Forgot your password?
typodupeerror
Mozilla The Internet Your Rights Online

Firefox 's Ping Attribute: Useful or Spyware? 575

Posted by CmdrTaco
from the wear-your-foil-hats dept.
An anonymous reader writes "The Mozilla Team has quietly enabled a new feature in Firefox that parses 'ping' attributes to anchor tags in HTML. Now links can have a 'ping' attribute that contains a list of servers to notify when you click on a link. Although link tracking has been done using redirects and Javascript, this new "feature" allows notification of an unlimited and uncontrollable number of servers for every click, and it is not noticeable without examining the source code for a link before clicking it."
This discussion has been archived. No new comments can be posted.

Firefox 's Ping Attribute: Useful or Spyware?

Comments Filter:
  • by eldavojohn (898314) * <eldavojohn AT gmail DOT com> on Wednesday January 18, 2006 @10:01AM (#14499401) Journal
    This isn't a question, it's obviously a little of both. Sacrifice some information about the sites you visit to allow those who run the servers (anyone, really) some feedback and statistics.

    It's simply the user's choice as to whether or not the pros outweigh the cons. And I'm sure the massive response that ensues on Slashdot will reveal that everyone values these pros and cons differently.

    Doesn't seem to be much argument other than I think they should have a very simple way to disable this if the user so chooses. As with the iTunes fiasco [slashdot.org], I would recommend Firefox be distributed with this option disabled.
    • by Stevyn (691306) on Wednesday January 18, 2006 @10:04AM (#14499429)
      Nooo! Here in the US, the media polarizes two options and have people in bow ties argue it. You're either in agreement with this idea or totally against it.
      • by Art Tatum (6890) on Wednesday January 18, 2006 @10:38AM (#14499771)
        You were moderated as funny, but it should've been insightful. I have a friend who describes the American political scene as two armies in trenches, shooting at straw men in no-man's-land.
      • I don't agree, prepare to die!
    • by timeOday (582209) on Wednesday January 18, 2006 @10:08AM (#14499470)
      As with the iTunes fiasco, I would recommend Firefox be distributed with this option disabled.
      I'm racking my brain to imagine why a user would ever want to enable it.
      • RTA (Score:5, Informative)

        by Morosoph (693565) on Wednesday January 18, 2006 @10:14AM (#14499540) Homepage Journal
        I'm racking my brain to imagine why a user would ever want to enable it.
        So as to avoid expensive and hidden redirects.
        • Re:RTA (Score:5, Informative)

          by nicklott (533496) on Wednesday January 18, 2006 @10:41AM (#14499801)
          but they're not expensive to the user. No website can use this as a primary mechanism in a process as less than 1% of their users will have it enabled. So, it can only be used for things that are optional to the website, for example user tracking. And in this case it actually generates more traffic, as now you just parse your logs (or put an image in, wherein we have a mechanism that does exactly the same thing anyway).
          • Re:RTA (Score:5, Informative)

            by malsdavis (542216) * on Wednesday January 18, 2006 @11:03AM (#14499997)
            Firstly they are expensive to the user, as you have to wait for the response to come back before being able to move onto the next page and secondly being expensive for the web server does indirectly effect users.

            Sure your one redirect query may not effect you much but tens of thousands of people doing it could slow a server right down.

        • I agree that would be the reason to enable it.

          But it's a lousy scenario. There shouldn't *be* expensive, hidden redirects, and we're just encouraging what I consider (at best) stupid. even (worse) anti-social, possibly evil behavior.

          I'm completely in favor of progress, but it seems the net is always taking at least one step back (in some cases a few dozen) for every step forward.

          We should be encouraging content providers to produce clean web page sthat do what we expect them to do, simply, instead of to be
    • by dmoen (88623) on Wednesday January 18, 2006 @10:08AM (#14499481) Homepage
      I would recommend Firefox be distributed with this option disabled.

      Are you also recommending that Firefox be distributed with Javascript disabled? Because this ping functionality is easy enough to implement in javascript. If ping is disabled by default, then nobody will have it enabled, which means that web developers will continue to do it the old fashioned way, and the ability to disable ping will be worthless.

