I've always added analytics scripts on websites I worked on. It was second nature for me. Then when I got my own start up, I didn't just add regular analytics but one that tracks mouse movements so you can watch sessions back like a video [0].
I told a friend about my start up and she jumped on it immediately. I opened the tool and watched her interaction. Then I told her "oh so you opened the dev tools" She immediately ended the session. "How did you know? That's creepy". It was the first time I've actually felt like these tools invade privacy.
Yeah, we include it in our terms and condition and privacy page, but I don't think users truly grasp how those tools work. I understand that all analytics tools provide this feature now, but its always creepy to know someone can watch what you are doing.
I think there's a very interesting duality forming around privacy. It seems like most people don't really care if they're being filmed, or if their data is being slurped up six ways from Sunday, as long as it's aggregated and going through automated systems. But as soon as it feels like an actual person is looking at individual behavior, it's creepy (which is, of course, always a possibility, but plausible deniability is a powerful thing).
The other side of this is that there are aspects of privacy that average people absolutely care about, but that the tech crowd largely ignores.
It's things like hiding your online activity from your partner / boss / parent / ex, making sure nobody knows you just went to a gay club, hiding the fact that you're playing video games from that one guy you don't actually want to play with, not giving out your phone number to the parents of your students, that sort of thing.
For most people, E2E and VPNs are useless gimmicks that just make life unnecessarily difficult, but vanishing messages and incognito mode are life-saving features.
Yes. This is it. People are used to "private conversation in public restaurant". It's not private because no one can hear, but because no one is listening.
Right, the very nature of human society for the last several thousand years has been privacy in public. You walk around outside where everyone can see you, but the societal expectation is that you don't watch others. You have conversations in public because that's where life happens, but they're still private conversations.
Every counter-example to this is people being intentionally creepy, inappropriate, or outright malicious. Which was a manageable problem when it was just a single dude being weird, society would eventually exclude and shun them. Trouble is today that we've mechanised malicious inappropriate behavior at scale and ensured we've set up our entire society and government such that the people responsible can never be held accountable in any way. So long as you're being maliciously creepy at scale (and you're wealthy) everything's fine and there's no consequences.
> Every counter-example to this is people being intentionally creepy, inappropriate, or outright malicious
Or you just...overhear something in public and strike up a conversation. Doesn't happen here in North-East USA often but that southern hospitality is a different animal
I think creepiness manifests when the observation is one way. Without technology that’s kind of hard. With tech it becomes increasingly easy for everyday people to one-way spy on each other
How do you know what life was like 2000 years ago? I don't think you can truly know when this convention appeared. I suspect it's tied to urbanism at least. If you're living alone in the woods, miles from anywhere, and someone walks past your house, you're probably not going to politely ignore them.
the people doing the "analytics" (surveillance) like their privacy too, because they are doing creepy stuff and don't want people to know it. And even if they aren't doing creepy stuff, the data might be used that way in the future (profile building, psychological tricks, personalized pricing, sharing behavior with others, etc)
Which is wild because the aggregation and “big data” element is where the harm actually happens in very real terms. Of course, much harder to explain to typical laymen.
Yes - also it's one thing to say "A user entered the site, clicked here than here" (analyzed in bulk) and another "this specific guy entered the site, clicked here than here"
> It seems like most people don't really care if they're being filmed, or if their data is being slurped up six ways from Sunday
For the majority of people I don’t think it’s true that they don’t care, but rather that they don’t know, don’t understand the implications, or don’t have the luxury of being able to do anything about it.
In the instances where I was able to have a longer discussion with someone to really explain what’s going on, they did care. Even if they previously said they didn’t.
People do know on some level though. There was enough willpower to get the cookie bullshit on every website.
I think it's just that it's more of a visceral lizard-brain thing than a logical thing. Like how you can go through life eating meat every day, then someone sits you down and tells you the horrors of that industry and shows you a cow being butchered, and you go oh that's horrible, and then most likely put it out of mind and continue eating meat.
> we include it in our terms and condition and privacy page, but I don't think users truly grasp how those tools work
Since you did collect the metrics, you had direct knowledge of how many users opened the T&C and scrolled down to the place where you mention you're recording their session.
Would be interesting if you can share an aggregate statistic of that.
I'm surprised browsers don't warn users about every website that has listeners attached to keyboard/mouse events. It's totally fine for something like a game or an experiment website, but might not be something you expect from a blog or a news site.
