
Tell HN: Check medium's localstorage if you use adblock - ev1
If you have uBlock or similar, it appears medium logs all analytics pings into HTML5 LocalStorage and will keep retrying to send them (and apparently periodically change domains and subdomains to try and send them).<p>I had tens of thousands of entries in localStorage, wasting quite a bit of space, all of them at least 400-600 characters or more. Each time I scrolled it&#x27;d add a few dozen more in, to the point where devtools was freezing. Ridiculous.<p>Example: <a href="https:&#x2F;&#x2F;i.imgur.com&#x2F;M4E3kqg.png" rel="nofollow">https:&#x2F;&#x2F;i.imgur.com&#x2F;M4E3kqg.png</a>
======
errantspark
Medium is so chock full of anti-features this doesn't surprise me at all. I
often find myself hunting for an archive link to read some article because I'm
past my free article limit. It's absurd that I have to sign up for Medium to
read some random blogger's article.

I miss the days where it felt like software was trying to make my life easier,
nowadays my experience is mostly characterized by a constant struggle to avoid
being taken advantage of.

~~~
an_opabinia
Wouldn’t you agree that it’s really valuable to know if people actually read
the article, how far and which parts?

~~~
jimmyswimmy
No. I'll take an opposing viewpoint. It's not "really" valuable, it's
marginally valuable. If your articles aren't yahoo-style clickbait, anything
you'd do with that data would just make your future articles less authentic.
Alternatively, is your collection and utilization of that information worth
invading the privacy of your readers? The printed version of The Economist
continues to deliver a fantastic product yet they have no idea how far into
each article (or even the entire magazine) I get each week. They simply
publish detailed, excellent articles which draw me back, week after week. Why
should online articles be any different? An incisive author who has put in the
effort to prepare a good, thoughtful article knows it is so before publishing.

Or one can publish thoughtless, banal articles and collect lots of statistics
on how long it takes your readers to figure out that the article is a waste of
their time.

Distinguishing between the two is precisely what we were taught throughout
grade school.

~~~
saaaaaam
You have absolutely nailed it. The cruft medium provides and calls insight is
only valuable to people who want to work out how trick their audience into
reading further in articles where they deliver no value.

------
Meph504
I am honestly baffled at why anyone uses medium, I just flatly refuse. Their
stance on binding arbitration, and that in any disturbed claims that I agree
to pay for the legal defense but give them total control over the defense.

These terms are growing ever more common, and I certainly use services with
similar terms. But I mean this is a fucking blog site, it take very little
time and effort to throw up a WordPress site.

their demands for this service, far out way its value, at least to me anyway.

I think people have gotten far too dependent on sell your soul for bread crumb
services.

~~~
tudorconstantin
It's probably because of the good SEO the articles written there get: I
published a project on GitHub, then an article on my personal blog about it
(with a back link from the repo itself), then an intro article on medium with
a link to repo and a "read more" toward my blog post. Then I submitted the GH
repo and/or my blog post to some reddit threads.

Now, guess what: when googling for _the knests stack_ in the first few weeks,
the top result was the preview article from medium. Even now, it's the second
result, showing up above reddit or my blog post.

~~~
giantrobot
A link's position in a Google search is basically a worthless measure anymore.
Every Google user ends up microtargeted such that the ordering of results or
even which results are displayed is rarely consistent.

~~~
quickthrower2
Use Google Search Console and the data there is far from worthless. Average
position, impressions and clicks for all the keywords visiting your site.

~~~
giantrobot
The GP didn't reference Google Search Console. They mentioned their site's
position on their microtargeted search results.

Which _is_ a worthless metric since it won't be the same depending on a user's
preferences, history, or location. It may be that their site averages as the
top hit for a term but that's not the same as saying it's the top or second
hit.

They're making claims about Medium's SEO chops with a metric that doesn't back
up the claim.

------
AndriyKunitsyn
I had an idea for an article, didn’t really care about where to put it and I
decided to give Medium a shot. I didn’t know it would be that bad.

There’s no way to turn off auto-formatting in Medium editor. No way at all -
support confirmed it. Dashes, quote marks and ellipses in your article will be
placed only in a way Medium wants them to be. So, for example, if you decide
to write in a language other than English and want to surround your dashes
with spaces — like this — according to traditions of this language, there’s no
way to do it in Medium editor. Even if you try to do something smart with
clipboard, your efforts will be overwritten on save.

This is a clear example of a software that tries to be smarter than its user
and fails.

------
llarsson
Medium is much better without JavaScript. No article view limits, no creepy
showing you your Google account and asking you to log in, nothing. And of
course, no messing with your LocalStorage.

It does remove some images, but ok mobile, that is almost a feature in itself.

