Tell HN: You.com extension injects tracking beacons across the web and locally
Well, I was experimenting with search engines in my browser and I had you.com search extension installed to try it out.
I didn't get to remove the extension and a few days ago while I was on the element inspector in devtools I noticed a strange div on the bottom of the page which contained a class of "you-firefox-addons-beacon". Needless to say I forward immediately and removed the extension.
I didn't get the chance to share it then and I happened to think about it today. Went ahead and re-installed the extension to make sure its still the case and no surprises it is.
I think this won't come as a big surprise as to my knowledge you.com is vc-backed so that is something one would most likely anticipate in such scenarios. Thought I share that as it might be interesting to know for people using the engine/extension.
15 comments
[ 3.7 ms ] story [ 40.5 ms ] threadI dont want this to come across as condoning the tracking. I hate being snooped on.
But everything including your vacuum tries to track you.
Anything that markets itself as personalized is just weasle speak for tracking your every move.
Nonetheless turning an extension that's sole function is to add a search engine in the browser to a universal tracker is invasive to say the least.
Installing my adblocking extension the browser told me the app is capable of reading all web pages and editing them, but I assume they aren’t using that capability to track me.
often there are shady "by using this service ..." type clauses in the most obscure places. I've even seen them in black text on a black background and only noticed because my mouse ran past it and I noticed the change.
I just take it as given that they all do, and you just need to examine the source code to see where and how.
I went back and looked at the open source code, and I can see how someone might misunderstand what is happening so I will clarify here with pointers to the open source code as well. The Firefox extension should be unminified too, so anyone who has it installed can check that the code I'm referring to is represented in that open source repository I will link to below.
Let's walk through the extension code, starting with the relevant part of the manifest.json:
"content_scripts": [ { "matches": ["://localhost/", "://you.com/", "://.you.com/"], "js": ["content-script.js"] }
This says that on domains that match ["://localhost/", "://you.com/", "://.you.com/"], we run content-script.js.
source: https://github.com/You-OpenSource/You-Firefox-Extension/blob...
In content-script.js we have:
``` let beacon = document.createElement("div"); beacon.className = "you-firefox-addons-beacon" document.body.appendChild(beacon); ``` https://github.com/You-OpenSource/You-Firefox-Extension/blob...
So if you are on localhost or a you.com owned domain (certainly not "across the web"), we add a div to the page that does nothing by itself. We do this so that our client side code can detect whether you have the extension when you are on you.com and other you.com subdomains. We had the localhost in there for convenience while developing and should have removed it before publishing, but to be clear, even with that localhost match in the code, there is still no tracking, not across the web and not locally. We'll take the localhost match out out though to avoid any confusion.
We unfortunately named that div "you-firefox-addons-beacon", which I think misled the original poster to think we were doing something with the Beacon API (https://developer.mozilla.org/en-US/docs/Web/API/Beacon_API). But we are not. It is just an empty div that our client side code checks for when it loads the page for you.com domains and subdomains so you don't see the "Install extension" buttons and things like that once you have the extension. We will change the name so that it does not create this misperception moving forward.
And to address the downstream concerns in the other comments, we don't track users around the web. We don't use tracking to provide personalized search results -- we use the App Preferences feature that is available after someone signs up.
I'm glad that it is newsworthy that our search engine and browser plug-ins don't spy on our users! Please check the source code if you'd like: https://github.com/You-OpenSource/You-Firefox-Extension and spread the good word!
The desktop Chrome extension (https://chrome.google.com/webstore/detail/youcom-search-chat...) has some additional functionality. It lets users easily switch their default search engine between you.com, our new youchat feature, and our youcode mode. It also has quick shortcuts to some of our most popular apps, like YouImagine (which is an image generation app, like Stable Diffusion).
For mobile, we have our own custom mobile browsers apps on iOS (https://apps.apple.com/us/app/you-com-search-and-browser/id1...) and on Android (https://play.google.com/store/apps/details?id=com.you.browse...) where we pack in a lot of additional features since as you mention there are no extensions for Chrome mobile and Safari extensions are somewhat hard to install.
But the div doesn't mean to be injected to anywhere else except you.com site and localhost (for our own testing). It does nothing but let us know if you are in a browser with the extension installed when accessing to our site, so that we show you a clean page without extension nudge (https://github.com/You-OpenSource/You-Firefox-Extension/blob...).