I've always added analytics scripts on websites I worked on. It was second nature for me. Then when I got my own start up, I didn't just add regular analytics but one that tracks mouse movements so you can watch sessions back like a video [0].
I told a friend about my start up and she jumped on it immediately. I opened the tool and watched her interaction. Then I told her "oh so you opened the dev tools" She immediately ended the session. "How did you know? That's creepy". It was the first time I've actually felt like these tools invade privacy.
Yeah, we include it in our terms and condition and privacy page, but I don't think users truly grasp how those tools work. I understand that all analytics tools provide this feature now, but its always creepy to know someone can watch what you are doing.
I think there's a very interesting duality forming around privacy. It seems like most people don't really care if they're being filmed, or if their data is being slurped up six ways from Sunday, as long as it's aggregated and going through automated systems. But as soon as it feels like an actual person is looking at individual behavior, it's creepy (which is, of course, always a possibility, but plausible deniability is a powerful thing).
Yes. This is it. People are used to "private conversation in public restaurant". It's not private because no one can hear, but because no one is listening.
Right, the very nature of human society for the last several thousand years has been privacy in public. You walk around outside where everyone can see you, but the societal expectation is that you don't watch others. You have conversations in public because that's where life happens, but they're still private conversations.
Every counter-example to this is people being intentionally creepy, inappropriate, or outright malicious. Which was a manageable problem when it was just a single dude being weird, society would eventually exclude and shun them. Trouble is today that we've mechanised malicious inappropriate behavior at scale and ensured we've set up our entire society and government such that the people responsible can never be held accountable in any way. So long as you're being maliciously creepy at scale (and you're wealthy) everything's fine and there's no consequences.
How do you know what life was like 2000 years ago? I don't think you can truly know when this convention appeared. I suspect it's tied to urbanism at least. If you're living alone in the woods, miles from anywhere, and someone walks past your house, you're probably not going to politely ignore them.
I think creepiness manifests when the observation is one way. Without technology that’s kind of hard. With tech it becomes increasingly easy for everyday people to one-way spy on each other
the people doing the "analytics" (surveillance) like their privacy too, because they are doing creepy stuff and don't want people to know it. And even if they aren't doing creepy stuff, the data might be used that way in the future (profile building, psychological tricks, personalized pricing, sharing behavior with others, etc)
> It seems like most people don't really care if they're being filmed, or if their data is being slurped up six ways from Sunday
For the majority of people I don’t think it’s true that they don’t care, but rather that they don’t know, don’t understand the implications, or don’t have the luxury of being able to do anything about it.
In the instances where I was able to have a longer discussion with someone to really explain what’s going on, they did care. Even if they previously said they didn’t.
> Yeah, we include it in our terms and condition and privacy page
Please be honest with yourself. People don't read terms and conditions. There's a good chance you don't read terms and conditions. And even if you do, odds are better than even that you don't fully understand all the legal implications.
Terms and conditions pages nowadays are there mostly to provide legal protection under the guise of "the user told us that they read these by ticking a box on our signup page; it's hardly our fault if they didn't."
I'm also of the opinion that at lot of T&C are basically signing under duress and I consider them invalid. Like if I have to sign a T&C with Google Play and a T&C with your city's sanctioned parking app in order to park on the street, I consider both of those T&C's invalid. As a legal resident of the country with a legally owned car and legal driving license, I should be able to park and pay, I shouldn't have to agree to anything else.
By reading this website, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.
Everyone knows stores have security cameras. But if you called them up and said 'I saw you pick up the chips' they wouldnt have a good feeling.
Everyone understands websites use analytics and tracking, but people dont want to be reminded of it. Which is why people hate those FB ads which exactly match what you searched for 24 hours ago.
Used this and it replied (in the console): "Such a smart subject."
ETA: It also took a few seconds to get around to telling me (from the bottom up):
Subject has clicked on the button a thousand times.
Subject has clicked on the button one hundred times.
Subject clicks less than most other subjects.
Subject has run script to click on the button ten times within one second.
Subject has clicked on the button nine times within one second.
Subject has clicked on the button eight times within one second.
I wonder if it can distinguish between human clicks and scripted clicks if it's saying "...clicks less than most..." or if everyone is scripting a million clicks.
It was the spring of 1993. UPS dropped a huge package at my door. It was Visual C++ 1.0 in a 50-story-high white box that weighed a ton. I spent the whole day reading manuals and messing with it. When my wife came home that night, I couldn't wait to show her what I finally managed to pull off -- a maximized window that contained a single button that filled the entire space of that window. And the label said "Click Me." My wife clicked that button, and nothing happened.
Awesome. Looking for this as an iOS app, since I learned dismissing notifications phones home. (Useful feature for multidevice cloud services but can be creepy, companies learning the notifications we expand or leftswipe away… learning our sleep schedules and preferences and all that in ways we might not have specifically expected in this exact case)
Apps know when we’re on WiFi, when we force quit, have potential to have motion sensor access if opting in…
Not sure the presentation needed for acceptance into the App Store. As a security checkup tool or something…
I made something related to this with whisper. It would just constantly listen and periodically do a search to find a picture/video/gif from the web, relevant to what you're talking about, and show it.
