Tynt Insight Is Watching You Cut and Paste

← Back to Stories (view on slashdot.org)

Tynt Insight Is Watching You Cut and Paste

Posted by timothy on Thursday January 14, 2010 @06:31AM from the peeking-at-your-poke dept.

jerryasher writes "In recent weeks I've noticed that when I copy and paste text from Wired and other websites, the pasted text has had the URL of the original website appended to it. Cool, and utterly annoying, and how do I make that stop? Tynt Insight is a piece of Javascript that sends what you copy to Tynt's webservers and adds the backlinks. Tynt calls that a service for the site owner, many people call that a privacy invasion. Worse, there are some reports that it sends not just what you copy, but everything you select. And Tynt provides no opt outs. Not cookie-based, not IP-based, but stop-it-you-creeps-angry-phone-call-based. It ain't a pure useful service, and it ain't a pure privacy invasion. But I sure wish they'd go away or have had the decency never to start up in the first place. I block it on Firefox with Ghostery."

42 of 495 comments (clear)

Min score:

Reason:

Sort:

use noscript! by Anonymous Coward · 2010-01-14 06:33 · Score: 5, Informative

Only run the javascript you want.
1. Re:use noscript! by melikamp · 2010-01-14 06:36 · Score: 4, Informative
  
  I have to second this. NoScript is now my favorite extension, with ABP being a close second.
2. Re:use noscript! by izomiac · 2010-01-14 07:24 · Score: 5, Interesting
  
  As a poster above mentioned, allowing 2nd level domains is a good trade off between security and convenience. Before I used NoScript I blocked external scripts using a proxy filter for years, and it's only been in the past couple that I've bothered whitelisting anything. Basically, a few APIs (e.g. Google's) and some oddly configured sites that use multiple 1st level domains are about it. Other than those, it is quite rare for a script from an external host to be something that is beneficial for the user. Usually they're ads, stat counters, or something flashy and annoying. This will get you into trouble with some shopping sites though, like Pizza Hut's where I wasn't sure if my order was placed or not, and didn't want to refresh and possible order another pizza. So I whitelisted "https://*", and that seems to work well.
3. Re:use noscript! by virtualXTC · 2010-01-14 07:26 · Score: 4, Informative
  
  Comparing the false positive rate of ABP to noScipt is about as useful as comparing apples and oranges. ABP is a blacklist based service, Noscript is a whitelist. Therfore ABP only has false negatives (including all of the things you need noscript for). No-script therefore has only false positives. Unfortunately, un-like ABP, a user curated list isn't practical; as soon as you do and whitelist a paticular script, someone will change it to do something malicious.
  
  ....the fact that some users are too dumb to figure out how to use no-script makes me like it that much more.
4. Re:use noscript! by Anonymous Coward · 2010-01-14 08:08 · Score: 4, Informative
  
  comparing apples and oranges.
  You said the magic words!
  Gentlemen, I repost Apples and Oranges: A Comparison
Other script blockers will work, as well by srmalloy · 2010-01-14 06:34 · Score: 5, Informative

NoScript will also block it, and if you configure it to block by default, Tynt's code will never execute unless you specifically permit it.
1. Re:Other script blockers will work, as well by causality · 2010-01-14 07:46 · Score: 5, Insightful
  
  Somebody's been insulted by the story. Half the replies to this story have been down-modded as Troll.
  Make note, meta-mods!
  Unfortunately meta-moderation is quite useless these days. It mattered when it produced a "fairness" score for moderators and whether they received points was affected accordingly. Now it just meta-moderates posts and not moderators, which completely defeats the useful original purpose. Anyone who's been on this site for a decent length of time has noticed the increase in low-quality moderation that has happened ever since this decision was made.
  
  --
  It is a miracle that curiosity survives formal education. - Einstein
It is to laugh. by geminidomino · 2010-01-14 06:35 · Score: 5, Funny

Epic Win for Irony.
Currently on the front page of Wired.Com
"WebMonkey:
Warning: This site may be sharing your data"
If its just JS break it. by DarkOx · 2010-01-14 06:35 · Score: 4, Interesting

If its just J/S it must be useing the browser to get or post the information back to their web server. Figure out what there net block is and black configure your firewall to send you a nice reset packet anytime your box tries to hit it.