      Doug Moen.

      • by grub (11606) <slashdot@grub.net> on Wednesday January 18, 2006 @10:12AM (#14499526) Homepage Journal

        Use the Firefox NoScript extension and you can be selective about what javascript you run on a per-site basis.
      • by Hurga (265993) on Wednesday January 18, 2006 @10:25AM (#14499645)
        Are you also recommending that Firefox be distributed with Javascript disabled?

        I know that I HAVE JavaScript disabled (using the NoScript extension) for this and other reasons, and I don't want to have that functionality back whithout me noticing.

        Hurga
      • Why would a web developer use the ping attribute now? AFAIK only Firefox supports it.
        • by SethJohnson (112166) on Wednesday January 18, 2006 @11:12AM (#14500092) Homepage Journal
          Why would a web developer use the ping attribute now?

          I think the main developer who would want to use it is Google with their adwords program. They're probably trying to minimize the bandwidth those redirects consume for all the clicking that happens on their ads. This is on top of the bandwidth of every page view requesting the ads to be embedded in the first place, which can't be avoided...

          Even if Google can shave off 6% of unneccessary redirects (all Firefox users), that's a big bandwidth savings.

          Seth
          • by gr8_phk (621180) on Wednesday January 18, 2006 @12:05PM (#14500707)
            "I think the main developer who would want to use it is Google with their adwords program. They're probably trying to minimize the bandwidth those redirects consume for all the clicking that happens on their ads.

            Google gets paid for those clicks on their ads. They don't need to be altering my browser to help their business anyway. As bender would say, Google can bite my shiney metal 4$$. Hopefully distros will patch firefox, so their users won't need to fret about this. Just those windows users who get it straight from the firefox site.

            I've been thinking it's time for a firefox fork that drops the MPL. The dual licensing is preventing integration of other GPLed work - like a built in PDF viewer so we can avoid Adobe. A GPL only fork would help prevent folks like Google from creating their own branded browser with stupid features no user would ever want.

          • And we should compromise our security (arguably) and our knowledge of what the system is doing (certainly) for their profit margin why?
        • It's not that they'd use the ping attribute -- it's that they'd use other tactics to do the exact same thing, but via a mechanism that slows down render time.

          Webmasters already have the ability to have a page load cause a HTTP request to some other server -- at minimum, they can just have a . This doesn't impact rendering time (as that single-pixel image does), and has the same effect -- plus you can turn it off, while you can't turn off all the single-pixel images without turning off other images as well.

          I
      • Possible fix (Score:5, Interesting)

        by spitzak (4019) on Wednesday January 18, 2006 @10:29AM (#14499683) Homepage
        Why not limit the ping to the server that made the current page? This should prevent people from embedding pings into blogs, and still allow the replacement of redirects for tracking where you go. I would think unless this is done, too many people will disable it for any real sites to use it, and it will *only* be used for nefarious purposes.
        • Re:Possible fix (Score:5, Informative)

          by RevDobbs (313888) * on Wednesday January 18, 2006 @10:59AM (#14499955) Homepage

          Did you read the article, or the WHATWG spec?

          It specifically mentions:

          1. Links with the "ping" attribute should be diffrentiated from other links.
          2. There should client-side options to control "ping" behavior, similar to current cookie options: "respond to all", "ignore 3rd party", "ignore all".

          FWIW, this really seems dead in the water. First, not too many users will have it enabled (or even available, for that matter). Second, this information is already being reliably collected with cookies, mod_usertrack [apache.org], javascript, and page redirect tricks -- mostly with no knowledge of the enduser.

          Why go with a little-available, easily disable mechanisim when the tried-and-true method is already available?

          • ...or more specifically the comments below:

            Out of interest, how did you implement the 'informed user' requirement? ("When the ping attribute is present, user agents should clearly indicate to the user that following the hyperlink will also cause secondary requests to be sent in the background, possibly including listing the actual target URIs.")