I'm guessing this is supposed to illustrate how tracking is ubiquitous, given what I see in the source code.
In my case, though, after carefully enabling only scripts from the site and the Cloudflare CDN, but not enabling XHR/websockets back to the source page, or any cookies, the only thing that happens for me is:
1. I see a button and an exhortation to click the button.
2. I click the button.
3. The site goes "Subject has clicked the button."
4. The site goes "...".
...and then nothing else happens, no matter where I click or move my mouse. In the background I can see attempted websocket connections, but I'm blocking those so they can't happen.
If the aim of the game is to open people's eyes to the dangers of online tracking, it feels like there should be a reward mechanism if such tracking is blocked!
As a semi-savvy programmer, but with little experience in web-dev, I'm actually a bit ignorant of what a site can measure -- client side -- versus collect server side.
Presumably it's a simple matter to send something back to a server, but I've really never thought about the mechanisms involved.
I've always added analytics scripts on websites I worked on. It was second nature for me. Then when I got my own start up, I didn't just add regular analytics but one that tracks mouse movements so you can watch sessions back like a video [0].
I told a friend about my start up and she jumped on it immediately. I opened the tool and watched her interaction. Then I told her "oh so you opened the dev tools" She immediately ended the session. "How did you know? That's creepy". It was the first time I've actually felt like these tools invade privacy.
Yeah, we include it in our terms and condition and privacy page, but I don't think users truly grasp how those tools work. I understand that all analytics tools provide this feature now, but its always creepy to know someone can watch what you are doing.
[0]: https://idiallo.com/blog/spying-on-your-user
I think there's a very interesting duality forming around privacy. It seems like most people don't really care if they're being filmed, or if their data is being slurped up six ways from Sunday, as long as it's aggregated and going through automated systems. But as soon as it feels like an actual person is looking at individual behavior, it's creepy (which is, of course, always a possibility, but plausible deniability is a powerful thing).
Yes. This is it. People are used to "private conversation in public restaurant". It's not private because no one can hear, but because no one is listening.
Right, the very nature of human society for the last several thousand years has been privacy in public. You walk around outside where everyone can see you, but the societal expectation is that you don't watch others. You have conversations in public because that's where life happens, but they're still private conversations.
Every counter-example to this is people being intentionally creepy, inappropriate, or outright malicious. Which was a manageable problem when it was just a single dude being weird, society would eventually exclude and shun them. Trouble is today that we've mechanised malicious inappropriate behavior at scale and ensured we've set up our entire society and government such that the people responsible can never be held accountable in any way. So long as you're being maliciously creepy at scale (and you're wealthy) everything's fine and there's no consequences.
How do you know what life was like 2000 years ago? I don't think you can truly know when this convention appeared. I suspect it's tied to urbanism at least. If you're living alone in the woods, miles from anywhere, and someone walks past your house, you're probably not going to politely ignore them.
I think creepiness manifests when the observation is one way. Without technology that’s kind of hard. With tech it becomes increasingly easy for everyday people to one-way spy on each other
it's not a duality at all. the people don't know.
the people doing the "analytics" (surveillance) like their privacy too, because they are doing creepy stuff and don't want people to know it. And even if they aren't doing creepy stuff, the data might be used that way in the future (profile building, psychological tricks, personalized pricing, sharing behavior with others, etc)
> It seems like most people don't really care if they're being filmed, or if their data is being slurped up six ways from Sunday
For the majority of people I don’t think it’s true that they don’t care, but rather that they don’t know, don’t understand the implications, or don’t have the luxury of being able to do anything about it.
In the instances where I was able to have a longer discussion with someone to really explain what’s going on, they did care. Even if they previously said they didn’t.
Or, they do know and they do care, but they're so exhausted by the hostile patterns of our industry that they've given up.
Are there any good browser extensions that can block this and protect user privacy?
yes - a fair few
> Yeah, we include it in our terms and condition and privacy page
Please be honest with yourself. People don't read terms and conditions. There's a good chance you don't read terms and conditions. And even if you do, odds are better than even that you don't fully understand all the legal implications.
Terms and conditions pages nowadays are there mostly to provide legal protection under the guise of "the user told us that they read these by ticking a box on our signup page; it's hardly our fault if they didn't."
I'm also of the opinion that at lot of T&C are basically signing under duress and I consider them invalid. Like if I have to sign a T&C with Google Play and a T&C with your city's sanctioned parking app in order to park on the street, I consider both of those T&C's invalid. As a legal resident of the country with a legally owned car and legal driving license, I should be able to park and pay, I shouldn't have to agree to anything else.
By reading this website, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.
Your city doesn't have a way to pay for parking with cash on public roads? It's not a private lot? That should simply be illegal.
