junk as a service rather than as an application that you control and all the security headaches that come with that.

The web has shown us that people don't want to download an app for everything.
It's more complicated than that. The web is being run by companies that would rather sell you a service than a one time install. Hence the feeling that in 9 out of 10 of those cases the only reason the product only works 'online' is to serve its creators, there is no added value for you the consumer.

I've got a 5 year old 'TomTom', a simple and dedicated navigation device. It beats the pants of all the connected versions out there because it simply always works. I didn't download anything for it, you just switch it on, it takes about 30 seconds to find its bearings (longer in urban canyons) and then you tell it where to go, with pretty much all of Europe covered. User interface is a dream compared to mobile phones and most other in-car navigation systems.

Turn-by-turn voice navigation works and works well. No online service even comes close for that application.

So, whatever the web has shown is that people don't want, at least speaking for myself you can keep your services and give me that download.

Word processors and email clients existed before the web was created.
And especially for email clients, they sucked. You know why? Cause I couldn't check my email anywhere. With mobile devices this is less of an issue. But even with those, often I want to access an account I don't have (or don't even want to have) configured on my phone/tablet.

And guess what, nothing beats the convenience of the web's 0-install in those cases.

Even fonts execute code (truetype/opentype, at least)
The web became a place to do business. You can't do business just sharing documents.
Businesses existed before the creation of Javascript. Conducting most business does not require a Turing complete language and executing arbitrary code on every document.

The HTML <form> is all that is needed to conduct business. The web was created as documents+forms in the IBM 3270 model, which businesses and other other organizations were using since the 1970s.

Once again, this is why I've blocked javascript for years. Browsers really need to start offering this without add-ons or extensions.
Whenever someone complains about a website not working without javascript enabled, someone inevitably responds "it's 2017, you can expect javascript to be enabled". I think that piece of knowledge is outdated:

- Late 1990's: static html documents + forms - early 2000's: shitty DHTML scripts that added nothing - early 2010's: javascript + gracefully downgrading sites - 2015/16: required useful javascript everywhere - early 2017: trackers everywhere, html5 popups, trackers, spywhere, trackers, bitcoin miners, trackers, etc, etc.

2017 is the year where you NEED a javascript blocker. What's the use of having any security at all if you're going to leave the biggest attack vector in modern times completely unprotected?

Plus, the web has become completely unusable without a script blocker.

I used to be big into webdev back in the .com wave.

Nowadays I always push for HTML5/CSS3 with minimal JavaScript, preferably with server side rendering.

For anything really complex I usually try to see if it can be done as native app instead.

> the web has become completely unusable without a script blocker.

When you exaggerate like that, it diminishes your point. I use the web all day, every day and I have never installed a script blocker.

Maybe not outright unusable, but certainly really fucking annoying.

Not to mention hazardous.

Which browsers don't allow this? In Firefox and Chromium, you can switch off JavaScript entirely in preferences.

The extensions just make it easier to allow whitelisting sites that you trust and that require javascript, or toggling for the current site.

I agree that this can be used for ill, but there's a number of very valid reasons to use these tools:

- Heatmap views of where people hover and start to type

- capture of individual sessions to research support cases

- Better understanding of user flows through a site or web app

And all of these tools, at least the reputable ones cited in the article, allow you to mask fields or parts of the screens so that PII isn't captured, and reputable companies do that.

The other part of this is that I don't think the article captures well is that these tools aren't used for targeting of ads or personalization or "spying" in the sense of malice, but to try to better understand users, what they're trying to find on a site, and clarify pain when using applications. I also think the people that use these tools, generally speaking, are perfectly fine with blocking them, since it's meant as a diagnostic and analytic tool.

Passwords, medical records and credit card information are so sensitive that it's irrelevant that there are good uses for the tech that captures them or that at some point in the pipeline they get masked.
So, to be clear, the way at least the tools I've worked with operate:

- websites implementing these tools need to specifically opt-in text fields they want to capture the inputs for

- for HTML-side capture, the javascript will obfuscate PII before sending it to the servers

- some of these tools will not capture password fields under any circumstances

Does that address some of your concerns?

No. There's too many parties involved I'd have to trust to a) want to keep my data save and b) don't mess up. And even if both are true, I have to accept yet another way with several points of failure where bad agent could exfiltrate my data.
But this is being run by a party you trust with that data in the first place surely?

It's capturing the things you are typing into the website's input boxes!

Just because you trust the first party site with that information doesn't mean you would necessarily trust a third party to store or transmit that info.
We trust the website we give our information to. It is https-based (else my browser will tell me) and probably using an ORM that will 99% of the time hash my password. But the javascript layer...

