Slashdot Mirror


Over 400 of the World's Most Popular Websites Record Your Every Keystroke (vice.com)

An anonymous reader quotes a report from Motherboard: The idea of websites tracking users isn't new, but research from Princeton University released last week indicates that online tracking is far more invasive than most users understand. In the first installment of a series titled "No Boundaries," three researchers from Princeton's Center for Information Technology Policy (CITP) explain how third-party scripts that run on many of the world's most popular websites track your every keystroke and then send that information to a third-party server. Some highly-trafficked sites run software that records every time you click and every word you type. If you go to a website, begin to fill out a form, and then abandon it, every letter you entered in is still recorded, according to the researchers' findings. If you accidentally paste something into a form that was copied to your clipboard, it's also recorded. These scripts, or bits of code that websites run, are called "session replay" scripts. Session replay scripts are used by companies to gain insight into how their customers are using their sites and to identify confusing webpages. But the scripts don't just aggregate general statistics, they record and are capable of playing back individual browsing sessions. The scripts don't run on every page, but are often placed on pages where users input sensitive information, like passwords and medical conditions. Most troubling is that the information session replay scripts collect can't "reasonably be expected to be kept anonymous," according to the researchers.


  1. Web 3.0! by Frosty+Piss · · Score: 2

    Quite often, these scripts are part of jQuery or some other JS framework that "needs" to know your keystrokes as a part of the web site interface, "application" if you will. Sure, this info can be used nefariously, but most likely the purpose is the web site interface mechanics itself.

    --
    If you want news from today, you have to come back tomorrow.
    1. Re: Web 3.0! by Anonymous Coward · · Score: 1

      Did you even read the article? It discusses session replay marketing firms, such as FullStory. These are emerging companies that are finding their session recording software on more and more websites every day.

    2. Re:Web 3.0! by Anonymous Coward · · Score: 5, Funny

      You're getting dangerously close to summoning him.

    3. Re:Web 3.0! by Arzaboa · · Score: 2

      You use what's called a hosts file. Can be found on Windows and Linux. Someone can add their two cents on iOS.

      You can always block them through an ad-blocker, noscript or things of that nature in your browser.

      --
      "Ribbit" - Unknown Frog.

    4. Re:Web 3.0! by Lucky_Strikez · · Score: 3, Funny

      Yeah, but.... Surely there's SOME kind of tool that would help you manipulate said hosts file? :P Maybe someone could tell us about it?

    5. Re: Web 3.0! by Anonymous Coward · · Score: 2, Informative

      Okay, notepad.exe

    6. Re:Web 3.0! by Bite+The+Pillow · · Score: 2

      APK APK AP

      ***CONNECTION TERMINATED**+

      ---

      Filter error: Don't use so many caps.

      ---

      I earned these caps in the wasteland, and I'm gonna use them as I see fit. Are we clear?

      ---- .CRYSTAL.

    7. Re:Web 3.0! by ITRambo · · Score: 5, Interesting

      These days websites also use HTML5's canvas fingerprinting to identify your computer. If there's a way to gather any useful information, to be used for marketing, it'll happen. Check out Canvas Defender. You can change your machine's white noise at will to help mask its identity. It's really a bit sad that all this crap goes on.

    8. Re: Web 3.0! by TqUhpiQaw · · Score: 1

      Heretic!
      sudo vi /etc/hosts

      --
      We fetch your mail, we route your packets, we guard you while you surf. Don't fuck with us.
    9. Re: Web 3.0! by Anonymous Coward · · Score: 1

      Can we compile out this ability from the browser? I don't need autocomplete - and I don't need advertisers to get 'what they want'.

      While this stuff may have some uses, there are too many options for abuse. So, can I have a browser with reduced javascript functionality? Not an add-on, but a scrape-off?

    10. Re: Web 3.0! by Anonymous Coward · · Score: 1

      EFF makes a browser plugin called Privacy Badger. It will automatically block most of these scripts soon enough because the scripts will also try to track you with cookies, and that is what it detects and prevents. And you can very easily block more sites when you find them.

    11. Re:Web 3.0! by AmiMoJo · · Score: 1

      uBlock Origin allows you to use a list of hosts, and the performance is excellent...

      Shame nothing like that existed before. All those years we could have been blocking this crap, if only app had existed. I'd like to see .apk version for Android too.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    12. Re: Web 3.0! by Anonymous Coward · · Score: 1

      Fails elegantly

    13. Re: Web 3.0! by EndlessNameless · · Score: 1

      So, can I have a browser with reduced javascript functionality?

      It will improve security, but a lot of things will break. Very few web sites are simple HTML that you can poke at in your text editor.

      The best suggestion is to use a browser with Javascript disabled for normal browsing, and to have a second browser with incognito/private mode for sites which are completely broken without Javascript. And even in this case, your "safe" browser can be exposed to any malware dropped via JS exploits.

      Given the rampant snooping and exploitation, it is probably best to have a non-persistent VM with a web browser for sites with scripting, pervasive advertisement, or questionable content. Take a snapshot and be sure to reset it to its clean state after each site/session. This requires considerably more effort, although it is not particularly difficult now that Windows and Linux both offer virtualization features natively.

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    14. Re:Web 3.0! by Dread_ed · · Score: 1

      Quite funny, but if you look at the posts below it's like he Linus'ed everyone's brains. He just uploaded his ideas to the interwebs and now everyone is mirroring them! He doesn't even have to post anymore, we are doing it for him!

      Well done APK, well done.

      --
      When the only tool you have is a claw hammer every problem starts to look like the back of someone's skull.
    15. Re:Web 3.0! by rjstanford · · Score: 1

      Yeah, I guess you could call him some kind of tool.

      --
      You're special forces then? That's great! I just love your olympics!
    16. Re: Web 3.0! by rjstanford · · Score: 1

      Fails elegantly

      And with root authority too!

      --
      You're special forces then? That's great! I just love your olympics!
    17. Re: Web 3.0! by Tanktalus · · Score: 1

      ITYM

      echo '192.168.1.10 foo.mydomain.org' | sudo bash -c 'cat >> /etc/hosts'

      or

      xclip -o | sudo bash -c 'cat >> /etc/hosts'

      which doesn't seem that elegant to me. YMMV.

    18. Re: Web 3.0! by omnichad · · Score: 1

      JavaScript without the ability to respond to user input events? Yeah, just disable JavaScript then. What would be left?

  2. Google.com by Anonymous Coward · · Score: 3, Interesting

    Yandex searches as you type, so it's hardly surprising it captures and sends the keystrokes in realtime....

    But then again, so does Google, so why isn't Google on that list?

    1. Re:Google.com by thegarbz · · Score: 1

      Searching as you type in a search field while displaying that obviously to the user, and recording key strokes with no searching or other useful function for the end user are two very different things.

      Adding Google to every tiny bit of outrage just dilutes the value of the complaints against them.

  3. Not good... by Anonymous Coward · · Score: 3, Funny

    I started typing:

    "I fucking hate you, Microsoft. I'm going to bomb your Azure datacenters and slit your throats. Eat shit and die, you incompetent fucks."

    Then I deleted it and actually submitted:

    "Dear Microsoft. I hereby request that you close my Azure account as I found the service unsuitable to my specific needs at this time. Thank you very much in advance. Sincerely yours, X."

    So now you're telling me that they have seen the first version?

    1. Re:Not good... by hcs_$reboot · · Score: 2

      The words "bomb" and "die" being in the text, the NSA got it even before MS.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re:Not good... by Anonymous Coward · · Score: 1

      The first version, maybe. The second one? Nope, nobody reads information that they know you intentionally sent to them.
      They don't want user feedback, they want to know how the user works at a more fundamental level.

    3. Re:Not good... by JustOK · · Score: 1

      NSA *IS* MS

      --
      rewriting history since 2109
    4. Re:Not good... by hcs_$reboot · · Score: 2

      Interestingly, that's an anagram of "Mass Sin".

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    5. Re:Not good... by ebvwfbw · · Score: 1

      Of course they saw both versions. However they realize you really love them and don't mean them any harm. Just like what you said to your mother last week. Of course we know all about that too!

  4. 400 ? by rtb61 · · Score: 5, Interesting

    How about a list please, a useful list, name of company, data stolen, scripts and cookies to be killed upon a slow smouldering flame. How can you say 400 without having a list of the 400. That's 400 players to add to noscript and cookiemonster.

    --
    Chaos - everything, everywhere, everywhen
    1. Re:400 ? by dfm3 · · Score: 5, Informative

      The page at the first link was updated with a link to their data, complete with a list of all the offending sites that are ranked in the top 10,000 by Alexa.

    2. Re:400 ? by Arzaboa · · Score: 5, Informative

      Here is the list, linked to from the actual article. List of 400

      --
      "Ribbit" - Unknown frog

    3. Re:400 ? by Anonymous Coward · · Score: 1

      "Alexa, read me the list of 10,000 websites which track users' keystrokes and mouse movements."

    4. Re:400 ? by AmiMoJo · · Score: 2

      Privacy Badger fixes most of this automatically. It's a good option for less technical people.

      uBlock Matrix with "medium mode" (https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium-mode) kills it completely. Without medium mode it also kills it, but you are reliant on the block list authors keeping up with whatever changes are made. Since this threat is so well known, they are probably on top of it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:400 ? by Freischutz · · Score: 1

      How about a list please, a useful list, name of company, data stolen, scripts and cookies to be killed upon a slow smouldering flame. How can you say 400 without having a list of the 400. That's 400 players to add to noscript and cookiemonster.

      ...and how bad is this flaw? Can they read everything I type in the browser tab where this website is loaded, everything I type in the browser regardless of the tab I'm using or can they literally key-log everything typed on the computer as long as the browser is running in the background?

    6. Re:400 ? by Mordaximus · · Score: 1

      How about a list please, a useful list, name of company, data stolen, scripts and cookies to be killed upon a slow smouldering flame. How can you say 400 without having a list of the 400. That's 400 players to add to noscript and cookiemonster.

      They provide a zipped csv right on their site. Good to see I have even more reason to hate wordpress.

    7. Re:400 ? by Bloxclay · · Score: 1

      *Cough Cough* NSA *Cough Cough*

      --
      Switch it Off,Switch it On[SOSO] Solves 95% of all IT problems!
    8. Re:400 ? by jbmartin6 · · Score: 1

      Probably safer to just assume all of them

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  5. This is (sort of) old news by dfm3 · · Score: 5, Informative

    As one of the links even mentions, Facebook was caught doing the same with status updates (recording everything you type, even if you delete it before posting) back in 2013. What's news here is the extent to which websites are doing this these days.

    For years now I've been operating under the assumption that websites collect as much data on user interaction as possible, even including things like what links you mouse over (not necessarily click on), how long you spend reading content before moving on, and how long the cursor remains on different parts of the page. This is yet one more reason why I never browse without NoScript and uBlock Origin. Fortunately, as reported in the first link:

    Does tracking protection help?

    Two commonly used ad-blocking lists EasyList and EasyPrivacy do not block FullStory, Smartlook, or UserReplay scripts. EasyPrivacy has filter rules that block Yandex, Hotjar, ClickTale and SessionCam.


    Now that this practice is getting a little more attention, here's hoping that more of these sites will be added to popular blocklists.

    I have a nervous habit of idly swirling the mouse around while I read, and I've long suspected that sites were logging these movements. So, it's a habit that I've never tried to break, but rather I've been hoping that by passing the cursor over all sorts of page elements hundreds of times in the course of a few minutes, I'm screwing with their data collection somehow.

    1. Re:This is (sort of) old news by Anonymous Coward · · Score: 1

      As one of the links even mentions, Facebook was caught doing the same with status updates (recording everything you type, even if you delete it before posting) back in 2013. What's news here is the extent to which websites are doing this these days.

      For years now I've been operating under the assumption that websites collect as much data on user interaction as possible,

      This is the price you pay for a free Internet. "Free" meaning "no charge".

      Here are your choices.

      [ ] Pay for every website you access
      [ ] Have websites spy on you and collect as much information on you as they possibly can

      Those are your only choices. Pick one.

      I'm not saying it's right or desirable, but that's just the way it is.

    2. Re:This is (sort of) old news by theweatherelectric · · Score: 5, Interesting

      This is yet one more reason why I never browse without NoScript and uBlock Origin.

      In Firefox 57 there's now also the option to turn on its built-in tracking protection all the time, as opposed to only in private browsing mode.

    3. Re:This is (sort of) old news by AReilly · · Score: 2

      The issue isn't that web sites are doing real-time analytics. It's that they've all out-sourced the process to a handful of third party companies. No one cares that the information they've provided to the company they are interacting with over SSL gets seen by that company: of course it does. What they care about is that this stream of data is parceled up and sent (not necessarily securely, according to the article) to some company you've never heard of, and have no business relationship with.

      --
      -- Andrew
    4. Re:This is (sort of) old news by tquasar · · Score: 1

      I have the nervous habit of swirling a cat around while I read. The cat sees everything. There is no privacy. Every thing is viewed and or saved.

    5. Re:This is (sort of) old news by Anonymous+Brave+Guy · · Score: 5, Informative

      That's funny, my recollection is that we managed pretty well without the spying for at least a decade, and yet during that time the Web grew from an academic/enthusiast medium into a mass communication medium. It turned out that countless people were willing to contribute without trying to exploit others for profit as their only motive.

      Indeed, social media today, arguably including sites like this one, is still built almost entirely from contributions given freely by normal people. It's just that today, instead of everyone getting some web space as part of their normal ISP package and making their own home page or blog, we have a relatively small number of large, mostly ad-funded, mostly data-hoarding giants centralising our basic hosting instead. That has some advantages, of course, but also a very high price to pay for anyone who values privacy and security online.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    6. Re:This is (sort of) old news by Anonymous Coward · · Score: 1

      This raises the question: why the heck was "tracking" built into browsers as a function in the first place?

      My browser should only send data to the webserver when I click a link or a button. And then, it should only send data that I have explicitly entered in a web form, minus anything I've erased.

    7. Re:This is (sort of) old news by theweatherelectric · · Score: 1

      Web browsers send data to a webserver every time you request a web page and every element within a page. How could HTTP work otherwise?

    8. Re:This is (sort of) old news by holostarr · · Score: 1

      Personally, I think people are making a mountain of a molehill and thinking there is some nefarious reason behind this. The company I work for uses a product from IBM called Tealeaf which does exactly this, it records user sessions which can then be played back. The reason why we introduced this to our product was to understand our customer better to help us improve our product. For example marketing wanted to know what caused a customer to start a purchase and then stop halfway. They wanted to understand for instance if it was due to a UI error or if the customer found the options confusing? We also used this product on several occasions to identify hard to reproduce bugs. Using this product we were able to watch the recorded user session who experienced the bug and understand exactly what steps he/she took before encountering it. I think for most companies, these kinds of products are just there to help marketing or the dev departments improve their products, rather than harvest users' behaviors and sell it (I'm sure some do), because I doubt there is much value to some individual's random mouse movements.

    9. Re:This is (sort of) old news by Anonymous Coward · · Score: 1

      dude, don't be naive!
      As every (powerful) tool, it can be used for good, and it can be used for evil.

      The point is, that a web site is in a position of power in relationship with the user. And power grows exponentially with the number of users accessing the site!

    10. Re:This is (sort of) old news by Narcocide · · Score: 1

      The only thing you're doing is giving them more information to fingerprint you with.

    11. Re:This is (sort of) old news by theweatherelectric · · Score: 1

      You don't click to request, for example, any of the images. Or any other resource in the page (or subpages in iframes) which could be sourced from any other webserver on the web.

    12. Re:This is (sort of) old news by thegarbz · · Score: 2

      In Firefox 57 there's now also the option to turn on its built-in tracking protection all the time, as opposed to only in private browsing mode.

      You should do that anyway if for no other reason than to actually speed up the internet. http://www.ieee-security.org/T...

    13. Re:This is (sort of) old news by theweatherelectric · · Score: 1

      There's no reason it couldn't proactively send me those images

      The images could be served from a different server. This is commonly done by many websites, including Slashdot.

      why the flip should my browser send anything else to the server before I click another link?

      So the page can refresh itself for live updating content.

    14. Re:This is (sort of) old news by fafalone · · Score: 1

      Well well look who's here to yet again remind us how great FF 57 is. You got a script to help you do your job that flags keywords needing your response? Your affiliation is so blatantly obvious no amount of calling me a lunatic is going to help.

    15. Re:This is (sort of) old news by EndlessNameless · · Score: 1

      Once this has all played out, why the flip should my browser send anything else to the server before I click another link?

      Many web sites have dynamic content. It can be anything: a news feed, image gallery, navigation. All of those things can trigger a request for more data, some of them automatically.

      Some servers send a small starter page and load more as you scroll. Why load 10+ MB of images if you will never see them? Those images can be loaded on the fly as you read the article. They just need to pick reasonable points to preload images, and most users will never notice the difference between dynamic and static delivery. This is actually beneficial to users on metered data plans. (Some countries even have metered residential connections, which is fairly terrible but still something that those users have to deal with.)

      Most web apps are "live" in this respect as well. Do you want to lose an entire email or document because you refreshed your browser, accidentally clicked a link, or had a browser crash? What about losing a large form submission due to a misclick? Most people don't, so a lot of web apps will either stream or checkpoint your interactions.

      Now we're starting to see the shady or illegitimate use of these browser features. Some people warned that it would happen, but a lot more people wanted those features on the browser side so they could deliver applications or content the way they want. The pendulum perpetually swings back and forth between functionality and security.

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    16. Re:This is (sort of) old news by thegarbz · · Score: 1

      That's funny, my recollection is that we managed pretty well without the spying for at least a decade

      How well? My recollection was the internet was mostly a cesspool of garbage design until we started "spying" on how users use webpages.

      But we're back to the anti-telemetry argument:
      Today: don't record anything I do.
      Tomorrow: why did you do that, do you not know how users use your product?

    17. Re:This is (sort of) old news by tepples · · Score: 1

      Some servers send a small starter page and load more as you scroll

      Anti-script hardliners would prefer to follow "Next Page" and "Previous Page" links.

      Some countries even have metered residential connections, which is fairly terrible but still something that those users have to deal with.

      Hardliner: "Do I have advertisers or payment processors in those countries yet? Do I have translators to translate our articles into the native languages of those countries? No? Then I needn't take special measures to serve users in those countries. Besides, if they're on a metered plan, they can just not follow 'Next Page.'"

      Do you want to lose an entire email or document because you refreshed your browser, accidentally clicked a link, or had a browser crash?

      Hardliner: "I won't. My mail is in a native mail user agent, and my documents are in a native text editor or word processor."

      What about losing a large form submission due to a misclick?

      Websites with large form submissions already provide a save button. Slashdot labels its button "Preview". This way, the values already entered are stored in the next version of the document.

    18. Re:This is (sort of) old news by Anonymous+Brave+Guy · · Score: 1

      I personally think telemetry/analytics in terms of how someone's own site/app/service is used is a distinct issue to the kind of ubiquitous monitoring used by ad networks. Of course they both raise privacy concerns up to a point, but if you're using something that is running on a remote system anyway then I don't think it's realistic or particularly helpful to try to stop the operators seeing what their own system is doing.

      For me, that's a very different thing to putting web bugs or tracker scripts or fingerprinting hacks all over other sites, and doing so covertly so that users are being tracked by third parties that they have no knowledge they are dealing with at all.

      There's also a middle ground where you have something that is installed locally but phoning home covertly and potentially sending data the user thought was private, or an analogous situation with web sites/apps where you've got something like a form that the user might expect to be private until they explicitly submit it but which is actually sending everything ever entered even if it's subsequently edited or deleted before the user intends to continue. In these cases, I think the ethical position (and possibly also the legal one) probably depends on why the data is being sent, exactly how it's used, and what a typical user would reasonably expect to be happening or not happening.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    19. Re:This is (sort of) old news by theweatherelectric · · Score: 1

      You've made it clear that you're a conspiracy nutcase but why can't you stick to good and honest conspiracies? Like how the Grey aliens are in league with the lizard men to take control of world government which, as everyone knows, is currently run by the Illuminati and Major League Baseball.

    20. Re:This is (sort of) old news by Dread_ed · · Score: 1

      Do you know what they do with this information? I do. I got it from the proverbial horse's mouth.

      About 2 years ago I was speaking with some of the marketing people at a very large retailer I am tangentially associated with. They were describing the extent of logging activity on their corporate website. They spoke about everything this article mentions, in addition to cross site tracking, data sharing with other sites, etc., ad nauseam. I was not surprised that there was this level of logging activity. However, I am surprised that this is a surprise to anyone else. I thought this was common knowledge, self evident from first principles.

      What was fun to discuss was the level to which the gleaned information is analyzed. You can learn an incredible amount of "important" information about your website and, more importantly, your customers by tracing a customer interaction backwards through your records from a known completed outcome (sale, no-sale, etc.) to the initial instant of contact with your products. You can learn even more when you have a giant stack of "same outcomes" to compare.

      For instance you could stack up all of your "sales" in one pile and all of your "no-sales" in another. Then compare something relatively simple and one dimensional, say like how they move their mouse on your web page. Did you know that many retailers can very quickly determine with a high degree of accuracy if you are going to end up in the "sale" bucket by how you use your mouse on their website? Apparently, people move their mouse differently when they are in a buying mode.

      Keystrokes are also examined in a similar way. Not just what was typed, but when, and how. Again, comparing many different customers with known outcomes leads to a model that can predict the outcome of a website interaction from just a few bits of input.

      These are just the obvious bits that come from analyzing the data. There are much deeper inferences that can be made from a multidimensional matrix of observed behaviors, and across multiple sites. One of the other things that was interesting was how the retailer was trying to get people to move, type, and ultimately look in a way that resembles modes and mannerisms which closely approximate the behaviors of known buyers. The logic being similar to the old "fake it till you make it" adage. Or more rigorously, if we can influence a site visitor who shows "non-buying" behavior to emulate "buyer" behavior it can influence them to actually purchase. This was just in the works when I had this conversation, but they indicated that there was substantive evidence to support this being a profitable practice.

      After the conversation I will say that my determinism doomsday clock was advanced about 3 hours closer to midnight. The certainty and exuberance they had about their ability to influence behavior by informed application of stimulus was creepy as fuck. From what they revealed it was not born of hype, optimism, or marketing buzz. It was a direct result of processing the data, implementing reasoned changes, and observing the results. And this was years ago. Fuck, fuck, fuck!!!

      I can only imagine what Facebook does with all of the data that people give them. The dimensions of their matrix must be immense, and their conclusions the stuff of nightmares.

      --
      When the only tool you have is a claw hammer every problem starts to look like the back of someone's skull.
    21. Re:This is (sort of) old news by epine · · Score: 1

      Those are your only choices. Pick one.

      For plain-old-text, at a blog post parcel size, the economics of the internet very nearly fall into the bucket known as "too cheap to meter".

      [ ] Pay for every website you access
      [ ] Have websites spy on you and collect as much information on you as they possibly can
      [ ] Tell the anonymous coward to fuck off, and point out the option missed

      So there. FTFY.

    22. Re:This is (sort of) old news by Agent0013 · · Score: 1

      You really think that companies that you pay for content would not sell extra information to another company to make even more money? Do you remember Cable television? Do you remember that you pay for television, rather than watching the free over-the-air stuff, and you get it commercial-free? That did not last very long before you pay for it and you get commercials also.

      --

      -- ssoorrrryy,, dduupplleexx sswwiittcchh oonn.. -Quote found on actual fortune cookie.
  6. List of Websites by Anonymous Coward · · Score: 5, Informative

    The list of websites:

    https://webtransparency.cs.princeton.edu/no_boundaries/session_replay_sites.html

    1. Re:List of Websites by hcs_$reboot · · Score: 1

      Note that the "expected" ones are there: (main sites .com, not the .ru ...)

      Norton, Microsoft, Godaddy, Skype, Adobe, ...

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re:List of Websites by hcs_$reboot · · Score: 1

      (and btw neither google.com nor facebook.com are in)

      --
      Slashdot, fix the reply notifications... You won't get away with it...
  7. Re: Name names by Anonymous Coward · · Score: 4, Informative

    https://webtransparency.cs.princeton.edu/no_boundaries/session_replay_sites.html

  8. Slimy by Arzaboa · · Score: 1, Funny

    I guess they do really know what I'm thinking when I leave feedback but can never send the form.

    --
    "Ribbit" - Unknown frog

    1. Re:Slimy by hcs_$reboot · · Score: 1

      I doubt slashdot does that. No offense, but considering how difficult it seems to be to implement a couple of new features on the site, they wouldn't push the hard work to perform that level of algorithmics... [ anyway, in Chrome open the dev tools / console, and check if there're any XMLHttpRequests going on when you type a comment ]

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re:Slimy by Narcocide · · Score: 1

      They don't have to. Banner ads are perfectly capable of doing this type of tracking without the page's help.

  9. Autocomplete by fermion · · Score: 1

    Obviously any autocomplete functionality, or the like, is going to require keystrokes sent to the server. A post will not suffice. Google, for example, would need to save what the user typed and what the user chose, to optimize future results.

    On the other hand, much of the web is run on advertising dollars, and we are in an arms race between intrusive tracking and privacy. It is therefore anyone's guess how this will be used moving forward.

    --
    "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  10. Native app by tepples · · Score: 1

    Obviously any autocomplete functionality, or the like, is going to require keystrokes sent to the server. A post will not suffice.

    Cue the anti-script militants who prefer to download, compile, and install a native app when things like autocomplete are necessary.

  11. privacy.trackingprotection.enabled in Fx 52 by tepples · · Score: 2

    And even in earlier versions, such as the Firefox 52 that people are using in order to give Mozilla a few more months to make necessary APIs available to WebExtensions, the user can turn on Tracking Protection system-wide by entering about:config and turning on privacy.trackingprotection.enabled. The drawback is that several sites, such as TV Tropes, intentionally conflate tracking protection with an ad blocker and block page views until the user activates the "Disable protection for this site" control.

  12. Javascript? by ArchieBunker · · Score: 1

    Does disabling javascript help? I disabled it recently and the internet looks the way it used to. No fancy shit moving around with auto scrolling pages, very refreshing.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
    1. Re:Javascript? by tepples · · Score: 1

      Without script, you're limited to the checkbox hack, navigation to other documents, and form submission as the only means of interaction, and every action other than the checkbox hack results in a full page reload. Some web applications aren't very usable under these constraints. On these apps, disabling JavaScript is good for showing "please download our native app or enable JavaScript" notices.

    2. Re:Javascript? by tepples · · Score: 1

      Without script, ... every action ... a full page reload.

      And that's a show-stopper ... how exactly ?

      I can think of three reasons:

      Perceived latency
      Consider a machine on which a native IRC client is not currently installed, such as one to which you cannot forward port 113 for identd. For this, you would need to use a web-based front-end to IRC. Without client-side script, how would this web-based front-end check for new messages? Would the user have to mash F5 every few seconds in case another user sent a message to the channel? And even if it did, how would it add the new messages to the scrolling list of messages sent to the channel without having to resend old messages?

      Bandwidth inefficiency
      Say you have a discussion page where randomly chosen users who have not posted comments to a particular discussion can collaborate on choosing a score for how constructive each comment appears to be. Then the user can choose a score threshold above which comments appear in full and below which comments appear abbreviated, with only the subject, author, and first few words. If the user chooses to expand a particular abbreviated comment, and client-side script is on, client-side script fetches the full text to replace the first few words. Without script, the would have to save the state of which comments the user has chosen to expand and reload the entire HTML document, including the full text of all comments that are expanded on account of score or that the user has chosen to expand. This set of comments already expanded would also have to be included in the link or form for every single comment that isn't already expanded. Having to reload all the comments for each expansion would quickly run up the user's data bill.

      No way to input a drag
      Forms allow capturing clicks using the ismap attribute of an <img> element. A collaborative real-time whiteboard application without client-side script cannot let the cursor draw a curve by moving the mouse while its button is down. Instead, the user would have to click each point along a polyline, with a full reload of the HTML and image every time.

      If the webpage designer is even just halfway* competent only the HTML text will be downloaded

      Even if it doesn't have to redownload images or stylesheets, a web application free of client-side script has to redownload the entire HTML, not only the HTML for the parts that the user's interaction has changed. In addition, the new document would load scrolled either to the top of the document or to the top of the section identified by a fragment identifier, not to the exact point to which the user had already scrolled.

      You don't want to know how many websites place their style-sheets in-line

      They do this to reduce perceived latency. On a satellite or cellular network, each HTTP request may add a second to round-trip time. Thus placing style declarations required for the first screen inline can be a good thing because it reduces the number of round-trips needed to display the beginning of the document. I believe the pattern nowadays is called inline style above the fold.

    3. Re:Javascript? by tepples · · Score: 1

      Maybe someone should not try to transpose native apps like IRC to force it to work in HTML ?

      If there's no IRC client currently installed on a particular device, there isn't much other option. This is even more true of a protocol whose native client is not ported to a particular combination of architecture and operating system at all, such as Discord on 32-bit X11/Linux devices.

      And that takes care of ... what, a handful of websites out of the gazillion which abuse JS ?

      A handful here, a handful there, and soon it adds up to a substantial amount of use cases.

      Bandwidth inefficiency

      Already answered too.

      I don't see where it was. Though the images and CSS are cached, the HTML markup for the comments that were already sent is not because the query string portion of the URL has changed to reflect the comments that the user has chosen to expand.

      And just take a look at how this very website does it. A nice trade-off between bandwidth and providing info.

      The D2 system on Slashdot uses JavaScript. I was describing the contortion that a web application would have to make if a website were to provide functionality identical to that of D2 without JavaScript.

      Same answer as the first: If you want to do something HTML is not made for, you should maybe just stick with the/a native application.

      Same objection to the answer as the first: Not all native applications are available for all significant platforms. Please find me a complete Discord client for 32-bit X11/Linux.

      A script which allows such a dragging motion to be sent so collaboration is possible ? Doesn't sound too bad. But what does sound bad is that I have no way to allow only that script to run (and limit it to only that function).

      One possibility is LibreJS, which allows all scripts to run so long as auditable source code is available to the public under a free software license.

      Just imagine a website using AJAX requests over such a connection [with a ping near 1000 ms]

      It would still be painful, but importantly it's less painful than the alternative. Most users would find a seconds-long throbber for only the part of the document that has changed less jarring than a seconds-long throbber for the entire document.

    4. Re:Javascript? by tepples · · Score: 1

      If there's no IRC client currently installed on a particular device, there isn't much other option.

      Yes, there is. Especially with the current plethora of platforms which do rather similar stuff.

      Say you're logged into a PC owned by a public library using the patron ID on your library card, and you want to use this PC to connect to an IRC server. Without administrative access to this PC, how do you arrange for the installation of a native client?

      Say you've received a FaceTime invitation from a person with whom you wish to communicate, but you don't own a sufficiently recent Mac, iPhone, iPad, or iPod touch. Instead, your primary PC runs X11/Linux or Windows, and your primary mobile device runs Android. How do you communicate with this person?

      The D2 system on Slashdot uses JavaScript.

      That's a prime example. Why (does it use JS) ? Composing a reply is a rather non-interactive activity.

      Choosing which replies to expand and collapse is interactive.

      And maybe you should not be buying devices which cannot do what you cannot do without ? :-)

      If you had a good reason to run six applications, each exclusive to a different operating system, would you buy six devices, one to run the operating system for each of these applications? Many operating systems cannot be installed on generic hardware for legal or technical reasons, such as macOS and mobile phone operating systems.

      You're warned everywhere not to open random email attachments and/or running executables from unknown sources, but in the case of JS there still is a "just download everything and run it" attitude (pushed by website designers).

      There's more sandboxing with JavaScript than with the native executables that email worms used.

      Most users would find a seconds-long throbber for only the part of the document that has changed less jarring than a seconds-long throbber for the entire document.

      I think you are mixing up latency with bandwidth there ...

      Not necessarily. As long as the rest of the user interface of a single-page web application remains visible during loading, the user is more likely to accept the latency than if the application's interface were to disappear during loading (which is the case for script-free navigation and forms). In addition, TCP's slow start keeps a new connection at low bandwidth until it has received a few packet acknowledgments (or "acks"), and these acks take a while to come back on a high-latency connection. In the terminology of RFC 2488, satellite has a high "delay*bandwidth product" (DBP), which standard TCP limits to 65.5 kB (64 KiB).

      Even on a 10Mbit line you would be able to download a respectable HTML page (below a meg) in less than a second.

      A lot of the data links to which I refer are far slower than 10 Mbit. A single TCP connection with the standard 64 KiB window and the 560 ms minimum ping of satellite won't be able to exceed 0.9 Mbit. On a 1 Mbit link, 100 kB of changes load in 1 second, but 100 kB of changes and 900 kB of redundant unchanged data load in about 10 seconds. In addition, at a typical cellular data transfer price of $10 per GB, it costs one cent to load a 1 MB document, but ten 100 kB change sets fit in the same cent.

  13. IT'S OVER 9000! by n329619 · · Score: 1

    The list is actually really long, over 90000 to be more precise. For 'session recording' web (aka tracking) it's over 7000.

  14. Let's design a domain blocker by tepples · · Score: 1

    Give me a spec for what such a tool should do, and I might see if someone can build one and release it as free software. Does this feature set sound right for a minimum viable product?

    • Read and combine hostname blacklists chosen by the user
    • Periodically download updated blacklists from URLs chosen by the user
    • Periodically resolve hostnames chosen by the user as most commonly accessed, such as yro.slashdot.org, twitter.com, and explosm.net, and cache them locally in case of DNS outage
    • Elevate to install the combined list system-wide
  15. Re:I'm OK by tepples · · Score: 2, Insightful

    Thick Thigh Tranny Bitches.com

    Thick thighs, automotive gearboxes, and female dogs? That's an odd combination of topics for a website.

  16. Sorry by PPH · · Score: 1

    My cat was walking on the keyboard again.

    --
    Have gnu, will travel.
  17. Re:I'm OK by Templer421 · · Score: 2

    Manual Tranny or an Automatic Tranny?

    Ford or Chevy?

    What Engine and Year?

  18. Block it by AHuxley · · Score: 1

    from the browser. It's the only way to be sure.

    Can anyone suggest an extension to totally block this illegal 3rd party key logging? Ty.

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re:Block it by dcw3 · · Score: 1

      I'm not at all happy about it either, but what are you claiming is illegal?

      --
      Just another day in Paradise
    2. Re: Block it by ChoGGi · · Score: 1

      For anyone else using unbound

      local-zone: "clicktale.net" refuse
      local-zone: "decibelinsight.net" refuse
      local-zone: "fullstory.com" refuse
      local-zone: "hotjar.com" refuse
      local-zone: "inspectlet.com" refuse
      local-zone: "logrocket.com" refuse
      local-zone: "luckyorange.com" refuse
      local-zone: "mouseflow.com" refuse
      local-zone: "quantummetric.com" refuse
      local-zone: "salemove.com" refuse
      local-zone: "sessioncam.com" refuse
      local-zone: "smartlook.com" refuse
      local-zone: "userreplay.net" refuse
      local-zone: "yandex.ru" refuse

    3. Re: Block it by ChoGGi · · Score: 1

      err that should be always_refuse
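
The blocklist-merging step from the "Let's design a domain blocker" spec, feeding the unbound local-zone format posted above with the always_refuse correction, as an added example that is not part of any comment in this thread. The sample lists, the function names and the choice to drop subdomains already covered by a listed parent are assumptions made for illustration.

```python
"""Merge hostname blocklists into unbound local-zone rules (added example)."""
import ipaddress
import re

# Constructed sample lists in two common formats: hosts-file and plain.
HOSTS_STYLE = """\
# constructed sample, hosts-file format
0.0.0.0 hotjar.com
0.0.0.0 script.hotjar.com
127.0.0.1 localhost
0.0.0.0 FullStory.com   # trailing comment
"""
PLAIN_STYLE = """\
mouseflow.com
cdn.mouseflow.com
fullstory.com.
not a hostname!
evil.example" always_transparent
"""

# unbound local-zone types that block a whole zone.
BLOCKING_ZONE_TYPES = {"refuse", "always_refuse", "always_nxdomain"}
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def normalize(name):
    """Lower-case and validate a hostname; return None if it is not usable.

    Downloaded lists are untrusted input that ends up in a resolver config
    installed with elevated rights, so anything that is not a plain
    multi-label hostname (quotes, spaces, bare 'localhost') is rejected.
    """
    name = name.lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or len(name) > 253:
        return None
    if not all(_LABEL.fullmatch(label) for label in labels):
        return None
    return name


def parse_blocklist(text):
    """Return the set of valid hostnames found in one list."""
    names = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) == 1:
            candidates = fields            # plain format: "<name>"
        elif _is_ip(fields[0]):
            candidates = fields[1:]        # hosts format: "<addr> <name>..."
        else:
            continue                       # neither format: drop the line
        for candidate in candidates:
            name = normalize(candidate)
            if name:
                names.add(name)
    return names


def collapse_subdomains(names):
    """Drop names whose parent domain is also listed.

    A local-zone applies to the zone name and everything below it, so the
    subdomain entries add nothing once the parent is blocked.
    """
    kept = set()
    for name in names:
        labels = name.split(".")
        parents = (".".join(labels[i:]) for i in range(1, len(labels) - 1))
        if not any(parent in names for parent in parents):
            kept.add(name)
    return kept


def build_unbound_config(*lists, zone_type="always_refuse"):
    """Combine several lists into sorted, de-duplicated local-zone lines."""
    if zone_type not in BLOCKING_ZONE_TYPES:
        raise ValueError(f"unsupported zone type: {zone_type!r}")
    merged = set()
    for text in lists:
        merged |= parse_blocklist(text)
    lines = [f'local-zone: "{name}" {zone_type}'
             for name in sorted(collapse_subdomains(merged))]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_unbound_config(HOSTS_STYLE, PLAIN_STYLE), end="")
```

Sorting the output keeps successive runs diffable, which makes an unexpected addition from an updated upstream list easy to spot before the file is installed.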

  19. Re:NoScript, but... (use Brave) by theweatherelectric · · Score: 4, Informative

    Previously I would have said NoScript

    Use it again. NoScript has been released for Firefox 57.

  20. Noscript by Orgasmatron · · Score: 3, Interesting

    Tell me again why Noscript isn't the default mode of every browser?

    Why does, for example, slashdot think that I want to run software provided by truste.com, janrain.com or pro-market.net? I don't know any of those sites, and while I appreciate that slashdot trusts those sites not to harvest my data or harm my computer, they aren't exactly the party with skin in the game.

    If you want to see how fucked up the web is, how fucked up we've allowed it to become, install noscript and set your browser to treat OCSP failures as hard errors. We have the technology to fix this. We just don't care enough to use it.

    --
    See that "Preview" button?
    1. Re:Noscript by Dwedit · · Score: 1

      UMatrix has temporary permissions, or rather it has permissions that go away unless you hit the save permissions button.

    2. Re:Noscript by theweatherelectric · · Score: 3, Informative

      temporary permissions

      They're still there. See the developer's blog post.

    3. Re:Noscript by Mkkby · · Score: 2

      Yep, and this is why I won't DOWNGRADE to firefox 57. I'll stay frozen on 50 until NoScript has the full functionality it had before. Note, it's been released as of today but users are complaining of missing features and a terrible UI. Keep waiting.

      The internet is almost un-usable without an ad blocker and a JS blocker. I don't know how anyone can stand the slow load times and blinking/flashing ads in your face. Perhaps TV has made all this normal for most people.

    4. Re:Noscript by thegarbz · · Score: 1

      Tell me again why Noscript [noscript.net] isn't the default mode of every browser?

      Because by default it breaks most of the internet and all but the most dedicated put up with manually having to manage whitelists.

    5. Re:Noscript by thegarbz · · Score: 2

      Tell me again why Noscript isn't the default mode of every browser?

      Because by default it breaks most of the internet and only the most dedicated of geeks are happy to battle with the frustration of managing whitelists to make basic browsing work.

    6. Re:Noscript by PeeAitchPee · · Score: 2

      The problem is the 99.9999% don't understand what you just wrote, or why it's important to them. They probably do know that one of the times they let a tech-minded friend help them, certain web pages stopped working. So we're back to the same reason that fucks up pretty much everything, eventually: once you let "normal people" use it, well, anything, shit will get broken. And once you let for-profit companies use it, its original intent will be perverted. That's why we have a crippled, adware-laden crapfest of an Internet run by corps and consumed by the unwashed masses versus what was envisioned for a worldwide public network 25+ years ago.

    7. Re:Noscript by gitano_dbs · · Score: 1

      Can also stay on older versions and still patched on Firefox ESR (Extended Support Release) https://www.mozilla.org/en-US/... at version 52.5 currently.

    8. Re:Noscript by Orgasmatron · · Score: 1

      That's kinda my point. We should have been doing a better job managing the defaults that the "normies" will be operating under.

      --
      See that "Preview" button?
    9. Re:Noscript by epine · · Score: 1

      Because by default it breaks most of the internet and only the most dedicated of geeks are happy to battle with the frustration of managing whitelists to make basic browsing work.

      NoScript doesn't even remotely dent my frustration meter. There's a simple reason for this. If I can't fix the site in two guesses, the site is probably shit, anyway. This isn't sour grapes, either. The correlation is strong, and positive.

      Quite regularly, I click onto an unfamiliar web site, it doesn't display properly on first load, I right click the NoScript item at the bottom corner of my FF browser window (full screen, portrait mode, 23" monitor), and up comes a menu that occupies 60% of my vertical real estate. We're talking twenty to thirty foreign page elements.

      Man, I can not flee those web sites fast enough.

      The only time I ever get frustrated is with sites that put Amazon bucket numbers into page element URLs. For those I fire up Chromium (plug-in naked), which I only use for pages where NoScript on Firefox interferes with something I actually want to access. Then I shut Chromium down again. This happens roughly a few times per week.

      Still doesn't dent my frustration meter.

      And it's not like I'm generally a cool cucumber. I'm easily enraged/outraged by many things I encounter.

      This TED talk had me hitting the fucking ceiling.

      The first secret of design is ... noticing — March 2015

      We all know what he's talking about. As human beings, we get used to everyday things really fast. As a product designer, it's my job to see those everyday things, to feel them, and try to improve upon them. For example, see this piece of fruit? See this little sticker? That sticker wasn't there when I was a kid. But somewhere as the years passed, someone had the bright idea to put that sticker on the fruit. Why? So it could be easier for us to check out at the grocery counter.

      Well that's great, we can get in and out of the store quickly. But now, there's a new problem. When we get home and we're hungry and we see this ripe, juicy piece of fruit on the counter, we just want to pick it up and eat it. Except now, we have to look for this little sticker. And dig at it with our nails, damaging the flesh. Then rolling up that sticker -- you know what I mean. And then trying to flick it off your fingers. (Applause) It's not fun, not at all.

      But something interesting happened. See the first time you did it, you probably felt those feelings. You just wanted to eat the piece of fruit. You felt upset. You just wanted to dive in. By the 10th time, you started to become less upset and you just started peeling the label off. By the 100th time, at least for me, I became numb to it. I simply picked up the piece of fruit, dug at it with my nails, tried to flick it off, and then wondered, "Was there another sticker?"

      I've never become numb to removing a fruit sticker. There was never anything to become numb about, in the first place.

      Every night lately I've been reading my wife a chapter of Henry Marsh's excellent book Do No Harm. She confessed last night that she's getting a bit tired of cute 12-year-olds with brain cancer and lovely, long red hair bleeding to death on the OR table (this is rare, actually, but there's a chapter on it).

      Ten to the fucking power of nine fruit stickers, in every second chapter.

      Welcome to real life, all you Tony Fadell bird brains.

    10. Re:Noscript by thegarbz · · Score: 1

      If I can't fix the site in two guesses

      And you haven't dented the frustration meter? The simple reason has nothing simple in it. It's just that you have an incredible amount of patience. In the meantime the rest of the world relies on uBlock and its far more automated cross site script blocking along with specific black lists.

      No guessing. If something requires guessing it's broken. A plugin that prevents a website from loading is broken. A plugin that "regularly breaks unfamiliar websites" ... well sorry but you've just lost the majority of the world there.

      I'm not saying there's no place for noscript in the world, there's just absolutely no place for it to be a default.

  21. Ignored option by Hallux-F-Sinister · · Score: 2

    [ ] Don't pay for every website you access, that's what ads are for. Let advertisers be unable to target you and unable to track you specifically, etc., which means sellers of ads won't make as much money, and certain companies won't have billions or trillions of dollars that they only have because people tolerated this behavior. I typed a bunch of stuff after this, but no one is going to read it anyway.

    --
    Our reign has gone on long enough. Indeed. Summon the meteors.
    1. Re:Ignored option by Pascoea · · Score: 2

      I typed a bunch of stuff after this, but no one is going to read it anyway.

      There are apparently 400 sites out there that will.

    2. Re:Ignored option by Hallux-F-Sinister · · Score: 1

      Is /. one of them?

      --
      Our reign has gone on long enough. Indeed. Summon the meteors.
  22. A Lot of Trouble by techdolphin · · Score: 2

    It seems like these websites are going to a lot of trouble to discover that I can't type and can't spell.

  23. Duh! Autocomplete REQUIRES some tracking by redelm · · Score: 3, Insightful

    You know how Goggle and others do autocomplete on your search entries? Or spell check in text boxen? Or mouse zooming? How could they do this if every mouse/keystroke was not sent to them? Of course some loaded script does, and whatever else it does is probably described as "trojan".

    I do not much like this mis-behaviour and mostly browse using `links2`, a lynx-like text browser. Missing images is a feature :)

  24. websites and windows by bugs2squash · · Score: 1

    so if the website steals the errant/orphan/reconsidered keystrokes does that mean windows doesn't capture them maybe this is the lesser of two evils.

    --
    Nullius in verba
    1. Re:websites and windows by hcs_$reboot · · Score: 1

      Windows captures them at a lower level, even before the keyboard event reaches the browser. Don't worry, MS knows even more than those spy web sites.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
  25. But but ... by hcs_$reboot · · Score: 1

    what are they doing with that information? I mean 99.99% of that is completely boresome, and for the rest, they'd need a quite capable AI algo to extract relevant information. Unless there is a 24/7 staff in charge of checking the crap that's been entered then deleted... which I doubt.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  26. Web Sites Behavior Control by hcs_$reboot · · Score: 3, Insightful

    That proves (even if we've known that for a while) there is no control of web sites behavior. A concrete analogy is, you're angry after the tax office because you pay too much taxes, and start to write a letter, joking around, "go f..k yourself" etc... then throw that paper away and write the real one. Following this web site behavior, the tax officer is constantly looking over your shoulder - without you being even aware of that. This is totally unacceptable. The user should be at least made aware of that spying policy.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
    1. Re:Web Sites Behavior Control by dinfinity · · Score: 1

      Granted, in that case you are technically writing the letter and throwing it away in the tax officer's office. People think they're doing online stuff 'from home', but the internet is the digital equivalent of walking around outside, with all the dangers, 'spying' and caveats that come with that.

  27. Re:Name names by hcs_$reboot · · Score: 1

    BigBrother.com

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  28. Re:yawn .... by lucm · · Score: 1

    it's now part of IBM so we can assume it will stop working soon.

    --
    lucm, indeed.
  29. I feel pretty safe on Slashdot by Hal_Porter · · Score: 1

    The editors are much too lazy to implement something like this in their 20 year old Perl abomination.

    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  30. Re:NoScript, but... (use Brave) by Anonymous Coward · · Score: 1

    Mine just synced to 57 recently, and I hate it though. I'm not sure if I'm actually temporarily enabling sites or not. It used to have text that *said* temporarily allow. Now it's nothing but icons. Dam it. What do those icons mean? How can they screw up something so simple. It seems slow too. I hate these kinds of UI changes in general though, so maybe I'll give it some time... but... why??? The UI wasn't broken. Also, everything in FF 57 looks like it was drawn with a fine-point pencil. Yuck. It's like the arrow is barely there. Fucking shit designers, just making changes to justify their existence.

  31. And they don't even know how to use all that! by CustomSolvers2 · · Score: 1

    My current position about privacy is acceptation of the reality (everyone, everywhere dealing with my a-priori-not-too-relevant data without my express consent) + neither liking nor really minding it. The key issue allowing me to think in that way is knowing what is being mostly done with that data now and in the near future: not too much.

    Most of big-data efforts have been focusing on gathering and managing, but not on properly understanding; that's why and despite its huge potential value, most of this information isn't being properly maximised. In any case, I certainly don't support any kind of against-intention-of-user actions, I have never developed or used anything on so invasive lines and look forward to legislations to keeping up with all what is happening on the online/software privacy front.

    --
    Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
    1. Re:And they don't even know how to use all that! by citylivin · · Score: 1

      "what is being mostly done with that data now and in the near future: not too much."

      You're going to love the future then, where our descendants can go back through forums posts from the early aughts, find all the climate deniers, and charge them with destroying the planet. Which because of the anti climate denial law of 2041, is now a mandatory life sentence and confiscation of all property.

      Think it's far fetched? There are nazi hunters around the world poring through old records trying to connect the dots, 70 years after the war ended. The internet, and every single hacked (and will be hacked) database will be a treasure trove of meta data allowing anyone to go back in time to now and figure out exactly who everyone was. Heck they will probably have a service to "find what grammy wrote way back in 2017" for the low price of $19.95 per ancestor.

      I've seen the future, and breaking today's pseudo anonymity will be a game of sport for future historians. It's only a small hop to then arrest people for retroactively "bad things", what they did, or said, when they thought they were being anonymous, based on laws and societal mores that we can't even envision yet.

      --
      As a potential lottery winner, I totally support tax cuts for the wealthy
    2. Re:And they don't even know how to use all that! by CustomSolvers2 · · Score: 1

      Although your whole post is a bit too melodramatic, recent events seem to kind of prove that it might not be as crazy as might seem at first sight. In any case and luckily for me, I don't have any kind of reputation to damage (other than the technical/professional one which actually shouldn't be immune to my incompetence) or any ideas, actions, expectations, etc. to hide (right the contrary: lots of things to share, mainly to help certain clueless idiots understand that they should better avoid dealing with me). Actually, my behaviour has been becoming increasingly careless about all that during the last times. Anyone can find lots of stuff about me that, at first sight and for some people, might not look too good; on the other hand, I don't care about those people, their concerns and much less about their (non-existing) authority. I correct any error as soon as I realise about it. I update my behaviour/expectations as much and as regularly as possible, every time by doing what I consider best under the given conditions. Out of all the forms of stupidity, I despise fanatics the most; and out of all their possible versions, the coward, behind-the-back, in-group, getting-everything-out-of-context, always-looking-for-unfair-advantages, etc. ones. And I will always support these "individuals" to be disrespected, ridiculed and even bashed. I always expect everyone to be fully responsible for all what they do, but expect way much more of those daring to have a so pathetic attitude toward anyone (= doubt and conspire all what you want, but better be ready for the very-bad-for-your consequences if case that you were wrong).

      In case of having children (I still have to find the required second half and am quite demanding; so, not too sure on this front), I will make sure that they grow knowledgeable and fearless. I will do all what is in my power to help them become fully-aware persons actively contributing to make the world a better place. That world you predict isn't a world for me, for my children or for any person with a bit of self respect and knowledge. In the extremely unlikely scenario of such an eventuality to ever happen, I would be joining whatever resisting movement is available (or creating my own!) and, hopefully, my kids will join me.

      Nowadays and in rich countries, problems on these lines are usually accepted or, at least, tolerated by the victims; or even better: the victim already did (or probably will do) something similar. You know what they say: live by the sword, die by the sword. If you are a politician, show business celebrity or similar, perhaps you should be very careful when choosing allies/enemies and, if you have something to hide, better start thinking about how to deal with the eventual publicity. I am not part of this and will never be. I have nothing to do even with low-level hypocrites, standard conformists. I am an outsider even within the software development industry (IMO, much more concerned about non-technical aspects than it should be). Anyone wanting to prove that I am not compatible with whatever PC trend should find more than enough references after a short research (or could contact me and I would provide whatever is needed), but this is almost a badge of honour for me. I might be poor, have lots of debts, find lots of difficulties to get clients, over-work a lot and my whole activity might be systematically under-appraised, but I am very proud of what I am, think, do and every single step I have taken. There is no buts, no "will tolerate this little thing on exchange of getting whatever" to be ashamed, no even slightly dishonest or unfair actions. I have made tons of mistakes, but every time by thinking that I was doing the right thing in that moment and by trying to correct them/accept the consequences.

      Some people cannot understand why I do things as I do. They cannot understand the tremendous value of always doing what you think you should do by being as fair, honest, respectful to others and, at work, objective/professional as possible. Nothing to hide, not

      --
      Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
  32. Re:NoScript, but... (use Brave) by theweatherelectric · · Score: 2

    If you want UI changes in NoScript then tell the developer of NoScript. He says he wants to hear everyone's UI ideas.

  33. Re:Legal by CustomSolvers2 · · Score: 1

    Capturing my keypresses without my permit would be illegal almost everywhere.

    The most ironic part is that you have most likely given your permission, but only in a generic or even just implicit way. Additionally, most users aren't even completely aware of what web-based anything basically implies: browsing through files stored on a third-party computer, where every action can be easily tracked and stored. Another aspect to bear in mind is that a big proportion of modern functionalities do need to rely on visitor's information; temporary and without-allowing-access-to-anyone-else data gathering should be fine.

    In summary, what is required is much more control on the visitor data non-temporary storage, sharing and usage fronts. Also clearer/express indications (and ideally the option to freely reject non-essential data collection; now, you are usually forced to accept everything in order to use whatever application) about what is happening with your data at each point like via a popup before using whatever functionality.

    --
    Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
  34. Overblown. Gonna play devil's advocate. by geekymachoman · · Score: 3, Interesting

    So, this is completely overblown out of proportion. I'm a web dev, and more. Basically I've been deciding and implementing all sorts of web things, including this "tracking" everybody is hung up about. Everywhere I worked at, the "tracking" is used for the good of a consumer as in ... analyzing data to provide better user experience, to make it easier for the users to find what they need ( granted: in effort to increase sales ), when they need it, and overall just increase user experience.

    After 15 years of being in the business, I never seen tracking for malicious purposes (or purposes other than attempting to make it easier for YOU to use the website ).

    I understand the concerns people are having, but jesus christ you people talk about it like we're filming you while in a shower, just because websites track where people click and what they insert into a web form ( on their own sites ) does not mean they CARE about you. No business cares about the individual.. but about statistics, percentages, numbers.

    It's even said so in the article summary:
    "Session replay scripts are used by companies to gain insight into how their customers are using their sites and to identify confusing webpages."

    What on earth is so wrong about this ?
    For people doing it, this is you "a3727fd0a20d5eef697d3c2f41bf0e4d". This is what they see and track, and care about.

    Get over yourself, for god sake.

    1. Re:Overblown. Gonna play devil's advocate. by afgam28 · · Score: 4, Insightful

      Let's suppose that there are no malicious uses of web tracking, that it is solely used to improve the user experience. There's still a big problem, which is that a lot of software developers are just incompetent when it comes to security. And sorry to break it to you, but your post proves that you're one of them.

      If you don't see the problem with a key logger on a site that contains a password field, and then sending those logged keys to a third-party, and through unencrypted channels, then you need to be fired from your job as a web dev asap.

    2. Re:Overblown. Gonna play devil's advocate. by AmiMoJo · · Score: 4, Insightful

      Looking at the number of sites that use anti-patterns (malicious UIs designed to trick the user) I'd say you have lived a very sheltered life.

      Getting you to buy more stuff IS abuse in many cases. Jacking up prices because your page view times and mouse hover positions suggest that you will pay 10% more is also abuse, and spying. It's creepy AF.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:Overblown. Gonna play devil's advocate. by Anonymous Coward · · Score: 1

      "What on earth is so wrong about this ?"

      One serious thing; this is done without consent.
      And usually without clear policy about future use of the data, auditable by a respectable authority.
      You ping my screensize/fonts/whatever = we're at war (and if I'm still interested in your content, expect a visit through Tor).

      Web-sniffers are the new Spam...

    4. Re:Overblown. Gonna play devil's advocate. by bluegutang · · Score: 3, Insightful

      For people doing it, this is you "a3727fd0a20d5eef697d3c2f41bf0e4d".

      No, this is you: ID "a3727fd0a20d5eef697d3c2f41bf0e4d", username bob123, email address bobsmith123@gmail.com.

      And email address bobsmith123@gmail.com can be correlated with a Facebook account, medical history, credit rating, and much more.

    5. Re: Overblown. Gonna play devil's advocate. by afgam28 · · Score: 1

      Even if passwords are excluded, the article gives other examples of sensitive information like medical info that would get logged.

      The unencrypted channel thing wasn't an assumption either, the article mentions that some of the dashboards are served over HTTP, so sensitive information would be sent unencrypted from the third party tracking company to the developers looking at the dashboard.

    6. Re:Overblown. Gonna play devil's advocate. by geekymachoman · · Score: 1

      > Let's suppose that there are no malicious uses of web tracking, that it is solely used to improve the user experience. There's still a big problem, which is that a lot of software developers are just incompetent when it comes to security. And sorry to break it to you, but your post proves that you're one of them.
      >
      > If you don't see the problem with a key logger on a site that contains a password field, and then sending those logged keys to a third-party, and through unencrypted channels, then you need to be fired from your job as a web dev asap.

      So, who's talking about security ? If you want to talk about security and how tracking is done, then open another thread that discusses security. This topic, and my reply to it is about tracking itself, and session replays.
      Your assumption appears to be "if you track, you're bad at security" - which makes no sense at all.

      I never said I don't see a problem with sending password fields, or even sending them in clear text. Again, where did you read that ?

      What I said is that for people that are tracking, you are not afgam28, you are "a3727fd0a20d5eef697d3c2f41bf0e4d" for purposes of improving the UI, and automating certain things to, again, improve your experience in using our website.

  35. Re:Duh! Autocomplete REQUIRES some tracking by Narcocide · · Score: 1

    Gee, you don't make it sound very welcoming or enjoyable. I can only imagine you think the best way to make yourself feel better about your miserable life is to drag other people down to your level. It stinks of a trap. Or, maybe that wasn't your intent and in reading this you just realized you're still a petulant child after all?

  36. Re:Duh! Autocomplete REQUIRES some tracking by thegarbz · · Score: 1

    You know how Goggle and others do autocomplete on your search entries?

    Yeah I do. They don't typically do so on username or password fields. Maybe read the entire summary or article and actually understand the topic at hand before posting. Your UID is too low to be spouting something so silly.

  37. Re:Duh! Autocomplete REQUIRES some tracking by DNS-and-BIND · · Score: 2

    Here's a fun party trick: go to Google.com, type in "Hillary Clinton", and try to get autocomplete to say something bad about her. Then, try it with "Donald Trump" (impeachment was the first auto-complete result I got, it may vary with your location).

    During the James Damore scandal, I couldn't get Google to suggest anything at all about his name. It just suggested variations on "d'amore", the French word for love. Weird, eh?

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  38. Zounds! by cascadingstylesheet · · Score: 1

    It's almost as though the web were some sort of client-server technology!

  39. Re:Duh! Autocomplete REQUIRES some tracking by drinkypoo · · Score: 1

    You know how Goggle and others do autocomplete on your search entries? Or spell check in text boxen? Or mouse zooming? How could they do this if every mouse/keystroke was not sent to them?

    You know you can turn off autocomplete in your browser search field, right?

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  40. Re: Name names by Anonymous Coward · · Score: 1

    Or the CSV file here

      https://webtransparency.cs.pri...

  41. Re:Duh! Autocomplete REQUIRES some tracking by redelm · · Score: 1

    Yes, at least some browsers have this setting. And as another poster mentioned, scripts do not autocomplete all fields (uid/pwd). But this does not necessarily stop the scripts from running and sending running data, even if the browser does not show any useful return. Websites can adjust their behaviour per user, and might appear less intrusive to some users. Cookies & per-user scripts. That does not mean that they do not track and capture data, just that they are more subtle in displaying the results of tracking.

  42. Two words by volodymyrbiryuk · · Score: 1

    Use uMatrix

    --
    sudo rm -r -f --no-preserve-root /
  43. Re:Overblown by avandesande · · Score: 1

    I suspect 'cat' and 'video' is going to show up a lot in the data.

    --
    love is just extroverted narcissism
  44. Mark of the beast by HalAtWork · · Score: 1

    "He also forced everyone, small and great, rich and poor, free and slave, to receive a mark on his right hand or on his forehead, so that no one could buy or sell unless he had the mark, which is the name of the beast or the number of his name. This calls for wisdom. If anyone has insight, let him calculate the number of the beast, for it is man's number. His number is a3727fd0a20d5eef697d3c2f41bf0e4d."

  45. Poison the Well? by Maritz · · Score: 1

    Anyone ever come up with software to just pile shitloads of fake data into all these sniffers? I'd like every web page to think I hovered over every fucking link and wrote a bunch of random shit. All day every day.

    Would like to see something that requests pages off completely random websites every few seconds. Sure would make GCHQ style pricks work for their dinners.

    If you can't stop the trickle, make them drink from the fucking firehose.

    --
    I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  46. No surprise this is happening. by Bloxclay · · Score: 1

    Well well well how predictable that search engine companies are still "in bed" with the NSA and all those Nosey shady government entities. ..... #RIP Privacy

    --
    Switch it Off,Switch it On[SOSO] Solves 95% of all IT problems!
  47. Re:I'm OK by trg83 · · Score: 1

    If you're a proper manual driver, you don't have need of space for a rollback. I never had rollbacks after about 3 months of practice. It might be a little harder on your clutch, but you don't have the right to randomly back into cars because you don't know how to drive yours.

  48. Firefox ESR by gitano_dbs · · Score: 1

    I am using Firefox ESR (Extended Support Release) https://www.mozilla.org/en-US/... for this only reason, can keep using the add-ons I want. They are currently at version 52.5

  49. There are valid uses for this... by gosand · · Score: 1

    I think I understand your point, there ARE valid uses for this.
    It's frustrating to develop software and not have full understanding about how your clients use it. There is a desire and a need to have that information in raw data that can be used to make the product better. It could even be used by client support and to help prevent bugs. I'm not talking about shopping carts or blogs, but enterprise-level systems that are very complex.

    But let's not kid ourselves... that isn't what this story is about.

    --

    My beliefs do not require that you agree with them.

  50. Sounds like by no-body · · Score: 1

    jail time for somebody for illegally snooping without consent. Oh, we are in the USA, sorry for bringing that up.

  51. If I want updates, I'll press Ctrl+R by tepples · · Score: 1

    So the page can refresh itself for live updating content.

    Likely reply of anti-JS hardliners: "I don't want live updating content in the web browser. I'll press Ctrl+R to poll for new content when I want new content, thank you very much. If I wanted live updating content, I would download, compile, and install a native application that provides live updating content, such as an IRC client."

  52. Re:Duh! Autocomplete REQUIRES some tracking by hawk · · Score: 1

    It's time they start.

    I am so tired of typing out "Shazam" and "1234" in their entirety . . . :)

    hawk

  53. Re:Duh! Autocomplete REQUIRES some tracking by citylivin · · Score: 1

    "You know how Goggle and others do autocomplete on your search entries?"

    Oh I love that feature that replaces text I am typing with some other random terms and then when you try and highlight the field to delete the stupid auto complete, it actually submits the search (because you are clicking on the term in some kind of blocking mouse order drop down list). I also love the browser lag that these stupid lookups cause.

    What a wonderful feature that no one needs! Is it really hard to type entire words and sentences without a computer holding your hand for you?

    --
    As a potential lottery winner, I totally support tax cuts for the wealthy
  54. poison the well by gosand · · Score: 1

    I can only hope someone sets up a botnet to visit these sites and relentlessly hammer their pages with searches for bizarre words and profanity.

    --

    My beliefs do not require that you agree with them.

  55. TeaLeaf is now standard by JamesKeane7745 · · Score: 1

    How is this even news - TeaLeaf, since being bought by IBM is near ubiquitous on most new e-com deployments, and in this community I thought enough people would have known this fact..

  56. Wordpress plugin by wolfheart111 · · Score: 1

    There's a plugin for that. :) https://wordpress.org/plugins/... I think this one actually records a video of the user interactions.

    --
    [($)]
  57. Seeing is believing i guess by Apuleus · · Score: 1

    After 15 years of being in the business, I never seen tracking for malicious purposes (or purposes other than attempting to make it easier for YOU to use the website ).

    I have never seen a robbery, but that doesn't mean they don't happen.

  58. Re:NoScript, but... (use Brave) by Darinbob · · Score: 1

    Yes, the new noscript UI is disconcerting and inscrutable. I don't think any user input was taken into account here.

  59. Useless article: No site names included by PlaynBass · · Score: 1

    What a frickin' useless article!

    No site names included in order to protect the cash flow of the guilty. No doubt /. is one of them...

    --
    PlaynBass
  60. Is this the death of SuperGenPass by twms2h · · Score: 1

    .. at least the version that runs in the context of the web site.

    Or isn't it?

    I mean: SGP relies on you typing your master password into an entry field which it then uses together with the domain name to generate the actual password. If the sites can spy on all your key strokes, they will know your master password, which is not good.
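
    The concern in the post above, as an added sketch that is not part of the original comment and not SuperGenPass's own code: a per-site password derived from master password plus domain, and a check of which accounts become recoverable depending on whether a page recorded the master or only the derived password. PBKDF2-HMAC-SHA256, the alphabet, the site names and the master password are all assumptions constructed for the illustration.

```python
import hashlib
import string

# Output alphabet for generated passwords (assumption for this sketch).
ALPHABET = string.ascii_letters + string.digits


def derive_password(master: str, domain: str, length: int = 16) -> str:
    """Derive a per-site password from a master secret and a domain name.

    PBKDF2-HMAC-SHA256 is a stand-in KDF, not SuperGenPass's algorithm.
    """
    if not master:
        raise ValueError("master password must not be empty")
    # Normalise so "Example.COM." and "example.com" give the same result.
    salt = domain.strip().rstrip(".").lower().encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              100_000, dklen=length * 2)
    # Two bytes per character keeps the modulo bias negligible.
    return "".join(
        ALPHABET[int.from_bytes(raw[i:i + 2], "big") % len(ALPHABET)]
        for i in range(0, len(raw), 2)
    )


def blast_radius(captured: list[str], vault: dict[str, str]) -> set[str]:
    """Sites whose password is recoverable from strings recorded on one page."""
    exposed = set()
    for text in captured:
        for site, password in vault.items():
            # Either the password itself was recorded, or a secret that
            # re-derives it (the master password) was.
            if text == password or derive_password(text, site) == password:
                exposed.add(site)
    return exposed


# Constructed sample data: one master password, three accounts.
MASTER = "correct horse battery staple"
SITES = ["shop.example", "mail.example", "bank.example"]
VAULT = {site: derive_password(MASTER, site) for site in SITES}

if __name__ == "__main__":
    # Master typed into a field inside shop.example's page and recorded there.
    print("master typed in page:", sorted(blast_radius([MASTER], VAULT)))
    # Master typed outside the page; only the derived password reaches it.
    print("derived only:", sorted(blast_radius([VAULT["shop.example"]], VAULT)))
```

    When only the derived password ever reaches the page, a recording on one site exposes that site's account alone; once the master is typed where the page can record it, every derived password follows.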