[Infowarrior] - Subtle web privacy risk (content script)

Richard Forno rforno at infowarrior.org
Mon Jul 20 01:42:44 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


FYI here is an exchange I had with some securitygeek friends about an  
interesting web script I came across over the weekend. Subtle yet scary!


 From Rick:

Go to Politico.Com and pick an article.   Highlight a word, a  
paragraph, or paragraphs, cut and paste into another document or email  
message, and you see a built-in "Read More" link at the bottom of the  
selection you cut.   Kind of a convenient way of 'marking' one's  
content in the age of cut-and-paste.....not exactly DRM or airtight  
security, but it seems to be a fair, though easily-circumvented (if  
you want) way of trying to make sure you get credit for your work.

For example, visit this story's page @  http://www.politico.com/news/stories/0709/25083.html

.... I highlight the second paragraph, cut and paste into the message  
below:

"The number of people searching for the term “economic depression” on  
Google is down to normal levels, Summers said.

Read more: http://www.politico.com/news/stories/0709/25083.html#ixzz0LcaU3Omx 
"

(Note the "Read More..." is appended to my paste into this message.  
Sure not there in the article.)

.... same paragraph, by word count.  7 words is the non-URL threshold,  
as it seems 8 words gets you the URL.

The number of people searching for the   (no URL in the cut)
The number of people searching for the term (you get the URL when you  
cut)

....same article, further down:

"We pledged at the time the Recovery"    (no URL in the cut)
"We pledged at the time the Recovery Act" (you get the URL when you cut)

Interesting.  I gather it's some embedded script, but haven't the time  
to go check it out.  Still, I commend Politico for what seems to be a  
convenient and unobtrusive way of trying to mark one's content in the  
age of blogs and Twitter. Can it be circumvented? Sure.  But IMHO  
perhaps the intent is to shame folks who go the extra step to remove  
the URL from said extracts of Politico articles in reposting that  
content around the web.   Then again maybe the script does some spying  
on what's being done @ the site and with the content for enforcement  
or tracking purposes??

(That was my original message to some securitygeek friends who  
commented below.  Turns out it is not only a handy URL inclusion to  
extracts of Politico's content, but also a potentially serious and  
sneaky privacy threat as well.  If you're not using a good browser  
script blocker such as NoScript or YesScript already, you might want  
to!!  My thanks to those who commented and allowed their thoughts put  
forward here.   - rick)

===  begin securitygeek comments ===

(securitygeek comments anonymized per their request.)

===== Securitygeek #1::

<!-- Tynt Tracer-->
<script type="text/javascript"
src="http://tcr.tynt.com/javascripts/Tracer.js?user=bKDyiUp9mr3OhNab7jrHcU&s=22">
</script>
<!-- //Tynt Tracer-->

see www.tynt.com

I noticed every time I highlighted something that it was being sent to  
them.
It's a free service right now, capturing people's highlights and copies.

http://tracer.tynt.com/faq-general-product-info

===== Securitygeek #2:

All the more reason to be using NoScript. This seems worse than all
the uproar over DoubleClick tracking in the past. Now they are
tracking the specific words you are interested in in addition to the
URLs.

I can see the future. You cut a paragraph about the accuracy of a
search engine and when you paste you get an ad banner and link to
Bing.

Unless you turn off JavaScript you are potentially sending everything
you do in the browser to 3rd parties and they can also control your
experience beyond the browser as in this clipboard usage. Quite
ingenious.

=======Securitygeek #3:

So I went to Tynt's site.  The first thing that is interesting is to
see the flash description of what Tynt is on the front page you need
to enable JavaScript from tynt.com.  Nice trick guys. How many people
will then disable it later?

Then from the FAQ:

Q. What about user privacy?

A. None of the data that Tynt Tracer tracks can be used to uniquely
identify an individual user.

Then from the Privacy Policy

TYNT may use information you have provided in registering for, or use
in, TYNT Products without directly or indirectly identifying you, to
third parties.  This may be done, for example, in order to identify
the number of people visiting a specific web site, or commenting on a
certain product, person, or idea.  This may be used to provide
advertisements to you on products or services that will potentially be
more interesting or relevant to you.  Under no circumstances will we
provide information identifying you to a third party, rather we will
pass on an advertising announcement to you, but we will not tell the
third party who you are.

The interesting thing is people are using Tynt products without even
really knowing it.  If a blog is using Tynt and you interact with that
blog then you are using Tynt.  How many people are going to know to
read this privacy policy?
-----BEGIN PGP SIGNATURE-----
Version: 9.8.3.4028
Comment: Rick's Current Public Key @ http://infowarrior.org/pgpkey.txt

wj8DBQFKY8uWKWZyO29ebPYRAmbBAJwK9HDt6zZl1+lJivZ93/KGlWuOtACeK00Z
6/xfHg2BOP1rX/+M14GpOlU=
=NLtV
-----END PGP SIGNATURE-----
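
The two checks the thread performs by hand (reading the page source for an externally hosted script, and comparing the selected text with what was actually pasted), as an added example that is not part of the original post and is not Politico's or Tynt's code. The sample page source, the `/js/site.js` path and all function names are constructed for illustration; the script URL and the pasted excerpt are the ones quoted above.

```javascript
// Constructed sample: page source modelled on the snippet quoted in the post.
// "/js/site.js" is a hypothetical first-party script added for contrast.
const SAMPLE_HTML = `<html><head>
<script type="text/javascript" src="/js/site.js"></script>
<!-- Tynt Tracer-->
<script type="text/javascript"
  src="http://tcr.tynt.com/javascripts/Tracer.js?user=bKDyiUp9mr3OhNab7jrHcU&s=22"></script>
</head><body>article text</body></html>`;
const PAGE_URL = "http://www.politico.com/news/stories/0709/25083.html";

// Return absolute URLs of <script src> tags served from a host other than the
// page's own domain. Regex extraction suits a quick audit of saved source;
// it is not a full HTML parser.
function thirdPartyScripts(html, pageUrl) {
  const pageHost = new URL(pageUrl).hostname.replace(/^www\./, "");
  const found = [];
  for (const m of html.matchAll(/<script\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']/gi)) {
    const src = new URL(m[1].trim(), pageUrl); // resolves relative paths too
    const sameSite = src.hostname === pageHost || src.hostname.endsWith("." + pageHost);
    if (!sameSite) found.push(src.href);
  }
  return found;
}

// Compare what the user selected with what actually landed on the clipboard.
// Reports any text a page script added, plus the URLs inside that addition.
function auditPaste(selected, pasted) {
  const sel = selected.trim();
  const got = pasted.trim();
  if (got === sel) return { rewritten: false, added: "", urls: [] };
  const added = got.startsWith(sel) ? got.slice(sel.length).trim() : got;
  return { rewritten: true, added, urls: added.match(/https?:\/\/\S+/g) || [] };
}

// Strip a trailing "Read more: <url>" line like the one in the pasted excerpt.
function stripCopyAttribution(text) {
  return text.replace(/\s*Read more:\s*https?:\/\/\S+\s*$/i, "");
}
```

Run under Node or paste into a browser console; `thirdPartyScripts(SAMPLE_HTML, PAGE_URL)` lists only the `tcr.tynt.com` include.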