> Yeah, we include it in our terms and condition and privacy page
Please be honest with yourself. People don't read terms and conditions. There's a good chance you don't read terms and conditions. And even if you do, odds are better than even that you don't fully understand all the legal implications.
Terms and conditions pages nowadays are there mostly to provide legal protection under the guise of "the user told us that they read these by ticking a box on our signup page; it's hardly our fault if they didn't."
I'm also of the opinion that at lot of T&C are basically signing under duress and I consider them invalid. Like if I have to sign a T&C with Google Play and a T&C with your city's sanctioned parking app in order to park on the street, I consider both of those T&C's invalid. As a legal resident of the country with a legally owned car and legal driving license, I should be able to park and pay, I shouldn't have to agree to anything else.
By reading this website, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.
Especially clickthrough license for software on devices that you've already bought. You turn on your new phone and it shows 300 pages of legalese. You cannot use your new phone until you press 'I accept.' If you don't like it, return the phone. All the other phones have their own equivalent T&C.
As an example, most of Boston's public street parking meters use a collection of various parking apps. A large number have broken quarter slots and broken card readers but you're still expected to make payment via app or you can get towed.
This is also why I wish we could make anti-towing (anti-car-theft) devices that physically resist and fight the tow people to make their lives uncomfortable and miserable, because predatory jobs like that should just not exist. But any time I suggest this, 5000 people come out of the woods and say "pay your bill" and "don't park where you're not supposed to" whereas my point is really "you shouldn't have to accept a T&C in order to pay for parking" and "you should still have a right to park even if the cash/card reader is broken".
Look, I understand the hate against terms and conditions. They're not a lot of fun. But the alternative is worse. Let's imagine a world where terms and conditions don't apply;
Firstly, businesses can do whatever they like. There are no terms to agree to. They simply function in whatever way they "consider to be valid". If a customer disagrees with what is valid or not, hey, that's what courts are for. And given there's no agreement between business and customer, who's to say who is right?
The business can equally terminate you as a customer, with no notice, for no reason, at any time. They can delete all your data. They can spam your contact list. (Ok, they do all that already, but you know what I mean.)
Secondly, customers can do whatever they like. They payed their $9.95. They can do whatever they like. Sure, sharing logins is fine (if they "consider that valid".) They can abuse the system, scrape data out and resell it, anything goes. And of course the only recourse is back to the courts. Which is ultimately no recourse at all.
Even your analogy to parking breaks down. Should you have to prove legal residency to park? Should I be able to park a car on the street (unmoved) for a year? Should I be allowed to park next to a fire-hydrant? Can I park it in the middle of the road? Can my neighbor "reserve" his parking space using an orange cone? Clearly there's a lot more to parking a car than "I should be able to park".
T&C might not be fun, and you may not agree with them (hint: if you don't, then don't use the service) but they at least set out the business behavior that you can expect. Read them, don't read them, that's up to you. But don't complain that the fault is on them when they do something that are in the T&Cs.
And yes, I get they're one sided. customers never bother to submit their own T&C's so they're not fairly represented. Again, that's on you for using that service.
> customers never bother to submit their own T&C's so they're not fairly represented
You can't. Not a question of bother.
> if you don't, then don't use the service
The problem is that this is mostly not an option. The service doesn't have competition or competitors don't have better T&C. Sometimes, like in the original commenter's example, there is a legally enforced monopoly.
At least the government has to enforce certain rights when using government provided services.
The problem with this line of thinking is that businesses don't expect you to read T&Cs.
This site itself is, funnily enough, a good example of this (and, to be fair, an outlier). When you sign up to an account here, you're not asked to agree to any terms. There's nothing that forces you to agree to any terms of service. The site does have them[0], but you can only access them by clicking the "Legal" link in the footer, and you're never required to do so. Yet people here are, by and large, behaving themselves, largely due to good moderation on the part of dang and others.
But if there were to be a lawsuit, for whatever reason, it's potentially possible that someone could successfully argue that they never had to agree to any terms. It's a technicality, of course - again, very few people read terms of service, and if they did, you'd think somebody would have noticed this omission by now - but an arguably legally actionable one.
Which leads me back to my point - the only reason that businesses make you agree to terms of service is because if they didn't, they could get lawsuits that might be found in favour of the plaintiff. Businesses don't want that, so they include the checkbox.
Every single terms and conditions document is just legal boilerplate that boils down to "we can do whatever we want, while you can do nothing we don't want".
Everyone knows stores have security cameras. But if you called them up and said 'I saw you pick up the chips' they wouldnt have a good feeling.
