Forgot your password?
typodupeerror
Privacy The Internet Your Rights Online

Tynt Insight Is Watching You Cut and Paste 495

Posted by timothy
from the peeking-at-your-poke dept.
jerryasher writes "In recent weeks I've noticed that when I copy and paste text from Wired and other websites, the pasted text has had the URL of the original website appended to it. Cool, and utterly annoying, and how do I make that stop? Tynt Insight is a piece of Javascript that sends what you copy to Tynt's webservers and adds the backlinks. Tynt calls that a service for the site owner, many people call that a privacy invasion. Worse, there are some reports that it sends not just what you copy, but everything you select. And Tynt provides no opt outs. Not cookie-based, not IP-based, but stop-it-you-creeps-angry-phone-call-based. It ain't a pure useful service, and it ain't a pure privacy invasion. But I sure wish they'd go away or have had the decency never to start up in the first place. I block it on Firefox with Ghostery."
This discussion has been archived. No new comments can be posted.

Tynt Insight Is Watching You Cut and Paste

Comments Filter:
  • use noscript! (Score:5, Informative)

    by Anonymous Coward on Thursday January 14, 2010 @01:33PM (#30768096)

    Only run the javascript you want.

    • It seems to me the advantage of ghostery over noscript is that (as I understand it) it has a database to identify what the javascript and urls are. I use noscript occasionally, never used ghostery though so idk
      • in Opera... (Score:5, Informative)

        by AliasMarlowe (1042386) on Thursday January 14, 2010 @02:00PM (#30768634) Journal
        Just make sure that the option "Allow scripts to detect context menu events" is left unchecked (this is the default). Then you can select text/graphics/whatever, and copy operations via right mouse click are not observable by javascript.

        In fact, javascript can't detect any right click actions in Opera unless you explicitly allow it. So copy, paste, translate, search, dictionary, encyclopedia, etc. actions can't be monitored by javascript in a web page.

        This feature was in earlier versions of Opera as well, but the checkbox was named differently.
        • Re: (Score:3, Informative)

          by LordKazan (558383)

          having right click detection disabled breaks some very useful sites.. like Google maps

          • Re:in Opera... (Score:5, Informative)

            by sconeu (64226) on Thursday January 14, 2010 @02:17PM (#30768916) Homepage Journal

            Then allow it in your site preferences for maps.google.com

          • Re: (Score:3, Informative)

            by freeweed (309734)

            Yes and no. It took my slow brain a while, but I eventually realized that when you right click in GM, and the context menu comes up, you can hit escape and it will go away - leaving the Google menu for "directions to here", etc visible.

            Broken, but with a simple workaround.

          • Re:in Opera... (Score:4, Interesting)

            by Sparr0 (451780) <sparr0@gmail.com> on Thursday January 14, 2010 @04:03PM (#30770676) Homepage Journal

            I maintain public and private maps for a number of businesses, organizations, and events. I submit map data corrections both directly to google and previously to their map data providers on a weekly basis. I regularly use their walking directions and topographic maps to plan bicycle treks. I have implemented multiple business and gaming oriented applications including or built around the maps API. I am a Google Maps power-user...

            And I never knew that there was right click functionality on the main maps interface. When I right click, I get the normal right-click-on-an-image context menu (View Image, Copy Image, Copy Image Location, Save Image, etc). What does that menu do for you? In what way is the site broken without it?

        • Re: (Score:3, Insightful)

          by zlexiss (14056)

          I just go to Block Content and put in an entry for *tynt.com*

        • Re: (Score:3, Insightful)

          by JohnQPublic (158027)

          Yeah, this is why I love Opera. Firefox may have lots of add-ons, but Opera always does everything I need it to, right out of the box, and its defaults are extremely sensible.

      • Re:use noscript! (Score:4, Interesting)

        by c0d3g33k (102699) on Thursday January 14, 2010 @02:14PM (#30768854)

        I actually have both installed, and haven't noticed any adverse effects or conflicts. NoScript handles the "selectively allow this", while Ghostery tells me about web bugs and such, and lets me identify the JS and urls, as you point out. Ghostery seems to stay out of the way quite nicely, while NoScript does the heavy lifting.