~~~
dawnerd
Googles one tap is sooooo creepy. I have it blocked in ub origin. I’m always
afraid of accidentally logging in - probably something they hope for.

~~~
d3nj4l
As soon as I see Google's sign in I disable javascript for that domain. It's
like a glowing red sign that website doesn't care about my privacy at all.

------
dvaun
Interesting. Something like this can be mitigated by blocking localstorage
access or using container-like solutions such as Firefox containers[0][1].

A nice project to work on would be to write a Chrome and Firefox extension
that could watch, notify, and store localstorage and other tool usage on a
per-site basis with an admin panel for whitelisting or blacklisting sites,
similar to how uBlock functions.

Personally I run a few extensions that attempt to block or obfuscate
fingerprinting attempts by sites inspecting system fonts, canvas rendering,
etc. Some sites break altogether with these extensions.

[0]: [https://addons.mozilla.org/en-US/firefox/addon/multi-
account...](https://addons.mozilla.org/en-US/firefox/addon/multi-account-
containers/)

[1]: [https://addons.mozilla.org/en-US/firefox/addon/temporary-
con...](https://addons.mozilla.org/en-US/firefox/addon/temporary-containers/)

------
1vuio0pswjnm7
Here is one way to clear localStorage without using Javacript, Add-Ons or
Extensions:

[https://developer.mozilla.org/en-
US/docs/Web/HTTP/Headers/Cl...](https://developer.mozilla.org/en-
US/docs/Web/HTTP/Headers/Clear-Site-Data)

This response header can be added with a localhost-bound proxy server like,
e.g., haproxy:

    
    
         http-response add-header Clear-Site-Data *
    

Of course, the simplest solution is to just turn off JS before visiting
medium; that should prevent any use of localStorage. I have never needed JS to
read medium; it's just text. Text-only browser like links works fine.

~~~
aembleton
Or, just block it, as you're using Firefox:

1\. Open about:preferences

2\. Go to Privacy & Security

3\. Under Cookies and Site Data, click on 'Manage Exceptions'

4\. Enter medium.com, click Block and then Save Changes.

~~~
1vuio0pswjnm7
Is there a way to disable Site Data globally for all sites?

By using a proxy, I disable Site Data for all sites and if I need it for a
specific site I can add an exception.

It seems like Firefox, Chrome and probably others take the opposite approach.
The default policy with these browsers is to enable Site Data globally for all
sites. "Manage Exceptions" appears to refer to manual changes for every
individual site that are required to deviate from this default "Go ahead and
collect, store and track" policy.

------
JakeStone
Sometime over a year ago, I finally got tired of medium's shenanigans, so I
threw together a Q&D TemperMonkey script to just remove the temptation.

It's nothing complex, just looks for links to medium.com and removes them from
the page.

[https://gist.github.com/RichardVasquez/5d46ffe01053162562a79...](https://gist.github.com/RichardVasquez/5d46ffe01053162562a7951a6a3f3c02)

------
edude03
Thanks for the heads up. I looked at mine and it seems like the major of the
events in localstorage are getting sent successfully as my adblocker isn't
blocking the medium activity or batch API calls, however the lightstep events
are blocked and stuck in my localstorage.

As an aside, I'm appalled they'd do this as I'm a paying customer of their
service, but as an engineer I have to respect the work & ingenuity that went
into this solution.

~~~
arthurcolle
It's not exactly that hard to imagine. I've thought about a solution like this
for 2 separate products across 2 different companies, and it was separately
rejected for ethics concerns both times. You'd be surprised what company
decided to reject it in the first case. This is an abuse of web APIs to
achieve targeted data monitoring of users and probably a severe violation of
GDPR.

Any European residents want to confirm this is happening with them?

~~~
vikbytes
Can confirm that this is the case for me as well. (EU resident.)

~~~
arthurcolle
Have you considered filing a GDPR complaint? I would really encourage you to
do so.

I found this: [https://ec.europa.eu/info/law/law-topic/data-
protection/refo...](https://ec.europa.eu/info/law/law-topic/data-
protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-
personal-data-protection-rights-havent-been-respected_en)

You should use the Euro judicial framework to get resolution for this 100%.

Americans like to complain about European legislation but this is a perfect
example of government powers done right! (I'm a dual American/French citizen
living in the US).

~~~
msadowski
I've just spend good 15 minutes on it and in case of France it seems far from
trivial. It doesn't look like it's a matter of sending a single e-mail.

~~~
arthurcolle
Can you kindly opine? I am not in France at the moment so I'd love to learn
what issues you are facing. Sorry to waste your time but I think this is a
critically important topic if we want to preserve our data, privacy, and
related rights into the future.

------
nottorp
With the default settings on firefox (with the built in tracking protection
on) plus ublock origin, I have nothing in local storage from Medium. I do have
6 cookies from medium.com and 2 from elemental.medium.com.

