
Visiting a site that uses Disqus when not logged in sends URL to Facebook - d2p
https://blog.dantup.com/2017/01/visiting-a-site-that-uses-disqus-comments-when-not-logged-in-sends-the-url-to-facebook/
======
Raphmedia
I wish all websites would wait for the user to turn on social features before
offering them. I'm not interested in any of them, the scripts shouldn't be
loaded for nothing.

Take a look at this way to do it:
[http://panzi.github.io/SocialSharePrivacy/](http://panzi.github.io/SocialSharePrivacy/)

~~~
K0nserv
As a user I use uBlock Origin to block all 3rd party JS by default. This
protects me from loading ads, social widgets (trackers), and trackers. A lot of
the web is completely broken when you don't run 3rd party JS so each site
requires a bit of whitelisting before it will function correctly.

As a website owner I try to lead by example by not including any 3rd party
JS (or any JS at all for that matter). Specifically avoiding trackers from
Google or Facebook.

~~~
gorhill
Even without going as far as blocking all 3rd-party js/frames (which I do
personally), one can use the dynamic filtering pane to _at least_ block the
most ubiquitous domain names and allow only on a per-need basis.

I do use facebook.* in one of my tutorials about reducing privacy exposure[1],
but of course this applies to any ubiquitous 3rd-party servers out there (of
which Disqus qualifies in my opinion, same for Gravatar, etc.)

This approach will minimally break the pages with nice benefits in return:
reducing the ability of ubiquitous 3rd-parties to profile browsing history,
faster page load.

[1] [https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-to-easily-reduce-privacy-exposure](https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-to-easily-reduce-privacy-exposure)

------
codazoda
This tracking stuff is a plague and I'm part of the problem. I run an
unpopular site with random bits of information on it that uses AdSense to give
me a few bucks a month and Disqus to allow comments.

Ugh. I really need to think about whether I want to be part of the problem.

~~~
em3rgent0rdr
Somebody in the other thread mentioned
[https://www.discourse.org/](https://www.discourse.org/) as an open-source
alternative to Disqus, although there were some people that downvoted it, so I
don't know how good it is.

~~~
daxelrod
Discourse is primarily a better alternative to bulletin-board style forums.
Here are their docs on embedding, which seems like it would make it act a little
more like Disqus:
[https://meta.discourse.org/t/embedding-discourse-comments-via-javascript/31963](https://meta.discourse.org/t/embedding-discourse-comments-via-javascript/31963)

Note that a major difference is that you apparently have to go into the forum
page to leave a comment, you can't do it from the page you're discussing.

------
j_s
As mentioned in the article there was a related discussion yesterday, where
removal of ad network stuff doesn't _really_ matter since Disqus is used for
comments:

_I've removed all ad network code from my blog (troyhunt.com)_

[https://news.ycombinator.com/item?id=13326792](https://news.ycombinator.com/item?id=13326792)

This included a screenshot of DoubleClick still being blocked on Troy Hunt's
blog.

------
GrinningFool
I'm reviving my blog, and currently plan to explicitly ask:

1. May we retrieve common libraries from third party CDNs? Doing so helps
support this site by saving on our bandwidth costs, but may expose information
about you to those third parties.

2. This site allows commenting through Disqus. We have no control over what
Disqus does with your data, and so your information may be exposed to Disqus
and any third parties they communicate with. Would you like to enable
comments?

3. (Similar for tracking, if I decide to do something other than log
parsing.)

Default 'no' to all, and I still need to find a way to ask the questions in a
way that doesn't disrupt simply viewing a blog post that someone linked.
Perhaps if someone returns, I'll prompt then.

Anyone have thoughts on if this sounds sane?

~~~
d2p
1. If you're only interested in saving bandwidth and don't care about cache
hits from overlapping with other sites, maybe you can host static content
somewhere free (GitHub Pages?) or even just set a long cache header (ensure
version numbers in filenames, cache for > 1 month) since presumably you're
going to serve them the first time before the user has answered anyway?

2. I'm thinking of putting a "Click to load comments" box in place of Disqus
on my blog so nothing gets loaded unless the user clicks. Seems better than
bothering the user up-front.

3. I use Google Analytics - I figure it's common enough that if people don't
like that, they'll already have it blocked, so there isn't really any
additional tracking they won't want (unless the twitter timeline widget is
tracking; which it might be, but I suspect I'll remove it soon anyway).

~~~
Normal_gaussian
Notes:

1. Serving from github still shares the tracking information. It can be
argued that github is better than cloudflare/facebook, however bear in mind
github has politically motivated staff. Long cache is a great idea.
Alternatively cut out unnecessary js.

2. Nice idea, it does hamper the ease of use of your blog though - I would
never click to view, though I did read some that were visible when I finished
the article.

3. Do you find the information from this useful? In a way that isn't
trivially parsable from server logs? I ask because we are reviewing the
quality of our user analytics, and our ga seems rather pointless atm.

~~~
StavrosK
What's wrong with Cloudflare?

~~~
j_s
Depends on the definition of wrong! CloudFlare is a bit of an HN darling
thanks to their employees' active contributions and submitting every technical
post on their blog. Free distributed DNS and potential DDoS protection is also
a tempting offer.

To privacy-conscious users: CloudFlare is the man-in-the-middle for more and
more of the Internet, potentially tracking at Google-like levels.

_CloudFlare may: ... Add script to your pages to, for example, add services,
Apps, or perform additional performance tracking._ (Unfortunately this is
opt-out rather than opt-in.)

[https://www.cloudflare.com/terms](https://www.cloudflare.com/terms)

To Tor users: CloudFlare implements a captcha to protect servers from
malicious traffic; the implementation has caused tremendous annoyance in the
past and the company may have been slow to address this problem.

[https://news.ycombinator.com/item?id=7977780](https://news.ycombinator.com/item?id=7977780)
(example complaint, 3 years ago)

[https://news.ycombinator.com/item?id=11388560](https://news.ycombinator.com/item?id=11388560)
(9 months ago, from cloudflare)

[https://news.ycombinator.com/item?id=11404770](https://news.ycombinator.com/item?id=11404770)
(the tor project response)

[https://news.ycombinator.com/item?id=12122268](https://news.ycombinator.com/item?id=12122268)
(6 months ago, additional discussion of tor vs. captcha)

To DDoS victims: CloudFlare protects several DDoS vendors while gaining
business protecting DDoS victims, citing free speech.

[https://krebsonsecurity.com/2016/10/spreading-the-ddos-disease-and-selling-the-cure/](https://krebsonsecurity.com/2016/10/spreading-the-ddos-disease-and-selling-the-cure/)

[https://news.ycombinator.com/item?id=7242377](https://news.ycombinator.com/item?id=7242377)

To CloudFlare customers: CloudFlare has a "target on its back" and has
faltered against DDoS in the past, causing outages for all of its customers.
AFAIK: It's been a while.

To CloudFlare freeloaders like me: CloudFlare doesn't have much incentive to
protect its free-tier users from DDoS.

Related: Akamai stopped helping DDoS'd pro-bono client Brian Krebs.
[https://news.ycombinator.com/item?id=12561928](https://news.ycombinator.com/item?id=12561928)

~~~
StavrosK
Ah, thank you for the detailed reply. I started using CF more extensively
yesterday, due to their free CDN (which is working great), but I agree that
their MITMing the internet is worrisome. Maybe I should switch to MaxMind, if
it's cheaper than CloudFront.

~~~
j_s
Like Ghostery, it is important to be aware of the cons but I'm still using
CloudFlare.

In my book CloudFront easily ranks ahead of had-been "do no evil" Google's
irrevocably merging its entire history on me ex post facto.
[https://news.ycombinator.com/item?id=12760003](https://news.ycombinator.com/item?id=12760003)

------
foxhop
I'm working on an alternative to Disqus called Remarkbox -
[http://www.remarkbox.com](http://www.remarkbox.com)

One of my early design decisions is to be as lightweight and fast as possible.
This means no oauth, no ads, and only core features that you would expect to
find in a comment system.

~~~
ploggingdev
Just tried it out, very cool man.

My suggestion would be to make the design more appealing, it looks a little
bland now.

And also promote the privacy oriented mission of the service a lot more.
Currently there is no mention of privacy/tracking, you only mentioned no ads.

And https is a must in 2017.

Just a few questions:

* When do you plan to launch?

* What is the backend built with?

Good luck man.

~~~
foxhop
* When do you plan to launch?

I'm soft launching with beta users right now.

* What is the backend built with?

Python, Pyramid, SQLAlchemy (which supports PostgreSQL, MySQL, and SQLite3),
uWSGI, Nginx, Ubuntu

------
rsync
Just a note ...

It is _possible_ for someone to say "hugs"[1] at the end of their discourse
and still be a _liar and a cheat and a terribly bad actor_.

No idea, of course, about any of these people - but don't let cost-free,
content-free expressions alter your (bullshit/fraud) detector.

[1] See comment on OP's blog from "disqus here"

~~~
BYK
Thanks for calling my honest reply a lie and me a liar, really appreciate it.

I'm @madbyk on Twitter and you can also Google my full name to catch my other
lies and bad acting on some of my recorded talks.

~~~
rsync
"Thanks for calling my honest reply a lie and me a liar"

I did no such thing. In fact, I specifically admit to having "No idea ...
about any of these people".

~~~
BYK
True that. I reread your comment and realized I misinterpreted it.

Skepticism is good :)

------
em3rgent0rdr
PrivacyBadger blocked his Disqus embed. I think a good test of whether your
site/blog is privacy conscious is to see if PrivacyBadger reports any tracker.

------
d2p
FWIW - Disqus commented on my article - there's a link to their comment right
at the top of the article now.

~~~
dmix
TLDR: it was because Disqus added the Facebook SDK in the last week or so, for
some new feature they're testing. They're looking into this.

^ That sounds legit to me... I believe this was the primary reason why
Facebook made an SDK and Like button in the first place...for data mining.
Pretty clever.

This is the consequence of building on a platform like FB, you exchange your
visitors' browsing habit data for access and FB expands their graphs of
IP<>websites to improve their ad targeting. And with Disqus it won't be as
obvious because the publisher might not be aware that it leads to an FB
connection.

So regardless of whether it was unintentional, this is a relevant story for the
trade-offs of using platforms.

------
chubot
I noticed the same thing about a week ago when I was setting up comments for
my blog [1]. I hate bloated websites, so I copied the Disqus markup and opened
up Chrome dev tools, and saw the Facebook URL along with dozens of other
resources being loaded.

I ended up researching WAY too many comment systems, and eventually settled on
Reddit. Not ideal, but better than all the alternatives.

Blog commenting is pretty broken right now, I guess due to the dominance of
social networks. I wanted to write my own blog comment service in rage but
thought better of it.

Disqus seems pretty sloppy. I was surprised to learn that they were an early
YC company.

[1] [http://www.oilshell.org/blog/2016/12/29.html](http://www.oilshell.org/blog/2016/12/29.html)

~~~
daurnimator
How did you use reddit as a commenting system? It's something I've thought
about before but didn't know someone had already built it.

~~~
ChristianBundy
I'm guessing they've just set up a subreddit, which they post in each time
they make a new blog post. In the past I've seen "Join the conversation on
Reddit: ${link}" at the end of blog posts, but maybe they're doing it
differently.

~~~
daurnimator
As the sibling poster suggests: I was thinking of somehow embedding a reddit
comment thread onto the page. Either via an iframe (if you own the subreddit
you can control the CSS on the other side to make it match), or some JS
library that did XHRs to reddit's API.

------
jzl
Ugh, thanks for this. I've made it a goal to start understanding all the
little tricks and details of modern-day tracking techniques that allow
Facebook, Amazon, etc., to know everything that I do. Anyone know if there's a
good one-stop-shop website for this topic? I've found lots of separate
articles about it but no central clearinghouse of information.

------
brlewis
Some years ago I looked at Facebook's ToS for implementing "log in with
Facebook" and at that time it looked like it precluded an implementation that
would only send requests to Facebook if the user chose Facebook login. I don't
think it's for sure that Disqus could fix this problem if they wanted to.

~~~
j_s
Back in the day, Heise apparently caught some flak for protecting their
readers while still allowing Facebook "likes".

It feels to me like the typical Facebook approach: do what they want to do or
a little bit more, monitor the blowback and walk it back as little as possible
only if required to keep everyone happy.

[https://yro.slashdot.org/story/11/09/03/0115241/heises-two-clicks-for-more-privacy-vs-facebook](https://yro.slashdot.org/story/11/09/03/0115241/heises-two-clicks-for-more-privacy-vs-facebook)

[https://www.heise.de/extras/socialshareprivacy/](https://www.heise.de/extras/socialshareprivacy/)
-> [http://panzi.github.io/SocialSharePrivacy/](http://panzi.github.io/SocialSharePrivacy/)

~~~
sp332
That was basically just a trademark dispute. They claimed it was confusing to
show a Facebook "like" button that didn't work like Facebook's actual "like"
button. It's fine if you use your own assets to indicate what the button does,
but you can't use a Facebook logo or their thumb icon.

~~~
j_s
I understand Facebook chose to use trademark law to threaten to block the
Heise app id and even their entire domain (any sharing of the paper's content
on Facebook).

Facebook continues to use every tool at their disposal to protect their
expansion of the privacy invasion of their product.

~~~
sp332
But nothing came of it, and other sites have implemented similar safeguards
without being blocked.

~~~
j_s
Yes. As stated above:

 _monitor the blowback and walk it back as little as possible_

In this specific case it was indeed only possible to walk it all the way back.

------
the8472
> Troy cited tracking as one of the reasons for removing ads

Ads should be loaded into `<iframe sandbox referrerpolicy="no-referrer">`

It would still give them some information (affiliate ID and user IP) but no
cookies or tracking of user interaction with the page itself.

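Two ideas from this thread, d2p's "Click to load comments" box in place of the Disqus embed and the8472's sandboxed, no-referrer iframe, combined in one added example (this is not code from the thread, from Disqus, or from any project named here). It assumes a third-party embed that can be loaded at an iframe-able URL (a placeholder), a `comments` container element and a localStorage key to remember the choice; `doc` and `storage` are passed in so the gate can be exercised outside a browser.

```javascript
// Added example: a "click to load" gate for a third-party comment embed.
// Nothing is requested from the third party until the visitor clicks; the
// embed then goes into a sandboxed iframe that sends no Referer header, so
// the host page URL is not handed over as a side effect of loading it.
// EMBED_URL, CONSENT_KEY and the 'comments' element id are assumptions.

const EMBED_URL = 'https://comments.example.invalid/embed'; // placeholder, not a real service
const CONSENT_KEY = 'third-party-comments-ok';               // assumed storage key

// Least-privilege iframe attributes: scripts may run inside, but without
// allow-same-origin the frame gets an opaque origin (no cookies tied to the
// host page), it cannot navigate the parent, and no Referer is sent.
function sandboxedFrameAttributes(src) {
  return {
    src,
    sandbox: 'allow-scripts allow-forms allow-popups',
    referrerpolicy: 'no-referrer',
    title: 'Comments (third-party)',
  };
}

// Build the iframe element on the supplied document object.
function createSandboxedFrame(doc, src) {
  const frame = doc.createElement('iframe');
  for (const [name, value] of Object.entries(sandboxedFrameAttributes(src))) {
    frame.setAttribute(name, value);
  }
  return frame;
}

// Install the gate in `container`: the embed is created only when the visitor
// clicks the button, or immediately if `storage` remembers an earlier "yes".
function installConsentGate(doc, container, storage, src = EMBED_URL) {
  const state = { loaded: false };
  const load = () => {
    if (state.loaded) return;                                  // one embed, one request
    state.loaded = true;
    container.replaceChildren(createSandboxedFrame(doc, src)); // button goes away
  };
  if (storage.getItem(CONSENT_KEY) === 'yes') { load(); return state; }
  const button = doc.createElement('button');
  button.textContent = 'Load comments (this contacts a third-party service)';
  button.addEventListener('click', () => { storage.setItem(CONSENT_KEY, 'yes'); load(); });
  container.appendChild(button);
  return state;
}

if (typeof document !== 'undefined') { // browser entry point; skipped under Node
  const el = document.getElementById('comments');
  if (el) installConsentGate(document, el, localStorage);
}
```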
~~~
rebuilder
Do ad networks allow doing this?

~~~
Karunamon
It would probably break Google Adsense, since the ads that are generated are
based on the page content.

------
d2p
Today Disqus deployed a fix for this issue; you can read their comment on the
blog post here:

[https://blog.dantup.com/2017/01/visiting-a-site-that-uses-disqus-comments-when-not-logged-in-sends-the-url-to-facebook/#comment-3091263180](https://blog.dantup.com/2017/01/visiting-a-site-that-uses-disqus-comments-when-not-logged-in-sends-the-url-to-facebook/#comment-3091263180)

------
Spooky23
It's an unfortunate reality. Once Amazon figures out who you are, they send a
feed of everything you look at or buy to FB.

------
sfblah
I think Ghostery stops this.

~~~
grp
I believe Ghostery is one of those kinds of adblockers that checks if the ads
and trackers target the right people, no?

Sort of a meta-tracker. But maybe I'm too paranoid.

------
rasz_pl
> I'm certain Disqus could fix this,

Most likely they are getting paid for this tracking.

~~~
d2p
I think this is unlikely, it seems like a silly accident to me.