            Posted by: Malcolm at January 17, 2006 12:14 PM

            The UI component of this feature is currently unimplemented. We did not see that as a blocker to enabling this on the
      • Sure, the basic functionality can be duplicated with javascript. However, tying this behavior explicitly to a "ping" attribute makes it much easier to identify and block/disable the behavior. If someone doesn't want to mess around with a NoScript extension, script whitelists, etc... then this makes life easier.

        Look at it this way: I'm lazy. I don't want to be a security/privacy Nazi about any/every script on webpages I view. However, if there's an "easy" way to block something I view as potentially abu
      • by Hard_Code (49548) on Wednesday January 18, 2006 @10:45AM (#14499829)
        Ever heard of cross-site scripting? "ping" needs at the least to be implemented in such a fashion that only the originating site can get a ping. Any pings to non-originating site should either be blocked wholesale or at least present the user a dialog (Site A is attempting to convey information about your browsing to Site B).
    • by heavy snowfall (847023) on Wednesday January 18, 2006 @10:12AM (#14499528) Journal
      As I see it this will only make it easier to avoid tracking. At the moment tracking links are often obfuscated like this one [slashdot.org]. With this new attribute and the ability to disable it you get a plain non-tracked destination URL.

      Because of this, and it being mozilla-specific for now, websites that currently use tracking URL's will see no value in switching over.

      As for privacy concerns, it's already quite easy to track people on the web. Those who avoid it now are more in the know and would probably just add this to the list of things to disable.
    • by oneiros27 (46144) on Wednesday January 18, 2006 @10:16AM (#14499568) Homepage
      I would recommend Firefox be distributed with this option disabled
      Which would give web developers no reason to ever bother using it, and they'll continue doing the same little tricks they've been using for years to keep you from seeing that they're tracking the links.

      Take a look at the HTML source on Fark -- you'll see javascript to overwrite the status line so it doesn't show it's tracking you ... and there are hundreds, if not thousands or millions of other sites that do the same.
      • Which would give web developers no reason to ever bother using it, and they'll continue doing the same little tricks they've been using for years to keep you from seeing that they're tracking the links.

        Sure, but is that a reason to just hand the data to them on a silver platter? I mean, why keep spammers out of your MTA? They'll just resort to various tricks to spam anyway, so why not just give them an account?

        Firefox should provide new ways to ensure our privacy, not new ways to violate it. I'm disappoint
    • by kawika (87069) on Wednesday January 18, 2006 @10:23AM (#14499634)
      The blog is right that from a user perspective this is good because it makes the target page load faster and makes the tracking transparent. However, this gives the marketer or website even less control than they have now.

      Today, ad or other link tracking is generally handled like this: The link target specifies a tracking page and passes in a magic word or number that specifies the campaign or other info (e.g., "go.php?id=123" or "click.asp?campaign=A1254S"). That page logs the click in some database and issues a redirect to the actual destination page. Sometimes the web server log acts as the "database" and the click stats are processed from the logs.

      With this new scheme, idea is supposed to be that the href target would be the actual destination and there would be no need for the time-consuming redirect. The separate ping attribute would take care of notifying the server similar to what happens today. But now the target page is out in the open for the client to see, and it is not essential to use the ping URL at all! Once users start blocking ping URLs, as they inevitably will, this transparency means that click stats will be very unreliable.

      Since a lot of revenue depends on click numbers, this outcome is bad for commercial web sites. Therefore, very few money links will ever use this scheme and will instead stay with the tried-and-true redirect pages.

      • Relying on the user to submit the right statistics is asinine. No company will trust user-submitted stats ("I stayed on your web page and read every word...lol"). This is why redirects are essential: the site owner has concrete numbers about the clicks.

        Once again, Firefox/Mozilla folks are showing their arrogance (anyone else remember "blink"?). When their marketshare was down, they would never have done such a thing; but now that their marketshare is noticeable, they are back to their old ways.

        If Micro

      • Once users start blocking ping URLs, as they inevitably will, this transparency means that click stats will be very unreliable.

