Tag Archives: quantcast

Jetpack Notifications puts Quantcast tracking in your WordPress Admin

WP DoNotTrack user Marco Donati asked why the plugin did not stop Quantcast from being included in the WordPress admin pages. After some research (with the kind assistance of Marco), I discovered not one but two problems;

WP DoNotTrack relies on “output buffering” in WordPress to filter/ modify the HTML when in “Forced (default)” or “SuperClean” mode. Apparently WordPress does not use output buffering in the admin-pages, so WP DoNotTrack did not get triggered. My bad! I’ve updated the code to fallback to “Normal” mode when in admin and will push out a new version with this fix soon.

But then it got slightly ugly; even with this fix in place, the Quantcast-tracker kept on appearing! It was being called from within an iFrame, outside the reach of WP DoNotTrack. The culprit turned out to be the brand new “Jetpack Notifications” feature which -as most of Jetpack- is activated by default. As from Jetpack 1.9, you’ll see a small icon next to the greeting text on the right side of the admin-bar. When you click that icon a drop-down appears which contains the iFrame and the tracking code. To disable, in “Notifications” click on “Learn more” to reveal the “Disable”-button. Click that one and the icon, iFrame and tracker code are gone. Good riddance!

My advice to Jetpack users; explicitly disable any feature you do not use. Jetpack might offer some nice functionality, but of that is available in other plugins as well and being tied in that heavily into wordpress.com does come at a price. Moreover it seems there are some security concerns; as an user with author permissions I had access to the Jetpack overview page and I was able to activate the “Jetpack Comments” feature on Marco’s blog, but I couldn’t disable it. Call me a paranoid security-zealot, but non-administrator users should not really be able to do that, should they?

Applying Javascript AOP-magic to stop 3rd party tracking in WordPress

It was always my intention to elaborate on my small donottrack plugin for WordPress, but it was only when Automattic upgraded to the new asynchronous Quantcast code that I was forced to look actually dig in.

The new Quantcast-code doesn’t use the old-fashioned document.write, but inserts the javascript asynchronously with an insertBefore on the parent of the first script-node (as popularized by the asynchronous Google Analytics-code). Variations on this method would include e.g. using appendChild or adding it to head (although that might not exist).

A couple of months ago I experimented with the DomNodeInserted event, but that isn’t supported by all browsers. And even when it works, I found no consistent way to stop the tracking script (which was already added to the DOM, as the event is triggered after) from being loaded or executed. But last week while searching for a better solution I found a reference to javascript AOP on StackOverflow and after following some links I discovered the JQuery AOP-plugin.

JQuery AOP allows one to (amongst other things) add an advice around a method. When the method is called, the advice kicks in before the execution. The advice is a function which can investigate and change the parameters used by the method. And that’s exactly what the current version of DoNotTrack does; it has AOP.around (I’ve removed the JQuery dependency) catch insertBefore and appendChild, investigates the src-attribute and replaces that value if it points to quantserve.com before allowing the method execution to proceed.


aop.around( {target: scriptParent, method: /[insertBefore|appendChild]/},
        function(invocation) {
                if ((typeof(invocation.arguments[0].src)==='string')&&((invocation.arguments[0].tagName.toLowerCase()==='script')||(invocation.arguments[0].tagName.toLowerCase()==='img'))) {
                        if (sanitizer(invocation.arguments[0].src)===true){
                             invocation.arguments[0].src='javascript:return false;';
                return invocation.proceed();

I’m working on a more generic version of an AOP-based WordPress Privacy plugin now. In a first stage it will probably be based on a blacklist, that is editable in the WP Privacy options-screen but at a later date a whitelist-based approach will be added (based on an integration with webpagetest.org). Let’s add that to my New Years resolution for 2012, shall we?