Sorry, call me paranoiac, but i will never trust the javascript of a website. With no webdev experience, i was able to inject js (almost by mistake) three years ago. Moreover, is the js communicating with the backend using https too? How can i check that? Are those js library on the website server, or are they hosted by a third party? I can trust them, but how do i know that no attacker was able to modify those scripts? Yes, those risks are small, but i'd rather have ublock making those risks closer tho 0 than not, am i wrong?

That's mostly fine, but it should be clear to me (the user) that it is happening.
> number of very valid reasons

I'm genuinely curious what steps are executed once this data is collected.

Also, in theory, you only need to do this after design/layout changes and only for a while, so what justifies collecting it all the time? I might be wrong though.

Usually if someone complains to support, their session can be tracked down and sent to the devs.
o.O that goes massively against data protection laws.
There are definitely SaaS tools that let you watch a user's session on your site. They stitch together page transitions, show you the mouse cursor moving around, what they type. It's like watching a remote desktop session. Creepy as hell.
Data protection laws? Provide some examples.

Google does this on all of their products. And people that have left Google have made their own versions of this software for others to use. For example: https://www.fullstory.com/

So, again, the use cases here are varied. For the most common, which is understanding user behavior, you'll do something like:

- I'm going to capture 5% of users sessions as they progress through a purchase funnel

- I capture data for a few days after a design change, and look at behavioral changes, such as spending more time in a particular step of the funnel

- Where there's something weird going on, I'll watch an aggregate view of people's mouse behaviors - I can then see that a lot of people are hovering between two different buttons, or highlighting a particular sentence

- Based on that feedback, I'll do an A/B test of changing the button textx or the dialogue message

- Capture more data, did that change?

It's not "Let's go look at john smith's website behavior" except in the support example, where you get a user's consent to do that, and you usually only do it for internal corporate applications where there's a dedicated helpdesk.

Doing this without explicit user consent (explicit, detailed and with risks shown) is illegal for all 'good' use cases. (At least in the EU). It is criminal for all others.

Edit: It also needs to be stored anonymously, though even people I know who build wifi/bluetooth tracking software&hardware say that is almost impossible.

So, in a GDPR world, it is true that you need to get more explicit user consent for the gathering of this permission. However, I think it's overly dramatic to say "illegal for all good use cases" and criminal for others. These tools have been used for years in the EU, with signoff from lawyers and regulators when PII is being obfuscated or removed.
GDPR is addressing precisely these things though, and tightening up the allowed actions. It doesn't really matter if it was previously allowed, you need explicit documented consent to store PII.

But, I thought it wasn't coming in to force until next May.

There's a lot of "valid reasons" for doing a lot of bad things.
there's a number of very valid reasons to use these tools

They're very useful for testing. I don't think there's any debate about that. The issue is with using them in production capturing everyone's data with no regard for a user's privacy.

I've found these tools extremely useful to understand user behavior. We rely on Fullstory all the time to improve the user experience, to identify bugs, and to debug user issues.

The result of these tools is a far better user experience on our site and many other sites.

"recording every keystroke" makes it sound like there's malicious intent, but it's misleading. It should be added that all these tools have a lot of options to avoid tracking sensitive data (like password fields) and we always rely on that (in fact anything else would be a compliance violation for us).

I don't have any malicious intent, but don't mind me as I set up camp here in your bedroom...
> "recording every keystroke" makes it sound like there's malicious intent

Thinking from a security perspective, I'm not sure "intent" is an important consideration. The question is: should third parties have the technical capability to do this?

IMO there are enough bad actors out there to answer this with a resounding _no_, at least by default.

If you want to record user browsing sessions, you should ask permission.

I suppose the issue here is that these aren't really "third" parties doing the recording, even if they're using third-party scripts.
Yeah the owner of the website which include the script has only their website data.

The third party follows users over all the websites they're deployed on. Best example is google analytics and all beacons scripts (G+, FB like, share on twitter etc.) which track you almost everywhere.

Those are all valid reasons. But what these companies need to do instead is pay consenting users to engage in usability sessions.
I know plenty of companies would pay a lot for usability sessions if they were remotely accurate (and they do anyway), but they really aren't like regular users using the site naturally.
Because people don't think they're being watched.

... so it is deceptive to watch them.

"There are a number of very valid reasons to install cameras and microphones in every living room. Consider the amount of domestic abuse that could be prevented this way! Also, interior designers could further understand and tweak the layout of people's living rooms for optimal recreation and entertainment."
A more correct comparison is a store recording how people shop in their locations to better optimize paths and locations of products. Your comparison is more like an app that watches everything you do on your computer outside the context of the app.

Not quite the same thing.

