Disqus comments adding third-party ad-tracking (notes.ayushsharma.in)
192 points by heavyrain123 on Sept 25, 2017 | 80 comments

Shameless plug: As someone who was fed up with Disqus, I decided to build my own commenting platform (https://hostedcomments.com/) with a focus on privacy: no ads, no tracking scripts. Having come across numerous instances of people complaining about Disqus and some even willing to pay for an alternative, I realized that this could potentially be turned into a SaaS. You can see the commenting system in action here: https://www.ploggingdev.com/2017/08/building-a-disqus-altern...

Any feedback is welcome.

Edit: If you're interested, you can register and add comments to your website. Currently there are no limitations on user accounts and there is no payment processing built in to the signup flow, so no CC required.

Good idea!

Two things:

1. Please make sure you support all languages (utf-8).

2. Some public forums want anonymous posts that they can check and allow manually but still need to know who it came from (newspapers in Sweden do this a lot). Usually requires entering an email address every time and a checkbox "I prefer to be anonymous".

> 1. Please make sure you support all languages (utf-8).

I'll need to cross check, but I think with the default settings, it's currently supported.

> 2. Some public forums want anonymous posts that they can check and allow manually but still need to know who it came from (newspapers in Sweden do this a lot). Usually requires entering an email address every time and a checkbox "I prefer to be anonymous".

Good idea, I'll add support for anonymous posting with appropriate moderation policies to prevent spam/abuse.

Thanks for the feedback.

I almost did this, there are a couple around (remarkbox.com for example). What I contemplated, as a way to circumvent ad blocking, was to offer a "white label" service, so the user could configure "comments.mysite.com" with a CNAME to point to www.hostedcomments.com so the comments would appear to be hosted by the same domain.

I guess that would fool most ad blockers, and users would have to blacklist the "comments.mysite.com" on an individual basis. Seems kind of shady to me. Have you considered this?

Two points:

There's nothing wrong with using the CNAME if you're only serving comments off that domain.

Also, I'm pretty sure you can regex adblocking DNS entries, so you could block on comments.. pretty easily with minimal casualties. You'd have to intentionally randomize it to bypass adblockers... Which will probably get your domain listed as a badhost by most peers.

(Smarter adblockers would check for CNAMEs and IP blocks, but let's not escalate the arms race for no reason.)
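The CNAME check this comment attributes to smarter ad blockers, as an added example that is not part of the thread: it follows a host's CNAME chain and flags a first-party subdomain whose alias lands on a blocklisted domain. The DNS records, host names and blocklist are constructed for illustration; a real blocker would obtain the chain from a resolver.

```javascript
// Added example. All records and the blocklist below are constructed.
const SAMPLE_CNAMES = new Map([
  ['comments.blog.example', 'widgets.tracker.example'],
  ['www.blog.example', 'blog.example'],
  ['loop-a.blog.example', 'loop-b.blog.example'],
  ['loop-b.blog.example', 'loop-a.blog.example'],
]);
const SAMPLE_BLOCKLIST = ['tracker.example'];

// Lower-case the name and drop a trailing root dot.
function normalizeHost(host) {
  return host.toLowerCase().replace(/\.$/, '');
}

// Follow CNAME records from host, stopping on loops or after maxDepth hops.
function resolveChain(host, records, maxDepth = 8) {
  const chain = [normalizeHost(host)];
  const seen = new Set(chain);
  while (chain.length <= maxDepth) {
    const next = records.get(chain[chain.length - 1]);
    if (!next) break;
    const target = normalizeHost(next);
    if (seen.has(target)) break; // CNAME loop: stop instead of spinning
    seen.add(target);
    chain.push(target);
  }
  return chain;
}

// Return the blocklist entry that covers host (exact or subdomain), or null.
function matchBlocklist(host, blocked) {
  return blocked.find((d) => host === d || host.endsWith('.' + d)) || null;
}

// Name-based blocking only sees chain[0]; the CNAME check inspects the aliases.
function checkHost(host, records, blocked) {
  const chain = resolveChain(host, records);
  const direct = matchBlocklist(chain[0], blocked);
  if (direct) return { verdict: 'blocked-by-name', matched: direct, chain };
  for (const alias of chain.slice(1)) {
    const hit = matchBlocklist(alias, blocked);
    if (hit) return { verdict: 'blocked-by-cname', matched: hit, chain };
  }
  return { verdict: 'allowed', matched: null, chain };
}

for (const host of SAMPLE_CNAMES.keys()) {
  const r = checkHost(host, SAMPLE_CNAMES, SAMPLE_BLOCKLIST);
  console.log(host, '->', r.verdict, r.chain.join(' > '));
}
```
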

Is this open source and can be self-hosted? If not, it's just another Disqus.

It's closed source.

> it's just another Disqus.

The main difference is the privacy aspect since I don't track users or serve ads. Disqus' business model depends on collecting user data and monetizing it, unlike mine where I directly charge website owners to embed comments.

> I don't track users or serve ads.

That's probably what Disqus would have said too if you asked them when they were in your phase. Privacy concerns aren't solved by promises, they're solved by infrastructural and technical decisions that make tracking impossible and/or simply not profitable.

…and if I was looking for a hosted solution I'd probably go for https://www.discourse.org/ as it's open source and possible to self host if I'd like to migrate to that some day.

Closed source means users are unable to verify your marketing claims about tracking. Privacy conscious users like myself would prefer an open-source commenting platform, even one with tracking, since we could verify how it worked (and also take it a step further and circumvent tracking by examining the source).

Also, what's to prevent a provider from double-dipping? If you can sell the product plus your users' data you can presumably generate even more income. For example, mobile phone carriers sell monthly plans to users and some sell users' location and usage data (usually "anonymised") to advertisers.

I don't mean to imply that you are doing these things, or that you ever would, but without independent verification by a trusted third-party, all the users have to go on are your marketing claims. What's your plan for dealing with sceptical users?

I guess I'll have to earn trust the long, hard way:

* clear policies on how user data is handled

* explicit commitment to never sell user data to third parties

* transparency about any specific concerns users might have

* no dark patterns to trick users or website owners

* a track record of good decision making and staying true to the commitment to privacy

And for people who find me through forums (including HN) or via my blog, I think my privacy + no bullsh*t leanings are pretty clear.

Since I'm solo and bootstrapped, I don't know what options I have regarding independent verification of my claims, but if I get to a point where I can explore such options, I'm all for third party verification of my claims.

Could you tell why you choose to make it closed source?

Not op, but here is an obvious and valid one: Because it is easier to monetize that way.

To prevent people self-hosting and selling an overpriced service to people who do not know better and will be disappointed when the service closes or when they want to migrate their data to another service.

You don't make money with open source unless you are big enough.

Appreciate the quick response. That's a very good list, and I would only add "all user data will be deleted if service is sold to another company" to it.

What do you mean by user data? As in every commenter owns his comment, or as in the paying customer owns the data from the commenters?

This may make quite a legal difference when the justice system gets eventually involved.

Most of those are not a problem with closed source per se (closed source binaries you run yourself can still be inspected, monitored and even reversed). It's a problem with the SaaS model. Even if you open-source everything, how can I know you're actually running the same code you've open-sourced? I can't. And since most SaaS businesses track users like there's no tomorrow, you get perfectly reasonable distrust by default.

You have the ability to turn off data sharing in your admin settings. You can also opt for a paid plan to turn off ads or if you are small enough then you can use the service for free w/o ads. There are options.

> The main difference is the privacy aspect since I don't track users or serve ads.

If history has shown us anything, it's that everyone has a price and if someone comes along with enough money you'll change your tune. No thanks.

Closed source means there is no way to migrate from you as a provider and no way to keep the comments when your service eventually folds. That's a "no deal" proposition, thank you - but no thank you.

What do you mean by privacy aspect? Is there any encryption going on? Who has the key? How is the code audited? What's your stance with law enforcement? Is there zero knowledge? Is it possible to export all data to migrate to another service?

AFAIK I agree that this is another disqus, third party hosted, no privacy expectation, vendor lock-in, etc. also very expensive.

> Just copy paste a little code snippet and we manage everything.

It's another Disqus.

This does not mean that ads are the only possible model, of course.

Following that logic any non-open-source comment platform would be another disqus.

Yes, that's exactly what it means.

Still, I would say the problem isn't open source or not, it's the SaaS model. SaaS is the ultimate closed source, because you have no way (nor right) to tell what the service is doing with your data.

Are facebook comments "just another disqus" then?

In the sense that is under discussion, yes.

Will it survive SESTA?

You lose virtually nothing if you just block Disqus wholesale with an ad blocker. I'll admit it's quite nice for replying to comments on blogs, but there's no reason that a) needs to happen in a public comment and b) that you cannot provide an email for people to reach you at. In any case, almost all the good conversation is in a secondary place—reddit, hacker news, social media.

I'm far more likely to send you an email than I am to sign into an unaffiliated third party and trust their cookies.

> You lose virtually nothing if you just block Disqus wholesale with an ad blocker.

Unfortunately, that's not true for the blogs I read.

I used to block Disqus because (#1) it loads slowly, and (#2) it is a memory hog (Disqus' javascript code always has a memory leak in both Firefox and Chrome)

However, I ended up missing out on critical information that readers left in the Disqus comments. For example, a blogger might review a power tool and a commenter might ask "what's that accessory you're attaching to it?"; the blogger will then reply with the answer and may attach a link to the product in Disqus.

Similar situation with programming blogs. Some followup Disqus comment may have a correction of syntax, etc.

(I wish people would stop leaving useful information in Disqus comments so I can go back to blocking it again.)

Any advice on blocking disqus junk-related stuff while still being able to view the comments? I've tried tweaking my ad blocking in the past, and I could either let all of disqus through, or end up with their scripts behaving crazily, repeatedly trying to reach blocked contents and eating CPU.

In uBlock/AdBlock, try blocking third-party domains like .doubleclick.net or .tapad.com (but not .disquscdn.com) and block third-party cookies in your browser's settings.

I modified my blog recently to require users to click a button before disqus is even loaded on the page. I think it gives the best of both worlds.
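The click-to-load approach this comment describes, as an added example that is not the commenter's code: no request goes to Disqus until the reader presses the button. The shortname `example-shortname` and the button id `load-comments` are assumptions, and the page is assumed to already contain the `<div id="disqus_thread"></div>` container that the Disqus embed fills.

```javascript
// Added example. "example-shortname" and "load-comments" are placeholders.

// Build the embed URL, rejecting anything that is not a plain shortname so a
// bad config value cannot point the script tag at another host.
function disqusEmbedUrl(shortname) {
  if (!/^[a-z0-9-]+$/i.test(shortname)) {
    throw new Error('invalid Disqus shortname');
  }
  return 'https://' + shortname + '.disqus.com/embed.js';
}

// Wire the button so the third-party script is injected once, on demand.
// Returns the loader function, or null when the button is not on the page.
function installClickToLoad(doc, buttonId, shortname) {
  const button = doc.getElementById(buttonId);
  if (!button) return null;
  const url = disqusEmbedUrl(shortname); // validate before any click happens
  let loaded = false;
  function loadComments() {
    if (loaded) return false; // ignore repeat clicks
    loaded = true;
    const script = doc.createElement('script');
    script.src = url;
    script.async = true;
    (doc.head || doc.body).appendChild(script);
    button.disabled = true;
    return true;
  }
  button.addEventListener('click', loadComments);
  return loadComments;
}

// In a browser, attach to the real page; skipped when no DOM is present.
if (typeof document !== 'undefined') {
  installClickToLoad(document, 'load-comments', 'example-shortname');
}
```
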

I'd say that the simplest default is to just block Disqus by default. You can always opt in for one of the like five sites in the world with tolerable comments sections.

Disqus usually still "shows" when blocked; it just doesn't load the comments, so it's not like it'll be hidden from you that way.

While it's true that almost all the good conversation is in a secondary place, it's also true that a lot of it would not reach the author, especially if the discussion happens in a secondary place that the author would not expect it to.

Right. It's on the author to provide any means of communication that doesn't go through disqus—say, twitter, email, slack, github, keybase, etc etc. I can't think this would be onerous for anyone.

Call me old-school but email works. Everyone has an email address. It's so simple, is a standard. They can even do a fancy portal to email, as a form. Email even sits there until you have time to deal with it.

I've been using email successfully, since the early 1980s. It's easy enough for us old people to understand. Well, some of us understand it. Some folks insist on doing it in emacs, but they are few and far between.

Email in Emacs has come a long way in the past few years.


How does that saying go?

Emacs, it's a great operating system but a really lousy text editor.

When I first learned to use a computer, you were fancy if you had an amber screen. These days, I don't even get involved in the vi vs. emacs wars. Instead, I recommend gedit.

The other day, someone was pointing out that you could use one of the image libraries and browse in emacs with ASCII art images being generated on the fly. They were seemingly proud of this. I kinda felt bad for them and I wanted to send them a mouse.

I'm only half joking. So long as it works for the individual, who am I to tell them what to do? It does seem pretty crazy, but the world needs crazy people.

Great observation about the secondary place hosting of comments. Once I read about some of the privacy weaknesses surrounding Disqus I have dropped out of all such conversations even when strongly tempted to add my 2 cents.

> there's no reason that a) needs to happen in a public comment and b) that you cannot provide an email for people to reach you at

I blog a decent amount, and I don't like getting emails about my posts. I'd much rather have the discussion publicly. When we talk in the open other people can contribute to and learn from the discussion. Putting lots of effort in a careful back and forth conversation with a reader is much less worth it if it's a private 1:1.

(If I wanted to talk about things where people couldn't be honest in public it would be different)

I mean this is fine, so long as you realize a lot of people prefer any other method of communication and you're likely missing out on feedback.

The feedback I was getting when I explicitly invited people to send me email wasn't generally that good, plus was a lot more hassle to respond to for less benefit. People can still find my email on my contact page, but pushing people to comment publicly has definitely been better.

I agree with you but third party commenting systems are terrible and hosting your own means legal liability.

I deal with this in a weird way: people comment on fb/g+/hn/reddit and then I pull the comments onto my blog via a server-side script. For example, comments on my most recent post: http://www.jefftk.com/p/paypal-giving-fund

The (terrible) server-side code is https://github.com/jeffkaufman/webscripts/blob/master/commen...

I don't think this article is correct.

As the blog owner you opt into ads on your blog in disqus. If you don't want the ads go check the settings in the disqus control panel and all 3rd party requests disappear.

Checking my own blogs using Disqus, I see no 3rd party requests at all with my ad blockers off.

Tracking is turned on by default, but it's pretty simple to turn it off as the site owner. It's clearly marked in the administration section. As you said, with ad tracking turned off there are no such requests.

Thanks for the reminder to install ublock origin. https://github.com/gorhill/uBlock#installation

I've never made it more than 30 seconds on a fresh browser install without getting several harsh reminders.

Time and time again we see "free" companies on the internet have three Lorenz attractors that they evolve towards: 1) users being heavily limited in features without paying a large enough sum of subscription money to subsidize others, 2) sell everyone's data and continue to operate, or 3) disappear.

The tracking ad bubble is one of my favorite topics right now.

I'm still hoping for #3 with Disqus.

Use Talk, part of the Coral Project by Mozilla (http://coralproject.net/products/talk.html) instead of Disqus. It is open source and respects your privacy.

I only recently created a disqus account to post a comment somewhere. Thanks for the heads up. I won't be making any more comments through their platform. I'll also block them using NoScript.

One of the best alternatives I've found is https://intensedebate.com/ from WordPress.

Copy a line of JavaScript onto your page and you can host comments. Commenters can sign in with various SNS, or email. Easy to manage and filter. Email alerts.

Only one problem - WordPress have abandoned it. It still works, but there are no updates. So some of the icons look dated. And who knows what security holes are present :-/

Any alternatives to Disqus for personal blogs?

Also Talk [1], which you can self host! (Disclaimer, engineer on the team!)

[1]: https://github.com/coralproject/talk

Cheers, I've used it on WashPo and thought it was a great experience as an end-user.

Yes, Isso [1] if you can self host. Whilst it doesn't track you like Disqus, it does have issues. For one you must have unsafe-eval in your CSP policy. That's something I'm not very fond of, so I've started to build an alternative: Oration [2], but it's not ready just yet.

[1] - https://posativ.org/isso/

[2] - https://github.com/Libbum/oration

I looked into this recently--Isso is heavily tied to sqlite w/o good reason. I would not recommend from a high availability or even simple backup perspective.

The other key feature I'm curious about w/ Disqus alternatives is spam filter performance. Isso does not have any besides manual curation of comments.

Both points you make are certainly valid. I'd say that Isso really targets low readership blogs that do just fine on a cheap unmanaged VPS instance though, so a high availability alternative isn't a requirement for that demographic.

Unfortunately this also rolls over to the spam filter portion. There were discussions in the bug tracker about this a while back, where the main Isso dev stated that it's a mostly obscure piece of software and spammers are not currently targeting it, so why bother worrying...

sqlite3 is really easy to back up. You can dump out SQL or just copy the .sqlite files.

Scaling it horizontally is where it starts to get tricky.

https://staticman.net/ if the idea of having static comments is a plus for you.

There's always Echo Chamber: https://github.com/tessalt/echo-chamber-js

I wrote a self-hosted alternative:

* https://github.com/skx/e-comments/

You can see the demo-page here:

* https://tweaked.io/guide/demo/

Let me be silly: go back to the nineties.

Provide your email address as an image, receive the comments in your inbox, append the really interesting ones to your blog article.

You really want to remove the spam and will have to do some moderation in order to keep your comments feed clean and interesting anyway. Making it a bit more difficult for your readers to comment has the advantageous effect that they'll think twice before writing. Moreover it also changes the way they write, because now they are addressing a specific person instead of talking to everyone.

For sure it will probably drastically reduce the number of comments you get, but which one do you prefer: quantity or quality?

Putting your email in an image is a hassle for the user. A better option is to wrap a link in javascript that "constructs" your email from an encoded string and sets the link's href to the appropriate mailto on hover. This is user friendly but incredibly hard to harvest in an automated fashion.

As a self hosted blogger who uses Jekyll to build the site, and Emacs to do email, that sounds like a workflow that would be easy to automate.

Provide a form so people can write to you without disclosing their email or even having one.

Old mate at plogging dev is working on one as we speak. He got a bit of traction here a while ago (can't find link)

Blog here: https://www.ploggingdev.com/

Thanks for the mention, I just deployed the code: https://www.hostedcomments.com/

Demo page where you can comment: https://www.ploggingdev.com/2017/08/building-a-disqus-altern...

I'm building a Disqus alternative called Remarkbox.

You should add your list to the private beta to join the other active testers.

Check it out here: https://www.remarkbox.com

One note as to the doubleclick ad server. That's coming from Google Analytics where your page view tags require the demographics add on (the name of which escapes me at the moment).

GA uses the double click network to give you those age, gender, and interest category information.

While at it, OP might also get rid of CloudFlare, Google Analytics, Google Fonts, and the social buttons as they all track users for ad purposes (ok maybe not CloudFlare but it is still a smart move to get rid of them).

A few years ago I migrated my company's dynamic site with blogs, articles and marketing info to a static site generator (Pelikan? Nikola? I don't remember). Part of that was moving our comments all over to Disqus, and converting a few small marketing functions to Javascript (showing testimonials).

Disqus was pretty cool at the time, including their presentations to Pycon and their design. I wondered how the funding would go but was a pretty big fan.

Switching to a static site generator was the right choice, since 2-3 new blog posts have been written since I left. ;-)

I am using WPDiscuz: https://wordpress.org/plugins/wpdiscuz/

The free version is good enough for casual blogging. No ads, no tracking, visually appealing.

Is Viglink from Disqus as well? They overwrite links to turn them into affiliate links. Would not be surprised if this was happening in Disqus comments.

I removed Disqus from my static blog when I realized how much it downloads JavaScript to work.
