How Ghostery breaks simple websites (troyhunt.com)
61 points by gnur on Nov 19, 2013 | hide | past | favorite | 80 comments


> [...] send Ghostery into the abyss [...]. I want the web to work like it’s intended to 99% of the time and I know how to control my privacy the remaining 1% of the time. You don’t need a plugin for that.

I want to control my privacy 99% of the time, and unfortunately I can't seem to do it without plugins. Yes, it's a pity that me protecting my privacy kills your website. Yes, I'd rather all these measures weren't necessary, but we're at a point where I simply don't trust any third party, Disqus included.

If all this screws your revenue, please use ad providers that don't track me. There aren't any? Well shucks, looks like I won't visit your website anymore then.

(Really, I wouldn't mind ads on a website, if that didn't also mean I'm tracked everywhere. As it is now, I block almost everything, using Ghostery and/or Disconnect, AdBlock (Plus) and NoScript. And I have no qualms about it.)


I can only agree, but it goes farther still. I do not(!) have Ghostery, but I kill external requests by default (Plugin == RequestPolicy) and I block scripts by default (== NoScript).

There are 8 foreign domains that this site sends requests to. One or two seem to be a CDN, one is creativecommons.

BUT:

I do not accuse anyone but myself for making the experience of visiting this site a horrible one. As I do not want any foreign, plugged-in web servers to know that I visited site a or b, I have to live with these kinds of experiences.

And I love RequestPolicy for the job it does, enabling me to exclusively control who gets to know that I visited site a or b.

Sorry ajax.google, webfonts, disqus, addthis and so on.


I mostly agree with you but I do blame the webmasters.

Every piece of third party content reduces the quality of the experience, even assuming it works 100% correctly. I have never visited a site to check out its third party content; it's rare that third party content has remotely enhanced my experience.

Including third party content which tracks people across the web without any concept of consent (here I am referring to Disqus) is unethical.


Some third party content is fine by me. But why this tracking insanity?

If someone talks about some great tutorial on YouTube, I love it if they embed the video. OK, I would certainly block it nonetheless, but I could jump to the vid if I wanted.

If they wanted statistics, they could use some open source tool like Piwik.


> There are 8 foreign domains, that this site sends requests to. One or two seem to be a CDN, one is creativecommons.

I'm constantly amazed by the number of other domains that I see websites referencing. If there are really 8, then I don't think this site falls under 'simple websites' anymore.


Yeah it breaks stuff.

But it also means that FB, Google et al don't get notified of every website I ever go to ever. So I'll live with it. I wouldn't complain to website owners about it, but I would probably stop going to their sites.


Yes, I browse with NoScript and also an extensive /etc/hosts file to block known ad/mal sites.

Sorry site owners, I browse on my terms, not yours. If I can't view your site, that's your problem. I'll just move on.


I use Privoxy, which is frankly more of a pain b/c there's no simple browser tool to toggle on/off when it breaks a site (I have to occasionally turn the proxy off in my Mac network settings).

But you know what? It's worth it. I'm not being tracked all over the web, I'm not being served re-targeted ads, etc. I'll never go back.


Since you're on OSX I would recommend using Privoxy with Little Snitch (which is quite easy to toggle and tweak quickly).


Do you mean control Privoxy with little snitch? I'd be interested in any links about that, I'm not finding any.


No, not directly. That possibility is somewhat intriguing though.

I simply meant Privoxy appears as a single "application" for Little Snitch rules. It also provides fine grained rules for cases where Little Snitch is too blunt, and each can be quickly and independently disabled when necessary.


Honestly, I'd rather you browse my sites, I don't mind if you disable tracking. Supporting you screwing with my scripts is another matter, it's hard enough to build features, support all the browsers and platforms and realistically people like you are less than 1% of my traffic.

I use tracking to make better products and learn about my audience. Nothing about privacy gets in the way of that.


Err, I think that's sort of the authors point...so we all agree.

And look, I have friends/colleagues who do that (NoScript etc.). And it's probably terrible of me, but I can't deny it is a bit amusing watching them fight with every second site, and their need to maintain massive whitelists of every site they need to browse.

It's like people who turn off images in their browser. Sure, it's your prerogative, but the web's sort of moved on from the Mosaic days.

It's like people who think cameras steal their soul, or that wifi radiation will give you cancer. As long as it's just them and they don't inconvenience other people, or complain that stuff "doesn't work" for them, it's cool.

If this was an accessibility issue, I could absolutely understand - I myself have a hearing impairment and it's not something you can help, so I get that. So yes, whether it's making sure it works for colour blind people, or making sure things have captions, I support that.

But this isn't a case of some disability a person can't help - this is people having tinfoil hat conspiracies about what Google might do when they find out they browse lolcats, or that they're buying My Little Pony toys.


>> It's like people who think cameras steal their soul, or that wifi radiation will give you cancer.

It's really nothing like those because web tracking is a real phenomenon and we all know its happening. It's absolutely not tinfoil hat territory to object to foreign corporations being given information on everything you do online.

It's up to you to decide if you don't care, or actively think that it's a good thing, but please don't try and dismiss perfectly valid privacy concerns as paranoid or delusional.


AdBlock blocks the ads, Ghostery blocks the scripts. It's an interesting combination that is less radical than NoScript, and still prevents loading most of the annoying stuff.

Of course, if you want to limit the features of a website (whether it's a feature for you, the user, or for the website owner), you'll end up breaking some stuff. It's a compromise between privacy and ease of browsing. Still, it's very rare for me to reach a page that becomes totally unusable due to a script blocked by Ghostery. The only example I have in mind is Adobe's Kuler [1]. It's a web app, and it's the kind of website that tends to break with Ghostery. But the UI is simple enough to circumvent those occasional failures by temporarily (or permanently) whitelisting the script and/or the domain.

http://jgthms.com/adobe-kuler-analytics-make-it-unusable.htm...


A good chunk of AdBlock blacklists is scripts.


As an ex-Ghostery user, I can vouch for this. I switched to Disconnect after recommendations from HN-ers and thus far it seems to be doing a better job of not breaking sites and leaving users scratching their heads wondering what to do.

https://disconnect.me/


I concur. Not to mention this controversy:

http://www.businessinsider.com/evidon-sells-ghostery-data-to...


I wouldn't call that controversy, from what I can tell they've always been clear about what they are. Ghost Rank option is literally the first thing you see in the Ghostery options. As long as they respect that, I have no problems with them.


Plus it is disabled by default IIRC.


Yup, I've just installed it, and 'GhostRank' is disabled by default, as is any blocking - you have to specifically ask for individual 'trackers' to be blocked. Interesting how many are reported for various sites - twitter.com: 1, apple.com: 1, facebook.com: 3, bbc.co.uk: 0, the author's site: 14, theguardian.com: 21, news.ycombinator.com: 0.


That link... All these resources for a six paragraphs article... http://imgur.com/3l4FuER


Did Ghostery generate that report or some other plugin?


Happy some people switched. I've been a big disconnect.me advocate here on HN and elsewhere for some time :)


Tried to use disconnect.me as well but found it lacking in terms of features and the number of trackers it's blocking, at least when compared with Ghostery. It has its round of issues, OP is the best example, but clicking "Allow once and reload" is usually enough to solve them.


I've been left perplexed a few times after having Disconnect block otherwise perfectly innocent parts of a web page leaving me wondering why a web app isn't working as expected. Had to uninstall it.


What is disconnect's business model?

Edit: https://disconnect.me/help#how-do-you-make-money-


This extension breaks a web-based email for me (a major e-mail provider in Russia). Thinking that the whole TLD is advertising.


(I work for Disconnect, awesome to see support on HN!)

What webmail provider are you having issues with? Feel free to shoot me an email with that or anything else you noticed at eason@disconnect.me


Wow, he's a little pissed, isn't he?

This is a good case of a third-party extension going wrong. Yeah, ideally it shouldn't happen, but I actually haven't seen this effect on any other site - indeed, sites usually fail because of sloppy JS by the developer - depending on Google Analytics being there or something similar. Ideally, sites should not be totally dependent on external JS to work (what's going to happen when Analytics goes down!?)

Honestly, I wish I didn't have to use this plugin. But whenever I'm not using it, I get immediately irritated by a lot of sites - it's not so much the tracking, which I'm pretty ambivalent about, but how slow and janky many sites become when they load so many scripts. Example: https://pbs.twimg.com/media/BVK2FLZCMAAkxKh.png - totally nuts.


So an extension breaks a site, and the web developer is to blame for sloppy coding? How can he ever predict all extensions and different versions of extension visitors might have on their systems?

Taking Google Analytics as an example, it guarantees the availability of `window._gaq = []`, even if the external resource fails to load. If an extension were to just detect and remove the script block, it'd kill the site.

This is an innocent and unlikely example, because no extension actually does this. But extensions do other bad things much like it, and this post points out exactly one of those very bad things. It simply looks for a specific DOM element, then goes and deletes its parent from the page.

But yes, websites that have an abundance of trackers are crap. Remember that it may also not have been the developers decision.
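The distinction the comment above draws (a pre-declared command queue that survives a blocked script, versus site code that blindly calls into a global the blocked script would have defined) as an added example. This is not code from the comment, from Google Analytics or from Disqus; `page` stands in for `window` so it runs under Node, and `Comments`, `loadAnalytics` and `loadComments` are stand-in names for this demo, not real APIs.

```javascript
// Added example, not code from the comment above, from Google Analytics or
// from Disqus. It shows the two ways site code can depend on a third-party
// script that a blocker may keep from loading: a pre-declared command queue
// (the `window._gaq = window._gaq || []` pattern the comment refers to),
// which keeps working, versus a direct call into a global the blocked script
// would have defined, which throws. `page`, `Comments`, `loadAnalytics` and
// `loadComments` are stand-ins chosen for this demo, not real APIs.

// Stand-in for the browser's `window` so this runs under Node.
const page = {};

// Declare the queue *before* any code that pushes to it. If the tracker
// script never arrives, commands simply accumulate here instead of throwing.
page._gaq = page._gaq || [];

// Site code: record an event. Works whether or not the tracker ever loads.
function trackEvent(category, action) {
  page._gaq.push(['_trackEvent', category, action]);
}

// Fragile site code: assumes a third-party widget defined `page.Comments`.
// With the widget blocked this throws a TypeError and, if it runs in the
// same script as the page's own setup, takes the rest of that script with it.
function showCommentsFragile() {
  return page.Comments.render('post-1');
}

// Robust site code: feature-detect the widget and degrade to a static notice.
function showCommentsRobust() {
  if (page.Comments && typeof page.Comments.render === 'function') {
    return page.Comments.render('post-1');
  }
  return 'comments unavailable: third-party script not loaded';
}

// Stand-in for the tracker script arriving later (i.e. not blocked): it
// drains whatever was queued and takes over `push` so later calls are
// handled immediately. Returns the array of commands it has processed.
function loadAnalytics() {
  const processed = [];
  const handle = (cmd) => { processed.push(cmd); return processed.length; };
  page._gaq.splice(0).forEach(handle);
  page._gaq.push = handle;
  return processed;
}

// Stand-in for the comments widget loading successfully.
function loadComments() {
  page.Comments = { render: (id) => `rendered comments for ${id}` };
}
```

The practical check for a site owner is to open the page with every third-party request blocked and confirm that the page's own scripts still run to completion; the fragile form above fails that check at the first call into a missing global, the queue and feature-detect forms pass it.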


The only thing I can say is degrade gracefully as possible.

I am completely unwilling to unblock a site's main items (NoScript user) unless there is a pressing need for their content, and there rarely is. (Also, his content works fine with NoScript on. I don't get why Ghostery would want to inject more content into a site, that does seem a bit ridiculous.)

However, I don't blame the person who makes the site, we just have different priorities.


> So an extension breaks a site, and the web developer is to blame for sloppy coding?

No - this is a case where the extension's at fault. Most of the cases I have seen, however, are sloppy coding.

> Remember that it may also not have been the developers decision.

Well aware of that, given the number of times I've added the n-th external tracking bug to a client's website.


TL;DR: The author thinks using the browser in private mode is enough to avoid being tracked, or at least he wants us to think that. He also wants everybody to use the web in the same way he does.


Seriously? that's your take-away from the blog post? And not how a faulty plugin was destroying the website, and how he solved the problem?

Kudos man. You deserve a Medal


The post was part analysis, part opinion. The analysis was spot-on, but the opinion seems to be based on a faulty understanding of web tracking.


My bad, I didn't notice this was Ghostery's fault but commented that his site didn't work.

I really like how Troy Hunt stepped into this.

First the "it's my fault attitude". I can learn from this because I blamed his site but in fact it was my own problem because I used Ghostery. I think you can become better at a lot of things when you first blame yourself :|

Second his dive into the problem and notifying Ghostery.

So, sorry for my 'way to quick comment' about the site not working. I'm now using Disconnect and am enjoying your site :)


Oh hey, welcome back :)


Yes, this annoys me a little with Ghostery. But overall the benefit it provides me outweighs the few bugs it induces. (And honestly it's not that hard to notice that something's wrong when the whole page stays white after loading, so you can temporarily disable Ghostery.)


Doesn't that defeat the purpose? Anyone who really wants to track you is just gonna have a failure mode under ghostery that requires you to turn it off.


I only do this with sites I really want to visit. My usual response to a site that doesn't work with Ghostery or needs to set a cookie for anonymous browsing is to go to another site for the same information.


Depends on from whom I've got the link. Usually I just don't bother and close the tab. But if the link is for example top submission on HN I tend to disable ghostery for that page.


Well, I always open a private window if that's the case.


Usually this just means I go off to another page.


I find myself going through several phases when it comes to online ads.

At first, I was fine with online ads. Show me the cool stuff! And companies did. And it was good.

Then there were blinking text, animated graphics, pop-ups to keep your from the text, and forced waits while you were "served". And it was bad. So I decided I never wanted to see an ad again.

I stayed with that for some time, until I started running my own web content. Now it's like: but who's going to pay for all of this? So ads don't seem so bad -- as long as they behave themselves.

I'm okay with ads. Heck, I'm okay with paid promotional content, as long as it identifies itself. But I'm not okay with FB inserting ads in my event stream, Forbes making me watch ads before content loads, or advertisers getting into my private life. And that's where we are.

So I'll take ghostery and lose access to a bunch of websites before I'll let people's search for a buck turn me into some kind of open book for the rest of the world to read.


Every time I use disqus I think that the site owner is being rather foolhardy, not only outsourcing a key component of his site to a 3rd party, but making Javascript a hard dependency as well.

Seems a bit naive to then blame the user for "breaking the web".


What's the alternative? I like having Disqus since it's a decent UI and I get to host completely static sites for my blog.


So what? It should only break comments. I can see how one could see those as "optional content".


From the screenshot it looks like that's what was happening. Update: I take it back. It looks like it's doing more than that. So there's a bug in this plugin. Even so, not relying on Disqus would have avoided this issue.


Exactly - I think the sweetspot here is 'disabling disqus via Ghostery should block disqus, but not anything else' - the author of the original article appears to be arguing against the use of Ghostery altogether as a result of being burned by choosing disqus in the first place.


JS is effectively a hard dependency for the web these days.


Some devs would prefer that to be the case, but it really isn't, especially for a blog.


Not if you want to be crawled properly by Google and Bing it isn't.


Err, actually, the Google crawler has supported JS (in some form) for a number of years:

https://developers.google.com/webmasters/ajax-crawling/docs/...


"in some form" hides a plethora of ways to screw your site up - just suck it up and develop so your site has a clean URL structure and is fast and easily crawlable (JS can cause problems with all 3 of these key features).


Not that I consider comments a key component, but almost all sites outsource a key component to a 3rd party (hosting being a biggy.)


But in this case, the plugin was breaking his website. Not because of JavaScript or a 3rd party, but because they had a bug.


Ghostery is a kind of fallacy. Whenever I see talk on the web about tracking and privacy, someone jumps in with "Just use Ghostery!". It's almost cult-like.

If you use it or think you might, consider: Ghostery is closed-source; it's in bed with advertisers; it reports to the mothership; and its blocking is based on criteria set by someone other than the user. Oh, and in case that's not enough, it breaks pages as described.

The better alternative in my opinion is Request Policy. It simply prevents requests to third-party domains by default, and lets the user whitelist selectively, each permission being either for the session or persistent, your choice. Or you can reconfigure it as a blacklist. And it's open source and non-commercial. (But please support the dev, if you like it.)

IMHO this functionality should be a default part of a browser in the first place. Now I will shut up before I start ranting about how web developers give away their site's data, and compromise user privacy, by throwing in unlimited numbers of third-party requests for functionality they could easily serve from their own domain.


My thoughts exactly. Switching away from Chrome I loaded Ghostery/NoScript/ABP into FF. Then became concerned about system resources (FF still bloated, more so now with extra plugins), then heard about the NoScript/ABP feud (as well as NoScript having a Russian dev), then finally that Ghostery was run by an ad company. All started to sound a bit ridiculous.

Currently have disabled Ghostery as a first step. Still running the other two, but I like the sound of Request Policy and Disconnect mentioned elsewhere to replace them. Happy to enable ads on sites I support, but not keen on the rest of the creepy tracking.

Oh for the simple life...


> If you don’t want tracking then this is why we have in-private browsing.

I have never heard anyone thinking that "private browser mode" protects against tracking. I wonder how common it is, particularly by web developers.

It should also be a nice hint to Firefox that their idea of incorporating Tor into the browser by default is a good idea. If used, then private browsing mode would actually be helping against tracking. As it is now, it's simply a do-not-save-a-local-history-file option.


So Ghostery has an option to remove chunks of the DOM that it thinks have been added by Disqus, in an attempt to stop Disqus from tracking you. It's not clear to me that this would actually stop Disqus from tracking you, because by this point you've already loaded Disqus's JavaScript; and it's certainly not clear to me how it would protect you better than just blocking the Disqus JavaScript from loading, which would also have the advantage of not breaking the non-Disqus related parts of pages.


Ghostery prevents you from loading the Javascript (at least on Firefox).

It does not protect you better than, say, hosts-file-based blocking, but it does protect you equally well and still lets you load and run that JS just once if you really need it.


Someone should call the wahmbulance¹ for this guy! In contrast, here is how another company responded much more professionally when I informed them of an issue caused by Ghostery:

  I believe I fixed this issue.

  Looks like the Ghostery plugin not only deletes the LinkedIN script tag, but every 
  sibling element around it (just to be safe?), which includes our entire blog 
  content. I've wrapped the LinkedIN script tag in its own span so Ghostery stays 
  away from our content. :)

  Please let me know if you can read our blog now.
¹ http://www.urbandictionary.com/define.php?term=wahmbulance


Hi everyone! I'm one of the Ghostery devs.

Ghostery started offering Click-to-Play (c2p) functionality a little while back for some of the most common elements. It's very useful and our users love it -- it simply and quickly answers questions like "where did my video or comments go?". Click-to-Play is configurable through Ghostery options and may be disabled if the user wants. (http://purplebox.ghostery.com/?p=1016023750)

Here's how Click-to-Play works in Ghostery. We have several databases that are shipped with Ghostery; one of them is a click-to-play mapper that is associated with particular trackers in the database. If a user happens to block a tracker that's on the c2p map, Ghostery will take an extra step to examine the DOM of the page where it blocked the tracker to find the visible anchor where the element was supposed to sit, and inserts its own Ghostery control to let the user know at the expected place that Ghostery took action. In some cases, we advise Ghostery to attach to the parent node because the element we anchor to may be hidden or invisible. The anchors are provided by our developers when c2p entries are created.

Troy runs his blog on Blogspot, and the integration Disqus has with Blogspot is non-standard. Because of this, Ghostery's selector for c2p relied on the specific Blogspot format and attached the c2p warning at the parent. A recent change in Blogspot templates has created a condition in which Ghostery sometimes removes the content of the site, as in Troy's case. This is a bug that will be resolved in the next release.

To cover some other topics raised in comments:

- Incognito mode is a good defense, but it's not foolproof. Blocking and running incognito mode is even better

- Disconnect is an alternative to Ghostery, but the reason you don't see this issue with them is that it does not offer click-to-play nor does it block Disqus

- Ghostery, while not open-source, hosts its source for review here: https://www.ghostery.com/ghosteries/chrome/ or https://www.ghostery.com/ghosteries/safari/. Additionally, you may simply unzip the contents of any extension to see what it does and how it works
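The mechanism described in the two comments above (the blog fix that wrapped the LinkedIn script tag in its own span, and the Ghostery developer's explanation that click-to-play sometimes attaches at the blocked element's parent) as an added example. This is not Ghostery's code and not the quoted blog's code; it uses a minimal tree model in place of the real DOM so it runs under Node, and the tag names, the `widgets.example` host and the helper names are assumptions for the demo.

```javascript
// Added example, not code from Ghostery or from the blog quoted above. It
// reproduces the mechanism both comments describe with a minimal tree model
// (no real DOM, so it runs in Node): a blocker finds the script tag of a
// blocked tracker, walks up to its parent, and replaces that parent with a
// placeholder. Whether the page's content survives depends entirely on what
// that parent happens to be. Tag names, host and helper names are assumed.

// Build a tree node; `attrs.text` holds visible text, `attrs.src` a script URL.
function el(tag, children = [], attrs = {}) {
  const node = { tag, attrs, children: [], parent: null };
  for (const child of children) {
    child.parent = node;
    node.children.push(child);
  }
  return node;
}

// Depth-first search for the first <script> whose src mentions `host`.
function findScript(node, host) {
  if (node.tag === 'script' && String(node.attrs.src || '').includes(host)) return node;
  for (const child of node.children) {
    const hit = findScript(child, host);
    if (hit) return hit;
  }
  return null;
}

function replaceNode(oldNode, newNode) {
  const parent = oldNode.parent;
  parent.children[parent.children.indexOf(oldNode)] = newNode;
  newNode.parent = parent;
  oldNode.parent = null;
}

// The "attach to the parent node" strategy: locate the blocked script and
// swap its *parent* for a placeholder control. Returns the removed subtree.
function blockAtParent(root, host) {
  const script = findScript(root, host);
  if (!script || !script.parent || !script.parent.parent) return null;
  const removed = script.parent;
  replaceNode(removed, el('div', [], { text: '[blocked: ' + host + ']' }));
  return removed;
}

// Concatenate the visible text that is still attached to the tree.
function visibleText(node) {
  let out = node.attrs.text ? [node.attrs.text] : [];
  for (const child of node.children) out = out.concat(visibleText(child));
  return out.join(' ');
}

// Two page layouts: the script tag as a direct child of the content
// container (what the blog had), or isolated in its own <span> (the fix).
function buildPage(wrapScript) {
  const post = el('p', [], { text: 'blog content' });
  const script = el('script', [], { src: 'https://widgets.example/linkedin.js' });
  const holder = wrapScript ? el('span', [script]) : script;
  const content = el('div', [post, holder], { id: 'content' });
  return el('body', [content]);
}

// What the reader sees after the blocker has acted on each layout.
function contentAfterBlocking(wrapScript) {
  const body = buildPage(wrapScript);
  blockAtParent(body, 'widgets.example');
  return visibleText(body);
}
```

With the script as a direct child of the content container, the container itself is the parent that gets replaced and the article disappears; with the script isolated in its own wrapper element, only that wrapper is replaced and the article stays. The same property holds for any blocker or extension that removes by parent: a third-party tag that shares a parent with your content puts that content in the blast radius.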


I noticed Ghostery doesn't prevent this tracker: betrad.com. Any idea why?

EDIT: my bad I meant betrad.com.


Hi troll! You are mistaken, betrad.com is in our database under Evidon.


You're right, my mistake. There was a typo in my grep ('btrad.com')


I'd rather use a broken website with Ghostery than allow my private browsing data and history be available to someone free of charge.

You want your site working nicely for Ghostery users? Great, then just remove privacy invader scripts from it, and you won't be affected.


So you didn't read the article. It had nothing to do with scripts invading privacy. The issue was Ghostery's fault. They admitted to it.


Yes, I read it. I'm just saying that even if it's Ghostery fault, I would rather use it than not for the privacy reasons.


Others have mentioned NoScript. I find that when NoScript particularly bombs is when the referenced JavaScript domains themselves reference 3rd party domains. I am not up to date on how JavaScript is dynamically loaded, but this is what I have pieced together.

For example, suppose you are using NoScript to view www.somedomain.com. You check the NoScript menu to find and enable www.somedomain.com, www.somedomaincdn.com, and youtube.com. But suppose whatever youtube.com scripting is done, in turn, relies on say www.youtubecdn.com. You are not going to see this "3rd party domain" on the NoScript menu.

I have found by trial and error, mostly just visiting the "2nd party" domains and looking at their dependencies, I can often tell a site owner how to make their site work with NoScript. Basically they just need a reference to the indirect dependency, even though it isn't needed per se.

Hope this helps someone out there!
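The indirect-dependency situation described in the comment above as an added example, not part of the comment and not part of NoScript. A blocker's menu shows the script domains the page itself references; a domain that an allowed third-party script pulls in never appears there. Given a request log that records which resource requested each URL (constructed inline here; in practice it would come from the browser's developer tools or a logging proxy), this walks the initiator chains and separates hosts the page loads directly from hosts loaded only through another third party. All host names are made up.

```javascript
// Added example, not from the comment above and not part of NoScript. Given
// a request log with initiator information, report which third-party hosts
// the page requests directly (these show in a blocker's menu) and which are
// only requested by another third party's code (these do not). Host names
// and the log itself are constructed for the demo.

const pageHost = 'www.somedomain.com';

// Constructed sample log: `initiator` is the URL of the resource whose code
// requested this one, or 'document' when the page markup requested it.
const requestLog = [
  { url: 'https://www.somedomain.com/app.js', initiator: 'document' },
  { url: 'https://www.somedomaincdn.com/jquery.js', initiator: 'document' },
  { url: 'https://www.youtube.com/iframe_api', initiator: 'document' },
  { url: 'https://www.youtubecdn.com/player.js', initiator: 'https://www.youtube.com/iframe_api' },
  { url: 'https://www.youtubecdn.com/player.css', initiator: 'https://www.youtubecdn.com/player.js' },
];

function hostOf(url) {
  return new URL(url).hostname;
}

// Hosts on the path from this request back to the document, nearest first.
function initiatorChain(entry, log) {
  const byUrl = new Map(log.map((e) => [e.url, e]));
  const chain = [];
  let current = entry.initiator;
  while (current && current !== 'document') {
    const host = hostOf(current);
    if (chain.includes(host)) break; // stop on a cycle in the log
    chain.push(host);
    const parent = byUrl.get(current);
    current = parent ? parent.initiator : null;
  }
  return chain;
}

// direct: third-party hosts requested by the page or by first-party code.
// indirect: hosts only ever requested by another third party's code, keyed
// to the nearest third-party host that pulled them in.
function classifyThirdParties(log, firstPartyHost) {
  const loadedBy = new Map();
  for (const entry of log) {
    const host = hostOf(entry.url);
    if (host === firstPartyHost) continue;
    if (!loadedBy.has(host)) loadedBy.set(host, new Set());
    const chain = initiatorChain(entry, log).filter((h) => h !== host && h !== firstPartyHost);
    loadedBy.get(host).add(chain.length ? chain[0] : 'document');
  }
  const direct = [];
  const indirect = {};
  for (const [host, sources] of loadedBy) {
    if (sources.has('document')) direct.push(host);
    else indirect[host] = [...sources].sort();
  }
  return { direct: direct.sort(), indirect };
}

// Human-readable summary, one line per host.
function report(log, firstPartyHost) {
  const { direct, indirect } = classifyThirdParties(log, firstPartyHost);
  const lines = direct.map((h) => `direct:   ${h}`);
  for (const [host, via] of Object.entries(indirect)) {
    lines.push(`indirect: ${host} (loaded by ${via.join(', ')})`);
  }
  return lines.join('\n');
}
```

On the constructed log, `www.somedomaincdn.com` and `www.youtube.com` come out as direct and `www.youtubecdn.com` as indirect via `www.youtube.com`; the indirect entry is the one a per-page blocker menu would not list, and the one a site owner would have to reference (or self-host) for the page to work under a default-deny policy.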


First off, I appreciate the points this post highlights and it's encouraged me to check my own site, which has two items blocked by Ghostery - Google Analytics and Typekit. Fair enough on the former, the latter is less understandable, although I guess that any third-party JavaScript request can expose the user to tracking, so I still don't have a problem with that. That leads me onto my main point:

As soon as you outsource functionality, you give up layers of control. The relevant website is outsourcing not only to Disqus for comments, but blogger; the author then complains that they don't have as much control over their content - go figure. I've never really considered that the benefits of disqus outweigh the disadvantages - why not just own your own comments, have more control over them, deliver a faster experience, etc.?


A well-made comment system is a fair amount of work, and you are vulnerable to spam.

I agree with you though, it's not worth having disqus whore your patrons to the highest bidder and make product suggestions in your name.


Agreed; but I'd rather have the problem solved server-side, and allow a publication to own its comments. That said, comments in general appear to be falling out of favour.


> I want the web to work like it’s intended to 99% of the time and I know how to control my privacy the remaining 1% of the time.

I want the absolute opposite, is it just me?


Why is he using disqus for primary content? If I want to see the discussion, I'll turn disqus on. When the primary content is hidden like this, I just go elsewhere.


Thanks for this post... I noticed that there were several things I had neglected to turn off on ghostery and I went ahead and added them.


Perhaps similarly, the EasyList tracking protection list for IE browsers stops you from signing up for a Windows Azure account.


I've learned this the hard way so the first thing I do after installing Ghostery is disabling everything but Disqus.


How javascript breaks simple websites.