        A very small portion of people (including apparently a number of needlessly alarmed people on Slashdot) will bother to turn this off. The vast majority of humanity will continue not to care. This will add a small amount of unreliability to click stats, but that unreliability will be swamped by the normal apparent unreliability of the web caused by different configurations, different
  • by suso (153703) * on Wednesday January 18, 2006 @10:02AM (#14499411) Homepage Journal
    I think the first thing any browser developer should consider when adding a new tag or tag attribute to the DOM is "How can this be abused?" and explore that question to its fullest. Because all of you know that it will be abused and that users will implement it wrong or find new uses for it that the developers didn't intend. Some of them may be good, some bad.
    • Heh - with this philosophy we won't have anything and be in stone-age (hey - stones can be (ab)used for head-smashing!). _ANYTHING_ CAN & WILL BE ABUSED!
      • by suso (153703) *
        What I'm saying is that just because you thought of something neat, you shouldn't just implement it (and I know that this isn't how it happens of course). Cookies and javascript weren't just implemented. A lot of thought went into how they could be used, abused, what the gotchas are and how to solve them. Test models were done and analyzed. This seems like the kind of feature that is comparable to that level of change in the way browsers work. I wonder if the WhatWG people really tested the concept and
    • "How can this be abused?"
      I don't particularly like the feature, but I also don't think a user reveals any extra information by turning it on. Following a link already reveals precisely the same information, and sites no less than google.com already use redirects so they know every link followed from their site. They could already implement this same feature on the server side by notifying whomever they choose.
      • Not that simple (Score:3, Insightful)

        by dereference (875531)
        Following a link already reveals precisely the same information

        No, it's not really that simple. This is much like the difference between first-party cookies and third-party cookies. In fact, I'd be happy if they decided to limit them at that level of granularity. I honestly wouldn't mind first-party pings. This provides--as you correctly note--nothing more than they can already collect now. It does, however, significantly enhance the developers' ability to directly collect stateful click-through info

    • I think the first thing any browser developer should consider when adding a new tag or tag attribute to the DOM is "How can this be abused?" and explore that question to its fullest.

      The BODY tag fails that test.
    • I think the first thing any browser developer should consider when adding a new tag or tag attribute to the DOM is "How can this be abused?"

      Personally, I think that should be second.

      The first thing they should consider is "where in the W3C specs is the behavior of this element specified"? If it ain't in any of 'em, it don't belong in the browser engine.

      For every IMG tag or XmlHttpRequest a browser dev team has decided to extend the W3C specs with, there's been a dozen BLINK and MARQUEE tags.
  • Required! (Score:5, Funny)

    by Shadow Wrought (586631) <shadow.wroughtNO@SPAMgmail.com> on Wednesday January 18, 2006 @10:03AM (#14499417) Homepage Journal
    At least for childbirth. Bring in the machine that goes, PING!
  • by Whiteout (828544) on Wednesday January 18, 2006 @10:03AM (#14499418)
    One ping-disabling Firefox extension.
  • Out of control (Score:2, Interesting)

    by RuiFerreira (791654)
    kind of abusive, no? I'm just imagining slashdotting more than one server... hum? another issue is the pre fetch directive on firefox... i'm starting to think my bandwidth is out of my control..
    • Re:Out of control (Score:3, Interesting)

      by peragrin (659227)
      Actually I kind of like it. With this tool Slashdot could finally Slashdot all the advertisers in one shot. Talk about a major DDOS.

      Create a link with an image to a story site. Embed that link with this. You could slashdot The big sites with this. Go Open Source innovation.
  • Very useful (Score:5, Interesting)

    by dada21 (163177) * <adam.dada@gmail.com> on Wednesday January 18, 2006 @10:05AM (#14499447) Homepage Journal
    This feature is extremely useful for any website that wants to give their users better content by parsing what they're going through. It also lets you figure out who is clicking advertisements (which are usually off site) and even gives you the ability to run a multitude of websites but aggregate all the statistics on one of your machines.

    Sure it can be abused -- I don't see why more of these abusive features can't be set up in a whitelist fashion. I'm already shocked that web browsers make it so difficult to white lists sites you feel are safe (or don't mind giving up some information to make your experience better).

