Jetpack Notifications puts Quantcast tracking in your WordPress Admin

WP DoNotTrack user Marco Donati asked why the plugin did not stop Quantcast from being included in the WordPress admin pages. After some research (with the kind assistance of Marco), I discovered not one but two problems;
WP DoNotTrack relies on “output buffering” in WordPress to filter/ modify the HTML when in “Forced (default)” or “SuperClean” mode. Apparently WordPress does not use output buffering in the admin-pages, so WP DoNotTrack did not get triggered. My bad! I’ve updated the code to fallback to “Normal” mode when in admin and will push out a new version with this fix soon.
But then it got slightly ugly; even with this fix in place, the Quantcast-tracker kept on appearing! It was being called from within an iFrame, outside the reach of WP DoNotTrack. The culprit turned out to be the brand new “Jetpack Notifications” feature which -as most of Jetpack- is activated by default. As from Jetpack 1.9, you’ll see a small icon next to the greeting text on the right side of the admin-bar. When you click that icon a drop-down appears which contains the iFrame and the tracking code. To disable, in “Notifications” click on “Learn more” to reveal the “Disable”-button. Click that one and the icon, iFrame and tracker code are gone. Good riddance!
My advice to Jetpack users; explicitly disable any feature you do not use. Jetpack might offer some nice functionality, but of that is available in other plugins as well and being tied in that heavily into wordpress.com does come at a price. Moreover it seems there are some security concerns; as an user with author permissions I had access to the Jetpack overview page and I was able to activate the “Jetpack Comments” feature on Marco’s blog, but I couldn’t disable it. Call me a paranoid security-zealot, but non-administrator users should not really be able to do that, should they?

Follow-up Friday: Ubuntu Unity, Android security & WordPress Stats

Just a couple of small updates on previous stories to keep you posted really.
We’ll start of with Ubuntu Natty Narwhal; beta 2 has been released earlier today. I’ve downloaded a lot of updated packages over the last few days, so I guess I’m on the second beta as well. The Unity launcher now comes out of hiding perfectly and it scrolls down automatically to show items at the bottom as well. There also was a bug with the menu-items of some applications (e.g. Firefox 4) disappearing which seems fixed. Hope they can get the launcher to behave with Java apps (e.g. my favorite mindmapping application) soon.
On another note: Lookout, the Android app that allows you to locate your handset and -if you have the paying version- remotely wipe it, seems to be getting some serious competition from …. Google. Enterprises who have Google Apps for Business can now locate, encrypt and wipe their Android devices. Especially the encryption is important news, but it really should be available and configurable in the Android OS itself
To finish off with some news about WordPress Stats secretive inclusion of Quantcast behavioral tracking: it seems like WordPress Stats plugin will be replaced by Automattics Jetpack, which according to the site:

supercharges your self‑hosted WordPress site with the awesome cloud power of WordPress.com

Jetpack actually is a “super-plugin” that offers functionality from Stats, Sharedaddy, After the deadline and other previously separately available Automattic plugins. The Jetpack WordPress.com stats module does still include the Quantcast “spyware”, doesn’t disclose this feature and doesn’t provide functionality that warrants Quantcast inclusion (in spite of Matt Mullenweg claiming “We’ve been using Quantcast to get some additional information on uniques that it’s hard for us to calculate”). But there is (some) good news in the Jetpack Stats source code though, because on line 145 it reads:

‘do_not_track’ => true, // @todo

This could mean that blog-owners will one day be able to opt out of 3rd party tracking or it might be that Stats will take e.g. Firefox DNT-header into account for your blog’s visitors. Having both would off course be what I will be rooting for!

Mozilla rethinking extensions with Jetpack

Show me a ‘Mozilla Labs’ page on Facebook and I’ll click on that ‘Become a fan’-button immediately. ‘Labs‘ is where new and often exciting browser-functionality is being prototyped (think Prism, Weave, Ubiquity, About:tab, Personas), and where the everyone can get involved in the process. How great is that?
Last week the omnipresent Aza Raskin introduced ‘Jetpack‘ to the community. To summarize; Jetpack aims to simplify extension development by requiring only html, css and -off course- javascript, with a simple API, jQuery and Firebug-integration built in. Publishing your Jetpack is as easy as referencing it in a link on a webpage and installing it is very straightforward as well as it requires no browser restart (and as a bonus Firefox upgrades won’t break Jetpack-extensions either).
Aza’s demo on Vimeo is a great introduction:
(This embedded video can be watched on blog.futtta.be)
It’s still early days and some important features are not implemented yet (e.g. persistent storage, access to the browser’s chrome beyond notifications and the status bar, ajax when behind a proxy), so as far as I’m concerned Jetpack doesn’t outdo Greasemonkey just yet, but looking at the draft specs and at some of the functionality that they would like to introduce in the next milestone, Jetpack could indeed bring browser extensions to a whole new level.
But don’t take my word for it, just install the Jetpack extension and see for yourself.