As an EU citizen, do the following: Paste some information about yourself into one of these forms without submitting, then send them an e-mail asking them to delete your personal information. Bonus points for having your lawyer write that mail, so it gets handled by their legal department instead of regular support. Watch them scramble trying to figure out how to even go about that. When gentle reminders to not irresponsibly collect data aren't enough, maybe a kick in the teeth will do.
Shit sites becoming responsible for all the data they soak up couldn't have happened soon enough.
People keep talking about having "your lawyer" do something as if everyone just walks around with a personal pet lawyer and I never understood it. Are you suggesting that you should hire a law firm at $1000/hour to mildly annoy some website..?
I have a lawyer that I have a relationship with and regularly ask questions to. He costs me 375 usd an hour and is great at his job (which I know by having worked with him for a while).
When I was younger, I didn't use to have one and tried to cheap out by reading contracts carefully without checking with a lawyer. One of those contracts was a rev share in exchange for free work I did (plus some work I paid other contractors to do). I didn't notice that there was an easy way to get out of the contract by the company. Once the company was successful thanks to the work I initially did, they used that to cut me out. If I had used a lawyer back then, I'd still be earning 150k a year from that contract...
So, yeah having a relationship with a lawyer in the same way you have a favorite dentist is worth it. Having the reflex of using a lawyer when possible potentially can save a lot of money down the road. And using a lawyer at first for less impactful work is sometimes a good way to find out if the lawyer is any good.
I'd actually suggest any consultant/contractor to have a lawyer, work with him to review every contract and budget a small percentage of your income on this every year.
> So, yeah having a relationship with a lawyer in the same way you have a favorite dentist is worth it.
> costs me 375 usd an hour
> budget a small percentage of your income on this every year
What you are saying is that for those with enough disposable income to throw 375 per hour at minor annoyances, going straight to that nuclear option is often preferable to settling for a cheaper secondary or backup option. This is the "simply buy Twitter if the way it's run annoys you so much" of legal advice.
This doesn't apply to 99.999% of people on this planet. It is "worth it" in the sense that $800 / oz gold plated caviar is better food than McDonalds. If the median American decided to "find out if [your] lawyer is any good" by hiring them for a 1 hour task, they have already spent more than 1% of their yearly income. In a single hour.
It seems pretty silly to throw $375 at mildly inconveniencing a website operator with the input form thing.
On the other hand, I guess we'd all probably be better off if we'd have a lawyer look over things like our employment contracts, renting contracts, etc (I just sign the dang things though).
Most of those people don't have contracts they want a lawyer to review.
For other needs, people who can't afford lawyers and need help use family, acquaintances, church members, etc. who are lawyers, either free or at a sliding scale. They also sometimes subscribe to prepaid legal plans which do add up to a few hundred dollars, but over the course of a year.
Big cases (like the sudden need for a defense attorney) are funded by passing the hat (or GoFundMe et al, these days.) There are also public defenders.
The truly destitute don't even have that, of course, but other needs are pressing. Aid and social safety net programs do offer charity legal services where they can, but reach and benefit is limited.
People with and without the disposable income blow $300 an hour on all kinds of stuff.
Unless you have never spent $300 on something, I'm absolutely sure you've spent $300 on something that the median family would call a waste too.
But I can't figure out what your point is. It's a waste to call out these sites? Lawyers are too expensive? The lower classes don't make enough? Don't give advice if it doesn't apply to 100% of people?
I'm saying, if you're a US software engineer/contractor earning 100k+ a year like a lot of people on HN, then reserving 2% of your income (2,000) for legal fees is worth it. Doesn't have to be for what the OP suggests, but definitely to check any contracts you get into (including employment contract).
The advice I wrote applies in the context of consultants/contractors on HN which I'm pretty sure tends to earn quite a bit more than the median income.
When I was in private practice at a small firm, I would often take care of things like this at no charge for good clients if I could knock it out in a few minutes. It's the old "ounce of prevention" bit. Not every engagement with a lawyer has to be a "nuclear option."
That said, at a big firm, lawyers often don't have that flexibility.
In the EU you're probably looking at the equivalent of $300 on average for a letter like this, and you're more likely to have the disposable income available to do it.
Something like this you can easily do yourself and imo wouldn't be worth the money, however getting a law firm involved in small tasks is a good way to test them with something simple to see if they're any good, and build up a working relationship with one in case you need them for something more serious or time sensitive later on. It's generally a good life skill to get comfortable working with lawyers because at some point all of us will end up in a situation where we need one, and that's really not the point at which you want to deal with that learning curve.
Where I live (EU), lawyers have standard rates for standard stuff. For a run-of-the-mill letter, you're looking at ~ 100 €, but could be 50 if they want to get you as a new customer. Source: A lawyer asked me whether they should write a legalese letter to someone I was planning to sue (work-related) with their help, and explained to me all of this, plus a lot of stuff I had to stress/watch out for. I knew I had found a good lawyer when they then told me I could also have a go at writing it myself.
Now whether or not the example at hand counts as run-of-the-mill, I don't really know.
The privacy concern is valid, but most people (from my experience) aren't interested in interacting with the legal system in this way, and for these sums of money.
Same to be honest. I can't imagine baiting anyone into something like this. One of the things you learn when you get more experience with the legal system is when, why, and how to avoid engaging with the legal system.
"Obviously we don't mean having a lawyer on retainer. That'd be unreasonable. We're talking about the lawyer with whom you maintain a working relationship should you need one. You know, kind of like your accountant!"
Honestly, having a lawyer on retainer may not be a bad idea in our field. Definitely you want a contract lawyer checking your contract and evaluating them.
I have an accountant, a lawyer, a dentist, an internist, and plenty of others. All of them are "mine" because they are the ones I use when I need their service. They all aren't on retainer, but instead are basically fee-for-service.
Most people don't even have a lawyer in the same way they have a dentist. And the fact that I might just be a few Google searches away from finding one doesn't change that the parent comment's point about the fee still stands.
Most people don't bother. In the EU you can do that with disposable income, but if you don't have disposable income there are law offices that are publicly funded for use by lower-income people. So you either have disposable income or you have the will to look around, but you have possibilities.
To give you an example: I am in the Netherlands. A few weeks ago I went out with some friends; a Dutch guy was complaining about an issue and about having to pay a lawyer, and a Polish immigrant here had to tell him that he could give https://www.juridischloket.nl/contact/ a go. Some people live and grow up in a system and they don't even know what they're surrounded by.
That's pretty interesting. In the US the civil legal system is much less accessible to anyone without disposable income and disposal time. There's small claims court which in my area only costs $15 to file, but that is highly limited in the types of cases you can bring before it.
IANAL, but it appears that the type of case I'd have to bring against a company that was inappropriately handling my personal information would require over $400 just to file the papers for the lawsuit. And the fact that I can't easily determine if that's the type of legal action I'd need to bring demonstrates the opacity of the legal system that further prevents access by an individual without spending even more money on a lawyer for the help needed to make that determination.
There are ways I could get inexpensive legal advice, but that's where disposable time comes in. I have too much income to get free legal aid for the lawsuit itself, and honestly there are people with much more serious legal problems that need those limited resources. Unless you can catch the attention of a class action lawyer that sees potential for massive $$ damages it is very difficult for the average person to take advantage of the legal system to protect their rights.
I have never really needed one. Then again I live in a high-trust society. Currently buying an apartment, but I kinda believe enough that either the realtor or the bank wouldn't really try to cheat me. Or that best I could do is choose someone else.
Same is true for most others. Things in life really rarely go to court, and rarely are there any bespoke contracts.
Buying in NY required you have a lawyer, and the same with a couple states in the North East. I'm sure that the West Coast is the same. I would assume that the "deregulation" states don't require it, but I am using "mine" for buying my grandpa's house in Louisiana just because I cannot be there in person, so they are handling everything on my behalf.
That's funny, because I'd have had the exact same response to seeing advice on the form "Just have your accountant ...". Most people barely have a dentist or a GP.
> People keep talking about having "your lawyer" do something as if everyone just walks around with a personal pet lawyer and I never understood it.
"My dentist" also isn't my personal pet, but it's the dentist I go to. Neither am I my dentist's pet for being "their customer". I'm sure you also know some professionals that you trust and have some sort of relationship with.
> Are you suggesting that you should hire a law firm at $1000/hour to mildly annoy some website..?
Not really. But there's usually people who do it for the good cause and later take it to court, often backed by nonprofits. Also that cost is insane, it should absolutely top out at 300 euro/hour. Some specialized lawyers charge a flat amount to send such standard requests.
Usually "your lawyer" just refers to any lawyer you have a working relationship with, in my experience. I'm guessing this advice is for someone who finds the privacy issue especially heinous.
If you need one to write a snarky letter you'll end up meeting one. After that you'll have a lawyer. What are you hoping to add with your line of argument?
I understand the definition, that's not the problem, I'm merely expressing some bafflement over the 'your lawyer' term seemingly being used here as something common. And apparently I'm not alone, looking at the other comments.
Would you have been equally confused by someone saying "talk to your dentist"? I don't understand this widespread bafflement.
Would it be less confusing to say "talk to _a_ lawyer"? This just seems like a bunch of people arguing for the sake of arguing. It has nothing to do with the original point.
> Would you have been equally confused by someone saying "talk to your dentist"?
No, because in my culture it happens to be rather common for people to have one fixed dentist. Moreover, translated, we also effectively call it 'your dentist'.
> Would it be less confusing to say "talk to _a_ lawyer"?
For me personally yes, because it does not have the same connotation i.e. doesn't imply something common. Which leads me to think this might be a combination of cultural/language thing. As in: when I read 'your lawyer' I translate this mentally then think about occurrences where I heard that phrase in my language. Doesn't ring a bell, so I start thinking about what I did hear or think I would hear another person say when talking about something like this. And 'a lawyer' would be that.
> This just seems like a bunch of people arguing for the sake of arguing.
It's not, at least not from my part. See previous paragraph: this is HN, I come here because stuff like that gets discussed here freely and going off-topic is also not exactly a problem.
Freelancers often have lawyers who: write their contracts, adjust them for new clients, fight over breaches, etc. Founders will have lawyers who do something similar for them vis-à-vis their companies. When you have a steady stream of work, you can often ask them to do little things like this as a favor, just like they might ask you to help them with some tech thing.
I think those groups just happen to be massively over-represented on HN.
Not an American thing, but rather old-fashioned. A long time ago, well-to-do Britons had a "family lawyer". Not on retainer; but he knew the family business (so didn't need briefing), and he dealt with wills, property, that kind of thing. Like a family doctor, rather than a specialist consultant.
Nowadays only the very rich can claim to have a "family lawyer".
My middle class family certainly has a "family lawyer" who deals with wills, property, that kind of thing. You should use a lawyer for those things, why not use one you know and trust?
If we were very wealthy, perhaps we'd have a legal matter for him every month instead of every year or two, but that's plenty of time to build up a relationship. Similar to having a family doctor.
Some people do but usually the "have your lawyer" phrase means "find a lawyer who specializes in this area and contact them". Still, the point still stands, it's expensive and time consuming to even begin the process of engaging an attorney if you haven't done so before.
Saying "have a lawyer" instead of "your lawyer" would convey that point without that baggage of someone sounding like they don't understand that most people don't already have a lawyer in the same way they have a dentist.
> People keep talking about having "your lawyer" do something as if everyone just walks around with a personal pet lawyer and I never understood it.
Let me explain: they don't walk around with a personal lawyer. Just as if I buy a chocolate bar it doesn't mean I walk around with a personal sweet shop. You've just radically misunderstood how everything in the world works.
> You've just radically misunderstood how everything in the world works.
Nothing here should have provoked you enough to get that combative.
It's an amusing point they made. Not to mention, we're all roleplaying anyways. It's just not that serious.
And none of us including the thread OP is actually ever going to do this, much less involve "their lawyer" over a networked <form>. It's like when we roleplay that we're going to call our government representative and inconvenience some intern with some stern words: it's just a fun circlejerk. None of us are actually going to do it.
So it doesn't make sense to get emotionally involved to the point of asserting that someone misunderstands how everything in the world works.
I'm emotionally involved to zero extent, which is still enough to make that statement. If you have an objective point to make then great. But there's no point assuming my emotional state and then writing about it.
No, you're just misunderstanding an exaggeration. It's just bafflement at how people seem to assume everyone just has a lawyer in the same way they just have a GP.
Okay, good. Me assuming everyone has a GP is a great example. I'm in Norway, where everyone _does_ have a GP automatically. I could nonchalantly say "You should speak to your GP about X" as if having a GP was the norm, since that's the only thing I've ever experienced. When I see "you should speak to your lawyer about X", I'm reading that as the same kind of assumption that "having" a lawyer is the norm; that speaking to a lawyer you have an established relationship with is just a normal thing to do.
I feel like there's a parallel "internet law" that is informed by semi accurate news stories, movies, TV, and a sort of "if I could I'd have a lawyer do X and then I imagine Y will happen" ... that has very little to do with actual law.
I can't say about other countries, but in France most (if not all) house insurance policies come with a “legal assistance” clause which covers this kind of stuff. Depending on the company you can either use their lawyer or find your own and have fees reimbursed by your insurance (of course the fees are subject to validation by your insurance and the maximum amount depends on your contract).
Since parent wrote about the EU, which .de is a part of, there is this thing called "Rechtsschutzversicherung" and "Prozesskostenübernahmeversicherung".
Also, aeons ago in TV adverts: "Advocard ist Anwalts Liebling!", meaning with this card you are the lawyer's favourite.
So basically, yes, with appropriate insurance you can have that done for you :-)
I would probably have phrased it "hire a lawyer to..." Which also conveys that you have to open your wallet -- not something lightly done for many people, although the significant trust-fund wantrepreneur crowd on Hackernews may think nothing of it.
> Shit sites becoming responsible for all the data they soak up couldn't have happened soon enough.
Yeah, it's amazing! I think we need even harsher laws. Data should be toxic for businesses. They should be aiming to know as little as possible and to forget everything the second business is concluded. They should be too afraid to do what they're getting away with today.
> Watch them scramble trying to figure out how to even go about that.
It won't be much of a scramble. First, they will look at your email to see if you have actually provided enough information in the email to tell whose data you are talking about and to prove that you are that person. If not you will probably get a response telling you what you need to provide.
When you've provided that information, then they will run their standard "delete someone's data" procedure. Whether or not that actually deletes any data that came in via some pre-submit channel will depend on whether they actually realize they have that data.
If they are actually using that as an intentional persistent data collection method, it will probably be in some place that is covered by their normal "delete someone's data" procedure.
If they are using it for some transitory purpose, it is quite possible that any long term storage was accidental and might not be in someplace the "delete someone's data" procedure covers.
In either of these cases it won't cause any scrambling.
Finally, your delete request will probably be added to a database along with enough information to identify whose data was deleted. They need this because GDPR data deletion requests do not require the company to immediately go through all backups deleting your data from them. It is likely to remain on old backup media until the ordinary backup media rotation reuses that media for a new backup.
Hence, they need to keep a record of deletions and who they were for so that if they ever have to restore from backup they can then reapply deletions.
This last is kind of amusing. Where I work we keep very little data on customers beyond what is legally required by the EU. When someone requests data deletion it can actually increase the net amount of data we retain about them. The record of their deletion request can add more data than the deletion request deleted.
It's not about what's in the letter, it's about who sent it.
When you personally request something it will get handled by their usual support people, but letters from lawyers usually go straight to legal and get handled there.
Legal saying "what we're doing may be problematic" is much more likely to cause change.
You think you're going to get discovery to even prove this? Plausible deniability and even just ignorance will likely cause you to get nowhere with wiping this collected data.
If they know it's personal data and handle it accordingly it might be ok.
What if the user submits personal data without being expected to? For example, I have to enter a nickname on online game before starting to play, what if my nickname is my full name and home address? Now they unknowingly store PII without a privacy policy. What should the company do in this case?
How do they know what the difference is between a keylogger and auto-complete?
I use auto complete A LOT and my customers love it. On the back end I sure could be storing that information (I don't)...
There's some good use cases that easily could be a keylogger, but aren't, or at least we don't know. Even if they store something that isn't auto complete it could be legitimate "hey are people stumbling over those stupid dashes all the time?" exploration of how the users do things.
Real dark patterns, and legit features tend to intermix sometimes and the devil is in the details...
You hit on my first thought. There are numerous legitimate user experience cases where keystroke by keystroke or field by field processing is beneficial. Autocomplete for address data is one I see commonly used. Saving a partially filled out form field by field in the event a user becomes disconnected and would like to complete it later is another. From a security perspective, I know of numerous tools that examine the speed and cadence of the act of typing to discern between bot entry in a field versus human entry. There is also software like FullStory that records everything client side, including mouse movement, so companies can determine exactly how people are interacting with their sites in an effort to improve the UX. And from a tinfoil hat perspective, if a user is interacting with a webpage, they should assume everything they are doing on that page is subject to observation by the page author. If the researchers were surprised by this, I fear it's from inexperience.
Even if it is beneficial, the user might still want to disable it. (Possibly an option in the browser for manual/auto calculate; if manual, then events are disabled until you push submit or recalculate. This might improve speed, too. Another thing that might be useful may be ARIA mode (which can also have other advantages, although other things are needed too anyways).)
Saving a partially filled form is something that should be a feature in the browser, you can do "File > Save Form Data" (and then specify the file name) and "File > Recall Form Data".
I generally disable JavaScripts. Sometimes the web page will still be displayed if CSS is also disabled (and sometimes I want to disable CSS anyways), and sometimes links to original data, etc can be found if you view the source.
You don't need to send queries that return very few results.
Once you send a partial text that returns a few hundred results, any additional typing can be completely handled on the client side. If you only have a few hundred options at all, you don't need to send any text.
That's just good software engineering, by the way. Autocomplete queries are quite expensive, you want to minimize them. But, of course, that won't stop sending data pasted in a single step.
Anyway, the article isn't about auto-completing fields.
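The query-minimizing approach described in the comment above, sketched as an added example (not code from the thread or from any site discussed). It goes one step further than the comment: even pasted text leaves the client only as the shortest prefix that narrows the result set enough. The option list, the threshold of 3 (standing in for "a few hundred"), and the names `makeServer` and `MinimalAutocomplete` are hypothetical; the synchronous `lookup` stands in for a network request.

```javascript
// Added example: all names, data and the threshold are hypothetical.
const THRESHOLD = 3; // stands in for "a few hundred results"

// Constructed option list standing in for the server-side dataset.
const CITIES = ["Amsterdam", "Amstelveen", "Amersfoort", "Arnhem", "Almere",
  "Alkmaar", "Breda", "Bergen", "Rotterdam", "Roermond", "Utrecht", "Zwolle"];

// Server side: return the full match set only when it is small enough,
// otherwise just signal "too broad" so the client extends the prefix.
function makeServer(options, threshold) {
  return function lookup(prefix) {
    const hits = options.filter((o) => o.toLowerCase().startsWith(prefix));
    return hits.length <= threshold
      ? { complete: true, items: hits }
      : { complete: false, items: [] };
  };
}

class MinimalAutocomplete {
  constructor(lookup) {
    this.lookup = lookup;      // synchronous stand-in for the network call
    this.prefix = null;        // prefix whose complete match set is cached
    this.items = [];           // cached match set for this.prefix
    this.tooBroad = new Set(); // prefixes already known to match too much
    this.sent = [];            // audit trail: every string that left the client
  }

  // Suggestions for the current field content (typed or pasted).
  suggest(text) {
    const q = text.toLowerCase();
    if (this.prefix === null || !q.startsWith(this.prefix)) this.refill(q);
    if (this.prefix === null) return []; // still too broad, nothing to show
    // Everything past the cached prefix is filtered locally.
    return this.items.filter((i) => i.toLowerCase().startsWith(q));
  }

  // Send the shortest prefix of q that yields a complete result set,
  // growing it one character at a time and never re-sending known-broad ones.
  refill(q) {
    this.prefix = null;
    this.items = [];
    for (let n = 0; n <= q.length; n++) {
      const p = q.slice(0, n);
      if (this.tooBroad.has(p)) continue;
      this.sent.push(p);
      const r = this.lookup(p);
      if (r.complete) {
        this.prefix = p;
        this.items = r.items;
        return;
      }
      this.tooBroad.add(p);
    }
  }
}

// Walk-through on constructed input: a paste, further typing, a new query.
function demo() {
  const ac = new MinimalAutocomplete(makeServer(CITIES, THRESHOLD));
  const pasted = ac.suggest("Amsterdam Centraal, 1012 AB"); // pasted in one step
  const typed = ac.suggest("Amst"); // served from the cache, nothing sent
  const other = ac.suggest("Ro");   // new prefix, one more request
  return { pasted, typed, other, sent: ac.sent };
}
```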
At that point you're sending anyway ... I'm not sure someone seriously concerned about keylogging to the point that they object to auto complete cares if you send 5 or 6 characters.
I think at that point you're addressing all your users on behalf of a few who are so concerned that they're not going to be happy with any "solution" outside turning it off altogether.
It’s really hard to have a meaningful discussion if we’re warping the definitions of words so much that “keylogger” now means something other than “a thing that logs keys” :(
> You are literally transmitting my keystrokes through several log keeping machines, to a piece of software that probably keeps logs.
I mean, yes, this is the internet we're talking about. I think this discussion is breaking down because keylogger = surreptitious, like when you are being logged by a third party when typing to a second party (i.e. you type a Google search into google.com and a person who is not Google listens and logs that). It would be weird to describe you performing a search on Google as keylogging, though Google used to "transmit your keystrokes through several log keeping machines" to get auto-complete working.
I feel like at that level of skepticism you're well on your way to the "just copy and paste" kind of thing. I think that advice is kinda horrible / difficult, but I think we're at that level where not much would assure you that X or Y isn't happening anyway.
I think, especially in an age of heroku/lambda/etc, we can assume requests are logged by infrastructure. It is a trivially easy mistake to make - most devs forget that requests tend to be logged by infrastructure. This happens enough to get its own CWE - https://cwe.mitre.org/data/definitions/532.html
Copy and paste won't help you here. This usually happens on focus changes and frequently is done not as part of form submission but to see if people bounce from the page and for stats - meaning it goes to a less secured database and usually has widely available access to it.
The fix here, in my opinion, is a mixture of technical (browsers aggressively disabling this sort of thing) and legal (penalizing accidental disclosures heavily). As a user, you can't do much.
I had a friend that had his card charged, even though he hadn't actually completed it (He entered the card number and exp. date, but then left the shopping cart, without completing the transaction).
The Web site owners were pretty damn aggressive, when he complained about it, but he was even more aggressive (he has since passed, but he was not someone that you wanted to mess with).
> He entered the card number and exp. date, but then left the shopping cart, without completing the transaction
I do that somewhat often, for sites that don't reveal shipping charges and other components of the "final price" until the end. Sometimes at that point I'll change my mind. Never been charged, fortunately, but I have worried about the possibility.
Privacy concerns aside, I'm having trouble understanding the value prop. It's more to build and maintain, requires more bandwidth and storage, and the resulting dataset is mostly noise or not significantly different from what was submitted. Data mining that would be a lot of work for very little gain in most cases.
If someone is literally on the signup page but end up not clicking the submit button you want to find out what stopped them and coerce them somehow to actually clicking the button.
The more data you gather about the process the more you can adapt the signup page to actually get them to click the button. It's really important for startups as one of their KPIs will be new signups per X. Companies like Slack, Facebook, YouTube, etc. have teams of people who are working on this type of thing.
Note: I do not condone this type of invasive analytics but I'm telling you why they do it that's all.
I worked for a popular software services company that used this sort of thing on their inbound interest forms.
They found that oftentimes prospective clients would write a first draft that was much more candid about what they wanted and what their budget was, and then they'd revise it to make it more circumspect before submitting.
Going into negotiations, our side had the original unfiltered data.
I hadn't thought of that, thanks. I suppose if there's a trend of users quitting when they get to a certain sign up field, the company can determine if that field can be changed or removed.
I take advantage of this on a few websites. Sears Parts Direct is a good example. Add the items to your cart, fill out your information and do not complete checkout. In a few hours you'll have a 10-20% off coupon in your inbox asking you to finish your checkout.
Adding items to your cart counts as "hitting submit". "Hitting submit" means you asked the site to save some information or change state somehow. You can do what you describe without secretly collecting data that the user didn't want you to collect.
On most commerce sites, while shopping as a guest or logged out user, you place items in your cart without providing personally identifiable information. After, during the checkout phase, you provide either all your PII in a single step or in phased steps. In either case, it's not clear that you're submitting that information to the other party until you click, 'complete order', or however they label their submit button.
There was a submission[1] here on HN a while back which went into some detail about the how and why. He got an email from a site that he started to sign up for, but did not hit submit. Using the browser dev tools, he saw that it recorded the email that he put in.
I once lost focus of my terminal and typed in my root password into Stack Overflow (I prolly had too many whiskeys). Glad Stack Overflow didn't have a covert keylogger, and JavaScript was disabled so I got lucky.
Protip: Always make sure the focus is on your terminal when typing in credentials to it, or any input box that holds sensitive info. I sometimes forget to focus Firefox's master password prompt too and end up typing my Firefox master passphrase into other apps!
Related to this, I’m constantly paranoid about entering confidential data into communications apps.
Once having typed a password into Teams, I decided to create a small Keyboard Maestro automation (on Mac) to automatically remove focus from apps like Teams after a short period of inactivity. It’s not intrusive but just ensures that the current focus is not left in the chat message box when I’m not actually typing chat messages.
Additionally I’ve taken to having all comms related apps on a separate machine to my main development machine. This was ostensibly for reasons of reducing distractions, but hugely helps reduce the risk of this sort of accidental input as well.
I cannot begin to express my rage at windows changing focus when typing. Is there no way for it to not do this when receiving input? Feels like it should be an OS feature
This seems to be an artifact of OS's that also decide that "window on top must have keyboard focus" (i.e., MSWin is very bad in this regard). Because the pop-up dialog must be "on top" to be a pop-up, the OS's built in design of "window on top must have keyboard focus" results in the popup gaining keyboard focus, even if you are actively typing into another window at the same time.
On my Linux system, I run Fvwm2, and because on X the decision to grant focus to a window lies with the window manager, I can control who gets focus via my Fvwm2 config. I have Fvwm2 set for focus follows mouse so unless a popup happens to appear, directly under where the mouse cursor happens to be at that moment, the popup can appear, and be "on top" and my keyboard focus is unchanged.
I also have Fvwm2 configured so that a window gaining focus does not in any way change its order in the stack, so I can focus, and type, into a partially obscured window, without ever moving that window up/down from where it sits. An old version of OpenOffice (I think back when it was still called StarOffice) had decided at some point that if the mouse cursor so much as brushed across its window that it would pop itself to the top and take keyboard focus. That happened about two times, then I added a couple lines to my Fvwm2 config to take away StarOffice's ability to both take focus and to raise itself to the top, and it became a properly behaved program that stayed put until I told it specifically to move to the top.
These kinds of irritants can be fixed, but only if the environment one uses gives one the ability to control these misbehaviors.
macOS does this occasionally too, with pop ups sometimes appearing while I type (software update messages etc)
Especially problematic if you happen to hit Enter for a line return and end up accepting the default selected button on the popup instead.
I think there should be some OS-level heuristics-driven functionality to prevent or delay this sort of thing while the user is actually inputting data. And prevent any third party apps from overriding this unless consent is explicitly given (if the app really needs direct control over window focus) similar to how consent is required for apps to record the screen in macOS.
For sure, and doubly(?) bad when some system dialog pops up, with "Reboot now" or "Confirm, upgrade" selected, so the "enter" key for the command you were cheerfully typing now causes havoc
I'll open it up, click connect, then go back to my work while it churns away and establishes a connection.
The number of times I've been in the middle of writing something and had the connection dialogue gleefully pop up to inform me that it's finally finished, only for me to hit return on what is now a focused "disconnect" button...
I seem to recall “do not steal focus” was a hard rule in the macOS human interaction guidelines. However, lately, macOS itself even steals focus and more and more apps steal focus as well. Most notably through authentication/authorisation dialogs.
With OpenBox (linux window manager thing ... included in eg LXDE) there is a configuration option called "Focus new windows when they appear". You can uncheck that (have not tried it myself).
Most popular websites are tracking your mouse movements and clicks on their website. It's called a user heatmap and it's meant to be used to see what users are actually clicking on when they drop into your website, i.e. everyone highlighted this word on your copy or stopped scrolling after this section, that sort of thing.
It's been happening for many years. If you don't want to give websites this data block javascript in your browser by default.
I don’t really have a problem with this - as long as it’s not tracking people - I don’t think it’s unreasonable to know where people are clicking most.
Seems fairly sensible to figure out how to optimise the ui
>I don’t really have a problem with this - as long as it’s not tracking people
It is. Everything you do is being logged and categorized, and your automatically assigned device fingerprinted user UID (whether you've made an account or not), is associated to all of your actions. Those associations are then dumped into a data lake for data scientists to mine for marketing purposes, and to cross-reference your activities across other sites.
Much of what you describe is immoral and/or illegal in the EU. It's certainly not the case that every site is breaking the law this way. You can get 90% of the benefit of analytics with anonymized data.
Precisely. If anything, session recordings are one of the least invasive forms of tracking because they restrict data collection to what you do on the website you're visiting.
They don't record information typed into forms, e.g. addresses, emails, CC numbers. Well, some don't record by default, with others you have to specify that manually.
Either way, it's better than the Facebook or Twitter Like buttons that infest the web and connect your visits with that site to your Twitter/FB account.
Check out FullStory. It's a drop-in Javascript snippet (aka accessible to any marketing/design folks) that records the DOM and rebuilds it as a playable video in their backend as if you were doing a screenshare and recording it.
>Most popular websites are tracking your mouse movements and clicks on their website. It's called a user heatmap and it's meant to be used to see what users are actually clicking on when they drop into your website, i.e. everyone highlighted this word on your copy or stopped scrolling after this section, that sort of thing.
It's even worse than this. They have full HD screen recordings of every single user session, including all values typed into any input field regardless of submission. I can pull up hundreds of thousands of unique user sessions right now and sit there watching everything they did on our sites, going back for years.
Say it with me now:
Every. Single. Interaction. With. Any. Computer. Is. Tracked.
It would be really inefficient to store this as a full HD video for thousands of users.
If you store mouse movements, scroll events, clicks, etc. and you know what the website looked like, then you can replay these to produce something that looks like a video. The bonus is that you can run mathematical analysis on the clickstream to get things like the most clicked area and suchlike.
It's actually the same data that's used in the heatmap just a different visualisation.
Most heat mapping services do not store such qualitative data because of the cost (e.g. Hotjar). They opt instead to simply reproduce the "almost full story" by faking a video from the data. Services like FullStory are different.
Customers are already video recorded in a real life shop, which not only provides analytical data but also contains their personal information (face, credit card, what they purchased, etc.). Is anonymously tracking which buttons were clicked on a site more creepy?
>Is anonymously tracking which buttons were clicked on a site more creepy?
It's not anonymous and it's not just buttons. Furthermore it comes down to consent. I can see the cameras in the shop. I have no idea without doing network traffic analysis what kind of surveillance is happening on a website.
Some shops do apply machine learning on recorded videos of customers to find out more info about how they navigate the store. As far as I remember, even electronic advertising panels have cameras and track how long people are looking at the ad and store the age/race of the person.
And forms in many pages are analyzing text and typing patterns as you type. This can actually be used to identify someone. I generally resort to typing everything into a notepad and then pasting when ready. Whonix resolves this, but my work on my work computer is slowed down by this inefficient process.
Yeah, I knew about heatmaps, but my eyes were opened further by a product that my current company uses that can replay a user’s actions on the entire site — it’s like watching over their shoulder.
FullStory is a competitor. We used it at a previous company. From a product design perspective, it was amazing to have that tool available, to see where users were running into problems with our application. From a privacy perspective, I can definitely see how it would freak someone out.
Just try to browse the web with noscript (most browsers have a switch to toggle JavaScript, alternatively use uBlock Origin) - many pages won't render at all! It's a really sad state of affairs.
When I need to allow JavaScript on a page - I know all bets are off.
It's because modern client-side frameworks like react or vue use javascript for routing, and in fact storing every character in a form as you type it is a basic design principle in such frameworks. If you are curious, you can install their respective dev tool extensions so you can tell at a glance which framework a website is using by checking which button lights up in the browser toolbar.
I like the uBlock Origin toggle myself, aka the "naughty website gets no javascript" button.
I've noticed over time that requiring JS correlates heavily with low quality content and other abusive behavior, so closing the tab saves me time and nothing of value is lost.
I have used this as a general policy for whether or not I interact with a site since about 2004. That policy has kept me 100% off Twitter, Facebook, etc, since they appeared. I highly recommend, for those who can live without the modern web reality.
I love how this site rendered the full article but magically transformed itself to hide everything but the first paragraph, the words literally disappearing under my eyes. And then the rest of the page is "enjoy more great articles from Wired". Like, hello, I didn't even enjoy one!?
A dark pattern all too common these days. I hate the modern web.
> A dark pattern all too common these days. I hate the modern web.
This is a belief I strongly disagree with that has become pervasive on HN: "I don't like this thing so it is a dark pattern/is toxic, etc." People will, on the one hand, decry the current state of news media and bemoan how Google and/or Facebook have destroyed or perversely mutated it, while, on the other hand, decry the efforts of the news media to monetize (aka get paid) for their efforts.
There is no free lunch. Journalism isn't free. Labor isn't free. We certainly aren't entitled to the free use of the products of each other's labor.
It's just a bait and switch. These journalists want all the benefits of the web: free indexing and archiving, free global distribution and rendering, virtual word-of-mouth advertising; a huge and easy revenue generation model. Their production and design costs are nothing compared to two decades ago. They don't own printing presses. The internet pretty much bends over backwards to throw traffic at them, and on top of that, they rip the rug out under your feet as soon as you land there! Like you can't even read the words that they wrote unless you agree to more bother, and they've already made a few cents off you just from the ads that were served! And to boot, the whole show shoved megabytes of crap in your face, which actually costs you money, and they follow you around the internet like an unimaginable creep.
It's like they feel entitled to all this free stuff and the one thing they offer of value they pull back at the last second. Shitty.
>It's like they feel entitled to all this free stuff and the one thing they offer of value they pull back at the last second. Shitty.
FTE salaries, healthcare, equipment, business expenses, travel costs, legal fees, etc, etc versus...few cents? Maybe it would help the conversation if you can quantify what you think they're actually earning from all the "free stuff" as you claim.
What? There's no bait and switch - the site tells you as soon as you load that you need a subscription.
> These journalists want all the benefits of the web
Where's this coming from? Where's this "want"? Most of the stuff that you listed is either explicitly paid for or just comes with the web automatically.
> free indexing
Yes, Google offers free indexing because they get search engine ad revenue as a result. There's no "stealing" here.
> archiving
Hosting costs money. Journalists pay for that themselves. There's nothing "free" about it. The end.
> free global distribution
They're also paying bandwidth costs.
> and rendering
There's no way to view a page on the internet without rendering it on your computer. That's not something that journalists are taking advantage of - it's how the internet works. Also, publishers pay for hosting costs, too...
> virtual word-of-mouth advertising
Word-of-mouth is completely unrelated to the internet.
> a huge and easy revenue generation model
Please don't tell me that you're complaining about publishers trying to recoup costs of the journaling process. Who's going to pay for the salaries of writers? Infrastructure costs? Distribution? Web development?
> Their production and design costs are nothing compared to two decades ago.
...and yet, the costs are still there. Publishing is not free, especially if you want content to publish, and especially if you want quality content.
> It's like they feel entitled to all this free stuff and the one thing they offer of value they pull back at the last second.
The only entitlement here is you feeling entitled to the work of journalists. This is a rant with little substance behind it, predicated on the false assumption that publishers and journalists have no costs.
IMO the dark pattern here is that they ask for money and also show ads. I assume they still show ads to subscribers given their magazine roots (they don't list "no ads" as a benefit). I'm willing to pay for services but not if they still attempt to show me ads.
Go back to the early 2000s and admire all the work people put out for free on the net because they enjoyed doing it. This was thriving, but then people with dollar signs for eyes took over and now we're stuck with them.
True, but also, newspapers were still very financially stable. The number of gainfully employed journalists throughout the U.S. was far greater. Regional and city newspapers thrived. Now, many are dead and many of the survivors are slowly dying. Print news is now looking like a power law: a handful flourish (NYT, WSJ, WaPo, etc.) and a long tail struggles to stay afloat. These outcomes are, in part, created by people's perception that the information generated by news organizations is both a commodity and is free. Neither is actually true.
Surely the newspapers are partly to blame for this perception going back more than one hundred years: $2 (or whatever) was never the actual cost to fund the news.
During the dot-com-bubble, it was a race for users/eyeballs, with hopes of later profits. It wasn't sustainable. But it was definitely fun while it lasted.
That's the rise of the dollar symbols for eyeballs period. There were plenty of people making things with 0 regard to profit. Think back to all the random little websites or flash games people put countless hours into.
So print newspapers, and sell them. I regard the worldwide web as free to use; I treat sites that don't share my view as not being part of the worldwide web.
The world is full of interesting websites. If a website doesn't want me to read it, that's fine, I'll move on.
Better yet: as readers, we can buy a paper in that nearby news-stand and be sure we can read it safely. Print papers do not come with spies that follow us as we walk through the city nor start playing loud voice ads once we turn a particular page, etc.
> There is no free lunch. Journalism isn't free. Labor isn't free. We certainly aren't entitled to the free use of the products of each other's labor.
Sure, but it's rude to present something and then take it away. Google used to downrank sites who did this, anyone remember how awful experts exchange was? If they want to have a paywall then they should have a paywall.
Exactly, this is a dark pattern because it uses up the visitor’s bandwidth before dropping a paywall in front.
On a similar note it’s using unnecessary power (quite possibly from a battery of limited capacity) rendering a paywall with an effect nobody wants to see, except probably the people who made it.
There’s an easy solution:
HTTP response 402: payment required
HTTP 402 is like Hashcash[1] - greatly underrated and/or unknown, and yet extremely effective in solving its target problem.
In 402's case, if it was, say, legislated by the government, then the following would happen:
(1) Users wouldn't be bait-and-switch'ed by a paywall that revealed part of the content before appearing
(2) Companies would need to band together to implement a micropayments framework
(3) Laissez-faire maximalists wouldn't be able to complain because the only requirement would be that paywalls be signalled by an HTTP status code
The only potential downside is that companies might, instead of making a common micropayments API, instead just use Google, or even worse, not use any common platform and instead make consumers sign up for a new account for each site.
Agree 100% on the effectiveness and it being underrated.
Lightning Service Authentication Tokens[1] (LSATs) provide a standard that’s usable today.
With a Lightning Network browser integration like Alby[2] you can access paywalled content behind a proxy like Aperture[3], and it’s a very smooth process already.
However, it’s also not my problem to solve. That’s a problem for Wired to solve. How I feel about these UX patterns and business models is not negotiable; it’s an honest reaction. How Wired makes money and deals with free use is negotiable.
The internet has not been kind to many business models, particularly, it has been rough on paying for content. That’s just what happens when copying costs basically $0. You can pirate almost anything and people definitely do. Many people will immediately hop on archive.is if they hit one of these patterns. Personally I often just don’t read the article and leave.
In the end, it isn’t my problem if people don’t like my attitude. Wired is trying to sell to me, so it is absolutely their problem if I don’t like this pattern. And guess what? I am, in fact, a former Wired subscriber. Maybe they make more money now that they paywall, but I don’t even care. I’m still going to hate them for it.
Likewise, I will never like or respect being forced into advertisements. If I like something enough, I will pay for it. I pay for YouTube and it feels like a win/win for me.
You clicked a link to a Wired article that someone posted on Hacker News. Wired was not involved.
Digital properties aren't going to be groomed to meet your precise tastes. This is doubly so for general interest publications like Wired that have to appeal to a broad base of viewers and can't charge more than a few bucks for a subscription.
If the article is valuable but paywalled, there are ways to get around that. Try turning off Javascript or accessing the page in an incognito browser. archive.ph can also work.
> You clicked a link to a Wired article that someone posted on Hacker News. Wired was not involved.
Well, to some extent, I'd argue they _are_ trying to sell to him. From everything I've seen the whole "display the whole page of content and then block with javascript" is done so that the whole page of content gets indexed by Google. If so, then they are intentionally trying to lure non-customers to their site with that content. Admittedly, coming from HN isn't exactly the same, but it's the same general audience of non-subscribers they want to come look at their content and subscribe.
Of course they are trying to sell to you. Why else would they exist? Just for the warm fuzzy feeling in their heart? Then why are they asking for money? Oh, right, they're trying to sell their service. And part of that is encouraging people to use it & share it on social media.
lol, you think that they’re not measuring conversions on these paywalls? I can’t tell if you’re acting in bad faith or just naïve, but yes, trust me, Wired is in fact trying to sell to me (and also more directly sometimes, since I don’t know if I have unsubscribed from their emails.) The free marketing from having people share your articles and from showing up in search results is part of their funnel. You are mistaken sorely.
That’s not a solution to the problem of people loathing your business model, that’s just a repeated statement of the business model.
If it works for them today, good for them. It works for some big publications. Let’s see how that continues to pan out as subscription fatigue increases and publications close up content almost entirely.
Also in Safari: "Settings for wired.com" —> "Use Reader when available"
But I agree that it sucks to be here. And while I agree that journalism is between a rock and a hard place to all of our detriment, not sure "Wired" is that kind of journalism.
I'd question whether it's really a dark pattern. Seems like a benign way of monetizing their articles. A little annoying, sure, but nothing "dark", nothing misleading
"Dark pattern" seems like one of those phrases that's in the process of changing its definition. People use it to mean anything in software that they don't like. It used to mean something that tricked the user into paying money or attention. I don't see how this is a trick (I also find it annoying, as you do).
I think it's a bit of a trick because instead of just blocking the page unless you're inside the paywall they let you download it and then whip it away from you as you're reading it.
Designing something to deliberately annoy people when they could just be upfront about things seems like a tricksy way to behave IMHO.
Is it really a "dark pattern" to charge for content? There have been premium forums and sites since the dawn of the internet. The only difference here is that it is made painfully obvious how easily they could make the content available to you.
I suppose you mean "I hate people making money off the modern web"
Unless you are ultra-paranoid or cynical, it is pretty reasonable to believe that a site is not submitting the contents of a form before you click the Submit button.
Abandoned Cart is a good example. It takes the email address if it's been filled out and auto-sends a reminder email later.
Not really the same thing as taking your payment and address information and sending it to some guy in a basement. Half-complete or incorrect data isn't an issue any company wants to deal with. Abandoned Cart functionality makes money, so that's why it's included.
Another use is for a form with questions, like you get in jobs postings. Seeing how someone types in the answers may be more revealing than the answer itself.
As far as I know many support/chat applications do this, so the support rep can see what you type/think and respond faster. Also useful if the user is trying to scam the company, they can see if the user changes details about their story while typing.
Whenever I talk in a chat pop-up I always assume they see live what I'm typing.
And I do think that a normal person must be a bit pathologically skewed, here in 2022, if they are not a little bit cynical or paranoid when they interface with a computer.
Finally, one can be ultra-paranoid, cynical, or just mildly knowledgeable about the technology upon which the entire modern experience depends.
A few years ago in a digital self-defence class someone picked me up on choices of words.
Paranoia and cynicism are pre-Snowden words from an era when the nature of online computers was unclear to most people. Since 2013 (that's almost a decade ago now) we've been in a world where it's taken for granted by anyone with an IQ of 2 or more digits, that digital devices and many services are hostile. Cynicism and paranoia are no longer strictly possible.
I was grateful to the young woman who pointed out that adopting negative psychological language empowers the attacker and places the victim on a back-foot. Cynicism and paranoia are no longer accusations you need to hear, nor feelings you need to own.
Since then I have tried to couch digital self-defence language more carefully in terms of self-respect, dignity, informed consent, and ultimately in terms of ethics and morality that reasonable and informed people expect. By "reasonable", we do not mean bullied and browbeaten into learned helplessness by threats of compulsion, total lack of real choice, subterfuge and deception.
Good points, though I was one of those people who was disturbed that Snowden's 'revelations' were news.
Pre-Snowden, there were many of us who weren't paranoid or cynical, but who were not surprised by surveillance tech. And some of us weren't tech experts either.
One person's cynicism is another person's gentle understanding of social mechanisms.
I remember having discussions about this exact thing over 20 years ago. The fact that it's still considered ultra-paranoid or cynical after all this time is unsettling to me.
There's probably an untold amount of shady data-trading stuff happening whenever I swipe my credit card at a POS somewhere. I don't know because I'm not a payment processor expert.
You don't have to know the intimate technical details. You just need to have the awareness that "something shady is probably happening as a result of this interaction".
If someone is surprised that in 2022 people are tracking / logging your digital interactions, well, I don't know what to say.
Interesting question: If I have a keyboard that malfunctions so that it'll accidentally type gigabytes of data into the form (but never submit it)... is that still a DDoS or just an unfortunate keyboard malfunction?
Would be good if someone modified the extension a bit, and made it send thousands of fake requests to pollute their data if this behavior is detected. Works like AdNauseam, which works like uBlock Origin, except you can set it to click a portion of the ads to waste the advertiser's money while supporting the underlying websites.
Great idea. Ideally, it would find their "contact us" email address and use that so that websites who implement this get a taste of their own medicine.
In the early days, Instagram silently uploaded your photo before you actually officially posted as a way to improve the "speed" of the user experience. So go ahead and add your filters, the text for the post, etc. because then the moment you clicked Post the app presented like it happened immediately. All for the UX.
For an email file attachment it quite clearly shows it uploading.
The issue with the Instagram model is that it looks like you are just doing things locally on your phone, and haven't uploaded yet. If you have second thoughts and decide not to post the pic, Instagram could keep the photo.
That said, I don't really see why they would do this. What would it gain them to keep millions of discarded photos?
Iirc, they were saved as “drafts”, meaning you could come back to it later or on another device. Youtube was like that before instagram, it’s a popular feature on Snapchat/Tiktok.
My point is that it is a feature people clearly appreciated, not a dark UX pattern.
This isn't terribly surprising given how many sites are architected so that the page running in your client is just the UI for an app running on a server. Auto completion of addresses, for example, requires this approach unless you want to download the entire planet's address database onto an end user's machine.
Do tech companies really store unbounded amounts of information, like keyboard strokes, from their users? For me this seems hard to believe, at least over the medium to long term.
Storing data is not free and if you plan to use this data for anything it can definitely be not cheap (i.e. cold vs hot storage). When you extrapolate this to the scale of a service like Facebook or Google it becomes insanely expensive. So there would have to be some pretty clear monetary payoff to justify this expenditure. I understand the worries of privacy advocates, but I don't understand the economic incentive of keeping all this data. The only way it could possibly make sense is if it were highly aggregated, but at that point you nullify many of the privacy concerns.
> Storing data is not free and if you plan to use this data for anything it can definitely be not cheap
I think there are a lot of companies that are not running out of money and are holding on to a lot of data that might, someday, be valuable. Look at Google's features like spelling correction or search term suggestions - they likely used huge troves of semi-anonymous user input to develop and support them.
> When you extrapolate this to the scale of a service like Facebook or Google it becomes insanely expensive
This is just not true. Backblaze is putting their storage cost at ~$0.035 a gigabyte[1], which means you can store a megabyte of data for every human on earth for a bit under $300k a year (about 8 petabytes). Big companies probably can get even lower. This isn't...a negligible cost, but it's very normal at that scale. Google only has ~4.5 billion users and most companies have orders of magnitude fewer.
> Look at Google's features like spelling correction or search term suggestions - they likely used huge troves of semi-anonymous user input to develop and support them.
There's a big difference between data which is directly tied to PII and data which is held in aggregate in terms of privacy. I'm not arguing there can't be leakage here, but it certainly blunts many of the more severe privacy implications. Conflating these two is more sensationalist rather than useful in terms of honing in what is ok vs what is not.
> which means you can store a megabyte of data for every human on earth for a bit under $300k a year
Sure, I mean as a slippery slope you could also write this data to paper and keep it indefinitely at a very cheap price. My point here is more: if you plan on using the data, it becomes more and more expensive as your access patterns change. This also has privacy implications because I would imagine the easier the data is to access in raw form the higher the potential privacy cost to the user. If all they are doing with these key strokes is recording somewhere that you might be interested in Corgis and German Shepherds based on your keystrokes, as opposed to something more detailed like an accidental paste of your password, I think that changes the conversation.
> My point here is more: if you plan on using the data, it becomes more and more expensive as your access patterns change.
I don't think this is true either. Google does not need to keep much of its data in hot storage to use it effectively: their ML products can be periodically trained / updated, their search can be iteratively updated with each crawl, etc. Sure, it would be expensive to keep all user data from all sources in hot storage all the time - but it's not needed. The idea that you...would happen upon some new question you hadn't thought of before and need to get the answer immediately is just false. Instead, you make regular updates to a model and periodically run your corpus through that model.
You're welcome to request your data from Facebook and see if they have this data (assuming they are following the law, which I assume they are). I've requested my data from various companies and they did not have anything even close to this level of detail. That makes me think that if they do store data such as keystrokes or mouse clicks or whatever, it's being stored in a highly aggregated way, which doesn't bother me very much. But I also imagine one of the reasons they are storing data in an aggregated way is: 1) they don't need it at an individual level and/or 2) it's not cost effective.
This is pretty common and it's easy to do. It was popularized first by Google search decades ago, then by Facebook search. How do you think they make suggestions as you are typing?
Responsiveness creates a better user experience.
In our use cases we are using this primarily in search fields. In a few places we do queries onblur. The cost of these queries is trivial, directly hitting indexed db columns. I don't think we have any db inserts triggered from this behavior, and we don't log request params as a general rule (except rarely for short term debugging or non-sensitive performance tracking).
It's wrong to do it on posts though. I have often responded to a comment with a rather heated reply before thinking better of it and hitting the Cancel button. I guess I like to vent but would rather my "venting" not end up in some site's DB.
Totally get it, and it is a problem. I don't like it, and I also don't like clipboard access. Browsers could have a mode that prevents this, similar to how certain features don't work unless a user has interacted with the page (like playing sound). Something like no queries when an input field contains data unless the user submits a form via a click or enter.
This is nasty, especially the plaintext password leak. I wonder if you could build a chrome extension to monitor for patterns like this — just look at the payloads being sent while you're typing and pattern-match (without keylogging itself, or maybe allow it but keep it open-source)
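The check proposed in the comment above (watch the payloads sent while typing and match them against field contents), sketched as an added example that is not part of the thread or of any existing extension. The function names, `MIN_LEN` and the `__url` property are assumptions; the matcher reports field names and encodings only, never the typed values.

```javascript
'use strict';
// Added example (not from the thread): flag outgoing requests that carry the
// contents of form fields the user has typed into but not yet submitted.

const MIN_LEN = 6; // assumption: shorter values match too much unrelated traffic
const B64_TOKEN = /[A-Za-z0-9+\/_-]{8,}={0,2}/g;

// Decode a base64 or base64url token; returns '' when it is not valid base64.
function b64decode(token) {
  try {
    const bin = atob(token.replace(/-/g, '+').replace(/_/g, '/'));
    return new TextDecoder().decode(Uint8Array.from(bin, (c) => c.charCodeAt(0)));
  } catch (e) {
    return '';
  }
}

// Return the payload as sent plus decoded views (URL-decoding, embedded base64).
function payloadViews(text) {
  const views = [{ encoding: 'plain', text }];
  try {
    const dec = decodeURIComponent(text.replace(/\+/g, ' '));
    if (dec !== text) views.push({ encoding: 'url-encoded', text: dec });
  } catch (e) { /* malformed % escapes: keep the raw view only */ }
  for (const view of views.slice()) {
    for (const token of view.text.match(B64_TOKEN) || []) {
      const dec = b64decode(token);
      if (dec) views.push({ encoding: 'base64', text: dec });
    }
  }
  return views;
}

// fields: Map of field name -> unsubmitted value. request: { url, body } strings.
function findLeaks(fields, request) {
  const leaks = [];
  const parts = { url: request.url || '', body: request.body || '' };
  for (const [where, text] of Object.entries(parts)) {
    const views = payloadViews(text);
    for (const [field, value] of fields) {
      if (value.length < MIN_LEN) continue;
      // Also match the JSON-escaped form (quotes, backslashes, newlines).
      const needles = [value, JSON.stringify(value).slice(1, -1)];
      const hit = views.find((v) => needles.some((n) => v.text.includes(n)));
      if (hit) leaks.push({ field, where, encoding: hit.encoding });
    }
  }
  return leaks;
}

// Tracks what has been typed since the last explicit submit.
function createMonitor() {
  const pending = new Map();
  return {
    noteInput(name, value) { pending.set(name, String(value)); },
    noteSubmit() { pending.clear(); }, // after submit, sending values is expected
    inspect(request) { return findLeaks(pending, request); },
  };
}

// Browser-only wiring. Covers fetch, XMLHttpRequest and sendBeacon; WebSocket
// frames, image-pixel GETs and Blob/ArrayBuffer bodies are not inspected.
function installInPage(monitor, report) {
  document.addEventListener('input', (e) => {
    const el = e.target;
    if (el && 'value' in el) monitor.noteInput(el.name || el.id || el.type || 'unnamed', el.value);
  }, true);
  document.addEventListener('submit', () => monitor.noteSubmit(), true);

  const toText = (body) => {
    if (typeof body === 'string') return body;
    if (body instanceof URLSearchParams) return body.toString();
    if (body instanceof FormData) {
      return Array.from(body.entries()).map(([k, v]) => `${k}=${v}`).join('&');
    }
    return '';
  };
  const check = (url, body) => {
    const leaks = monitor.inspect({ url: String(url), body: toText(body) });
    if (leaks.length) report(leaks, String(url));
  };

  const origFetch = window.fetch;
  window.fetch = function (input, init) {
    check(typeof input === 'string' ? input : (input.url || String(input)), init && init.body);
    return origFetch.apply(this, arguments);
  };
  const origOpen = XMLHttpRequest.prototype.open;
  const origSend = XMLHttpRequest.prototype.send;
  XMLHttpRequest.prototype.open = function (method, url) {
    this.__url = url; // remembered so send() knows the destination
    return origOpen.apply(this, arguments);
  };
  XMLHttpRequest.prototype.send = function (body) {
    check(this.__url, body);
    return origSend.apply(this, arguments);
  };
  const origBeacon = navigator.sendBeacon;
  if (origBeacon) {
    navigator.sendBeacon = function (url, data) {
      check(url, data);
      return origBeacon.apply(this, arguments);
    };
  }
}

if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  installInPage(createMonitor(), (leaks, url) =>
    console.warn('unsubmitted field data sent to', url, leaks));
}
```

In an extension, `installInPage` has to run in the page's main world rather than in an isolated content script, otherwise the page's own `fetch` and `XMLHttpRequest` are not the ones being wrapped.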
Is there a browser extension that will show a visual indication of network activity so I know to take a closer look via the network monitor? I know - it might flash all the time, but at least I can take a closer look to assess the sites that I visit regularly.
Or a browser extension that captures your text in a floating window just over the focused text field — user has to hit Enter/Return before it moves it from floaty window to web document.
(Wondering if some built-in accessibility features in the OS might have something similar.)
That doesn't really help you, as if you want to use the website you already allow connections to that host, and as far as I know these are mostly aimed at hostnames, not the endpoint where the "creepy" request is being fired at.
Correct. You could always have JS disabled by default in uBlock Origin to mitigate JS snooping on sensitive info, so there is that. You can blacklist specific domains in uBlock too. We need something like Portmaster[0], but inside the browser as an extension.
Apart from a few of us nerds on HN nobody will do that. In reality people have a hard time seeing the problem with re-using a password; making people decide which hostnames are okay or vet JavaScript files before allowing them is unrealistic and not the solution to the problem.
A while ago I was doing a review of youtuber merch sites to get an idea of the shipping charges to my corner of the world. The PewDiePie merch site requires you to enter an address and email before you can see shipping prices. It's on the same page as the quote generation but the form isn't submitted and an account isn't created. I didn't go any further than looking at the total price before leaving, then I got an email minutes after I closed the tab with a discount code.
That would give you an average message length that's shorter than what you typed. In the case that it was longer, it turned out those users were copying and pasting the content, then maybe editing it a bit before sending.
I subscribe to exactly one website. If I subscribed to every subscription website that I read, I'd spend more on subscriptions than my income.
So: F12, "display: none". Wut? Really? A one-paragraph article? I guess Wired can join NYT and Washpo as sites I'm not going to visit, because they don't want the likes of me to visit.
Aren't services like Heap effectively worse versions of this? On their landing page they outright list this as their value prop:
> Heap collects all the data on your customers - automatically. What they click. Where they go. What they do, even when you’re not looking. All without the need for engineers.
I wonder if there's a way for ad blockers to block these requests -- the pre-submit non-user-driven requests -- without me turning off JS or anything drastic like that. I suspect the answer is no, but I'm wondering if it's at all feasible for an extension to do that.
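The check proposed earlier in the thread (compare payloads sent while you are typing against what is in the form fields) is also the decision an extension would have to make before blocking a pre-submit request. The sketch below is an added example, not code from any commenter or project; the event shape, function names and hosts are hypothetical, and it runs under Node on a constructed timeline.

```javascript
// Constructed timeline (not captured traffic): what a monitor would see on one page.
const SAMPLE_EVENTS = [
  { type: 'input', field: 'email', value: 'ali' },
  { type: 'request', url: 'https://shop.example/suggest', body: 'q=ali' },
  { type: 'input', field: 'email', value: 'alice@example.org' },
  { type: 'request', url: 'https://tracker.example/c', body: 'e=alice%40example.org' },
  { type: 'input', field: 'password', value: 'correct-horse' },
  { type: 'request', url: 'https://tracker.example/c', body: '{"d":"Y29ycmVjdC1ob3JzZQ=="}' },
  { type: 'submit' },
  { type: 'request', url: 'https://shop.example/login', body: 'email=alice%40example.org' },
];

const MIN_LEN = 4; // very short values match too much by accident

// Encodings to look for. base64 only matches when the value was encoded on
// its own; inside a longer string the alignment changes the output.
function encodings(value) {
  return {
    plain: value,
    urlencoded: encodeURIComponent(value),
    base64: Buffer.from(value, 'utf8').toString('base64'), // btoa() in a browser
  };
}

// One finding per (request, field) where a typed value left the page before
// any submit event. Findings name the field and encoding, never the value.
function findPreSubmitLeaks(events, pageHost) {
  const fields = new Map(); // field name -> latest typed value
  const findings = [];
  let submitted = false;
  for (const ev of events) {
    if (ev.type === 'input') fields.set(ev.field, ev.value);
    else if (ev.type === 'submit') submitted = true;
    else if (ev.type === 'request' && !submitted) {
      const haystack = ev.url + '\n' + ev.body;
      const host = new URL(ev.url).host;
      for (const [field, value] of fields) {
        if (value.length < MIN_LEN) continue;
        const hit = Object.entries(encodings(value))
          .find(([, needle]) => haystack.includes(needle));
        if (hit) findings.push({ field, encoding: hit[0], host, thirdParty: host !== pageHost });
      }
    }
  }
  return findings;
}

console.log(findPreSubmitLeaks(SAMPLE_EVENTS, 'shop.example'));
```

Hashed or encrypted payloads are not caught by substring matching, so an empty result is not proof that nothing left the page.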
Shit sites becoming responsible for all the data they soak up couldn't have happened soon enough.