    That comes to the point of this post -- how about a standard "setup" logo/button committee that helps create a "setup" web profile that sites can use to give the users options on how they want to be configured? We've got some standard buttons already (RSS feed, etc), why not one that users could be familiar with so that they can white list or opt-in to certain additional "anti-privacy" features?

    I know many websites (including a few of mine) could use more user information, and I don't see why we can't work to just setting a standard for how to do it.
    • Not very useful (Score:3, Insightful)

      by everphilski (877346)
      1. Javascript does it already

      2. Now you alienate any user using another browser

      3. Mozilla team is pulling an IE (implementing their own extensions... read the blog... "w3c doesn't have to make all the rules" ... if Microsoft said that /. would be up in arms)

      • Re:Not very useful (Score:3, Insightful)

        by AVee (557523)
        3. Mozilla team is pulling an IE

        Perhaps we should call this one 'pulling a google'? I mean, who is the biggest sponsor for the Mozilla Foundation? And who has a huge interest in 'features' like this?
      • Re:Not very useful (Score:5, Informative)

        by Fastolfe (1470) on Wednesday January 18, 2006 @11:03AM (#14499992)
        Mozilla team is pulling an IE (implementing their own extensions... read the blog...

        WHATWG != Mozilla

        Mozilla is attempting an implementation of a standard set by an independent standards body. No, they're not the W3C, but like you pseudo-quoted out of context, "w3c doesn't have to make all the rules."
      • Re:Not very useful (Score:3, Insightful)

        by QuantumFTL (197300) *
        Mozilla team is pulling an IE (implementing their own extensions... read the blog... "w3c doesn't have to make all the rules" ... if Microsoft said that /. would be up in arms)

        The difference here is that the ping tag does not affect loading or rendering of the page. It can be safely ignored, and does not create any compatibility problems for the user.

        Also, you must remember that Microsoft shoves its browser down people's throats, in the form of OS integration and prebundling, whereas this piece of sof
  • Does this feature track and retain your surfing habits without your consent? Can you not opt-out of it?

    If the answers are yes, I would say it is Spyware.
    • by ivan256 (17499) * on Wednesday January 18, 2006 @10:09AM (#14499486)
      Does this feature track and retain your surfing habits without your consent?

      No.

      Can you not opt-out of it?

      Disable the feature. Easy.

      It's not spyware by your definition. It has the added benefit of giving the user some control instead of being secretly tracked by the server side.
      • by spectrumCoder (944322) on Wednesday January 18, 2006 @10:24AM (#14499636) Homepage
        Disable the feature. Easy.

        This kind of misses the point. If Firefox is to become a mainstream internet browser, it needs to be anti-spyware and usable from a clean install onwards. Making it the ideal browser for the tweakers, where it's at its most usable after multiple options have been changed and several extensions installed, is not going to make it the browser of choice for the general public.

        As far as grabbing market share goes, it's the default settings that make the difference.
  • Extension (Score:5, Interesting)

    by nes11 (767888) on Wednesday January 18, 2006 @10:05AM (#14499449)
    This is firefox we're talking about. There will be an extension available within the first day to strip out those attributes. Or even more likely a built-in option to not acknowledge them.
  • How is this different from the web server logging every page and image you load?

    Is the concern that the 'ping' comes from your browser and not any proxy server you may be using? In most cases your proxy server is also your NAT server so the 'ping' isn't going to give much of anything about your IP....

    Of course this should be disabled by default, I just don't see this as a huge privacy issue.
    • by Bogtha (906264) on Wednesday January 18, 2006 @10:34AM (#14499731)

      How is this different from the web server logging every page and image you load?

      It's different because web server logs only record what you ask that server for. Web server logs don't record what you ask other servers for.

      This is essentially what the Referer header does, except in reverse. Instead of telling a new server where you have come from, it tells the old server where you are going.

      This is already possible with Javascript, and it was possible with CSS too - I'm not sure if it still is, but the technique was basically to suggest a local background image to style :active links - so when the link becomes :active (when it gets clicked on), the browser downloads the background image and you know the link was clicked.