    • Re:use noscript! (Score:5, Informative)

      by melikamp (631205) on Thursday January 14, 2010 @01:36PM (#30768200) Homepage Journal

      I have to second this. NoScript is now my favorite extension, with ABP being a close second.

      • Re: (Score:3, Informative)

        by Anonymous Coward

        NoScript users are going to be a minority of internet users, but you have to be INSANE to browse without it.
        I whitelist base 2nd level domains, but noscript really highlights the amount of CRAP that many sites use, like fuck-up-you-shit-apis.com

        A page rarely appears, or functions differently with all 3rd party scripts blocked. It also might be blocking some advertising, but I can't tell if Adblock got there first.

        • Re:use noscript! (Score:4, Insightful)

          by melikamp (631205) on Thursday January 14, 2010 @03:24PM (#30770056) Homepage Journal

          but noscript really highlights the amount of CRAP that many sites use

          OMG, yes. I have temp allow button on my toolbar and I click it for fun sometimes. On wired.com, 29 scripts are blocked, and the site seems to work fine. Inside an article, 47 scripts are blocked, but I can still read the article, probably because the bulk of Wired content is plain text with pictures, which is being handled (very well) by a super-tech known as plain HTML.

          Seriously? They want my poor rig to plow through 47 scripts, while all I get, as a Web reader, are 6 paragraphs of text and a stupid photo?

    • Re: (Score:2, Interesting)

      by Montezumaa (1674080)

      I read their website, and it looks like they offer a program for users to install. Is this what the article is referring to, or are webmaster running a script to allow Tynt Insight to track what I copy and paste, irrespective of whether or not I install Tynt's program? If it is the former, then do not install the damned program. This is just like the whole social-networking sites and people bitching about privacy.

      If it is the latter, then install No-Script(which everyone should have) and block the shit o

    • by Itninja (937614)
      I am also a NoScript fan. I love it's use of the 'whitelist' security model. Instead of making me tell it everything I want to block, it blocks it all by default and I tell it what I want to see. I wish all security products used this model.
    • Re: (Score:3, Insightful)

      by Hurricane78 (562437)

      There’s a giant problem with this:
      - You are not going to inspect every JavaScript you want to allow.
      - Which means that you only might know what it does, when you enabled it.
      Which makes the whole exercise kind of pointless.

      An example is a MySpace or YouTube XSS script. Those sites are not usable without JS. So you enable it. But they are also the sites that are targeted the most. And that’s the problem.

      Does NoScript have a automatically updated white-list? And if yes, who decides what gets in the

      • Re:use noscript! (Score:4, Insightful)

        by epine (68316) on Thursday January 14, 2010 @03:58PM (#30770584)

        I'll take my solutions in half measure, thank you very much. A half-measure here, a half-measure there, pretty soon I'm better off than the chump beside me.

        The absolute win with NoScript is that no scripts run on a site you didn't mean to visit. Maybe the mouse slipped, or you clicked something dubious in a late night haze, or a google search result looked good in précis but you land with a giant OMG! thump. With NoScript you can bail, and you still know where you've been.

        Most sites work with just scripts from the base URL. I'm on a lot of sites with half a dozen or more scripts blocked, and it works fine.

        For places that look a bit dubious, I use temporary mode.

        I'm sure there's some monkey business going on with the base scripts I'm permitting on many sites, but a lot less than shacking a rugby team in a convent. I say it's a pretty good first measure if they have to sneak across the quad.

        All in all, it sounds very much like a half-assed illusion of a solution.

        Quoting the forefathers of gender-segregation are we?

  • by tjstork (137384) <todd@bandrowsky.gmail@com> on Thursday January 14, 2010 @01:34PM (#30768124) Homepage Journal

    I thought that to allow JavaScript to access the clipboard, you had to opt in, and even then, you can't really do it the right way under FireFox or Chrome. Like, JavaScript clipboard access is an IE only thing.