An even more correct comparison is if you invited a salesperson into your house and they had hidden cameras and other sensors recording everything.
Not really, because again it doesn't recorded anything outside of it's context. It's more like being part of a user study group every time you use their product, whether or not you want to be, or agree to be.
Fine then, compare it to a TV that watches you back whenever you're looking at it.
false, many many websites have much of your very personal information, information that is not leaked by walking around a store.
Unless you signed up for the loyalty card.
Certainly if someone breaks into my house and watches it with not-spy-at-all cameras, they can know how I live and provide me with better products shaped for my habits and preferences, and help me with emergencies or particularly difficult tasks. But that might be sliiightly inconvenient at times, no?
Not quite the same thing.
> what they're trying to find on a site, and clarify pain when using applications.

No. We are doing analytics for the sole purpose of selling our products and services better. Let's not kid ourselves into thinking we are spying on our users for the greater good. Nobody implements user tracking simply to make their user's lives better. If it does happens, it's merely a side effect of our sales strategies.

We use HotJar at work, and it's super useful to see heatmaps of what people click on and what they ignore.

This article is a little clickbaity- it implies your passwords and other private info are being stolen, instead of just webpage clicks.

Maybe people can hack those tools for ill but that's true of almost any web software platform.

That's because they ARE being stolen. Maybe not intentionally, but when you log every keystroke, and the user happens to type passwords and other private info in those keystrokes, those are bound to get captured.
I don't want to be alarmist, but just because it's not stolen doesn't mean that it isn't logged. I've worked with Dynatrace. I've used it piece together bugs that QA had found but couldn't reproduce a second time around. It's truly powerful software.

After a set of test data refresh, we lost some of the new test passwords associated with some of the new data. Then it clicked: Dynatrace has keylogging. I searched for login events of those users, and sure enough, there were the keystrokes for the passwords of each of those users.

Yes, this kind of software is a godsend for debugging, but improper usage, storage or transmission of data is a real concern.

Bit hypocritical of the publisher to be decrying intrusive analytics when their site is running Comscore and Chartbeat tracking.

Not to bash the BBC – all web publishers are using this stuff and loads more. The BBC are unusually good actually, as their sites don't run adverts and all the adtech crap that comes with them.

As someone who designs and builds websites, the data provided by platforms like Hotjar etc. are very useful. And the advertising stuff is required if you want to keep the lights on (unless you have another source of funding like the BBC).

As a user I block it all with extreme prejudice.

> Not to bash the BBC – all web publishers are using this stuff and loads more. The BBC are unusually good actually, as their sites don't run adverts and all the adtech crap that comes with them.

Recently I was surprised to discover that the Australian equivalent that also has no advertising has half a dozen trackers on there main page. Plus twitter integration and CDN material.

This is sensationalized, fear-based reporting. Classic case of someone publishing a strong opinion about something they don't understand. Unless she is trying to imply that security issues are inevitable, session replay tools are used to improve user experience in 95% of cases.
Is there a browser or extension which doesn't enable mouse and keyboard events by default? I would like to see permission alerts for mouse and keyboard listeners similar to location permission requests.
When they "record every keystroke", do they mean: a) every keystroke on that particular webpage? b) every keystroke of any webpage on any tab of the browser? c) every keystroke on the laptop itself?

If it's b or c, I have a MAJOR problem with this.

It's referring to scenario A, since the code only runs on that webpage (or any others with it).
Assuming no bugs in the browser's same-origin implementation.
B and C are not possible, it's talking only about scenario A.
Does uBlock origin block these recorders without having to do all kinds of crazy advanced config?

Edit: TO anyone else wondering the same thing, the answer is no. However, Ghostery does block it. I didn't like ghostery before because it broke all kinds of sites, so this time around I re-added it except I ONLY selected the "Site Analytics" category and left all the others blank (which can be handled by uBlock origin)

Ditch Ghostery, they collect and sell your information (how ironic). Use Privacy Badger instead.
That didn't block the inspectlet demo: https://www.inspectlet.com/hello/capturedemo

Do you have a source for them selling data?

That demo doesn't record anything at all here, or at least it certainly cannot play anything back. I'm using Privacy Badger and uBlock Origin (with dynamic mode on).

In all fairness to Ghostery, it seems they've cleaned up their act after being bought out by Cliqz: https://adexchanger.com/data-exchanges/ghostery-sheds-ad-tra...

Specifically, it was the Ghostrank feature that was troublesome: https://en.wikipedia.org/wiki/Ghostery#Criticism

I don't know how the current version of Ghostery behaves.

It's more than hundreds. I'm guessing that each of Inspectlet, Hotjar, Mouseflow, Crazy Egg and Full Story has hundreds of customers.

But it's not 'every keystroke', but keystrokes you make whilst interacting with a page on that particular site.

(comment deleted)
Many a year ago, an ad firm used to track the words you highlighted with your cursor. I wrote a userscript that highlights every letter repeatedly to spell out "FUCKYOU" when it loaded that company's JS.

I mean why do advertisers think its impressive to do this? I swear they increase their intrusion and in return more and more people tune into ad blocking. And don't even ask what I do about sites that insist I turn it off -- I blacklist them.