WP Privacy: Quantcast sneaks back in

After almost a year of peace and quiet, Quantcast tracking code has returned to this blog. As reported by Brian Yang, the stupid hack that stopped the code from being included doesn’t work any more. Automattic recently switched to the new Quantcast-code, which instead of using the old-fashioned document.write now gets inserted asynchronously by a DOM-method (insertBefore). I’m looking at ways to stop this from happening or at least limit it one way or the other, but for the time being there’s no fix. Bear with me and do speak up (in the comments below of via the contact form) if you think you can help!

Follow-up Friday: Ubuntu Unity, Android security & WordPress Stats

Just a couple of small updates on previous stories to keep you posted really.

We’ll start of with Ubuntu Natty Narwhal; beta 2 has been released earlier today. I’ve downloaded a lot of updated packages over the last few days, so I guess I’m on the second beta as well. The Unity launcher now comes out of hiding perfectly and it scrolls down automatically to show items at the bottom as well. There also was a bug with the menu-items of some applications (e.g. Firefox 4) disappearing which seems fixed. Hope they can get the launcher to behave with Java apps (e.g. my favorite mindmapping application) soon.

On another note: Lookout, the Android app that allows you to locate your handset and -if you have the paying version- remotely wipe it, seems to be getting some serious competition from …. Google. Enterprises who have Google Apps for Business can now locate, encrypt and wipe their Android devices. Especially the encryption is important news, but it really should be available and configurable in the Android OS itself

To finish off with some news about WordPress Stats secretive inclusion of Quantcast behavioral tracking: it seems like WordPress Stats plugin will be replaced by Automattics Jetpack, which according to the site:

supercharges your self‑hosted WordPress site with the awesome cloud power of WordPress.com

Jetpack actually is a “super-plugin” that offers functionality from Stats, Sharedaddy, After the deadline and other previously separately available Automattic plugins. The Jetpack WordPress.com stats module does still include the Quantcast “spyware”, doesn’t disclose this feature and doesn’t provide functionality that warrants Quantcast inclusion (in spite of Matt Mullenweg claiming “We’ve been using Quantcast to get some additional information on uniques that it’s hard for us to calculate”). But there is (some) good news in the Jetpack Stats source code though, because on line 145 it reads:

‘do_not_track’ => true, // @todo

This could mean that blog-owners will one day be able to opt out of 3rd party tracking or it might be that Stats will take e.g. Firefox DNT-header into account for your blog’s visitors. Having both would off course be what I will be rooting for!

Google Analytics for the privacy aware

While the entire German blogosphere seems to have discovered the pretty unpleasant, secretive inclusion of Quantcast tracking in the “WordPress.com Stats” plugin, I found an article on the blog that broke the story in Germany, that explains how you can somewhat limit (valid) privacy-concerns with Google Analytics.

You just have to push “_gat._anonymizeIp” as an option in the _gaq object, as shown on line 5 in this code snippet:

<script type="text/javascript">
  var _gaq = _gaq || [];
  _gaq.push(['_setAccount', 'UA-xxxxxxx-x']);

  (function() {
    var ga = document.createElement('script');
    ga.type = 'text/javascript';
    ga.async = true;
    ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
    var s = document.getElementsByTagName('script')[0];
    s.parentNode.insertBefore(ga, s);

According to the relevant Google Analytics docs page, this:

“Tells Google Analytics to anonymize the information sent by the tracker objects by removing the last octet of the IP address prior to its storage. Note that this will slightly reduce the accuracy of geographic reporting.”

Call me naive (or overly idealistic), but shouldn’t your Google Analytics implementation have this option on as well?

Quantcast spyware puts selfhosted WordPress blogs in Automattic network

A quick update about the WordPress.com Stats plugin secretive inclusion of Quantcast tracking:

Coding for the New Year

Just a quickie before diving into 2011;

And this is how I feel about 2011:

Jon Hopkins – Light Through The Veins (Full 9 Minute HQ Version)

Watch this video on YouTube.

Have a great New Year!