      Are we sure this isn't a Java application or something?

  • by srmalloy (263556) on Thursday January 14, 2010 @01:34PM (#30768142) Homepage

    NoScript will also block it, and if you configure it to block by default, Tynt's code will never execute unless you specifically permit it.

  • by geminidomino (614729) * on Thursday January 14, 2010 @01:35PM (#30768148) Journal

    Epic Win for Irony.

    Currently on the front page of Wired.Com

    "WebMonkey:

    Warning: This site may be sharing your data"

  • by DarkOx (621550) on Thursday January 14, 2010 @01:35PM (#30768160) Journal

    If its just J/S it must be useing the browser to get or post the information back to their web server. Figure out what there net block is and black configure your firewall to send you a nice reset packet anytime your box tries to hit it.

  • Scripting? (Score:3, Interesting)

    by Nexzus (673421) on Thursday January 14, 2010 @01:35PM (#30768180)

    Probably uses the script onmousedown or onselect events for the page. So don't allow scripting for that site, and you should be fine.

  • NoScript (Score:5, Insightful)

    by leoc (4746) on Thursday January 14, 2010 @01:36PM (#30768188) Homepage

    Personally I have stopped browsing without NoScript enabled. I sincerely hope that the functionality it provides is adapted as a base feature in future browsers. Javascript is simply too dangerous to be trusted by default. Sites need to earn that trust, IMHO.

    • Re:NoScript (Score:4, Interesting)

      by apoc.famine (621563) <apoc.famine@gm[ ].com ['ail' in gap]> on Thursday January 14, 2010 @02:49PM (#30769524) Homepage Journal

      It's interesting how transparent NoScript is on the pages I visit often, and how much it complains about sites I don't visit often. It's an extra irritation, definitely. But when you watch someone browsing without it, you get a damn good refresher on why you use it.
       
      I'm blown away by the amount of abuse that most people put up with from scripts. It's mind-boggling to me. I put up with exactly one bit of abuse - sometimes I have to reload a page a time or two as I selectively enable scripts to get to the content I want. I'd rather not do that, but it sure beats the alternative.

    • Re:NoScript (Score:5, Informative)

      by inviolet (797804) <slashdot.ideasmatter@org> on Thursday January 14, 2010 @03:08PM (#30769790) Journal

      Personally I have stopped browsing without NoScript enabled. I sincerely hope that the functionality it provides is adapted as a base feature in future browsers. Javascript is simply too dangerous to be trusted by default. Sites need to earn that trust, IMHO.

      It is in Opera. Opera has built-in site prefs that include java, javascript, plugins, 1st and 3rd party cookies, send referer, right-clicks, etc. These can be configured per site, per domain, and both. Then you turn all that crap off browser-wide, so that your site prefs become a whitelist.

      Opera is so far ahead of its time.

  • Snopes (Score:2, Interesting)

    by Itninja (937614)
    Snopes was (is?) using java to prevent site viewers from right-clicking and selecting text at all (not to mention using java to present copious pop-up and pop-under ads). I had no idea until I was watching a friend go to Snopes in a browser without NoScript running. Showed him how to user get NoScript and now he is free to copy/paste text with impunity!
  • Habits (Score:5, Interesting)

    by Hatta (162192) on Thursday January 14, 2010 @01:40PM (#30768272) Journal

    I have a habit of repeatedly selecting and deselecting text as I read it. I probably selected the story blurb here 10 times while reading it. It would be hard for them to mine that data for anything useful. Not that I run strange javascript anyway.

  • More of the same? (Score:3, Insightful)

    by Qubit (100461) on Thursday January 14, 2010 @01:41PM (#30768292) Homepage Journal

    So let me get this straight. Because there are websites that are doing shady stuff with the text I select and such, you want me to install a Firefox Extension [mozilla.org] that theoretically won't do anything shady with my stuff, even though its license [mozilla.org] consists of

    Source code license for Ghostery 2.0.2
    Copyright Ghostery, Inc. All Rights Reserved.

