If it looks like a duck; ditching Google Search (again)

Let’s apply the duck-test to Google;

  1. They’re changing their privacy policy without offering users a true opt-out
  2. They severely limited access for Scroogle, the Google-scraper for privacy-nuts, to the point where it is effectively out of service (although apparently Google isn’t the only one to blame)
  3. They have been caught with their hands in your cookie jar, not only bypassing user’s cookie preferences in Safari but also in Internet Explorer

So if Google looks, swims and quacks like it doesn’t care about user privacy, it must be that it … doesn’t care about user privacy.
I on the other hand do care about my privacy, so I decided to put even fewer eggs in Google’s basket: I’ve switched my search-engine to startpage.com, which is operated by a Dutch company (i.e. one which has to comply with stricter European privacy laws) and which guarantees privacy while being powered by Google.
Startpage’s only downside: they are blocked by our company internet-filter because they provide proxy-services, so as an alternative I also use the less powerful DuckDuckGo (I changed keyword.url in Firefox’ about:config to “https://duckduckgo.com/?q=”). And a nice bonus; DuckDuckGo also has a nice Android-app, which I have installed to replace Google Search on my Sammy SII as well.

AddToAny now includes Lockerz tracking

Update 02-2015: things change, blogposts get out of date and indeed A2A is not owned by Lockerz any more.
AddToAny, one of the most popular sharing-widgets around, has had 3rd party tracking by Media6degrees for quite some time already. I wasn’t too happy about that, but it did have the no_3p option to disable this “functionality”. Half a year ago however AddToAny was acquired by Lockerz.com and it now includes tracking by Lockerz.com which cannot be turned off and does not check for navigator.doNotTrack either.
I’ve contacted the developer (Pat’s a swell guy, really) and he answered he would look into honoring the DoNotTrack header, which he wrote he’d love to include in Q1 somewhere. In the meantime, if you have AddToAny on your site, you can already hide the Lockerz “Earn” tab. And if you’re on WordPress, you could install (or upgrade) WP DoNotTrack, which I’ve updated to stop the Lockerz tracking (make sure lockerz.com is in your blacklist).
If there’s a Drupalista out there that uses AddToAny and would like to stop Lockerz tracking; I’d be happy to co-author a Drupal DoNotTrack module, do get in touch!

Iframe sandboxing support coming soonish

Did you know you can limit the damage an iframe can do by adding the “sandbox” attribute? And that you can add a value to that attribute to loosen your grip if you choose to do so?
I remember reading about this a couple of years ago or so, but forgot about it as support for this html5 spec was limited to Chrome (Apple added support in Safari as well). But while investigating a problem a WP DoNotTrack-user was facing, I re-discovered iframe sandboxing (it effectively stopped the javascript-based tracking inside the iframe) and noticed that support for it is to be included in Internet Explorer 10 and that Mozilla is finally working on an implementation as well.
So yeah, the option to sandbox iframes pointing to blacklisted (or non-whitelisted) hostnames will probably be in a future version of WP DoNotTrack. Stay tuned!
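To make the sandboxing idea concrete, here is an added example (not WP DoNotTrack’s own code) that applies the “sandbox” attribute to iframes pointing at blacklisted, or in whitelist mode non-whitelisted, hostnames. The function names (sandboxIframes, sandboxValueFor, sandboxTokens), the config fields (mode, list, ownHost, allow) and the hostnames in the demo are all assumptions made for this example; the document and iframe objects are constructed stand-ins so it runs outside a browser.

```javascript
// Added example, not WP DoNotTrack's own code: apply the HTML5 `sandbox`
// attribute to iframes whose hostname is blacklisted (or, in whitelist mode,
// not whitelisted). An empty value applies every restriction (no scripts,
// no forms, no plugins, no top-level navigation, unique origin); tokens such
// as `allow-scripts` loosen one restriction each. The document object here
// is a constructed stand-in so the example runs outside a browser.

// Hostname of `src` resolved against the blog's own host; '' if unparsable.
function hostOf(src, ownHost) {
  try { return new URL(src, 'https://' + ownHost + '/').hostname.toLowerCase(); }
  catch (e) { return ''; }
}

// True when `host` equals or is a subdomain of a listed domain.
function isListed(host, domains) {
  return domains.some(function (d) {
    return host === d || host.slice(-(d.length + 1)) === '.' + d;
  });
}

// Normalise the tokens to put in the attribute. allow-scripts together with
// allow-same-origin lets a same-origin framed document remove the sandbox
// attribute from its own frame, so the second token is dropped in that case.
function sandboxTokens(allow) {
  var tokens = (allow || []).filter(function (t, i, a) { return a.indexOf(t) === i; });
  if (tokens.indexOf('allow-scripts') >= 0) {
    tokens = tokens.filter(function (t) { return t !== 'allow-same-origin'; });
  }
  return tokens.join(' ');
}

// Attribute value to set for an iframe with this src, or null to leave it alone.
function sandboxValueFor(src, config) {
  var host = hostOf(src, config.ownHost);
  if (host === '' || host === config.ownHost) return null;
  var listed = isListed(host, config.list);
  var restrict = config.mode === 'whitelist' ? !listed : listed;
  return restrict ? sandboxTokens(config.allow) : null;
}

// Walk the document's iframes and sandbox the ones that need it; returns the
// number of frames changed. Frames that already carry a sandbox attribute are
// left alone, since the page author made that choice deliberately.
function sandboxIframes(doc, config) {
  var frames = doc.getElementsByTagName('iframe');
  var changed = 0;
  for (var i = 0; i < frames.length; i++) {
    if (frames[i].hasAttribute('sandbox')) continue;
    var value = sandboxValueFor(frames[i].getAttribute('src') || '', config);
    if (value === null) continue;
    frames[i].setAttribute('sandbox', value);
    changed++;
  }
  return changed;
}

// Constructed stand-ins for iframe elements and a document.
function makeFrame(attrs) {
  var a = Object.assign({}, attrs);
  return {
    getAttribute: function (n) { return a.hasOwnProperty(n) ? a[n] : null; },
    setAttribute: function (n, v) { a[n] = String(v); },
    hasAttribute: function (n) { return a.hasOwnProperty(n); }
  };
}
function makeDoc(frames) {
  return { getElementsByTagName: function (tag) { return tag === 'iframe' ? frames : []; } };
}

// Constructed page: one blacklisted frame, one third-party embed, one local
// frame and one frame the author already sandboxed by hand.
function demo() {
  var frames = [
    makeFrame({ src: 'http://pixel.quantserve.com/pixel' }),
    makeFrame({ src: 'https://www.youtube.com/embed/abc' }),
    makeFrame({ src: '/local-widget.html' }),
    makeFrame({ src: 'http://ad.media6degrees.com/x', sandbox: 'allow-forms' })
  ];
  var config = { mode: 'blacklist', list: ['quantserve.com', 'media6degrees.com'],
                 ownHost: 'blog.example', allow: [] };
  var changed = sandboxIframes(makeDoc(frames), config);
  return { changed: changed, values: frames.map(function (f) { return f.getAttribute('sandbox'); }) };
}
```

In a real page you would call sandboxIframes(document, config) before the frames start loading (the attribute only takes effect when it is present at navigation time), which is why a plugin has to run this early rather than after the load event.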

Configure WP DoNotTrack to block what you want

I pushed out a major new version of WP DoNotTrack to the WordPress plugin repository and major in this case means:

  • you can now choose between a blacklist and whitelist-approach (previous version did blacklisting only)
  • define what exactly is in that black- or whitelist (previous version came with a hardcoded blacklist)
  • option to block javascript-initiated tracking code from being added for all your visitors, or just those that explicitly opted out of tracking in their browser (supported in MS IE9 and Firefox 9, not supported in Google Chrome)
  • and of course an option-page under wp-admin to change all these settings

Because of these new features (4 of them) and because I think the plugin is already at least 50% mature, I decided to bump the version from 0.1.0 to 0.5.0. Never been good at math anyway …
If you encounter any problems when installing or configuring this plugin, you might find valuable info in the FAQ. But here’s two tips anyway:

  1. In general caching and js-aggregating plugins can interfere, so you might want to disable those while working on your WP DoNotTrack configuration and re-enable (with cleared caches) once you’re satisfied with the result.
  2. If you’re running WP YouTube Lyte with the bonus “donottrack” feature activated, you’ll want to deactivate that before installing/activating WP DoNotTrack. If you don’t do that, you’ll have to turn to the FAQ …

Don’t hesitate to contact me or leave a comment beneath this here little blogpost if you run into problems, if you have a feature request or if you just want to chat a little. I just love receiving feedback!

It’s official: you can not track your visitors

After almost a year of tinkering with my Donottrack-plugin for WordPress, I’ve requested it to be hosted in the WordPress repositories and uploaded version 0.1.0. So if you’re using Donottrack on your blog, or if you activated this “bonus feature” of WP YouTube Lyte, I propose you give WP DoNotTrack a try and let me know what gives here in the comments or via the contact form?
From the readme:

WP DoNotTrack stops plugins and themes from adding 3rd party tracking code to your blog to protect your visitors’ privacy. WP DoNotTrack uses a (slightly modified) version of jQuery AOP to catch and inspect elements that are about to be added to the DOM and renders these harmless if the black- or whitelist says so.
The current version is blacklist-based and stops tracking by media6degrees and quantserve. This can easily be changed in the javascript though. Future versions will include a WordPress admin-page to change these settings.

Hey! Widgets! Leave our privacy alone!

After having NoScript disable the Facebook Like widget a couple of weeks ago, I felt really bad for Mark Zuckerberg who must have been feeling singled out by my actions. If only to make all widgets equal and as I don’t use them anyway, I’ve now told NoScript (only available in Firefox) to also block the Google+ and Twitter widgets with the following ABE User ruleset (under NoScript Advanced options):
# also stop google+ widget
Site plus.google.com
Accept from plus.google.com

# and twitter
Site platform.twitter.com
Accept from twitter.com

Applying Javascript AOP-magic to stop 3rd party tracking in WordPress

It was always my intention to elaborate on my small donottrack plugin for WordPress, but it was only when Automattic upgraded to the new asynchronous Quantcast code that I was forced to actually dig in.
The new Quantcast-code doesn’t use the old-fashioned document.write, but inserts the javascript asynchronously with an insertBefore on the parent of the first script-node (as popularized by the asynchronous Google Analytics-code). Variations on this method would include e.g. using appendChild or adding it to head (although that might not exist).
A couple of months ago I experimented with the DOMNodeInserted event, but that isn’t supported by all browsers. And even when it works, I found no consistent way to stop the tracking script (which was already added to the DOM, as the event is triggered afterwards) from being loaded or executed. But last week while searching for a better solution I found a reference to javascript AOP on StackOverflow and after following some links I discovered the JQuery AOP-plugin.
JQuery AOP allows one to (amongst other things) add an advice around a method. When the method is called, the advice kicks in before the execution. The advice is a function which can investigate and change the parameters used by the method. And that’s exactly what the current version of DoNotTrack does; it has AOP.around (I’ve removed the JQuery dependency) catch insertBefore and appendChild, investigates the src-attribute and replaces that value if it points to quantserve.com before allowing the method execution to proceed.

aop.around( {target: scriptParent, method: /^(insertBefore|appendChild)$/},
        function(invocation) {
                var node = invocation.arguments[0];
                // only script and img nodes that carry a src are of interest
                if ((typeof(node.src)==='string')&&((node.tagName.toLowerCase()==='script')||(node.tagName.toLowerCase()==='img'))) {
                        if (sanitizer(node.src)===true){
                                // neutralise the tracker before the real method runs
                                node.src='javascript:return false;';
                        }
                }
                return invocation.proceed();
        });
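As an added example (not the plugin’s own code), the following puts the “around” advice described in this post together with the blacklist/whitelist and opt-out-only options from the “Configure WP DoNotTrack” post above into one self-contained, dependency-free piece of javascript. The function names (around, shouldBlock, blockingActive, protectParent), the config fields (mode, list, ownHost, onlyOptedOut), the use of about:blank as the neutral src value and the hostnames in the demo are assumptions made for this example; the parent node and navigator object are constructed stand-ins so it also runs outside a browser.

```javascript
// Added example, not WP DoNotTrack's own code: a dependency-free "around"
// advice in the spirit of the AOP technique above, wrapping insertBefore and
// appendChild on a parent node so that script/img nodes whose src points at a
// blacklisted (or, in whitelist mode, non-whitelisted) host are neutralised
// before the real method runs. The parent node and navigator object are
// constructed stand-ins so the example also runs outside a browser.

// Wrap every function-valued property of `target` (own or inherited, which
// is how DOM methods show up in for-in) whose name matches `methodRegex`.
// The advice receives an invocation with `arguments` and `proceed()`.
function around(target, methodRegex, advice) {
  for (var name in target) {
    if (!methodRegex.test(name) || typeof target[name] !== 'function') continue;
    (function (original, method) {
      target[method] = function () {
        var invocation = {
          method: method,
          arguments: Array.prototype.slice.call(arguments),
          proceed: function () { return original.apply(target, invocation.arguments); }
        };
        return advice(invocation);
      };
    })(target[name], name);
  }
}

// Hostname of `src` resolved against the blog's own host; '' if unparsable.
function hostOf(src, ownHost) {
  try { return new URL(src, 'https://' + ownHost + '/').hostname.toLowerCase(); }
  catch (e) { return ''; }
}

// True when `host` equals or is a subdomain of a listed domain.
function isListed(host, domains) {
  return domains.some(function (d) {
    return host === d || host.slice(-(d.length + 1)) === '.' + d;
  });
}

// Decide whether a resource URL must be blocked under `config`:
//   mode 'blacklist': block listed hosts; mode 'whitelist': block unlisted ones.
// The blog's own host is never blocked.
function shouldBlock(src, config) {
  var host = hostOf(src, config.ownHost);
  if (host === '' || host === config.ownHost) return false;
  var listed = isListed(host, config.list);
  return config.mode === 'whitelist' ? !listed : listed;
}

// Blocking applies to everyone, or only to visitors who opted out.
// Early implementations exposed navigator.doNotTrack as '1' (IE9) or 'yes'
// (Firefox 9); later browsers use '1'.
function blockingActive(config, nav) {
  if (config.onlyOptedOut !== true) return true;
  return !!nav && (nav.doNotTrack === '1' || nav.doNotTrack === 'yes');
}

// Install the advice on `parent`; returns whether anything was installed.
// A blocked node gets src 'about:blank' (assumed neutral value) instead of
// the tracker URL, and then the original method is allowed to proceed.
function protectParent(parent, config, nav) {
  if (!blockingActive(config, nav)) return false;
  around(parent, /^(insertBefore|appendChild)$/, function (invocation) {
    var node = invocation.arguments[0];
    var tag = node && typeof node.tagName === 'string' ? node.tagName.toLowerCase() : '';
    if ((tag === 'script' || tag === 'img') && typeof node.src === 'string' &&
        shouldBlock(node.src, config)) {
      node.src = 'about:blank';
    }
    return invocation.proceed();
  });
  return true;
}

// Constructed stand-in for the parent of the first script node.
function makeParent() {
  return {
    children: [],
    appendChild: function (node) { this.children.push(node); return node; },
    insertBefore: function (node, ref) {
      var i = this.children.indexOf(ref);
      this.children.splice(i < 0 ? this.children.length : i, 0, node);
      return node;
    }
  };
}

// Replay the asynchronous tracker-insertion pattern against a protected parent.
function demo() {
  var config = { mode: 'blacklist', list: ['quantserve.com', 'media6degrees.com'],
                 ownHost: 'blog.example', onlyOptedOut: false };
  var parent = makeParent();
  protectParent(parent, config, { doNotTrack: '1' });
  parent.insertBefore({ tagName: 'SCRIPT', src: 'http://edge.quantserve.com/quant.js' }, null);
  parent.appendChild({ tagName: 'SCRIPT', src: '/wp-content/plugins/lyte/lyte.js' });
  parent.appendChild({ tagName: 'IMG', src: 'https://map.media6degrees.com/orbserv/pixel' });
  return parent.children.map(function (n) { return n.src; });
}
```

In a browser the target would be the parent of the first script node (as the asynchronous tracker snippets use it) or, more generally, Node.prototype, and the advice must be installed before the tracking snippet runs; anything already inserted is out of reach, which is exactly the limitation the DOMNodeInserted approach ran into.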

I’m working on a more generic version of an AOP-based WordPress Privacy plugin now. In a first stage it will probably be based on a blacklist, that is editable in the WP Privacy options-screen but at a later date a whitelist-based approach will be added (based on an integration with webpagetest.org). Let’s add that to my New Years resolution for 2012, shall we?

WP Privacy: Quantcast sneaks back in

After almost a year of peace and quiet, Quantcast tracking code has returned to this blog. As reported by Brian Yang, the stupid hack that stopped the code from being included doesn’t work any more. Automattic recently switched to the new Quantcast-code, which instead of using the old-fashioned document.write now gets inserted asynchronously by a DOM-method (insertBefore). I’m looking at ways to stop this from happening or at least limit it one way or the other, but for the time being there’s no fix. Bear with me and do speak up (in the comments below or via the contact form) if you think you can help!

Remove Facebook like buttons with NoScript

If you don’t like Facebook’s omnipresent Like widgets (there were already plenty of reasons why not to like them and last week’s cookie-debacle only added to that conclusion) and if you already use NoScript so you don’t want to install another plugin (like Ghostery, which reports any tracking activity and allows you to block it), you can put this in NoScript’s ABE user ruleset (NoScript Options -> advanced -> ABE);
# Allow Facebook scripts and objects to be included only
# from Facebook pages
Site .facebook.com .fbcdn.net .facebook.net
Accept from .facebook.com .fbcdn.net .facebook.net

This tells NoScript to allow Facebook scripts (you know, to visit facebook.com), but to stop them from being included in other sites. I guess with NoScript’s surrogate scripts one might even be able to replace Facebook’s Like-widget with one that just shows the old-fashioned (and harmless) share-button. Now wouldn’t that be fun?

Why your WordPress blog needs DoNotTrack

So what’s with all that nagging about tracking and that DoNotTrack plugin, you might wonder? Well, it’s pretty simple actually.

  1. Some very popular WordPress plugins include 3rd party tracking, sometimes even without properly disclosing it, often without means to disable this behavior
  2. 3rd party tracking has privacy implications: all your visitors are tracked by the 3rd party, in general for behavioral marketing purposes (depending on what data is captured, tracking might even be illegal in some countries)
  3. 3rd party tracking has a performance impact: every visit to your blog will include between 2 and 5 extra requests for the 3rd party tracking to succeed, effectively delaying full page rendering

It is my conviction that blog owners should be able to install and use WordPress plugins without having to worry about undisclosed tracking and that plugins should provide a way to disable such 3rd party tracking if included.
As this is not the case yet, we have to resort to (messy) solutions to stop unwanted tracking from happening. And that’s exactly what DoNotTrack does. It’s a small javascript-hack in a WordPress-plugin to stop 3rd party tracking introduced by some of the most popular plugins.
Some details from the readme.txt:

  • What works:
  • What does not work (yet): Tracking code added using innerHTML or appendChild/insertBefore is not yet intercepted (but I’m working on a solution for that)
  • What else might be added:
  • How you can help:
    • Provide me with links to plugins that include browser-based tracking + domain where the tracking is done.
    • Provide me with known opt-out code (javascript) to disable tracking services on a site.
    • Tell plugin writers you’re not happy with 3rd party tracking!
    • Tell your visitors about tracking & privacy, link to e.g. http://www.privacychoice.org/

And remember: if you host your WordPress blog yourself, you and nobody else should be able to decide who tracks your users!