Tynt Insight Is Watching You Cut and Paste

jerryasher writes "In recent weeks I've noticed that when I copy and paste text from Wired and other websites, the pasted text has had the URL of the original website appended to it. Cool, and utterly annoying, and how do I make that stop? Tynt Insight is a piece of Javascript that sends what you copy to Tynt's webservers and adds the backlinks. Tynt calls that a service for the site owner, many people call that a privacy invasion. Worse, there are some reports that it sends not just what you copy, but everything you select. And Tynt provides no opt outs. Not cookie-based, not IP-based, but stop-it-you-creeps-angry-phone-call-based. It ain't a pure useful service, and it ain't a pure privacy invasion. But I sure wish they'd go away or have had the decency never to start up in the first place. I block it on Firefox with Ghostery."

use noscript!

Only run the javascript you want.

Re:use noscript!

[melikamp]

I have to second this. NoScript is now my favorite extension, with ABP being a close second.

Re:use noscript!

NoScript users are going to be a minority of internet users, but you have to be INSANE to browse without it.
I whitelist base 2nd level domains, but noscript really highlights the amount of CRAP that many sites use, like fuck-up-you-shit-apis.com

A page rarely appears, or functions differently with all 3rd party scripts blocked. It also might be blocking some advertising, but I can't tell if Adblock got there first.

Re:use noscript!

Maybe I'm doin' it wrong, but NoScript broke an awful lot of the web when I was running it using default settings. AdBlockPlus, on the other hand has a 0% false positive rate for me.

If you want widespread adoption, I think the ABP route is the one to go for, even at the expense of letting some new/unknown scripts through.

Re:use noscript!

[virtualXTC]

Comparing the false positive rate of ABP to noScipt is about as useful as comparing apples and oranges. ABP is a blacklist based service, Noscript is a whitelist. Therfore ABP only has false negatives (including all of the things you need noscript for). No-script therefore has only false positives. Unfortunately, un-like ABP, a user curated list isn't practical; as soon as you do and whitelist a paticular script, someone will change it to do something malicious.

....the fact that some users are too dumb to figure out how to use no-script makes me like it that much more.

Re:use noscript!

[ahabswhale]

NoScript is whitelist oriented. You have to explicitly tell it what sites are ok to run javascript. If you don't do that, you're opening yourself up to a world of hurt (especially if you ever browse porn). Once a site is whitelisted, you shouldn't have any problems with it at all.

Re:use noscript!

comparing apples and oranges.

You said the magic words!

Gentlemen, I repost Apples and Oranges: A Comparison

Thought JavaScript clipboard was opt in?

[tjstork]

I thought that to allow JavaScript to access the clipboard, you had to opt in, and even then, you can't really do it the right way under FireFox or Chrome. Like, JavaScript clipboard access is an IE only thing.

  Are we sure this isn't a Java application or something?

Re:Thought JavaScript clipboard was opt in?

This can be done by overloading the Ctrl+c keypress event, etc.

Re:Thought JavaScript clipboard was opt in?

[FlyingBishop]

It's plain JS. It doesn't actually access the clipboard. It just tells what you're highlighting through mouse interaction.

In any case, I blacklist *.tynt.com in hosts.

Re:Thought JavaScript clipboard was opt in?

=O=

Re:Thought JavaScript clipboard was opt in?

[FlyingBishop]

http://man.netbsd.se/?find=hosts.deny+5+30

I think the proper way is ALL: .tynt.com

*.tynt.com shouldn't work on any platform, to my knowledge.

Re:Thought JavaScript clipboard was opt in?

[clone53421]

Blocking .tynt.com doesn’t block tynt.com itself. You have to use two entries.

Re:Thought JavaScript clipboard was opt in?

[broken_chaos]

The specific URL to block, in case you don't want to block absolutely everything from a domain, is:
http://tcr.tynt.com/javascripts/Tracer.js

Re:Thought JavaScript clipboard was opt in?

[ais523]

Some moderators also do it to reward the poster (or cancel out a mod-down, as the grandparent says). Modding someone funny doesn't increase their karma; modding them interesting, informative, insightful or underrated does.

Other script blockers will work, as well

[srmalloy]

NoScript will also block it, and if you configure it to block by default, Tynt's code will never execute unless you specifically permit it.

Re:Other script blockers will work, as well

[maxwell+demon]

It's not in my NoScript whitelist (just checked). But anyway, even if it were, RequestPolicy would reliably block it anyways.

Re:If its just JS break it.

[TheRaven64]

I often randomly click on a page while I'm reading and select bits of text. If I visit any site that uses this, then they'll get a lot of data but no useful information from me.

Re:Snopes

[Unbeliever]

I don't use noscript, but have been noticing lots of disabled copying on more and more websites.

The simple fix I use is to Ctrl-U/View source and copy from that window.