Everyone understands websites use analytics and tracking, but people dont want to be reminded of it. Which is why people hate those FB ads which exactly match what you searched for 24 hours ago.
Used this and it replied (in the console): "Such a smart subject."
ETA: It also took a few seconds to get around to telling me (from the bottom up):
Subject has clicked on the button a thousand times.
Subject has clicked on the button one hundred times.
Subject clicks less than most other subjects.
Subject has run script to click on the button ten times within one second.
Subject has clicked on the button nine times within one second.
Subject has clicked on the button eight times within one second.
I wonder if it can distinguish between human clicks and scripted clicks if it's saying "...clicks less than most..." or if everyone is scripting a million clicks.
Using HTTP/1.1, the norm in 2016, I counted 233 chunks
Might as well just ask the user to download a 15 MB executable, e.g., a "game", and run it
Developers often refer to this idea of the "browser sandbox" but there are lots of things that are permitted inside this "sandbox" that some users would consider part of their "threat model"
For example, gratuitous data collection, surveillance and advertising
It was the spring of 1993. UPS dropped a huge package at my door. It was Visual C++ 1.0 in a 50-story-high white box that weighed a ton. I spent the whole day reading manuals and messing with it. When my wife came home that night, I couldn't wait to show her what I finally managed to pull off -- a maximized window that contained a single button that filled the entire space of that window. And the label said "Click Me." My wife clicked that button, and nothing happened.
Awesome. Looking for this as an iOS app, since I learned dismissing notifications phones home. (Useful feature for multidevice cloud services but can be creepy, companies learning the notifications we expand or leftswipe away… learning our sleep schedules and preferences and all that in ways we might not have specifically expected in this exact case)
Apps know when we’re on WiFi, when we force quit, have potential to have motion sensor access if opting in…
Not sure the presentation needed for acceptance into the App Store. As a security checkup tool or something…
I made something related to this with whisper. It would just constantly listen and periodically do a search to find a picture/video/gif from the web, relevant to what you're talking about, and show it.
HN comments really can't beat the spectrum stereotypes...
But seriously, the parent comment isn't saying the technical fact a browser can see your cursor's coordinate is unnerving. They're saying the experience of being reminded of this fact is unnerving.
Technically, every time you take a bus ride the driver can just decide to crash the vehicle and kill the passengers and himself. This fact itself isn't unnerving -- it's just how buses work. But if there were a poster on the bus reminding passengers of that, that'd be quite unnerving.
I was disappointed that it didn't catch me editing the HTML when I tried changing the button's class to button2 or adding other classes. I wanted it to call me out when I clicked after that edit.
I'm guessing this is supposed to illustrate how tracking is ubiquitous, given what I see in the source code.
In my case, though, after carefully enabling only scripts from the site and the Cloudflare CDN, but not enabling XHR/websockets back to the source page, or any cookies, the only thing that happens for me is:
1. I see a button and an exhortation to click the button.
2. I click the button.
3. The site goes "Subject has clicked the button."
4. The site goes "...".
...and then nothing else happens, no matter where I click or move my mouse. In the background I can see attempted websocket connections, but I'm blocking those so they can't happen.
If the aim of the game is to open people's eyes to the dangers of online tracking, it feels like there should be a reward mechanism if such tracking is blocked!
I seem to be getting random events that have nothing to do with my activity. I'm on Brave on an iPad mini. I'm guessing the JS activity looks like fingerprinting and it's being spoofed.
As a semi-savvy programmer, but with little experience in web-dev, I'm actually a bit ignorant of what a site can measure -- client side -- versus collect server side.
Presumably it's a simple matter to send something back to a server, but I've really never thought about the mechanisms involved.
I told a friend about my start up and she jumped on it immediately. I opened the tool and watched her interaction. Then I told her "oh so you opened the dev tools" She immediately ended the session. "How did you know? That's creepy". It was the first time I've actually felt like these tools invade privacy.
Yeah, we include it in our terms and condition and privacy page, but I don't think users truly grasp how those tools work. I understand that all analytics tools provide this feature now, but its always creepy to know someone can watch what you are doing.
[0]: https://idiallo.com/blog/spying-on-your-user
It's things like hiding your online activity from your partner / boss / parent / ex, making sure nobody knows you just went to a gay club, hiding the fact that you're playing video games from that one guy you don't actually want to play with, not giving out your phone number to the parents of your students, that sort of thing.
For most people, E2E and VPNs are useless gimmicks that just make life unnecessarily difficult, but vanishing messages and incognito mode are life-saving features.
