uBlockOrigin / uAssets

Resources for uBlock Origin, uMatrix: static filter lists, ready-to-use rulesets, etc.
GNU General Public License v3.0

Reddit redesign has replay tracking "everywhere" #2395

Closed ghost closed 6 years ago

ghost commented 6 years ago

URL(s) where the issue occurs

<https://www.reddit.com/> once the redesign is enabled, if not <https://new.reddit.com/> should do once logged in.

Describe the issue

As per <https://www.reddit.com/r/privacy/comments/8mmybp/psa_the_reddit_redesigned_ui_is_worse_for_privacy/>

Reddit has been trying to redesign their website to feel more "modern", but I have noticed that the redesigned UI also features more tracking. For one, the new UI (and the new userpage) features session replay tracking everywhere (recording of your mouse movements, keystrokes, and how you interact with the website), as evidenced by its use of the mousemove JavaScript event listener for the entire page. I found out using Luminous (this isn't an endorsement or ad), which is an extension that detects (and can block) JavaScript events. The old UI also listens for the mousemove event but not everywhere (I have only noticed it on the "submit post" page, but there are probably a few other places), though I'm not sure if this is due to session replay tracking. I cannot say for certain that the old UI doesn't have session replay or something similar, but to me it doesn't seem like it for most pages. Perhaps someone who has investigated this further can confirm or deny. Session replay is another form of tracking what you click on (possibly negating attempts to opt out of "regular" tracking of outbound links), can be used to fingerprint a user (how the mouse moves), and will negate attempts to delete posts and comments (for example, ones that accidentally contain personal information or passwords). Even accidentally pasting something like a password in a text box will result in the password being sent to Reddit (and/or a third party) and being stored in plain text. I don't know how Reddit manages user data internally, but with session recording it's possible that a Reddit employee playing back a session to assess user reaction to a new UI update may end up seeing your private messages or posts in private subreddits simply because it was there when you interacted with the page. Also, the Reddit redesign completely breaks without JavaScript enabled, to the point where you can't click on links or even see the page content.
The old UI is still available to users, either through a setting in your account or (if you're not logged in) through old.reddit.com. You can also replace the 'www' part of the URL with 'old' on any Reddit page to get back to the old UI. I really, really hope they don't remove this.

Versions

Settings

Notes

u/Frellwit created a filter

uBO can defuse event listeners as well. `reddit.com##script:inject(addEventListener-defuser.js, mousemove)` or if there's a need to be more specific `reddit.com##script:inject(addEventListener-defuser.js, example, example-handler)`.

ghajini commented 6 years ago

Why not add the suggested filters to the uBlock filters?

gwarser commented 6 years ago

You mean this `reddit.com##script:inject(addEventListener-defuser.js, mousemove)`? This is just an example. [edit: This will break stuff] And this post looks like FUD to me.

yourduskquibbles commented 6 years ago

FYI - more research was posted about this a couple of months ago: https://www.reddit.com/r/privacy/comments/87mi06/psa_reddit_has_enhanced_their_tracking_they_now/

ghost commented 6 years ago

If it is not a 3rd party connection, there is no problem with session replay or anything that tracks. I personally have no problem with first party tracking. Besides that, this is FUD. Just a random pseudo research post by someone who is taking it to extreme. The problem is when the 3rd party comes in.

As long as uBO blocks the shitty get-rich-quick ads, that is enough.

ghost commented 6 years ago

I verified myself just now that POST requests including at the very least the user agent are sent to reddit.com, which is sufficient for first-party tracking to be blocked according to EasyPrivacy policy.

bobsage123 commented 6 years ago

Surprised so many people have no issue with reddit's tracking/session recording/going closed-source. I don't care if it's first party; if it's closed source they could be doing some shady stuff. Plus, these session replay scripts have been known to record data they shouldn't, like passwords/people's credit cards.

Someone apparently wrote a tampermonkey script that will block this tracking pretty well and not break the site - https://www.reddit.com/r/privacy/comments/87mi06/psa_reddit_has_enhanced_their_tracking_they_now/dweil5v

gwarser commented 6 years ago

It would be an interesting idea to try blocking these webpack modules selectively.

gorhill commented 6 years ago

> Surprised so many people have no issue

It's not a "no issue" thing, it's an issue of having someone willing to volunteer a lot of time investigating a fix that will reliably work -- just assume all volunteers here are already quite busy.

I looked at the userscript and by the look of it it's not something that can be blocked by uBO. Maybe there are other ways to block the tracking but as said, someone needs to volunteer their time to investigate a workable solution, if any.