Everyone knows stores have security cameras. But if you called them up and said 'I saw you pick up the chips' they wouldnt have a good feeling.
Everyone understands websites use analytics and tracking, but people dont want to be reminded of it. Which is why people hate those FB ads which exactly match what you searched for 24 hours ago.
I show this in my interface programming class to introduce people to the concept of input events.
Thinking of input as a series of discrete events is an interesting cognitive model that many experienced programmers take for granted!
Related. Others?
Click (2016) - https://news.ycombinator.com/item?id=35841679 - May 2023 (35 comments)
Click - https://news.ycombinator.com/item?id=26518290 - March 2021 (243 comments)
Click click click - A browser-based game on online profiling. - https://news.ycombinator.com/item?id=18636038 - Dec 2018 (1 comment)
A demonstration of browser events used to monitor online behaviour - https://news.ycombinator.com/item?id=12985644 - Nov 2016 (165 comments)
Nice! It shouted "Bot" when I ran this in the console
for (let i = 0; i < 1000; i++) { document.querySelector(".button")?.click(); }
Used this and it replied (in the console): "Such a smart subject."
ETA: It also took a few seconds to get around to telling me (from the bottom up):
I wonder if it can distinguish between human clicks and scripted clicks if it's saying "...clicks less than most..." or if everyone is scripting a million clicks.It was the spring of 1993. UPS dropped a huge package at my door. It was Visual C++ 1.0 in a 50-story-high white box that weighed a ton. I spent the whole day reading manuals and messing with it. When my wife came home that night, I couldn't wait to show her what I finally managed to pull off -- a maximized window that contained a single button that filled the entire space of that window. And the label said "Click Me." My wife clicked that button, and nothing happened.
"What's the point?" she asked.
I said, "You can click it."
"But what's the big deal?" she was baffled.
"You can click it,“ I said.
“That's the big deal."
This brings me back to the glory days of StumbleUpon. Highly recommend.
I was thinking of the paper clip universe simulator game
Where you're just sitting there clicking over and over
Awesome. Looking for this as an iOS app, since I learned dismissing notifications phones home. (Useful feature for multidevice cloud services but can be creepy, companies learning the notifications we expand or leftswipe away… learning our sleep schedules and preferences and all that in ways we might not have specifically expected in this exact case)
Apps know when we’re on WiFi, when we force quit, have potential to have motion sensor access if opting in…
Not sure the presentation needed for acceptance into the App Store. As a security checkup tool or something…
I made something very similar 2 weeks ago, re the upcoming OpenAI phone.
https://news.ycombinator.com/item?id=48040327
The image processing is neat. Local model ran in the browser?
This is really neat, and disturbing.
I enjoyed playing with this. Wild how much it knows.
Looks like it got HN’d to death
thats pretty creepy. I find it unnerving that they know exactly where my cursor is.
You might like Pointer Pointer. It's pretty funny. https://pointerpointer.com
(It might not work on touch screens.)
would be creepiest if your cursor moved somewhere related to what you were saying outloud.
the capability is there, your local hardware determines how seamless it would be.
I made something related to this with whisper. It would just constantly listen and periodically do a search to find a picture/video/gif from the web, relevant to what you're talking about, and show it.
So does every advertiser and data broker in the world
And yet, so many people think Cursor-camp[0] is great.
Mental framing of a tech is weird.
[0]https://neal.fun/cursor-camp/
Heads up: there's audio. It does add something.
I'm guessing this is supposed to illustrate how tracking is ubiquitous, given what I see in the source code.
In my case, though, after carefully enabling only scripts from the site and the Cloudflare CDN, but not enabling XHR/websockets back to the source page, or any cookies, the only thing that happens for me is:
1. I see a button and an exhortation to click the button.
2. I click the button.
3. The site goes "Subject has clicked the button."
4. The site goes "...".
...and then nothing else happens, no matter where I click or move my mouse. In the background I can see attempted websocket connections, but I'm blocking those so they can't happen.
If the aim of the game is to open people's eyes to the dangers of online tracking, it feels like there should be a reward mechanism if such tracking is blocked!
I unlocked at least one "achievement" by blocking camera access.
I'm getting a PR_END_OF_FILE_ERROR when I try to open the page in Firefox on Linux.
Very fun, I enjoyed seeing what it would react to.
As a semi-savvy programmer, but with little experience in web-dev, I'm actually a bit ignorant of what a site can measure -- client side -- versus collect server side.
Presumably it's a simple matter to send something back to a server, but I've really never thought about the mechanisms involved.
Hmmm. Clever and a little spooky!
This is a great POC about how you give up privacy just using the web. This data is bought and sold and more and used against you every day
I am not sure what I am looking at. It's telling me things which I expect any website to know via basic javascript. What am I missing?
That you’re not the target audience.
clever
kind of weirded me out lol...
Another one like this -
https://sinceyouarrived.world/taken