Every counter-example to this is people being intentionally creepy, inappropriate, or outright malicious. Which was a manageable problem when it was just a single dude being weird, society would eventually exclude and shun them. Trouble is today that we've mechanised malicious inappropriate behavior at scale and ensured we've set up our entire society and government such that the people responsible can never be held accountable in any way. So long as you're being maliciously creepy at scale (and you're wealthy) everything's fine and there's no consequences.
Or you just...overhear something in public and strike up a conversation. Doesn't happen here in North-East USA often but that southern hospitality is a different animal
the people doing the "analytics" (surveillance) like their privacy too, because they are doing creepy stuff and don't want people to know it. And even if they aren't doing creepy stuff, the data might be used that way in the future (profile building, psychological tricks, personalized pricing, sharing behavior with others, etc)
For the majority of people I don’t think it’s true that they don’t care, but rather that they don’t know, don’t understand the implications, or don’t have the luxury of being able to do anything about it.
In the instances where I was able to have a longer discussion with someone to really explain what’s going on, they did care. Even if they previously said they didn’t.
I think it's just that it's more of a visceral lizard-brain thing than a logical thing. Like how you can go through life eating meat every day, then someone sits you down and tells you the horrors of that industry and shows you a cow being butchered, and you go oh that's horrible, and then most likely put it out of mind and continue eating meat.
Since you did collect the metrics, you had direct knowledge of how many users opened the T&C and scrolled down to the place where you mention you're recording their session.
Would be interesting if you can share an aggregate statistic of that.
Please be honest with yourself. People don't read terms and conditions. There's a good chance you don't read terms and conditions. And even if you do, odds are better than even that you don't fully understand all the legal implications.
Terms and conditions pages nowadays are there mostly to provide legal protection under the guise of "the user told us that they read these by ticking a box on our signup page; it's hardly our fault if they didn't."
This is also why I wish we could make anti-towing (anti-car-theft) devices that physically resist and fight the tow people to make their lives uncomfortable and miserable, because predatory jobs like that should just not exist. But any time I suggest this, 5000 people come out of the woods and say "pay your bill" and "don't park where you're not supposed to" whereas my point is really "you shouldn't have to accept a T&C in order to pay for parking" and "you should still have a right to park even if the cash/card reader is broken".
Firstly, businesses can do whatever they like. There are no terms to agree to. They simply function in whatever way they "consider to be valid". If a customer disagrees with what is valid or not, hey, that's what courts are for. And given there's no agreement between business and customer, who's to say who is right?
The business can equally terminate you as a customer, with no notice, for no reason, at any time. They can delete all your data. They can spam your contact list. (Ok, they do all that already, but you know what I mean.)
Secondly, customers can do whatever they like. They payed their $9.95. They can do whatever they like. Sure, sharing logins is fine (if they "consider that valid".) They can abuse the system, scrape data out and resell it, anything goes. And of course the only recourse is back to the courts. Which is ultimately no recourse at all.
Even your analogy to parking breaks down. Should you have to prove legal residency to park? Should I be able to park a car on the street (unmoved) for a year? Should I be allowed to park next to a fire-hydrant? Can I park it in the middle of the road? Can my neighbor "reserve" his parking space using an orange cone? Clearly there's a lot more to parking a car than "I should be able to park".
T&C might not be fun, and you may not agree with them (hint: if you don't, then don't use the service) but they at least set out the business behavior that you can expect. Read them, don't read them, that's up to you. But don't complain that the fault is on them when they do something that are in the T&Cs.
And yes, I get they're one sided. customers never bother to submit their own T&C's so they're not fairly represented. Again, that's on you for using that service.
It already works like that.
> customers never bother to submit their own T&C's so they're not fairly represented
You can't. Not a question of bother.
> if you don't, then don't use the service
The problem is that this is mostly not an option. The service doesn't have competition or competitors don't have better T&C. Sometimes, like in the original commenter's example, there is a legally enforced monopoly.
At least the government has to enforce certain rights when using government provided services.
This site itself is, funnily enough, a good example of this (and, to be fair, an outlier). When you sign up to an account here, you're not asked to agree to any terms. There's nothing that forces you to agree to any terms of service. The site does have them[0], but you can only access them by clicking the "Legal" link in the footer, and you're never required to do so. Yet people here are, by and large, behaving themselves, largely due to good moderation on the part of dang and others.
