I see these global login-once, comment-everywhere systems on more and more pages. I didn't do my homework of tinkering, debugging and searching before asking, so my question is as follows:

  1. You login on site A and leave a comment.
  2. Now you go to site B, which uses the same global comment system. At the bottom of the page a request form with your name and data appears for you to add a comment on page B. You don't leave any comment and browse away.

Does the global-comment provider get information about the fact that you visited page B, even if you don't leave any comment?

I will dig into the code as soon as I have time, but in the meantime I would like to ask for your insights in this regard.

+1  A: 

Yes, they certainly can. This is typically made available in several ways. First, there's the Referer header. For Disqus at least, they use script URLs like http://subdomain.disqus.com/thread.js?url=main_page_url&trackback_url=null&trackbacks=null.

So even if you have the Referer header disabled, they can still tell you went to main_page_url. If you have scripting disabled, you can't use the service. However, you could disable the Referer and enable scripting for that domain only temporarily. NoScript can help with this.

Matthew Flaschen
OK, but how is the binding between your Disqus account, your browser and the page you visit done? Cookies? I guess that the XHR allows another site to access its own cookies even if the main URL of the page is different, right?
Stefano Borini
Yes, besides your IP (which they get for any connection), if you're logged in, your browser will send cookies (a sessionid in Disqus's case) for every script you access.
Matthew Flaschen
A: 

For a few people it is, like the EFF.

For the rest of the world it's really not considered. Sure, there are some Facebook privacy groups and the like.

The kind of tracking you are asking about exists, but at about 20 times the magnitude you are worrying about. Tracking a user between several sites is done by every web service provider whose content is linked from third-party pages, such as Google Analytics, Digg/StumbleUpon/Facebook widgets, and Gravatar images.

Take for example the Gravatar service, which can be considered quite simple: only a linked image, no JavaScript. This service will be able to track every individual surfing all sites with Gravatar images on them. They will also know all sites where a single user has commented. Even if a user hasn't registered their email with Gravatar, it still has enough to make a profile about that user.

If you are writing any kind of global web service that is included on other websites, the best bet is to not mention privacy unless you have to - that will reduce the privacy concern.

Update, Gravatar

Although Gravatar is not a commenting system, it is a subset of the features, with the same privacy concerns that are being asked about. Using JavaScript and having users log in only makes it easier, not possible.

phq
Gravatar does not know which site I am visiting. It sees a request that gets rendered on my page as an image, but knows nothing about who triggered that request, unless the referrer entry gives it away... but I assume that the referrer is given only for clickable links. Wrong assumption?
Stefano Borini
@Stefano, yeah, your assumption is wrong. I currently have Gravatar disabled mainly for speed, but partly for privacy. See also http://meta.stackoverflow.com/questions/4553/non-gravatar-avatar/5658#5658 (look at the image in the post).
Matthew Flaschen
Tracking of the IP address is not really a concern for me, since it most likely changes, and my name and surname aren't slapped on it unless a legal inquiry is made to my provider. What is a concern for me is that my unique login gets associated with what I visit, and this information is made available to a third party. This is the exact reason why I installed my own OpenID provider instead of relying on the commonly available solutions. OK, an objection to this would be that my provider knows what I browse and Google knows what I search, so I'm torn.
Stefano Borini