Google +1 Chrome extension tracks https traffic (plus.google.com)
102 points by mmastrac on Nov 3, 2011 | 27 comments



As noted in the comments this is hardly an oversight, the plugin page acknowledges the behavior:

"In addition to the practices described in the Google +1 Button Privacy Policy, by installing this extension, all of the pages and URLs you visit will be sent to Google in order to retrieve +1 information. Examples of this information include whether you’ve previously +1’d the page and how many people have already +1’d the page. Google’s use of this information is described further in the following help center article (http://www.google.com/support/profiles/bin/answer.py?hl=en&#...). "

Tracking HTTPS traffic is really the big deal and it will probably be patched. For the rest, it is just like Google Toolbar, Internet Explorer, Bing Toolbar, etc...

Search engines desperately need this kind of data, so it is not surprising that they try to sneak "trackers" into any browser/extension; it is just unfortunate that they are not clear about it.


The link that you put in your post is in its entirety about how they are not tracking you and not logging these requests for each user. The quoted portion you mentioned is just pointing out that in order to get a count of the +1's on a page you have to send a request to Google to see that count. There is no conceivable way for it to show information without requesting it first.

This isn't some sneaky side effect of the button, it is literally just the only functionality of the extension. They will probably still patch this to at least have a setting to not display +1's on https websites, but I don't really see where all this tracking talk came from.


Google could still uniquely identify sites while protecting your privacy by sending a hash of the URL from your browser, rather than the full URL itself, and comparing that hash to the hashes of all +1ed sites. People are talking about tracking because Google hasn’t chosen to implement their extension like this.


I don't really understand how you imagine it to work. You want them to just have a huge dumb store of hash -> count mappings without them having any meaning? That would completely defeat the purpose of +1s; they couldn't put what +1s you had on your profile or use it for recommendations or whatever. Even if this was the case, it would be trivially easy for them to get the hash -> url mappings at any time since they already effectively crawl the entire internet on a daily or weekly basis; all they would have to do is add a single entry to the pipeline.

If you are saying that they should have a database where the columns are (url, hash, count) and just have the browser send the hash, that is exactly the same as just encrypting the url, and the request is being sent over https. What sort of security do you think you would have from hashing that is lacking in SSL?


A problem with sending a hash of the URL is that you cannot canonicalize the URL on the server side anymore. A simple example: the hash of "http://www.foo.com/bar/" would differ from the hash of "http://www.foo.com/bar". I guess you could do some canonicalization on the client-side, though...


Would the hash scheme you have in mind be vulnerable to rainbow tables?
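The three points raised above (hashing instead of sending the URL, the trailing-slash canonicalization problem, and whether a rainbow table would be needed) can be checked in a few lines. This is an added illustration, not code from the thread or from the extension; the crawl index and URLs are constructed sample data.

```python
import hashlib
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: URLs a search engine has already crawled.
CRAWL_INDEX = [
    "http://www.foo.com/bar",
    "http://www.foo.com/baz?x=1",
    "https://mail.example.org/inbox/msg/12345",
]


def canonicalize(url: str) -> str:
    """Client-side normalization so equivalent URLs hash identically.

    Lowercases scheme and host, drops the fragment and any trailing slash.
    Query-parameter order is deliberately left alone to keep the example short.
    """
    parts = urlsplit(url)
    path = parts.path.rstrip("/") or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


def url_hash(url: str, canonical: bool = True) -> str:
    """SHA-256 hex digest of the URL, optionally canonicalized first.

    With canonical=False the server-side canonicalization problem shows up:
    'http://www.foo.com/bar/' and 'http://www.foo.com/bar' get different digests.
    """
    target = canonicalize(url) if canonical else url
    return hashlib.sha256(target.encode("utf-8")).hexdigest()


def build_reverse_index(urls: Iterable[str]) -> Dict[str, str]:
    """Server side: hash every crawled URL once to get a hash -> URL lookup.

    No rainbow table is needed; the candidate set is simply the crawl, so the
    hash offers no confidentiality against the party that runs the crawler.
    """
    return {url_hash(u): canonicalize(u) for u in urls}


def recover(digest: str, reverse_index: Dict[str, str]) -> Optional[str]:
    """Recover a visited URL from its hash if the crawler has ever seen the page."""
    return reverse_index.get(digest)
```

Only a URL the crawler has never seen stays hidden behind its hash; every indexed page is recovered by a dictionary lookup.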


I've never understood why people install these types of extensions. It reminds me of the toolbar overload joke image:

http://jimcofer.com/personal/wp-content/uploads/2009/08/tool...

Aren't these kind of extensions all about tracking you anyway? If there's a page or website you think is valuable then bookmark it. If you want to share it among multiple computer systems email the link to yourself.


You're ignoring the primary (marketed) purpose of these extensions - social sharing. The main value-add is that users can easily +1 (share, tweet, whatever) from whatever page they're on. A secondary feature of some (including this one) is to show how many other people +1'd (etc) it. There are other extensions that exist with just the first part and not the second (though they're usually not 'official') and I imagine those wouldn't be "tracking" your activity (except what you're sharing). But, tracking isn't really the main point anyway. Facebook and Google can do enough tracking without browser extensions simply through market saturation. As far as I see it, this extension just provides features that some users want.

Additionally, these extensions take up minimal space in Chrome. The screen real estate each one gets is the same size as the settings (wrench) icon. Sure, you could fill up your browser UI space with them, but it's much more difficult than it is with IE and there are more hoops to jump through in order to get them there. IE users were (are?) plagued by toolbars because they can be installed externally from the application. As far as I know, Chrome extensions can only be installed from within the application after several prompts and confirmations.


The tracking should occur when the user performs the +1.

It shouldn't track the way it does, and it certainly shouldn't track HTTPS. It is not even an issue of privacy, it is simple courtesy and common sense.


Here's a happy medium: track it "on demand". Let's say, when you hover the mouse over it.

Or make the +1 a two-gesture event: click the extension button (which is when "tracking" occurs) which opens a balloon, then click a +1 button within the balloon.


If the extension doesn't send the URL to Google anyway, then it can't know how many +1s the page already has (and from whom). That's why it triggers on every page load.


But Google already knows the +1's received by the page, regardless of the visitor's login status.

Granted, it doesn't know if the visitor has friends that shared it. It still doesn't excuse them for sending all URLs.

Facebook received a lot of flak for doing this and I don't see why Google should be excused for this intentional "gaffe".


You're missing the point - Google knows how many +1s the page received. But the user's browser doesn't, so it can't display the +1 count without contacting the server (and sending the page URL) to find out.

I have to wonder if this is an unintended side effect of the recent push to have sites move to HTTPS - it used to be that HTTPS requests were mostly unique to a user, but now lots of "regular" pages are being requested using HTTPS, and if you want to make any kind of extension that returns data about pages (+1, anti-phishing, etc) you're probably going to want to send HTTPS URLs as well.


This is why I use Ghostery (http://www.ghostery.com/) with Firefox to prevent these sorts of things from tracking my online behaviour.


Looks great. I will try that later.

For now, I'm using "disconnect" - downloaded it, read the whole sources and installed it from a local directory. That's my level of paranoia right now.


Does that work with the Chrome Google+ addon? Because Ghostery would prevent it from contacting home...


Would love to use Ghostery or something similar for Chrome. Any suggestions?


Ghostery is available for Chrome, among others: http://www.ghostery.com/download


Thanks for the link. Has anyone tried this and the Disconnect extension and can share how they compare?


Haven't tried Disconnect, but use Ghostery and see no need for anything else.


As far as my understanding goes, and through comments here [1], Google's other toolbar(s) are also capable of sending clickstream data. The only thing new might be the introduction of a UserID, as now the +1 Extension has the user logged in, but I am not sure how that puts additional risk/privacy concerns.

Secondly, a lot of addons/extensions are actually asking for permissions to all visited pages - it should not be hard to figure out who the currently logged-in person is, if you do have malicious intent (scraping opened FB/Gmail web pages). There is inherent privacy risk in using extensions with a lot of permissions!

[1] http://www.quora.com/Google-Bing-Controversy-February-2011/D...


Hmm, it turned out that information that users send to Google gets sent to Google. Interesting.


Wow, that is downright scary! That is why I use incognito mode.


Unless incognito mode is something much different from what I think (temporary browser session with none of the existing cookies etc) that does not prevent this kind of issue. Pages you would visit in that session/mode would still get tracked.


Incognito mode blocks all extensions by default, so you'd be safe from those extensions that track your data by using tab events.


Users have to whitelist extensions for Incognito mode. Which would theoretically solve this issue, but at that point, I doubt the user would install the extension at all.


The "etc" includes extensions that, as callahad said, haven't been approved by the user for Incognito. For active extensions, when you go to the Extensions page and click the triangle next to an extension to expand it, it shows a checkbox for "Allow incognito" that is unchecked by default.



