
How Ghostery breaks simple websites - gnur
http://www.troyhunt.com/2013/11/fixing-ghoulish-html-behaviour-after.html
======
tech-no-logical
> [...] send Ghostery into the abyss [...]. I want the web to work like it’s
> intended to 99% of the time and I know how to control my privacy the
> remaining 1% of the time. You don’t need a plugin for that.

I want to control my privacy 99% of the time, and unfortunately I can't seem
to do it without plugins. yes, it's a pity that me protecting my privacy kills
your website. yes, I'd rather all these measures weren't necessary, but we're
at a point where I simply don't trust any third party, disqus included.

if all this screws your revenue, please use ad-providers that don't track me.
there aren't any ? well shucks, looks like I won't visit your website anymore
then.

(really, I wouldn't mind ads on a website, if that didn't also mean I'm
tracked everywhere. as it is now, I block almost everything, using ghostery
and/or disconnect, adblock(plus) and noscript. and I have no qualms about it).

~~~
sdoering
I can only agree, but it goes farther still. I do not(!) have Ghostery, but I
kill external requests by default (Plugin == RequestPolicy) and I block
scripts by default (== NoScript).

There are 8 foreign domains, that this site sends requests to. One or two seem
to be a CDN, one is creativecommons.

BUT:

I do not accuse anyone but myself for making this experience of visiting this
site a horrible one. As I do not want any foreign, plugged in web-servers, to
know, that I visited site a or b, I have to live with these kind of
experiences.

And I love RequestPolicy for the Job it does, enabling me to exclusively
control, who gets to know, I visited site a or b.

Sorry ajax.google, webfonts, disqus, addthis and so on.

~~~
ronaldx
I mostly agree with you but I _do_ blame the webmasters.

Every piece of third party content reduces the quality of the experience, even
assuming it works 100% correctly. I have never visited a site to check out its
third party content; it's rare that third party content has remotely enhanced
my experience.

Including third party content which tracks people across the web without any
concept of consent (here I am referring to Disqus) is unethical.

~~~
sdoering
Some third party content is fine by me. But why this tracking insanity?

If someone talks about some great tutorial on YouTube, I love it, if they
embed the video. OK, I would certainly block it nonetheless, but I could jump
to the vid if I wanted.

If they wanted statistics, they could use some OpenSource tools like Piwik.

------
Nursie
Yeah it breaks stuff.

But it also means that FB, Google et al don't get notified of every website I
ever go to ever. So I'll live with it. I wouldn't complain to website owners
about it, but I would probably stop going to their sites.

~~~
ams6110
Yes, I browse with NoScript and also an extensive /etc/hosts file to block
known ad/mal sites.

Sorry site owners, I browse on my terms, not yours. If I can't view your site,
that's your problem. I'll just move on.

~~~
subpixel
I use Privoxy, which is frankly more of a pain b/c there's no simple browser
tool to toggle on/off when it breaks a site (I have to occasionally turn the
proxy off in my Mac network settings).

But you know what? It's worth it. I'm not being tracked all over the web, I'm
not being served re-targeted ads, etc. I'll never go back.

~~~
stopthemadness
Since you're on OSX I would recommend using Privoxy with Little Snitch (which
is quite easy to toggle and tweak quickly).

~~~
subpixel
Do you mean control Privoxy with little snitch? I'd be interested in any links
about that, I'm not finding any.

~~~
stopthemadness
No, not directly. That possibility is somewhat intriguing though.

I simply meant Privoxy appears as a single "application" for Little Snitch
rules. It also provides fine grained rules for cases where Little Snitch is
too blunt, and each can be quickly and independently disabled when necessary.

------
bbx
AdBlock blocks the ads, Ghostery blocks the scripts. It's an interesting
combination that is less radical than NoScript, and still prevents loading
most of the annoying stuff.

Of course, if you want to limit the features of a website (whether it's a
feature for you, the user, or the website owner), you'll end up breaking some
stuff. It's a compromise between privacy and ease of browsing. Still, it's
very rare for me to reach a page that becomes totally unusable due to a script
blocked by Ghostery. The only example I have in mind is Adobe's Kuler [1].
It's a web app, and it's the kind of websites that tend to break with
Ghostery. But the UI is simple enough to circumvent those punctual failures,
by temporarily (or permanently) whitelisting the script and/or the domain.

[1] [http://jgthms.com/adobe-kuler-analytics-make-it-unusable.html](http://jgthms.com/adobe-kuler-analytics-make-it-unusable.html)

~~~
huhtenberg
A good chunk of AdBlock blacklists is scripts.

------
r0h1n
As an ex-Ghostery user, I can vouch for this. I switched to Disconnect after
recommendations from HN-ers and thus far it seems to be doing a better job of
not breaking sites and leaving users scratching their heads wondering what to
do.

[https://disconnect.me/](https://disconnect.me/)

~~~
simias
I concur. Not to mention this controversy:

[http://www.businessinsider.com/evidon-sells-ghostery-data-to-advertisers-2013-6](http://www.businessinsider.com/evidon-sells-ghostery-data-to-advertisers-2013-6)

~~~
nimbs
I wouldn't call that controversy, from what I can tell they've always been
clear about what they are. Ghost Rank option is literally the first thing you
see in the Ghostery options. As long as they respect that, I have no problems
with them.

~~~
spurgu
Plus it is disabled by default IIRC.

~~~
oneeyedpigeon
Yup, I've just installed it, and 'GhostRank' is disabled by default, as is any
blocking - you have to specifically ask for individual 'trackers' to be
blocked. Interesting how many are reported for various sites - twitter.com: 1,
apple.com: 1, facebook.com: 3, bbc.co.uk: 0, the author's site: 14,
theguardian.com: 21, news.ycombinator.com: 0.

------
matthewmacleod
Wow, he's a little pissed, isn't he?

This is a good case of a third-party extension going wrong. Yeah, ideally it
shouldn't happen, but I actually haven't seen this effect on any other site -
indeed, sites usually fail because of sloppy JS by the developer - depending
on Google Analytics being there or something similar. Ideally, sites should
not be totally dependent on external JS to work (what's going to happen when
Analytics goes down!?)

Honestly, I wish I didn't have to use this plugin. But whenever I'm not using
it, I get immediately irritated by a lot of sites - it's not so much the
tracking, which I'm pretty ambivalent about, but how _slow and janky_ many
sites become when they load so many scripts. Example:
[https://pbs.twimg.com/media/BVK2FLZCMAAkxKh.png](https://pbs.twimg.com/media/BVK2FLZCMAAkxKh.png)
- totally nuts.

~~~
kosinus
So an extension breaks a site, and the web developer is to blame for sloppy
coding? How can he ever predict all extensions and different versions of
extensions visitors might have on their systems?

Taking Google Analytics as an example, it guarantees the availability of
`window._gaq = []`, even if the external resource fails to load. If an
extension were to just detect and remove the script block, it'd kill the site.

This is an innocent and unlikely example, because no extension actually does
this. But extensions do other bad things much like it, and this post points
out _exactly_ one of those very bad things. It simply looks for a specific DOM
element, then goes and deletes _its parent_ from the page.

But yes, websites that have an abundance of trackers are crap. Remember that
it may also not have been the developer's decision.

~~~
hobs
The only thing I can say is degrade as gracefully as possible.

I am completely unwilling to unblock a site's main items (noscript user) unless
there is a pressing need for their content, and there rarely is. (Also, his
content works fine with noscript on. I don't get why ghostery would want to
inject more content into a site, that does seem a bit ridiculous.)

However, I don't blame the person who makes the site, we just have different
priorities.

------
jafaku
TL;DR: The author thinks using the browser in private mode is enough to avoid
being tracked, or at least he wants us to think that. He also wants everybody
to use the web in the same way he does.

~~~
xerophtye
Seriously? that's your take-away from the blog post? And not how a faulty
plugin was destroying the website, and how he solved the problem?

Kudos man. You deserve a Medal

~~~
Dylan16807
The post was part analysis, part opinion. The analysis was spot-on, but the
opinion seems to be based on a faulty understanding of web tracking.

------
ohwp
My bad, I didn't notice this was Ghostery's fault but commented that his site
didn't work.

I really like how Troy Hunt stepped into this.

First the "it's my fault attitude". I can learn from this because I blamed his
site but in fact it was my own problem because I used Ghostery. I think you
can become better at a lot of things when you first blame yourself :|

Second his dive into the problem and notifying Ghostery.

So, sorry for my 'way too quick comment' about the site not working. I'm now
using Disconnect and am enjoying your site :)

~~~
troyhunt
Oh hey, welcome back :)

------
kybernetyk
Yes, this annoys me a little with Ghostery. But overall the benefit it
provides me outweighs the few bugs it induces. (And honestly it's not that
hard to notice that something's wrong when the whole page stays white after
loading so you can temporarily disable ghostery.)

~~~
ben0x539
Doesn't that defeat the purpose? Anyone who really wants to track you is just
gonna have a failure mode under ghostery that requires you to turn it off.

~~~
pessimizer
I only do this with sites I really want to visit. My usual response to a site
that doesn't work with Ghostery or needs to set a cookie for anonymous
browsing is to go to another site for the same information.

------
DanielBMarkham
I find myself going through several phases when it comes to online ads.

At first, I was fine with online ads. Show me the cool stuff! And companies
did. And it was good.

Then there were blinking text, animated graphics, pop-ups to keep you from
the text, and forced waits while you were "served". And it was bad. So I
decided I never wanted to see an ad again.

I stayed with that for some time, until I started running my own web content.
Now it's like: but who's going to _pay_ for all of this? So ads don't seem so
bad -- as long as they behave themselves.

I'm okay with ads. Heck, I'm okay with paid promotional content, as long as it
identifies itself. But I'm not okay with FB inserting ads in my even stream,
Forbes making me watch ads before content loads, or advertisers getting into
my private life. And that's where we are.

So I'll take ghostery and lose access to a bunch of websites before I'll let
people's search for a buck turn me into some kind of open book for the rest of
the world to read.

------
marrs
Every time I use disqus I think that the site owner is being rather foolhardy,
not only outsourcing a key component of his site to a 3rd party, but making
Javascript a hard dependency as well.

Seems a bit naive to then blame the user for "breaking the web".

~~~
davidgerard
JS is effectively a hard dependency for the web these days.

~~~
walshemj
Not if you want to be crawled properly by Google and bing it isn't

~~~
victorhooi
Err, actually, the Google crawler has supported JS (in some form) for a number
of years:

[https://developers.google.com/webmasters/ajax-crawling/docs/specification](https://developers.google.com/webmasters/ajax-crawling/docs/specification)

~~~
walshemj
"in some form" hides a plethora of ways to screw your site up - just suck it
up and develop so your site has a clean URL structure and is fast and easily
crawlable (JS can cause problems with all 3 of these key features).

------
ds9
Ghostery is a kind of fallacy. Whenever I see talk on the web about tracking
and privacy, someone jumps in with "Just use Ghostery!". It's almost cult-
like.

If you use it or think you might, consider: Ghostery is closed-source; it's in
bed with advertisers; it reports to the mothership; and its blocking is based
on criteria set by someone other than the user. Oh, and in case that's not
enough, it breaks pages as described.

The better alternative in my opinion is Request Policy. It simply prevents
requests to third-party domains by default, and lets the user whitelist
selectively, each permission being either for the session or persistent, your
choice. Or you can reconfigure it as a blacklist. And it's open source and
non-commercial. (But please support the dev, if you like it.)

IMHO this functionality should be a default part of a browser in the first
place. Now I will shut up before I start ranting about how web developers give
away their site's data, and compromise user privacy by throwing in unlimited
numbers of third-party requests for functionality they could easily source
from own-domain.

~~~
luxpir
My thoughts exactly. Switching away from Chrome I loaded Ghostery/NoScript/ABP
into FF. Then became concerned about system resources (FF still bloated,
moreso now with extra plugins), then heard about the NoScript/ABP feud (as
well as NoScript having a Russian dev), then finally that Ghostery was run by
an ad company. All started to sound a bit ridiculous.

Currently have disabled Ghostery as a first step. Still running the other two,
but I like the sound of Request Policy and Disconnect mentioned elsewhere to
replace them. Happy to enable ads on sites I support, but not keen on the rest
of the creepy tracking.

Oh for the simple life...

------
belorn
> If you don’t want tracking then this is why we have in-private browsing.

I have never heard anyone thinking that "private browser mode" protects
against tracking. I wonder how common it is, particularly by web developers.

It should also be a nice hint to Firefox that their idea of incorporating Tor
into the browser by default is a good idea. If used, then private browser mode
would actually be helping against tracking. As it is now, it is simply a
do-not-save-a-local-history-file option.

------
voyou
So Ghostery has an option to remove chunks of the DOM that it thinks have been
added by Disqus, in an attempt to stop Disqus from tracking you. It's not
clear to me that this would actually stop Disqus from tracking you, because by
this point you've already loaded Disqus's JavaScript; and it's certainly not
clear to me how it would protect you better than just blocking the Disqus
JavaScript from loading, which would also have the advantage of not breaking
the non-Disqus related parts of pages.

~~~
hpaavola
Ghostery prevents you from loading the Javascript (at least on Firefox).

It does not protect you better than, say, hosts-file-based blocking, but it does
protect you equally well and still lets you load and run that JS just once if
you really need it.

------
j_s
Someone should call the wahmbulance¹ for this guy! In contrast, here is how
another company responded much more professionally when I informed them of an
issue caused by Ghostery:

    
    
      I believe I fixed this issue.
    
      Looks like the Ghostery plugin not only deletes the LinkedIN script tag, but every 
      sibling element around it (just to be safe?), which includes our entire blog 
      content. I've wrapped the LinkedIN script tag in its own span so Ghostery stays 
      away from our content. :)
    
      Please let me know if you can read our blog now.
    

¹
[http://www.urbandictionary.com/define.php?term=wahmbulance](http://www.urbandictionary.com/define.php?term=wahmbulance)

------
fixanoid
Hi everyone! I'm one of the Ghostery devs.

Ghostery started offering Click-to-Play (c2p) functionality a little while
back for some of the most common elements. It's very useful and our users love
it -- it simply and quickly answers the questions like where did my video or
comments go. Click-to-Play is configurable through Ghostery options and may be
disabled if the user wants.
([http://purplebox.ghostery.com/?p=1016023750](http://purplebox.ghostery.com/?p=1016023750))

Here's how Click-to-Play works in Ghostery. We have several databases that
are shipped with Ghostery, one of them is a click to play mapper that is
associated to particular trackers in the database. If a user happens to block
a tracker that's on the c2p map, Ghostery will take an extra step to examine
the DOM of the page where it blocked the tracker to find the visible anchor
where the element was supposed to sit and inserts its own Ghostery control to
let the user know at the expected place that Ghostery took action. In some
cases, we advise Ghostery to attach to the parent node because the element we
anchor to may be hidden or invisible. The anchors are provided by our
developers when c2p entries are created.

Troy runs his blog on Blogspot, and the integration Disqus has with Blogspot
is non-standard. Because of this, Ghostery's selector for c2p relied on specific
Blogspot format and attached c2p warning at the parent. A recent change in
Blogspot templates has created a condition in which Ghostery sometimes
removes the content of the site, like in Troy's case. This is a bug that will
be resolved in the next release.

To cover some other topics raised in comments:

- Incognito mode is a good defense, but it's not foolproof. Blocking and
running incognito mode is even better

- Disconnect is an alternative to Ghostery, but the reason you don't see this
issue with them is that it does not offer click-to-play nor does it block
Disqus

- Ghostery, while not open-source, hosts its source for review here:
[https://www.ghostery.com/ghosteries/chrome/](https://www.ghostery.com/ghosteries/chrome/)
or
[https://www.ghostery.com/ghosteries/safari/](https://www.ghostery.com/ghosteries/safari/).
Additionally, you may simply unzip the contents of any extension to see what
it does and how it works
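
The failure mode described in this thread, and the wrapper fix quoted in an earlier comment, modelled as an added example (not Ghostery's code and not written by any poster here). A constructed in-memory element tree stands in for the DOM; `insertPlaceholder`, the element ids and both sample pages are hypothetical.

```javascript
// Minimal element tree so the example runs in Node without a browser DOM.
function el(tag, id, children = [], text = "") {
  const node = { tag, id, text, children, parent: null };
  for (const c of children) c.parent = node;
  return node;
}

function findById(node, id) {
  if (node.id === id) return node;
  for (const c of node.children) {
    const hit = findById(c, id);
    if (hit) return hit;
  }
  return null;
}

function textOf(node) {
  return [node.text, ...node.children.map(textOf)].filter(Boolean).join(" ");
}

// Hypothetical model of a click-to-play blocker: swap a placeholder in for the
// widget's anchor element, or for the anchor's parent when attachToParent is set.
function insertPlaceholder(root, anchorId, attachToParent) {
  const anchor = findById(root, anchorId);
  if (!anchor) return false;
  const target = attachToParent && anchor.parent ? anchor.parent : anchor;
  if (!target.parent) return false; // never replace the document root
  const placeholder = el("div", "c2p-placeholder", [], "[blocked widget: click to load]");
  placeholder.parent = target.parent;
  const siblings = target.parent.children;
  siblings[siblings.indexOf(target)] = placeholder; // target's whole subtree is dropped
  return true;
}

// Constructed page 1: the comments widget shares a parent with the post body.
function sharedParentPage() {
  return el("body", "body", [
    el("div", "main", [
      el("article", "post", [], "Post body text"),
      el("div", "comments-widget"),
    ]),
  ]);
}

// Constructed page 2: the widget sits alone inside its own wrapper element.
function isolatedPage() {
  return el("body", "body", [
    el("div", "main", [
      el("article", "post", [], "Post body text"),
      el("span", "widget-wrap", [el("div", "comments-widget")]),
    ]),
  ]);
}

// Text a visitor would still see after the blocker attaches at the parent.
function textAfterBlocking(page) {
  insertPlaceholder(page, "comments-widget", true);
  return textOf(page);
}
```

With the shared parent, the placeholder replaces the container that also holds the post; with the wrapper, only the wrapper is replaced and the post stays on the page.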

~~~
wreegab
I noticed Ghostery doesn't prevent this tracker: betrad.com. Any idea why?

EDIT: my bad I meant betrad.com.

~~~
fixanoid
Hi troll! You are mistaken, betrad.com is in our database under Evidon.

~~~
wreegab
You're right, my mistake. There was a typo in my grep ('btrad.com')

------
levosmetalo
I'd rather use a broken website with Ghostery than allow my private browsing
data and history be available to someone free of charge.

You want your site working nicely for Ghostery users? Great, then just remove
privacy invader scripts from it, and you won't be affected.

~~~
jasonlotito
So you didn't read the article. It had nothing to do with scripts invading
privacy. The issue was Ghostery's fault. They admitted to it.

~~~
levosmetalo
Yes, I read it. I'm just saying that even if it's Ghostery's fault, I would
rather use it than not for the privacy reasons.

------
threepipeproblm
Others have mentioned NoScript. I find that when NoScript particularly bombs
is when the referenced JavaScript domains themselves reference 3rd party
domains. I am not up to date on how JavaScript is dynamically loaded but this is
what I have pieced together.

For example, suppose you are using NoScript to view www.somedomain.com. You
check the NoScript menu to find and enable www.somedomain.com,
www.somedomaincdn.com, and youtube.com. But suppose whatever youtube.com
scripting is done, in turn, relies on say www.youtubecdn.com. You are not
going to see this "3rd party domain" on the NoScript menu.

I have found by trial and error, mostly just visiting the "2nd party" domains
and looking at their dependencies, I can often tell a site owner how to make
their site work with NoScript. Basically they just need a reference to the
indirect dependency, even though it isn't needed per se.

Hope this helps someone out there!

------
oneeyedpigeon
First off, I appreciate the points this post highlights and it's encouraged me
to check my own site which has two items blocked by Ghostery - google
analytics and typekit. Fair enough on the former, the latter is less
understandable, although I guess that any third-party javascript requests can
expose the user to tracking, so I still don't have a problem with that. That
leads me onto my main point:

As soon as you outsource functionality, you give up layers of control. The
relevant website is outsourcing not only to Disqus for comments, but blogger;
the author then complains that they don't have as much control over their
content - go figure. I've never really considered that the benefits of disqus
outweigh the disadvantages - why not just own your own comments, have more
control over them, deliver a faster experience, etc.?

~~~
GhotiFish
a well made comment system is a fair amount of work, and you are vulnerable to
spam.

I agree with you though, it's not worth having disqus whore your patrons to
the highest bidder and make product suggestions in your name.

~~~
oneeyedpigeon
Agreed; but I'd rather have the problem solved server-side, and allow a
publication to own its comments. That said, comments in general appear to be
falling out of favour.

------
NanoWar
> I want the web to work like it’s intended to 99% of the time and I know how
> to control my privacy the remaining 1% of the time.

I want the absolute opposite, is it just me?

------
sqqqrly
Why is he using disqus for primary content? If I want to see the discussion,
I'll turn disqus on. When the primary content is hidden like this, I just go
elsewhere.

------
hoopism
Thanks for this post... I noticed that there were several things I had
neglected to turn off on ghostery and I went ahead and added them.

------
csmuk
Perhaps similarly, the EasyList tracking protection list for IE browsers stops
you from signing up for a Windows Azure account.

------
spurgu
I've learned this the hard way so the first thing I do after installing
Ghostery is disabling everything but Disqus.

------
throw7
How javascript breaks simple websites.

