Slashdot Mirror
Browser Spyware: Watching Where You Linger
An Anonymous Coward writes: "Just when you you'd installed Junkbuster and thought it was safe to go back onto the web, the BBC runs this story which tells you that webshites will soon(?) be able to tell whether you are reading the page, what parts of it are of interest to you, etc. Guess we can expect porn sites to be the first to take advantage of this." Or perhaps someone else is already doing this, and hasn't told you.
The next site to slashdot will be ready soon, but subscribers can beat the rush and start slashdotting it early!
Konqueror and Mozilla both allow you to disable popups while allowing JavaScript to run. I believe that at least Konqueror and possibly Mozilla as well will allow you disable or enable features on a site by site basis. The web has become a whole lot less obnoxious since I set Mozilla up to disable popups and animation. I highly recommend running a browser that will let you do this. Mozilla is now fast enough that I can actually tolerate using it and has been since a CVS build about a month and a half ago.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
How difficult is it to configure one's web browser so that it rejects most of the scripting junk out there? If you are using IE, check out the security zones feature that allows you to toggle scripting, cookies, and so forth depending on to which of four security zones a particular site belongs. I'm sure the free browsers have something much more sophisticated. Use it!
I'm proud of my Northern Tibetian Heritage
Then the javascript code in the main window will fill a string with your mouse movement like:
(100,100)-(110,100)-(110,109)-...
After the buffer is filled enough, it will update the hidden frame with a code like:
TrackerFrame.URL = "http://server/track.cgi?" + str;
That's it. That's all. Your tracking is complete.
I can imagine it now: hundreds of hits a day showing that the only widget the cursor moves to is to close the browser window. Confusion in the corporate ranks as a solution is desperately sought to the mysterious problem causing so much loss of revenue. Complete site redesign at the cost of millions. And hopefully, they'll run out of possibilities and twig to the idea of removing the spyware, and voila, hits increas again. Bleh, yeah right.
A word can paint a thousand pictures
If a JavaScript or a Java applet can subtly catch your mouse movements, then they can be imbedded in hidden inputs on the web page
No ifs about it. Javascript has quite a number of mouse dependant event-handlers, onMouseOver, onMouseOut, onMove, onClick, onMouseDown, onMouseUp.
Getting the details back to the server is even easier, just condense mousemovements into a bunch of characters (like Logo commands), stick them into a query string.
Now use a hidden image (a transparent 1x1 gif), useing javascript you can change this object on the fly - change the src attribute of that image to a cgi script, with the query string attached, plus a timestamp (making the url unique, thus not cached). The cgi-script then stores/analyses/ignores the data presented, and returns a status 204 - No change.
Its too simple, really.
On the plus side, hopefully it will convince more and more people to disable Javascript - and then boycott any websites that rely/insist on having it enabled. There's enough sites out there as competition to safely avoid intrusive websites - if not, then there's a niche market you can join.
This is not Your Rights Online nor is it news. Lets go back to bashing M$oft.
Rant Mode OFF.The Anti-Blog
Just because a store researches something doesn't mean they're going to make the shopping experience better for the consumer.
Case in point: The grocery store you referenced. Haven't YOU ever noticed that the dairy, bread, and fresh vegetables/fruits are scattered at different corners of the store.
And you know why, to make you wander the other aisles to get you to buy crap you didn't originally walk in to get.
"We're sorry, but the website you're trying to reach has been disconnected."
Their stated motivation is:
The technique they used was to "add Javascript externally to an existing web page." They mention using barnesandnobel.com, amazon.com, and ashford.com explicitely, but more had to be used given the nature of the tasks given. This seems to imply that they are able to, as a third party, add the javascript tracking to already existing sites. However, they also may be using the fact that they control the testing environment to do this, such as by inserting the code using an http proxy. Details related to how the code was introduced are not given, and would be necessary to determine how much of a privacy threat this is.
"I'm a man... But I can change... If I have to... I guess..." -- the man's prayer, Red Green Show
Mozilla definitely does allow you to disable popups. See http://www.mozilla.org/projects/security/component s/configPolicy.html
Even more off-topic:
Does anyone know how to make Mozilla lie about what User-Agent it is? My bank software rejects Mozilla, claiming it's not compatible. I'm pretty sure it is, and I want to try to make Mozilla claim to be IE on that domain.
In Mozilla you can disable any javascript method or property on a site by site basis.
So you can disable window.open, OnClose and other annoying methods.
Deny scripts access to data on your browser, screen dimensions etc.
See here for info on how to do it.
Most pop-up ads come from one of the usual banner-ad sites, not the actual website, so this feature works pretty well.
Here's my user.js file - you may find it useful. I allow pop-ups by default, except for the listed sites.
I'm a leaf on the wind. Watch how I soar.
I found the Web page of project "Cheese" at MIT. They don't seem to be using their own mouse tracking technique yet. The publication that the researchers have produced doesn't provide much more information than the BBC article.
It seems its from a company called NetActive Inc. and the file version is 4.2.3 (build Lithium)!