    And there's no source available.

    Why should we trust the people behind Ghostery any more than a random website out there? If you're writing software to protect privacy and prevent data snooping, why make people trust more closed-source software?

  • by CritterNYC (190163) on Thursday January 14, 2010 @01:42PM (#30768326) Homepage

    Just add a filter to to Adblock Plus in Firefox. Go to Adblock Plus's preferences page, click Add Filter and enter:

    http://tcr.tynt.com/* [tynt.com]

    Then just click OK or Apply.

  • by gmueckl (950314) on Thursday January 14, 2010 @01:44PM (#30768360)

    The URL appending when cutting and pasting is easily defeated by pasting using the middle mouse button. That script still sends selection information, though. Can anybody tell me what this data is collected for? I don't see any value in it.

  • This isn't the first instance of Javascript messing with the clipboard. One of my former co-workers encountered a real estate search site that repeatedly overwrote his clipboard. He had the page open while he was working and discovered the issue while trying to copy-paste some database queries from one file to another or something.

    My first thought was that the browser shouldn't even allow that. But since each of the individual components (looking at the selection, capturing keystrokes, writing the clipboard

  • I don't get it - why does the JavaScript even need to send the text to a server? I mean, the browser knows what page you are on. Why not just have the JS snag the URL from the browser and append it to the text, so the selected text never leaves your computer? This whole setup just sounds like an excuse to send something back to the server, when it's technically completely unnecessary.

  • by eldavojohn (898314) * <eldavojohn AT gmail DOT com> on Thursday January 14, 2010 @01:50PM (#30768448) Journal
    I can't get it to work when I copy paste from Wired (must be something with my setup and javascript) but I will make the unpopular statement of saying that 1) you are copying and pasting Wired's content and 2) as early as high school I was taught that if I was copying information verbatim, I had better have some sort of reference (MLA preferred [cornell.edu]).

    Now, on Slashdot I drop in a link on some text like just did up there. But if I'm quoting it, I'll throw in a quote block and lead up to who said it and call it a day. Now, let's imagine a world where all that was automated when you copied something and the text you copied came with XML metadata saying all the things like where you got it, when you got it, who wrote it, etc. That could potentially be pretty useful. If you think of the web as actual works belonging to people then you can start to see how legitimately referencing other works could be made a lot easier with stuff like this. And maybe text editors could have plugins to digest it?

    Unfortunately the submitter and editor of this site seem to cry privacy violation at any attempt to move past the wild wild west anything goes attitude of the world wide web. That's fine as this has an element of privacy concerns what with the phoning home. But please consider the issue from Wired's side, from the side of the author and content creators. They might just trying to help us with what we were taught in school.

    Lastly, I would like to point out that another solution aside from Ghostery or Noscript is just to not use Wired's site at all. Vote with your feet and bring your eyeballs elsewhere for pageviews and adclicks. I'm sure Wired's not losing a whole lot of adclicks if you do.
    • by LMacG (118321) on Thursday January 14, 2010 @01:58PM (#30768608) Journal

      Part of the problem is that the script seems to want to communicate to the server even when you've only highlighted text. As mentioned in another post (that the mods on acid seem to have gotten to), I highlight when I read. I don't know why, but it's what I do. I'm NOT copying, but tynt is still tracking me; the "cite your references" argument doesn't apply.

      As far as just not using Wired.com, that completely ignores the fact that many other sites have this POS JS running; I first noticed it at the New Yorker magazine site.

    • by guido1 (108876) on Thursday January 14, 2010 @02:02PM (#30768678)

      The copy/paste/autolink behavior is not the privacy concern. I didn't read anyone here saying that it was.

      The privacy concern is (from the summary): sends what you copy to Tynt's webservers...

      So I, as a user of a random webpage, copy something for later pasting. That info, and my IP address, is sent to a third-party, theoretically for the purpose of appending a URL to the end of the text. Is that data also used for something else? Most likely. What company wouldn't try to make use of data it receives?