Not a heavy Medium reader though, I just click when something interesting
shows up on HN.

www.bbc.com is my highest user of local storage, with 24 Mb.

~~~
toyg
I had half that. My worst offenders was transferwise (60mb). Apart from that
and a couple of technical websites that I thought were justified, most others
were under 30mb. It's still a lot of stuff to store though. And to think that
we used to be limited to a couple of cookies...

------
re
I use this extension for Firefox: [https://addons.mozilla.org/en-
US/firefox/addon/temporary-con...](https://addons.mozilla.org/en-
US/firefox/addon/temporary-containers/)

medium.com is one of the domains that I have set to always open in a temporary
container.

------
aembleton
In Firefox, you can prevent it from using site data and cookies. This also has
the advantage of reseting the count of the number of articles that you can
read when you close the tab.

1\. Open about:preferences

2\. Go to Privacy & Security

3\. Under Cookies and Site Data, click on 'Manage Exceptions'

4\. Enter medium.com, click Block and then Save Changes.

------
sxp
You can use localStorage.clear() in the dev console to clear this info and
chrome://settings/content/javascript to blacklist JS on a domain in Chrome.

------
newscracker
I've never relied on uBlock Origin alone to block trackers and ads. I always
clear cookies (and local*storage) using Cookie AutoDelete. [1] You can
configure this extension to clear cookies as well as local storage a specific
duration after closing a tab or clear them all manually. You can also select
specific sites whose cookies should not be cleared.

I also use tracker blockers like Privacy Badger. [2]

That said, I avoid visiting Medium links as much as I can. The whole
experience is user hostile in many ways.

[1]: [https://addons.mozilla.org/en-US/firefox/addon/cookie-
autode...](https://addons.mozilla.org/en-US/firefox/addon/cookie-autodelete/)

[2]: [https://privacybadger.org](https://privacybadger.org)

------
alkonaut
Couldn’t browsers ask before using local storage? Then I can approve it for
sites where I believe it would make a positive difference (Once/Always/Never),
and with an option to clear when the browser is closed. Bonus points if I can
preview what’s being stored.

~~~
lucgommans
There are many legitimate uses for localStorage, e.g. see the API key field at
[https://beanstack.io](https://beanstack.io) (disclosure: a site I helped
build): it will remember the value for you if you enter a value and hit
submit. If you then, upon clicking submit, had to click through a browser pop-
up asking if you want to let the website store data in your browser, that
would feel like we're indeed tracking you when really what we're doing is
trying to make your life easier _without_ doing tracking. We could have used a
cookie, but why should we if we can use localStorage which is privately yours
and not sent to the server with every request?

Adding a warning upon localStorage would be like adding a warning upon setting
cookies. The banners that websites add for setting non-essential cookies are
annoying enough already without having to click past browser permission
screens for essential cookies as well.

Also note that privacy laws or "cookie laws" don't ever mention the word
cookie. If you are being tracked using localStorage, canvas fingerprinting,
ETags, etc., they have to disclose the tracking. Not the method, I think, but
_what data_ they are collecting, for what purpose, with which retention
period, and what their legal basis is (e.g. "we collect your address on the
basis of fulfilling the contract to ship your package" or "we track you on the
basis of consent"). LocalStorage is not something to be more or less afraid of
than cookies, etags, etc.; the browser doesn't ask for those either, and I
personally think that's better.

------
quirkot
I use "Quick Javascript Switcher" on Chrome and it's amazing. Turning off
javascript on certain sites improves usability by a ton.

------
toastal
More people need to be publishing on federated platforms like WriteFreely and
Plumo so we don't have this sort of lock-in and readers can use existing
fediverse accounts to comment and boost without signing up for and into these
sorts of services.

~~~
toastal
Plume _

------
sascha_sl
It doesn't seem to do that for me, it instead just uses these two endpoints
instead of the "report" endpoint to send the same data.

[https://medium.com/_/api/activity](https://medium.com/_/api/activity)

[https://medium.com/_/batch](https://medium.com/_/batch)

These aren't blocked on the default uBlock Origin setup it seems, and the
batch endpoint seems like a possibly bad idea to block.

After blocking them, the behavior of filling up local storage can be seen.

------
kohtatsu
The people who write this code need to fucking smarten up.

If you're being blocked don't try to circumvent it. Minute scroll and mouse
movement data is biometric data.

------
rs23296008n1
Lets face it, localstorage is just cookies with extra space for more chips.
Controls around cookies need to apply to localstorage as well.

I'd really like to be able to edit cookie lifetimes on a site-by-site basis.
Overlap where cookies are reused by multiple sites. Plenty of cookies should
be discarded a minute after last use. Others should stay around because
they're useful.

------
kofejnik
While we're at it, just noticed that weather.com had 114 Mb stored, wtf?