--
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
1. Re:If its just JS break it. by TheRaven64 · 2010-01-14 06:41 · Score: 5, Informative
  
  I often randomly click on a page while I'm reading and select bits of text. If I visit any site that uses this, then they'll get a lot of data but no useful information from me.
  
  --
  I am TheRaven on Soylent News
2. Re:If its just JS break it. by Jah-Wren+Ryel · 2010-01-14 07:51 · Score: 4, Funny
  
  Don't like it? Metamoderate.
  It is impossible to metamoderate without javascript.
  The irony of that requirement is particularly stark given the context of this slashdot article.
  
  --
  When information is power, privacy is freedom.
NoScript by leoc · 2010-01-14 06:36 · Score: 5, Insightful

Personally I have stopped browsing without NoScript enabled. I sincerely hope that the functionality it provides is adapted as a base feature in future browsers. Javascript is simply too dangerous to be trusted by default. Sites need to earn that trust, IMHO.

--
STFU about slashdot bias.
1. Re:NoScript by inviolet · 2010-01-14 08:08 · Score: 4, Informative
  
  Personally I have stopped browsing without NoScript enabled. I sincerely hope that the functionality it provides is adapted as a base feature in future browsers. Javascript is simply too dangerous to be trusted by default. Sites need to earn that trust, IMHO.
  It is in Opera. Opera has built-in site prefs that include java, javascript, plugins, 1st and 3rd party cookies, send referer, right-clicks, etc. These can be configured per site, per domain, and both. Then you turn all that crap off browser-wide, so that your site prefs become a whitelist.
  Opera is so far ahead of its time.
  
  --
  FATMOUSE + YOU = FATMOUSE
Re:Thought JavaScript clipboard was opt in? by FlyingBishop · 2010-01-14 06:37 · Score: 4, Informative

It's plain JS. It doesn't actually access the clipboard. It just tells what you're highlighting through mouse interaction.
In any case, I blacklist *.tynt.com in hosts.
Re:Thought JavaScript clipboard was opt in? by tjstork · 2010-01-14 06:38 · Score: 4, Interesting

This can be done by overloading the Ctrl+c keypress event, etc.
Then from there, you can get the selection...
I got you.

--
This is my sig.
Habits by Hatta · 2010-01-14 06:40 · Score: 4, Interesting

I have a habit of repeatedly selecting and deselecting text as I read it. I probably selected the story blurb here 10 times while reading it. It would be hard for them to mine that data for anything useful. Not that I run strange javascript anyway.

--
Give me Classic Slashdot or give me death!
1. Re:Habits by LMacG · 2010-01-14 06:45 · Score: 4, Interesting
  
  I'm a "highlight while reading" guy too. That's what first made me notice Tynt, and that's what made me swich back to Firefox (w/ NoScript) from Chrome.
  
  --
  Slightly disreputable, albeit gregarious
Re:Thought JavaScript clipboard was opt in? by rhsanborn · 2010-01-14 06:40 · Score: 4, Interesting

Is anyone else half-tempted to write a script to post back random text from Pride and Prejudice, or something to that effect?
Re:Snopes by Unbeliever · 2010-01-14 06:42 · Score: 4, Informative

I don't use noscript, but have been noticing lots of disabled copying on more and more websites.
The simple fix I use is to Ctrl-U/View source and copy from that window.

--
--Carlos V.
Easy Adblock Plus Filter by CritterNYC · 2010-01-14 06:42 · Score: 5, Informative

Just add a filter to to Adblock Plus in Firefox. Go to Adblock Plus's preferences page, click Add Filter and enter:
http://tcr.tynt.com/*
Then just click OK or Apply.