    • Is the concern that the 'ping' comes from your browser and not any proxy server you may be using?

      That would be incredibly stupid if they did it that way. Every request the browser makes should adhere the proxy settings. Most of the time, a proxy is not optional but mandatory.

      In most cases your proxy server is also your NAT server so the 'ping' isn't going to give much of anything about your IP....

      Quite the contrary. Most of the time, if people are to use a proxy, it's because their clients are _not_ allowed
  • It's great! (Score:3, Insightful)

    by ivan256 (17499) * on Wednesday January 18, 2006 @10:07AM (#14499460)
    Websites can do all that stuff with a redirect script on the server side and the user has no control or knowledge of who is being notified. If site developers start using the ping tag instead we can selectively disable it with an extension. It gives the user control where before there was none.
  • by grahams (5366) * on Wednesday January 18, 2006 @10:07AM (#14499463) Homepage
    1. You are talking about a feature just added to a development tree, not something in a released version of Firefox.
    2. This feature can already be disabled (if you happen to be running a development version) using the 'browser.send_pings' preference.
    3. They didn't "quietly enable" a feature, they did it in front of everyone interested. There are plenty of bugs in bugzilla talking about the implementation of this feature. If you are running a development version of Firefox and can't be bothered to keep up with what is going on in the development community, that's your problem.

    Check out: https://bugzilla.mozilla.org/show_bug.cgi?id=31936 8 [mozilla.org]

    // check prefs to see if pings are enabled
    nsCOMPtr<nsIPrefBranch> prefs = do_GetService(NS_PREFSERVICE_CONTRACTID);
    if (prefs) {
    PRBool allow = PR_TRUE;
    prefs->GetBoolPref("browser.send_pings", &allow);
    if (!allow)
    return;
    }
  • by Matt Perry (793115) <perry.matt54@NoSpam.yahoo.com> on Wednesday January 18, 2006 @10:08AM (#14499475)
    Add this to your userContent.css file to make links with the ping attribute have a green border when hovered:
    a:hover[ping]
    {
    -moz-outline: 1px solid green;
    }
    • by booch (4157) <slashdot2010.craigbuchek@com> on Wednesday January 18, 2006 @11:00AM (#14499970) Homepage
      That should be:
      a:hover[ping] { -moz-outline: 1px solid green !important; }
      in order to keep the web site from overriding your setting.
      • That should be:
                a:hover[ping] { -moz-outline: 1px solid green !important; }
        in order to keep the web site from overriding your setting.


        User style sheets are always to supercede site style sheets, according to the CSS specification. The "!important" modifier shouldn't be necessary.

        I don't know if Mozilla implements that aspect of CSS correctly though, so it couldn't hurt to put it in there anyway.
        • User style sheets are always to supercede site style sheets, according to the CSS specification.

          This is not true, and isn't true in two different ways, depending on which specification you count as "the" CSS specification (there's more than one).

          According to the CSS 1 specification [w3.org], the author stylesheet will override the user stylesheet in most cases, and even if the user has !important rules, the author stylesheet can override them with !important. Quote:

          This strategy gives author's style she

  • by to_kallon (778547) on Wednesday January 18, 2006 @10:08AM (#14499476)
    as i read the summary i became overcome with fear when the updates are available dialogue popped up at the bottom of my screen. coincidence....?
  • by hkgroove (791170) on Wednesday January 18, 2006 @10:08AM (#14499478) Homepage
    This will make it easier for Ramius to declare his intention is to defect.
  • I've used redirects a lot and if properly set up, the transfer time between the redirect and the page the user wants is minimal. If you want a redirect to a lot of complicated things or collect a lot of data, of course it's going to be slow. The idea is to keep it simple. As long as this is something I'm not forced to use, I'm fine with it, though I can see the bitching down the road when someone finds a novel way to abuse it.

  • by Basje (26968)
    compared to before? It's not as if this functionality isn't already employed through other ways (javascript or redirects on the serverside). Now, it's just a little bit easier.

