Previous Entry | Next Entry

Privacy Alert: LiveJournal Tracking Outbound Links!

  • Mar. 3rd, 2010 at 1:11 PM
global catastrophic risks

Heads Up, Everyone!



LiveJournal has started snooping on outbound clicks, sliently redirecting outbound links through "outboundlink.net." This is enabled even for paid users, and the opt-out is so hidden/out of the way that what they're doing is simply unconscionable.

Here's an example link: http://www.amazon.com/Applied-Cryptography-Protocols-Algorithms-Source/dp/0471117099/
Javascript is used to make the url in the status bar appear normal when you hover over it, until you actually click on the link. To see that it is actually being redirected for tracking, right-click on the link and copy the url, then paste it into something like notepad.

Fortunately, there is a way to opt out:
  1. Open the Admin Console at http://www.livejournal.com/admin/console/
  2. Execute the following command: set opt_exclude_stats 1

I also recommend adding the following to your ad-blocker:
  • outboundlink.net
  • outboundlink.me
  • l-stat.livejournal.com/js/pagestats/dRev.js
  • l-stat.livejournal.com/js/pagestats/DR_v4u2.js

Brought to my attention by a post on DamnPortlanders.

Edit 1:

[info]eevee and I got through the JS obfuscation. It works by setting links' onclick and oncontextmenu, so the reason why links appear normal is that it doesn't change them until you actually click on them.
If you're unclear about SUP/LJ's intent, realize that this a technique that would only be used by someone who wanted to hide the fact that they are manipulating outbound links.

Edit 2:

As posted in comments, this (for now) is only affecting links to a long but finite list of domains.

It also appears to be financially motivated, as the net effect (when it isn't breaking links to crittersbythebay.com due to sloppy programming) seems to be the insertion of LJ/SUP or their Partner's referral/kickback code in the url. This finer manipulation is done on the "outboundlink.net" servers, though, instead of in the javascript.

Every click going through LJ's partner-in-crime will of course be logged by this third party, so the call-to-arms on privacy grounds still stands.

Edit 3:

To quote a post by LJ Advisory Board member [info]kylecassidy:

LJ was indeed redirecting about 150 urls to advertisers, even for paid users. They are now aware how Not Good an Idea that was. They're pulling that code tonight.

I'll post an update again when I know more.

*** EDIT ***

[info]marta has posted some information saying the code was supposed to add "this link came via lj" affiliate info to non affiliated links -- which makes a lot more sense (and sounds thankfully less sinister) than hijacking people's links and taking them to advertisers, but didn't work as expected. It's still being scrapped.

*** EDIT ***
*** EDIT ***

The code should be gone now.

*** EDIT ***

Please repost/link as appropriate.

Thanks,

your LJ advisory board rep


Edit 4:

They're doing it again. The script is now at a different url, and the service is using a different domain name so if you're relying on an ad blocker or noscript to block the tracking, you need to add two new entries:
  • outboundlink.me
  • l-stat.livejournal.com/js/pagestats/DR_v4u2.js
The opt-out via the console does still work, for now.
  • Mood:annoyed

Tags:

Comments

( 74 comments — Leave a comment )
Page 1 of 3
<<[1] [2] [3] >>
[info]shep_shepherd wrote:
Mar. 3rd, 2010 09:33 pm (UTC)
Thanks for the heads-up :)
| Reply | Thread
[info]mooglepower wrote:
Mar. 3rd, 2010 10:14 pm (UTC)
Thanks for the PSA.
| Reply | Thread
[info]ysengrin wrote:
Mar. 3rd, 2010 10:31 pm (UTC)
Thanks for bringing this up :)