--
Portable versions of Firefox, GIMP, LibreOffice, etc
1. Re:Easy Adblock Plus Filter by bheer · 2010-01-14 07:14 · Score: 5, Informative
  
  They also use http://wau.tynt.com/javascripts/TyntLite.js for some pages, so I'd recommend adding http://*.tynt.com/* if your blocking system supports multiple wildcards.
  
  --
  Go somewhere random
Based on Selection by CritterNYC · 2010-01-14 06:45 · Score: 5, Informative

It's based on selecting text, not copying and pasting it. So when you select the text in your browser, as soon as you finish making the selection, it sends the info on what you selected back to Tynt. It also adds in the attribution link to the selected text (although you won't see it in the web page). Then when you CTRL-C or right-click and copy as usual after making the selection, you get your selected text and the attribution link.
That's how it avoids needing to use Javascript to do anything to directly touch the clipboard (which is disabled by default in your browser for security reasons).

--
Portable versions of Firefox, GIMP, LibreOffice, etc
Re:Thought JavaScript clipboard was opt in? by Anonymous Coward · 2010-01-14 06:48 · Score: 5, Funny

Or an ASCII art version of goatse.
rename extension.xpi to extension.zip ... profit! by Anonymous Coward · 2010-01-14 06:49 · Score: 5, Informative

... closed-source software?
1. rename extension.xpi to extension.zip
2. open extension.zip with unzipper of your choice
3. read all source-code
4. ???
5. profit!
Kind of One Sided Review of the Service by eldavojohn · 2010-01-14 06:50 · Score: 4, Interesting

I can't get it to work when I copy paste from Wired (must be something with my setup and javascript) but I will make the unpopular statement of saying that 1) you are copying and pasting Wired's content and 2) as early as high school I was taught that if I was copying information verbatim, I had better have some sort of reference (MLA preferred).

Now, on Slashdot I drop in a link on some text like just did up there. But if I'm quoting it, I'll throw in a quote block and lead up to who said it and call it a day. Now, let's imagine a world where all that was automated when you copied something and the text you copied came with XML metadata saying all the things like where you got it, when you got it, who wrote it, etc. That could potentially be pretty useful. If you think of the web as actual works belonging to people then you can start to see how legitimately referencing other works could be made a lot easier with stuff like this. And maybe text editors could have plugins to digest it?

Unfortunately the submitter and editor of this site seem to cry privacy violation at any attempt to move past the wild wild west anything goes attitude of the world wide web. That's fine as this has an element of privacy concerns what with the phoning home. But please consider the issue from Wired's side, from the side of the author and content creators. They might just trying to help us with what we were taught in school.

Lastly, I would like to point out that another solution aside from Ghostery or Noscript is just to not use Wired's site at all. Vote with your feet and bring your eyeballs elsewhere for pageviews and adclicks. I'm sure Wired's not losing a whole lot of adclicks if you do.

--
My work here is dung.
1. Re:Kind of One Sided Review of the Service by guido1 · 2010-01-14 07:02 · Score: 5, Informative
  
  The copy/paste/autolink behavior is not the privacy concern. I didn't read anyone here saying that it was.
  The privacy concern is (from the summary): sends what you copy to Tynt's webservers...
  So I, as a user of a random webpage, copy something for later pasting. That info, and my IP address, is sent to a third-party, theoretically for the purpose of appending a URL to the end of the text. Is that data also used for something else? Most likely. What company wouldn't try to make use of data it receives?
  Since the same append functionality can be done trivially with some JS without contacting a home server, we immediately hop on the privacy horn.
How Tynt.com says to avoid being tracked... by landrew · 2010-01-14 06:52 · Score: 5, Informative