Easy Adblock Plus Filter

[CritterNYC]

Just add a filter to to Adblock Plus in Firefox. Go to Adblock Plus's preferences page, click Add Filter and enter:

http://tcr.tynt.com/*

Then just click OK or Apply.

Re:Easy Adblock Plus Filter

[bheer]

They also use http://wau.tynt.com/javascripts/TyntLite.js for some pages, so I'd recommend adding http://*.tynt.com/* if your blocking system supports multiple wildcards.

Re:Easy Adblock Plus Filter

[InvisiBill]

Similarly, I blocked http://*.tynt.com/javascripts/* myself. I prefer to be as specific as possible for what I want to block (their scripts in this case) so as not to completely block the whole site, while still trying to block the widest swath of the unwanted stuff. Not that I ever plan to go there, but this way it won't block it if I decide to check out their ToS or something.

Re:Easy Adblock Plus Filter

[clone53421]

Just subscribe to the EasyPrivacy filter list.

It includes the filter ||tynt.com^$third-party already.

Based on Selection

[CritterNYC]

It's based on selecting text, not copying and pasting it. So when you select the text in your browser, as soon as you finish making the selection, it sends the info on what you selected back to Tynt. It also adds in the attribution link to the selected text (although you won't see it in the web page). Then when you CTRL-C or right-click and copy as usual after making the selection, you get your selected text and the attribution link.

That's how it avoids needing to use Javascript to do anything to directly touch the clipboard (which is disabled by default in your browser for security reasons).

Re:Based on Selection

[sproingie]

All browsers offer an API for getting at the current selection. You just hook MouseUp and read the selection. Nothing so low-level as translating mouse coordinates.

rename extension.xpi to extension.zip ... profit!

... closed-source software?

1. rename extension.xpi to extension.zip
2. open extension.zip with unzipper of your choice
3. read all source-code
4. ???
5. profit!

Re:Why collect that data?

[LMacG]

I wonder if they tracked me copying the URL for their page - Why Tynt Insight?

How Tynt.com says to avoid being tracked...

[landrew]

This from their FAQ - Technical Topics (http://www1.tynt.com/faq-technical-topics):

Q. How can I block Tynt Insight from monitoring my actions?

A. Tynt understands that some people are uncomfortable having events from their web browsing recorded in a database. We take your privacy concerns seriously and we are therefore investing considerable effort into developing a feature that will allow users to block Tynt software across all the sites that are using it, from within their own browser. Until we have this blocking feature ready, it is possible to achieve a similar effect by using one of the many ad blocking components available on the net. For Firefox users, we have found Adblock plus to work well, and Super Ad Blocker is effective for IE users.

I can't wait to download and install software they've written to help me block them from tracking me with their software. Good thing I'm using Ad Block Plus and NoScript while I wait, or they'd know I cut-n-pasted that...

Re:How Tynt.com says to avoid being tracked...

[clone53421]

AdBlock Plus filter:

||tynt.com

hosts file seems to work

[jtroutman]

I seem to have stopped this by adding the following to my hosts file:
127.0.0.1 www1.tynt.com
127.0.0.1 tynt.com
127.0.0.1 www.tynt.com
127.0.0.1 w1.tcr112.tynt.com

Re:hosts file seems to work

[jtroutman]

and... fail. For some reason it stopped and has now started again. I'll look into it further when I'm back in front of a computer.

Re:Kind of One Sided Review of the Service

[LMacG]

Part of the problem is that the script seems to want to communicate to the server even when you've only highlighted text. As mentioned in another post (that the mods on acid seem to have gotten to), I highlight when I read. I don't know why, but it's what I do. I'm NOT copying, but tynt is still tracking me; the "cite your references" argument doesn't apply.

As far as just not using Wired.com, that completely ignores the fact that many other sites have this POS JS running; I first noticed it at the New Yorker magazine site.

in Opera...

[AliasMarlowe]

Just make sure that the option "Allow scripts to detect context menu events" is left unchecked (this is the default). Then you can select text/graphics/whatever, and copy operations via right mouse click are not observable by javascript.

In fact, javascript can't detect any right click actions in Opera unless you explicitly allow it. So copy, paste, translate, search, dictionary, encyclopedia, etc. actions can't be monitored by javascript in a web page.

This feature was in earlier versions of Opera as well, but the checkbox was named differently.

Re:in Opera...

[LordKazan]

having right click detection disabled breaks some very useful sites.. like Google maps

Re:in Opera...

[sconeu]

Then allow it in your site preferences for maps.google.com

Re:in Opera...

[freeweed]

Yes and no. It took my slow brain a while, but I eventually realized that when you right click in GM, and the context menu comes up, you can hit escape and it will go away - leaving the Google menu for "directions to here", etc visible.

Broken, but with a simple workaround.

Re:in Opera...

[psithurism]

Then allow it in your site preferences for maps.google.com

Yes, but then you have to start a whole list of sites where you want right click detection allowed, among other rules to detect copy paste or whatever. Creating these exception lists always annoyed me and is only useful on the handful of sites you visit over and over again. Go to a new site and you are left wondering why certain features aren't working, until you remember to configure your allow lists accordingly.