But if there were to be a lawsuit, for whatever reason, it's potentially possible that someone could successfully argue that they never had to agree to any terms. It's a technicality, of course - again, very few people read terms of service, and if they did, you'd think somebody would have noticed this omission by now - but an arguably legally actionable one.
Which leads me back to my point - the only reason that businesses make you agree to terms of service is because if they didn't, they could get lawsuits that might be found in favour of the plaintiff. Businesses don't want that, so they include the checkbox.
[0] https://www.ycombinator.com/legal/#tou
Already the case.
Every single terms and conditions document is just legal boilerplate that boils down to "we can do whatever we want, while you can do nothing we don't want".
No, they would function in the manner courts deem to be valid.
...what? How is residency tied to parking now?
Nobody reads that stuff.
Everyone understands websites use analytics and tracking, but people dont want to be reminded of it. Which is why people hate those FB ads which exactly match what you searched for 24 hours ago.
People don't want it to be misused is the actual point.
Click (2016) - https://news.ycombinator.com/item?id=35841679 - May 2023 (35 comments)
Click - https://news.ycombinator.com/item?id=26518290 - March 2021 (243 comments)
Click click click - A browser-based game on online profiling. - https://news.ycombinator.com/item?id=18636038 - Dec 2018 (1 comment)
A demonstration of browser events used to monitor online behaviour - https://news.ycombinator.com/item?id=12985644 - Nov 2016 (165 comments)
for (let i = 0; i < 1000; i++) { document.querySelector(".button")?.click(); }
ETA: It also took a few seconds to get around to telling me (from the bottom up):
I wonder if it can distinguish between human clicks and scripted clicks if it's saying "...clicks less than most..." or if everyone is scripting a million clicks.[0]: https://developer.mozilla.org/en-US/docs/Web/API/Event/isTru...
http://cdnjs.cloudflare.com/ajax/libs/gsap/1.18.0/TweenMax.m...
Some of the Javascript is served via plain HTTP as well as HTTPS
https://clickclickclick.click/bundle.js
This is 14 MB of Javascript
Using HTTP/1.1, the norm in 2016, I counted 233 chunks
Might as well just ask the user to download a 15 MB executable, e.g., a "game", and run it
Developers often refer to this idea of the "browser sandbox" but there are lots of things that are permitted inside this "sandbox" that some users would consider part of their "threat model"
For example, gratuitous data collection, surveillance and advertising
"What's the point?" she asked.
I said, "You can click it."
"But what's the big deal?" she was baffled.
"You can click it,“ I said.
“That's the big deal."
or ist it more of an ö? (im German btw but can also definitely spot a dutch English speaker :) best way to tell is to have them say "I have an idea!"
Where you're just sitting there clicking over and over
Apps know when we’re on WiFi, when we force quit, have potential to have motion sensor access if opting in…
Not sure the presentation needed for acceptance into the App Store. As a security checkup tool or something…
https://news.ycombinator.com/item?id=48040327
Thinking of input as a series of discrete events is an interesting cognitive model that many experienced programmers take for granted!
(It might not work on touch screens.)
the capability is there, your local hardware determines how seamless it would be.
Mental framing of a tech is weird.
[0]https://neal.fun/cursor-camp/
But seriously, the parent comment isn't saying the technical fact a browser can see your cursor's coordinate is unnerving. They're saying the experience of being reminded of this fact is unnerving.
Technically, every time you take a bus ride the driver can just decide to crash the vehicle and kill the passengers and himself. This fact itself isn't unnerving -- it's just how buses work. But if there were a poster on the bus reminding passengers of that, that'd be quite unnerving.
It’s unnerving because people don’t like being watched.
Some of my favorite projects:
https://studiomoniker.com/projects/radio-garden
https://studiomoniker.com/projects/do-not-touch
https://studiomoniker.com/projects/do-not-draw-a-penis
In my case, though, after carefully enabling only scripts from the site and the Cloudflare CDN, but not enabling XHR/websockets back to the source page, or any cookies, the only thing that happens for me is:
1. I see a button and an exhortation to click the button.
2. I click the button.
3. The site goes "Subject has clicked the button."
4. The site goes "...".
...and then nothing else happens, no matter where I click or move my mouse. In the background I can see attempted websocket connections, but I'm blocking those so they can't happen.
If the aim of the game is to open people's eyes to the dangers of online tracking, it feels like there should be a reward mechanism if such tracking is blocked!
Presumably it's a simple matter to send something back to a server, but I've really never thought about the mechanisms involved.
https://sinceyouarrived.world/taken