This from their FAQ - Technical Topics (http://www1.tynt.com/faq-technical-topics):
Q. How can I block Tynt Insight from monitoring my actions?
A. Tynt understands that some people are uncomfortable having events from their web browsing recorded in a database. We take your privacy concerns seriously and we are therefore investing considerable effort into developing a feature that will allow users to block Tynt software across all the sites that are using it, from within their own browser. Until we have this blocking feature ready, it is possible to achieve a similar effect by using one of the many ad blocking components available on the net. For Firefox users, we have found Adblock plus to work well, and Super Ad Blocker is effective for IE users.
I can't wait to download and install software they've written to help me block them from tracking me with their software. Good thing I'm using Ad Block Plus and NoScript while I wait, or they'd know I cut-n-pasted that...
Trolls? by jgtg32a · 2010-01-14 06:53 · Score: 4, Interesting

Does Tynt have multiple /. accounts or something? I've never seen so many posts marked Troll
1. Re:Trolls? by TyntGuy · 2010-01-14 07:14 · Score: 5, Interesting
  
  We're not a big company, and I can tell you I'm the only Tynt guy commenting here. Derek
hosts file seems to work by jtroutman · 2010-01-14 06:54 · Score: 4, Informative

I seem to have stopped this by adding the following to my hosts file:
127.0.0.1 www1.tynt.com
127.0.0.1 tynt.com
127.0.0.1 www.tynt.com
127.0.0.1 w1.tcr112.tynt.com

--
I stole this sig from a more creative user.
Re:Why collect that data? by Nerdfest · 2010-01-14 06:55 · Score: 4, Interesting

Many password storage utilities use the paste buffer to keep you from needing to type the password, although the good ones will blank it out after a short period of time. This has the potential for some fairly serious abuse.
in Opera... by AliasMarlowe · 2010-01-14 07:00 · Score: 5, Informative

Just make sure that the option "Allow scripts to detect context menu events" is left unchecked (this is the default). Then you can select text/graphics/whatever, and copy operations via right mouse click are not observable by javascript.

In fact, javascript can't detect any right click actions in Opera unless you explicitly allow it. So copy, paste, translate, search, dictionary, encyclopedia, etc. actions can't be monitored by javascript in a web page.

This feature was in earlier versions of Opera as well, but the checkbox was named differently.

--
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
1. Re:in Opera... by sconeu · 2010-01-14 07:17 · Score: 4, Informative
  
  Then allow it in your site preferences for maps.google.com
  
  --
  General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
A comment from Tynt by TyntGuy · 2010-01-14 07:00 · Score: 5, Informative

I work for Tynt. I appreciate the discussion here and want to make sure that everyone knows we want to be respectful of the opinions here. Not sure i I will get flamed just for wading in, but I hope not. To clarify on a few points 1. Tracking and Attribution – the attribution feature is separate from the tracking features. The tracking features work very much like any other analytics tool. We do not store any personally identifiable information, but we do want to help publishers learn what content people are choosing to preserve and promote. In addition, publishers can turn the attribution feature on or off on their sites. If you want to see what is actually collected - sign up for an account and look at the dashboard, you will see that we are tracking the content, not the user. 3. What if I don’t want this behavior? We are currently working on a global opt out for users who would rather not have Tynt monitor them. In the interim you can opt out on a site by site basis (i.e. the opt out for the SF Gate is here: http://www.sfgate.com/chronicle/faq.shtml#faq1.5%23ixzz0bxLIAbL7). More info on how to not have Tynt monitor you is available in our FAQs here: http://www1.tynt.com/faq-technical-topics#ixzz0bxGzIgPZ but as pointed out in the comments here, NoScript is a very effective tool for this. Derek
1. Re:A comment from Tynt by Hatta · 2010-01-14 07:12 · Score: 5, Insightful
  
  we are tracking the content, not the user.
  And when the content is personally identifiable?
  We are currently working on a global opt out
  Why not an opt in?
  
  --
  Give me Classic Slashdot or give me death!
2. Re:A comment from Tynt by Jeng · 2010-01-14 07:35 · Score: 4, Insightful
  
  If I was posting for the company I work for I would create a new account specific for the company I work for to post with. I would not use my everyday account.
  I find his post rather credible and I don't see how old his login has bearing on the issue. I find his answer credible because of the argument made.
  So, what is the reason that you are posting as AC? Just trolling are you?
  