      Since the same append functionality can be done trivially with some JS without contacting a home server, we immediately hop on the privacy horn.

      • Re: (Score:3, Informative)

        That info, and my IP address, is sent to a third-party, theoretically for the purpose of appending a URL to the end of the text. Is that data also used for something else? Most likely.

        There's nothing theoretic about it - they spell it out in large letters on their website [tynt.com]. It's all about data mining first and foremost; autolinking is actually an optional add-on, and even then it's advertised as "driving up more visits" - i.e. it's a feature for site owners, not for end users.

    • Re: (Score:3, Informative)

      by pdboddy (620164)
      Yes, it is Wired's content, but there are rules for fair use.

      Some folks just use the highlighting part of copy to read.

      Some folks copy and paste links to email themselves so they can find it later. Likewise some folks copy and paste articles, in part or in whole, to themselves to read later.

      People do get annoyed when websites do things without saying such things are being done. Wired has every right to defend its content, however, it should do so in an open manner.
  • Noscript FTW.

  • by landrew (45088) on Thursday January 14, 2010 @01:52PM (#30768504)

    This from their FAQ - Technical Topics (http://www1.tynt.com/faq-technical-topics):

    Q. How can I block Tynt Insight from monitoring my actions?

    A. Tynt understands that some people are uncomfortable having events from their web browsing recorded in a database. We take your privacy concerns seriously and we are therefore investing considerable effort into developing a feature that will allow users to block Tynt software across all the sites that are using it, from within their own browser. Until we have this blocking feature ready, it is possible to achieve a similar effect by using one of the many ad blocking components available on the net. For Firefox users, we have found Adblock plus to work well, and Super Ad Blocker is effective for IE users.

    I can't wait to download and install software they've written to help me block them from tracking me with their software. Good thing I'm using Ad Block Plus and NoScript while I wait, or they'd know I cut-n-pasted that...

    • Re: (Score:3, Informative)

      by clone53421 (1310749)

      AdBlock Plus filter:

      ||tynt.com

  • Trolls? (Score:5, Interesting)

    by jgtg32a (1173373) on Thursday January 14, 2010 @01:53PM (#30768510)

    Does Tynt have multiple /. accounts or something? I've never seen so many posts marked Troll

  • by TibbonZero (571809) <.Tibbon. .at. .gmail.com.> on Thursday January 14, 2010 @01:53PM (#30768512) Homepage Journal
    "Not cookie based, not IP based, but stop it you creeps angry phone call based. It ain't a pure useful service, and it ain't a pure privacy invasion. But I sure wish they'd go away and have had the decency to never start up in the first place."

    Please tell me that the writer is either a non-native English speaker, or they didn't read that twice?
  • by jtroutman (121577) on Thursday January 14, 2010 @01:54PM (#30768550)

    I seem to have stopped this by adding the following to my hosts file:
    127.0.0.1 www1.tynt.com
    127.0.0.1 tynt.com
    127.0.0.1 www.tynt.com
    127.0.0.1 w1.tcr112.tynt.com

    • Re: (Score:3, Informative)

      by jtroutman (121577)

      and... fail. For some reason it stopped and has now started again. I'll look into it further when I'm back in front of a computer.

  • A comment from Tynt (Score:5, Informative)

    by TyntGuy (1721234) on Thursday January 14, 2010 @02:00PM (#30768638)
    I work for Tynt. I appreciate the discussion here and want to make sure that everyone knows we want to be respectful of the opinions here. Not sure i I will get flamed just for wading in, but I hope not. To clarify on a few points 1. Tracking and Attribution – the attribution feature is separate from the tracking features. The tracking features work very much like any other analytics tool. We do not store any personally identifiable information, but we do want to help publishers learn what content people are choosing to preserve and promote. In addition, publishers can turn the attribution feature on or off on their sites. If you want to see what is actually collected - sign up for an account and look at the dashboard, you will see that we are tracking the content, not the user. 3. What if I don’t want this behavior? We are currently working on a global opt out for users who would rather not have Tynt monitor them. In the interim you can opt out on a site by site basis (i.e. the opt out for the SF Gate is here: http://www.sfgate.com/chronicle/faq.shtml#faq1.5%23ixzz0bxLIAbL7 [sfgate.com]). More info on how to not have Tynt monitor you is available in our FAQs here: http://www1.tynt.com/faq-technical-topics#ixzz0bxGzIgPZ [tynt.com] but as pointed out in the comments here, NoScript is a very effective tool for this. Derek
    • by Hatta (162192) on Thursday January 14, 2010 @02:12PM (#30768822) Journal