Anyway, I never liked these lists as a solution.

A comment from Tynt

[TyntGuy]

I work for Tynt. I appreciate the discussion here and want to make sure that everyone knows we want to be respectful of the opinions here. Not sure i I will get flamed just for wading in, but I hope not. To clarify on a few points 1. Tracking and Attribution – the attribution feature is separate from the tracking features. The tracking features work very much like any other analytics tool. We do not store any personally identifiable information, but we do want to help publishers learn what content people are choosing to preserve and promote. In addition, publishers can turn the attribution feature on or off on their sites. If you want to see what is actually collected - sign up for an account and look at the dashboard, you will see that we are tracking the content, not the user. 3. What if I don’t want this behavior? We are currently working on a global opt out for users who would rather not have Tynt monitor them. In the interim you can opt out on a site by site basis (i.e. the opt out for the SF Gate is here: http://www.sfgate.com/chronicle/faq.shtml#faq1.5%23ixzz0bxLIAbL7). More info on how to not have Tynt monitor you is available in our FAQs here: http://www1.tynt.com/faq-technical-topics#ixzz0bxGzIgPZ but as pointed out in the comments here, NoScript is a very effective tool for this. Derek

Re:A comment from Tynt

[whois_drek]

You're not the customer, the websites are. They have no reason to ask the visitors to the websites to opt in or out.

Re:Kind of One Sided Review of the Service

[guido1]

The copy/paste/autolink behavior is not the privacy concern. I didn't read anyone here saying that it was.

The privacy concern is (from the summary): sends what you copy to Tynt's webservers...

So I, as a user of a random webpage, copy something for later pasting. That info, and my IP address, is sent to a third-party, theoretically for the purpose of appending a URL to the end of the text. Is that data also used for something else? Most likely. What company wouldn't try to make use of data it receives?

Since the same append functionality can be done trivially with some JS without contacting a home server, we immediately hop on the privacy horn.

Re:Kind of One Sided Review of the Service

[pdboddy]

Yes, it is Wired's content, but there are rules for fair use.

Some folks just use the highlighting part of copy to read.

Some folks copy and paste links to email themselves so they can find it later. Likewise some folks copy and paste articles, in part or in whole, to themselves to read later.

People do get annoyed when websites do things without saying such things are being done. Wired has every right to defend its content, however, it should do so in an open manner.

Re:Snopes

[shamborfosi]

Here's the script snopes uses:

var omitformtags=["input", "textarea", "select"]
omitformtags=omitformtags.join("|")

function disableselect(e){
if (omitformtags.indexOf(e.target.tagName.toLowerCase())==-1)
return false
}

function reEnable(){
return true
}
if (typeof document.onselectstart!="undefined")
document.onselectstart=new Function ("return false")
else{
document.onmousedown=disableselect
document.onmouseup=reEnable
}

So you can see that with the exception of select input and textareas, they disable selection when the mouse is pressed and re-enable it when the mouse is released.

Re:All Your base are belong to us

[elysiana]

It's not the most beautiful of prose, but it made sense to me. What are you missing here? Maybe I can fix it a bit...

"Not cookie-based, not IP-based, but 'Stop it, you creeps'-angry-phone-call-based. It ain't a pure useful service, and it ain't a pure privacy invasion. But I sure wish they'd go away and that they'd had the decency never to start up in the first place."

Does that help? Am I misunderstanding what you're getting at?

Re:NoScript

[inviolet]

Personally I have stopped browsing without NoScript enabled. I sincerely hope that the functionality it provides is adapted as a base feature in future browsers. Javascript is simply too dangerous to be trusted by default. Sites need to earn that trust, IMHO.

It is in Opera. Opera has built-in site prefs that include java, javascript, plugins, 1st and 3rd party cookies, send referer, right-clicks, etc. These can be configured per site, per domain, and both. Then you turn all that crap off browser-wide, so that your site prefs become a whitelist.

Opera is so far ahead of its time.

Re:If its just JS break it.

[mikael_j]

Or with Bind you could create an empty master zone conf that returns NXDOMAIN for everything and then tell Bind it's the master server for tynt.com and tell it to use the empty zone file, that's what I do with annoying junk domains and I only have to change it in one place to change it for my entire network.

/Mikael

Re:If its just JS break it.

[mister_playboy]

If you meta-moderated yourself, you'd know that it no longer has anything to do with moderation of the moderators.

Re:Kind of One Sided Review of the Service

[shutdown+-p+now]

That info, and my IP address, is sent to a third-party, theoretically for the purpose of appending a URL to the end of the text. Is that data also used for something else? Most likely.

There's nothing theoretic about it - they spell it out in large letters on their website. It's all about data mining first and foremost; autolinking is actually an optional add-on, and even then it's advertised as "driving up more visits" - i.e. it's a feature for site owners, not for end users.