EDIT: more info here -- http://shatterstripes.livejournal.com/1065670.html

Edited at 2010-03-03 10:49 pm (UTC)
| Reply | Thread
(Deleted comment)
[info]caffeinepuppy wrote:
Mar. 4th, 2010 01:11 am (UTC)
The setting is old, but I'm quite sure the link-rewriting is a more recent change.
| Reply | Parent | Thread
(Deleted comment)
[info]caffeinepuppy wrote:
Mar. 4th, 2010 01:16 am (UTC)
For now it's only re-writing links to a random but fairly long list of domains. The post [info]ysengrin linked to includes the complete list: http://shatterstripes.livejournal.com/1065670.html
| Reply | Parent | Thread | Expand
(no subject) - [info]eriscontrol - Mar. 4th, 2010 05:09 am (UTC) - Expand
(no subject) - [info]atara - Mar. 4th, 2010 01:39 pm (UTC) - Expand
[info]harliquinnraver wrote:
Mar. 4th, 2010 03:14 am (UTC)
thank you for the heads up. this shit is shady as hell! >:(
| Reply | Thread
[info]svxkitty wrote:
Mar. 4th, 2010 12:45 pm (UTC)
In Soviet Russia, LINK CLICK YOU!
| Reply | Thread
[info]svxkitty wrote:
Mar. 4th, 2010 12:47 pm (UTC)
Also, I wanted to clarify for people who opt out, it doesn't just seem to opt out on the links you post yourself, but normalizes the links others post on their journals as well.

Thanks for posting this man!
| Reply | Thread
[info]salemkitty wrote:
Mar. 4th, 2010 02:19 pm (UTC)
Thanks for pointing this out, dawg. Steps followed.
| Reply | Thread
[info]freakylynx wrote:
Mar. 4th, 2010 02:20 pm (UTC)
Interesting.
| Reply | Thread
[info]shabm wrote:
Mar. 4th, 2010 04:16 pm (UTC)
Thanks for the warning.

I wouldn't be surprised if they start editing links to these pages, though...
| Reply | Thread
[info]jim_ghote wrote:
Mar. 4th, 2010 04:58 pm (UTC)
Thanks for for the info.
| Reply | Thread
[info]atara wrote:
Mar. 4th, 2010 06:02 pm (UTC)
Shadier and shadier. I posted my entry about this thing here, and did some digging for who outboundlinks.net is.

The domain was registered via GoDaddy, which is all most whois services give you. But BetterWhois shows that the URL was registered by Domains by Proxy, a service that allows you to anonymously register domain names.

WTF, LJ?

*edit: This morning the connection between Outboundlink.net and Domains by Proxy was listed on the WHOIS, and now it's not. Interesting. I wish I'd taken a screen shot.

*edit edit: The info is listed on the WHOIS at GoDaddy. Duhr. :)

Edited at 2010-03-04 09:30 pm (UTC)
| Reply | Thread
[info]trialia wrote:
Mar. 5th, 2010 04:35 pm (UTC)
Actually, a lot of people I know use Domains By Proxy for their personal sites so as to avoid revealing their home address to anyone who looks the domain up in whois. I do, too. That part isn't really shady. But the rest...!
| Reply | Parent | Thread
[info]auronlu wrote:
Mar. 4th, 2010 07:49 pm (UTC)
Gah. Squidoo does that, but at least it TELLS people it's doing that, and the whole point of that site is to make money through webpages -- half of which goes to Squidoo, half to the webpage's creator. Also, their Skimlinks code only applies to links where you haven't added your own affiliate tags.

And Squidoo is not intended for sharing highly personal content.

On the one hand, I'm appalled, and on the other hand, I'm so not surprised that the web is becoming more and more monetized every day.

Ah, for the good old days of the early internet when making money on the internet was actually ILLEGAL, as it was entirely for sharing information.

Edited at 2010-03-04 07:51 pm (UTC)
| Reply | Thread
[info]mecurtin wrote:
Mar. 4th, 2010 09:21 pm (UTC)
My husband surfs the Web with JS disabled. I've been thinking that he was overreacting, but apparently not so much.

FFS.
| Reply | Thread
[info]ladynorbert wrote:
Mar. 4th, 2010 09:37 pm (UTC)
Am I the only one getting an error message?