  --
  Don't know something? Look it up. Still don't know? Then ask.
3. Re:A comment from Tynt by ibpooks · 2010-01-14 07:45 · Score: 4, Insightful
  
  If you want to see what is actually collected - sign up for an account and look at the dashboard, you will see that we are tracking the content, not the user.
  Doesn't signing up for an account with you kinda defeat the purpose of not giving you any of my information? Even signing up for your vaporware opt out gives you information about me that you will no doubt exploit in some way. In order to opt me out you need to be able to uniquely identify me.
4. Re:A comment from Tynt by Dolohov · 2010-01-14 07:54 · Score: 4, Insightful
  
  I can't speak for anyone else, but I find a couple things wrong with this:
  1) Like a number of people, I tend to highlight text as I read -- it's a good way to mark my place, and it helps overcome some of the stupid font and coloring decisions that sites make. That means you're not just telling publishers what I want to preserve and promote, but snippets of what I'm reading. That bugs me, and I can't imagine that it's useful.
  2) Maybe you're not storing or tracking personally identifiable information, maybe you are -- I have no way of knowing. (I appreciate the offer of the dashboard access, but that's just what you choose to share) I have to trust you not to, and you are not behaving in a manner that makes me want to trust you: silently sending data? Asking me to opt-out rather than opt-in? Sorry, no. I've been to a couple of the sites mentioned here and had no idea that my reading habits were being monitored in this way -- that makes me feel like I'm being spied on, and I have to wonder what else you're doing that you just haven't been caught at yet. You guys launched without an opt-out, that tells me that you consider privacy concerns an afterthought.
  3) Even if I trust you not to mistreat my data, how do I know that you're sending this in an intelligent fashion? I haven't done a TCPdump yet, but when I do, am I going to discover that you're sending what I highlight plain-text? Can someone who isn't you track me personally based on what you're collecting and sending? Is there any effort to make sure that the sites who use this are not being stupid and applying your tool to text on secure pages? How can I know without stopping and peering at the source for every page I visit?
  4) If my choices are individual opt-out on your customers who are polite enough to offer it versus either blanket blocking or global opt-out, I'm going to have to pick global opt-out even if I don't mind the polite folks using it. Otherwise I have no control over how the less-trustworthy people use it -- as an opt-out service, your whole service is only as trustworthy as your least honest customers. And I cannot imagine that your customers who rely on ad revenue are happy to have you recommending that people who don't want to be spied on use an ad blocker.
  I actually don't mind the attribution tool, I think it's clever and potentially useful -- but also something that could have been accomplished without tracking my reading habits.
  If you want to be trusted and not "flamed", it's simple: make it opt-in, and give me a good reason to opt in. You make money off monitoring my browsing habits, maybe I ought to get a cut.
Re:Thought JavaScript clipboard was opt in? by lattyware · 2010-01-14 07:07 · Score: 5, Funny

'ASCII art version of goatse.' +4 Interesting
Only on slashdot.

--
-- Lattyware (www.lattyware.co.uk)
Re:Snopes by Lord+Ender · 2010-01-14 07:19 · Score: 5, Funny

Hey boys! This feller here is calling himself "IT Ninja" but he doesn't know the difference between java and javascript! I say we run him outa slashdot!

--
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
Re:Thought JavaScript clipboard was opt in? by vnaughtdeltat · 2010-01-14 07:23 · Score: 4, Interesting

I have this terrible habit of double-clicking on text when I'm reading it, which selects it every couple of seconds. If more people did this maybe we could overload their servers.
Obfuscation on one of the big lyric sites by tepples · 2010-01-14 07:39 · Score: 4, Interesting

The simple fix I use is to Ctrl-U/View source and copy from that window.
I've seen one lyric site that thwarts this by encoding every character of each song's lyrics as a numeric character reference (for example, hello for hello). It expands the size of the markup, but for one thing, that's what mod_gzip is for, and for another thing, obfuscation of View Source makes it that much easier for sites to keep their licenses from the music publishers.