

Google +1 Chrome extension tracks https traffic - mmastrac
https://plus.google.com/115459243651688775505/posts/CDiwzBti5G9

======
ot
As noted in the comments this is hardly an oversight, the plugin page
acknowledges the behavior:

 _"In addition to the practices described in the Google +1 Button Privacy
Policy, by installing this extension, all of the pages and URLs you visit will
be sent to Google in order to retrieve +1 information. Examples of this
information include whether you’ve previously +1’d the page and how many
people have already +1’d the page. Google’s use of this information is
described further in the following help center article
(http://www.google.com/support/profiles/bin/answer.py?hl=en&#...)."_

Tracking _HTTPS_ traffic is really the big deal and it will
probably be patched. For the rest, it is just like Google Toolbar, Internet
Explorer, Bing Toolbar, etc...

Search engines desperately need this kind of
data, it is not surprising that they try to sneak "trackers" into any
browser/extension, it is just unfortunate that they are not clear about it.

~~~
esrauch
The link that you put in your post is in its entirety about how they are
_not_ tracking you and not logging these requests for each user. The quoted
portion you mentioned is just pointing out that in order to get a count of the
+1's on a page you have to send a request to google to see that count. There
is no conceivable way for it to show information without requesting it first.

This isn't some sneaky side effect of the button, it is literally just the
only functionality of the extension. They will probably still patch this to at
least have a setting to not display +1's on https websites, but I don't really
see where all this tracking talk came from.

~~~
roryokane
Google could still uniquely identify sites while protecting your privacy by
sending a hash of the URL from your browser, rather than the full URL itself,
and comparing that hash to the hashes of all +1ed sites. People are talking
about tracking because Google hasn’t chosen to implement their extension like
this.

~~~
esrauch
I don't really understand how you imagine it to work. You want them to just
have a huge dumb store of hash -> count mappings without them having any
meaning? That would completely defeat the purpose of +1s, they couldn't put
what +1s you had on your profile or use it for recommendations or whatever.
Even if this was the case, it would be trivially easy for them to get the hash
-> url mappings at any time since they already effectively crawl the entire
internet on a daily or weekly basis, all they would have to do is add a single
entry to the pipeline.

If you are saying that they should have a database where the columns are (url,
hash, count) and just have the browser send the hash, that is exactly the same
as just encrypting the url, and the request is being sent over https. What sort
of security do you think you would have from hashing that is lacking in SSL?
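
The objection in the comment above, worked through as an added example that is not part of the original thread: a client that sends only a SHA-256 of each URL, and a server that already holds a crawl index and reverses those hashes by lookup. The URLs, the session and the function names are constructed for illustration and do not describe the extension's actual protocol.

```python
import hashlib

def url_hash(url: str) -> str:
    """What a hypothetical hashing client would send instead of the URL."""
    return hashlib.sha256(url.encode("utf-8")).hexdigest()

# Constructed sample: URLs the server operator already knows from crawling.
CRAWLED_URLS = [
    "https://example.com/",
    "https://example.com/pricing",
    "https://news.example.org/2011/07/story",
]

# Constructed sample: one user's page loads, the last one a private HTTPS
# URL carrying a token no crawler has seen.
BROWSING_SESSION = [
    "https://example.com/pricing",
    "https://news.example.org/2011/07/story",
    "https://bank.example.net/statement?token=9f2c1e7ab4",
]

def build_reverse_index(known_urls):
    """One extra pipeline step: hash every crawled URL once."""
    return {url_hash(u): u for u in known_urls}

def deanonymize(received_hashes, reverse_index):
    """Split received hashes into recovered URLs and unresolved hashes."""
    recovered, unresolved = [], []
    for h in received_hashes:
        if h in reverse_index:
            recovered.append(reverse_index[h])
        else:
            # Still a stable identifier: repeat visits to the same
            # private URL produce the same hash and can be linked.
            unresolved.append(h)
    return recovered, unresolved

def run_demo():
    sent = [url_hash(u) for u in BROWSING_SESSION]
    return deanonymize(sent, build_reverse_index(CRAWLED_URLS))

if __name__ == "__main__":
    recovered, unresolved = run_demo()
    print("recovered from hashes:", recovered)
    print("unresolved hashes:", len(unresolved))
```

Every publicly crawlable page in the session is recovered exactly; only the URL containing a secret the server has never seen stays opaque, which is the one case where hashing changes what the server learns.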

------
aninteger
I've never understood why people install these types of extensions. It reminds
me of the toolbar overload joke image:

<http://jimcofer.com/personal/wp-content/uploads/2009/08/toolbar400gif-thumb.gif>

Aren't these kinds of extensions all about tracking you anyway? If there's a
page or website you think is valuable then bookmark it. If you want to share
it among multiple computer systems email the link to yourself.

~~~
synae
You're ignoring the primary (marketed) purpose of these extensions - social
sharing. The main value-add is that users can easily +1 (share, tweet,
whatever) from whatever page they're on. A secondary feature of some
(including this one) is to show how many other people +1'd (etc) it. There are
other extensions that exist with just the first part and not the second
(though they're usually not 'official') and I imagine those wouldn't be
"tracking" your activity (except what you're sharing). But, tracking isn't
really the main point anyway. Facebook and Google can do enough tracking
without browser extensions simply through market saturation. As far as I see
it, this extension just provides features that some users want.

Additionally, these extensions take up minimal space in Chrome. The screen
real estate each one gets is the same size as the settings (wrench) icon.
Sure, you could fill up your browser UI space with them, but it's much more
difficult than it is with IE and there are more hoops to jump through in order
to get them there. IE users were (are?) plagued by toolbars because they can
be installed externally from the application. As far as I know, Chrome
extensions can only be installed from within the application after several
prompts and confirmations.

~~~
Hrundi
The tracking should occur when the user performs the +1.

It shouldn't track the way it does, and it certainly shouldn't track HTTPS. It
is not even an issue of privacy, it is simple courtesy and common sense.

~~~
adgar
If the extension doesn't send the URL to Google anyway, then it can't know how
many +1s the page already has (and from whom). That's why it triggers on every
page load.

~~~
Hrundi
But Google already knows the +1's received by the page, regardless of the
visitor's login status.

Granted, it doesn't know if the visitor has friends that shared it. It still
doesn't excuse them for sending all URLs.

Facebook received a lot of flak for doing this and I don't see why Google
should be excused for this intentional "gaffe".

~~~
tomkarlo
You're missing the point - Google knows how many +1s the page received. But
the user's browser doesn't, so it can't display the +1 count without
contacting the server (and sending the page URL) to find out.

I have to wonder if this is an unintended side effect of the recent push to
have sites move to HTTPS - it used to be that HTTPS requests were mostly unique
to a user, but now lots of "regular" pages are being requested using HTTP and
if you want to make any kind of extension that returns data about pages (+1,
anti-phishing, etc) you're probably going to want to send HTTPS URLs as
well.

------
FlightOfGrey
This is why I use Ghostery (<http://www.ghostery.com/>) with Firefox to
prevent these sorts of things from tracking my online behaviour.

~~~
aam1r
Would love to use Ghostery or something similar for Chrome. Any suggestions?

~~~
invisiblefunnel
Ghostery is available for Chrome, among others:
<http://www.ghostery.com/download>

~~~
skystorm
Thanks for the link. Has anyone tried this and the Disconnect extension and
can share how they compare?

~~~
lanstein
Haven't tried Disconnect, but use Ghostery and see no need for anything else.

------
mayanksinghal
As far as my understanding goes and through comments here[1] Google's other
toolbar(s) are also capable of sending clickstream data. The only thing new
might be the introduction of UserID as now the +1 Extension has user logged
in, but I am not sure how that puts additional risk/privacy concerns.

Secondly, a lot of addons/extensions are actually asking for permissions to
all visited pages - it should not be hard to figure out who the current logged
in person is, if you do have _malicious_ intent (scraping opened FB/Gmail web
pages). There is inherent privacy risk in using extensions with a lot of
permissions!

[1] <http://www.quora.com/Google-Bing-Controversy-February-2011/Does-Google-Toolbar-send-clickstream-data-like-Bing-Toolbar>

------
gujk
Hmm, it turned out that information that users send to Google gets sent to
Google. Interesting.

------
suyash
Wow, that is downright scary! That is why I use incognito mode.

~~~
aw3c2
Unless incognito mode is something much different from what I think (temporary
browser session with none of the existing cookies etc) that does not prevent
this kind of issue. Pages you would visit in that session/mode would still get
tracked.

~~~
mmastrac
Incognito mode blocks all extensions by default, so you'd be safe from those
extensions that track your data by using tab events.