"There is no such command 'opt_exclude_stats'."
| Reply | Thread
[info]caffeinepuppy wrote:
Mar. 4th, 2010 10:35 pm (UTC)
The whole command is "set opt_exclude_stats 1", without the quotes.
| Reply | Parent | Thread | Expand
(no subject) - [info]ladynorbert - Mar. 4th, 2010 10:38 pm (UTC) - Expand
[info]mermaidkween wrote:
Mar. 4th, 2010 09:39 pm (UTC)
That exact Javascript link has been messing up my browser (Camino) for days. I wondered what it was and why it randomly popped up. Thanks.
| Reply | Thread
[info]phaetonschariot wrote:
Mar. 5th, 2010 04:19 am (UTC)
Yeah I was getting a dialog every time I loaded a page, saying a script was running that was slowing the browser down, do I want to continue?
| Reply | Parent | Thread
[info]zaphod_groupie wrote:
Mar. 4th, 2010 10:11 pm (UTC)
Thanks for posting about the opt-out for those of us who'd have no bloody clue how to do it otherwise!
| Reply | Thread
(Anonymous) wrote:
Mar. 4th, 2010 10:31 pm (UTC)
Is there a way to do 'set opt_exclude_stats 1" for communities?
| Reply | Thread
[info]caffeinepuppy wrote:
Mar. 4th, 2010 10:38 pm (UTC)
set for communityname opt_exclude_stats 1, according to the No LJ Ads Wiki.

I'm not sure it would actually work, though, because for this link re-writing, the setting seems to apply to the user regardless of where they are. IE: I have the opt-out enabled, but if you didn't, you'd still see the links on my journal re-written. I don't see why communities would be any different.

Edited at 2010-03-04 10:47 pm (UTC)
| Reply | Parent | Thread
[info]puppetmaker40 wrote:
Mar. 4th, 2010 11:05 pm (UTC)
You are a wonderful person. Thank you.
| Reply | Thread
[info]cluegirl wrote:
Mar. 4th, 2010 11:13 pm (UTC)
I think I'd seen something to this effect earlier in the week, but that poster mentioned something about the browser one was using having an effect as well -- to whit, Firefox users mightn't have the problem all the time?

I ask because, when I tried the copy-paste trick on the link you posted, it copied clean and unaltered.

I went ahead and implemented the opt-out all the same though, but I did want to ask folks who were better-tech-headed than I before I boosted the signal and possibly got something wrong.
| Reply | Thread
[info]chameleongirl79 wrote:
Mar. 4th, 2010 11:28 pm (UTC)
I think this isn't working in Chrome. If I right-click and paste the link from FF, you can see the redirect code, but not if I do the same from Chrome.
If I actually click the link in FF, a new tab opens and the redirect shows up in the url before going to the site.
In Chrome, no redirect URL is seen and the site opens in the same tab.
| Reply | Thread
[info]caffeinepuppy wrote:
Mar. 4th, 2010 11:39 pm (UTC)
Using a Chrome-like browser (SRWare Iron), I just disabled the opt-out and the links were again affected for me. Specifically, after right-clicking on the link, but not choosing anything, the link now points to the redirect site.
| Reply | Parent | Thread | Expand
(no subject) - [info]chameleongirl79 - Mar. 4th, 2010 11:41 pm (UTC) - Expand
(no subject) - [info]reddragdiva - Mar. 5th, 2010 01:15 am (UTC) - Expand
[info]sparkymonster wrote:
Mar. 4th, 2010 11:33 pm (UTC)
Is there a way to fix this for the communities I moderate?
| Reply | Thread
[info]caffeinepuppy wrote:
Mar. 4th, 2010 11:37 pm (UTC)
It appears to be per-user. That is, if a user doesn't have the opt-out enabled, they will be affected, even if the journal they are viewing does have the opt-out enabled.
| Reply | Parent | Thread
[info]ducktapeddonkey wrote:
Mar. 5th, 2010 12:26 am (UTC)
Cheers for the admin console fix. Thanks. :)

Jeers to LJ for sneaky about this.
| Reply | Thread
[info]nrr wrote:
Mar. 5th, 2010 12:36 am (UTC)
My response to this is just to stop using JiveUrinal entirely. I suppose there's a good reason why I have a domain name and a publically accessible machine running something that speaks HTTP.
| Reply | Thread
Page 1 of 3
<<[1] [2] [3] >>
( 74 comments — Leave a comment )

Profile

kilojara
[info]caffeinepuppy
Koinu
Website

Latest Month

January 2012
S M T W T F S
1234567
891011121314
15161718192021
22232425262728
293031    

View All Archives

Tags

View my Tags page

Page Summary

Powered by LiveJournal.com
Designed by Tiffany Chow