~~~
giantrobot
Must have been cloud data.

------
Santosh83
How do I check LocalStorage in Firefox? I assume it is the 'Manage Data'
button under 'Cookies and Site Data' section of the 'Privacy & Security' tab
under settings?

~~~
dylz
Press F12 on medium, Storage tab, left side.

------
ComodoHacker
I'm using Cookie AutoDelete extension (along with uBO) on Firefox, which also
deletes LocalStorage. Just have checked up, I have only 5 cookies for
medium.com and no LocalStorage.

------
sc00bz
Related but you should be doing this regardless. Ctrl+Shift+Del and clear
everything since forever ago. I do "Ctrl+Shift+Del, Enter" several times a day
and use 2 browsers: stuff I'm logged into and everything else. Sometimes 3
browsers to segment logged in accounts.

P.S. If you have Chrome installed (on Windows) set this folder
"C:\Users\\*\AppData\Local\Google\Chrome\User Data\SwReporter\" to deny all
access for each group and user.

------
pragmaticpirate
Despite the shortcomings medium continues to be one of the top domains posted
on hn
[https://news.ycombinator.com/from?site=medium.com](https://news.ycombinator.com/from?site=medium.com)

~~~
type0
submitted, yes, but as time goes on it signals more and more the poor quality
of those articles. Anecdotally it feels mediums articles are up-voted less now
then they were in the beginning, if anyone has stats on it I would be happy to
see if that's true.

------
brainlessdev
I've created an extension to block links to domains you dislike, I've got mine
set up to block Medium links.

[https://github.com/fnune/nay](https://github.com/fnune/nay)

~~~
aembleton
Can't you just do this with uBlock Origin? Something like

    
    
      ##a[href*="medium.com"]

~~~
brainlessdev
Maybe! My extension offers a different set of features. It shows an angry
emoji next to the blocked links, and lets you click on them. When you click on
them, you're prompted to confirm that you want to follow the link, alongside a
reminder of why you blocked the domain.

------
lynndotpy
To check in Chromium:

1\. Press F12 to open the Developer Tools 2\. Inside the Developer Tools,
Click the "Application" tab on the top of the pane. 3\. You should see "Local
Storage" on the left side of the pane.

------
est
Is there a way to disable WebGL, WebRTC and localStorage on browsers for good?

~~~
ev1
Firefox lets you turn off all 3 independently. This breaks some sites that
demand device fingerprinting, though.

~~~
dependenttypes
I wonder if there is any api that allows you to disable them per site (similar
to how umatrix/ublock origin can block cookies/js per site)

------
bambax
If you disable JavaScript for Medium, it's fine. You still have access to the
article in my experience.

------
svnpenn
Medium is garbage, and better options are available now, like SubStack. Here
is example article:

[https://bigtechnology.substack.com/p/the-brilliance-of-
all-g...](https://bigtechnology.substack.com/p/the-brilliance-of-all-gas-no-
brakes)

------
stabbles
Someone should write a fake event generator that clutters their analytics

------
benologist
This is why NoScript is complementary to uBlock.

~~~
gorhill
You can block JavaScript with uBO[1], with the added ability vs. NoScript of
being able to create rules on a per-site basis.[2]

* * *

[1] [https://github.com/gorhill/uBlock/wiki/Per-site-
switches#no-...](https://github.com/gorhill/uBlock/wiki/Per-site-switches#no-
scripting)

[2] [https://github.com/gorhill/uBlock/wiki/Blocking-
mode:-medium...](https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium-
mode)

------
sidcool
How can I move my blog from Medium to Blogger?

------
znpy
Medium is trash.

------
red_admiral
MS Edge/Win10, Europe, "do not track", cookies from medium.com blocked and
uBlock origin - doesn't seem to be happending on my system but of course that
doesn't mean anything if it's geo-targeted. Also gets rid of the paywall, for
now.

------
rusl1
On Android I use this app to bypass the paywall

[https://github.com/a-chris/medium-no-
thanks](https://github.com/a-chris/medium-no-thanks)

------
inetknght
The idea that a website can store things locally on my machine -- especially
without my knowledge or permission -- is !@#$ing absurd. The idea that a
different website can then access that data is beyond infuriating.

~~~
wmichelin
Hey, have you ever heard of cookies?

~~~
toastal
Yeah, I'd be pretty mad if I had to log into a website every time I opened it
or be blinded by a white screen at night when I toggled the dark theme last
time I visited. There's so many good uses for storage to make things behave as
one would expect. And it'd be a lot of friction to have permission dialogs for
things as basic as cookies or localStorage.

~~~
laumars
I agree cookies have proven to be a largely pro-user feature over time but do
you remember the backlash from techies and reporters alike when browsers first
started implementing cookies back in the 90s?