      we are tracking the content, not the user.

      And when the content is personally identifiable?

      We are currently working on a global opt out

      Why not an opt in?

      • by thesolo (131008) * <slap@fighttheriaa.org> on Thursday January 14, 2010 @03:45PM (#30770382) Homepage

        Why not an opt in?

        Do you really need to ask? Because no one would opt-in for it! But just do it without telling anyone, and most people outside of tech groups don't even know what it is or that it's operating in the background.

        Quoth Grace Hopper, "It's easier to ask forgiveness than it is to get permission."

    • by ibpooks (127372) on Thursday January 14, 2010 @02:45PM (#30769436) Homepage

      If you want to see what is actually collected - sign up for an account and look at the dashboard, you will see that we are tracking the content, not the user.

      Doesn't signing up for an account with you kinda defeat the purpose of not giving you any of my information? Even signing up for your vaporware opt out gives you information about me that you will no doubt exploit in some way. In order to opt me out you need to be able to uniquely identify me.

    • by Dolohov (114209) on Thursday January 14, 2010 @02:54PM (#30769606)

      I can't speak for anyone else, but I find a couple things wrong with this:
      1) Like a number of people, I tend to highlight text as I read -- it's a good way to mark my place, and it helps overcome some of the stupid font and coloring decisions that sites make. That means you're not just telling publishers what I want to preserve and promote, but snippets of what I'm reading. That bugs me, and I can't imagine that it's useful.
      2) Maybe you're not storing or tracking personally identifiable information, maybe you are -- I have no way of knowing. (I appreciate the offer of the dashboard access, but that's just what you choose to share) I have to trust you not to, and you are not behaving in a manner that makes me want to trust you: silently sending data? Asking me to opt-out rather than opt-in? Sorry, no. I've been to a couple of the sites mentioned here and had no idea that my reading habits were being monitored in this way -- that makes me feel like I'm being spied on, and I have to wonder what else you're doing that you just haven't been caught at yet. You guys launched without an opt-out, that tells me that you consider privacy concerns an afterthought.
      3) Even if I trust you not to mistreat my data, how do I know that you're sending this in an intelligent fashion? I haven't done a TCPdump yet, but when I do, am I going to discover that you're sending what I highlight plain-text? Can someone who isn't you track me personally based on what you're collecting and sending? Is there any effort to make sure that the sites who use this are not being stupid and applying your tool to text on secure pages? How can I know without stopping and peering at the source for every page I visit?
      4) If my choices are individual opt-out on your customers who are polite enough to offer it versus either blanket blocking or global opt-out, I'm going to have to pick global opt-out even if I don't mind the polite folks using it. Otherwise I have no control over how the less-trustworthy people use it -- as an opt-out service, your whole service is only as trustworthy as your least honest customers. And I cannot imagine that your customers who rely on ad revenue are happy to have you recommending that people who don't want to be spied on use an ad blocker.

      I actually don't mind the attribution tool, I think it's clever and potentially useful -- but also something that could have been accomplished without tracking my reading habits.

      If you want to be trusted and not "flamed", it's simple: make it opt-in, and give me a good reason to opt in. You make money off monitoring my browsing habits, maybe I ought to get a cut.

"Don't worry about people stealing your ideas. If your ideas are any good, you'll have to ram them down people's throats." -- Howard Aiken

Working...