    Of course you can disable javascript, but most people don't. People who do so, can also turn off this ping functionality. I'm sure an extension will allow to do this the easy way (NoScript notably).

  • by Idimmu Xul (204345) on Wednesday January 18, 2006 @10:10AM (#14499499) Homepage Journal
    A lot of websites use redirect pages to get this exact same information, and off the top of my head I imagine it is pretty simple to notify multiple urls of where you are going using some tricky javascript and even cookies and referrers can be used across sites to track visitors. This is just making a very common, and needlessly complex, mechanism infinitely simpler for the web developer.
  • by blazerw11 (68928) <blazerw&bigfoot,com> on Wednesday January 18, 2006 @10:11AM (#14499511) Homepage
    So, I don't mean to go all "Senstionalist Title" on your ass, but the post links to a mozilla blog explaining how they've added this feature to the TRUNK. Announcing a new feature in a blog is not quite a press release, but it's a hell of lot more forthcoming that what "quietly added" implies. Also, it's been added to the Trunk, so it's not likely to actually show up in any Mozilla build for a while, much longer, if ever, in a release. This is really the way to add something like this. Put it in to see where and how it will be used and whether that's good or bad.
  • by nganju (821034) on Wednesday January 18, 2006 @10:18AM (#14499587)

    My first thought was "How can you track clicks with a ping?". After RTFA, it's not literally a ping to some server, it's a request to a URI, most probably an HTTP request that will contain request parameters indicating what link was clicked.

    Second of all, this is not any more of a privacy intrusion than previously existed. It was always possible to track clicks within a single website via cookies, and clicks on external links (i.e. banner ads) by using a redirect first. If the author of the website wants to track what you're doing, he's already got the means, and he's had them for years.
  • Don't worry yet (Score:5, Interesting)

    by courtarro (786894) on Wednesday January 18, 2006 @10:19AM (#14499595) Homepage
    "Quietly" refers to Mozilla's inclusion of this feature in the nightly trunk versions, not the official version available for download. That's hardly cause for concern. I'll bet most of the features added to nightlies are "quiet", so that's just a bit of fear mongering. It's a development version! I personally don't like the idea of pings that much, but I'm willing to bet it will have a UI to allow disabling when it's released to the masses. According to the bug request to implement it [mozilla.org]:

    We should try and do an experimental implementation of , to see if there are any unexpected real-world problems.

    That's what nightlies are for! We now see that it's a controversial tag (and they're probably already well-aware), so they're giving it a shot. Would you rather them just say "no, we don't like that potential standard [whatwg.org], so we're not going to try implementing it"?
  • by SmallFurryCreature (593017) on Wednesday January 18, 2006 @10:19AM (#14499598) Journal
    I click a link in a slashdot article to an external site and slashdot is notified about this. Mmm, okay. I can see that it might be considered usefull for deteriming how people use their website.

    It could enable a user comments vs people who actuall RTFA statistic. Knowing slashdot it would crash on a divide by zero error offcourse.

    But wait a minute, a infinite number of pings? So the story submitter himself can also add his pings? Knowing the quality of slashdot editors (HA!) any story submitter would know who read what links in his article. Do I want him to know?

    Imagine that someone puts a goatse.cx link on a forum. You don't of course admit that you been tricked but the next post is a record of all the pings the link submitter received proving that all of slashdot wanks to the goatse man.

    The abuse of this feature is clear and the benefits? If slashdot really cared to know wich external links are followed or not then that is their business isn't it?

    Do I really want websites to know wich external links I follow? I think this is a solution looking for a problem and in the few cases where a website needs to know the users need for privacy is superior.

    Bad mozilla. This is something I would have expected of MS or the old Netscape. Now go sit in a corner and don't come out until you stop adding crap features that tattle on me without informing me.

  • by BestNicksRTaken (582194) on Wednesday January 18, 2006 @10:19AM (#14499599)
    If this can't be disabled (in preferences, about:config, or easily in the source, or via some extension/Greasemonkey script) then I'm sticking with the current 1.5 build, or possibly off to Opera or Epiphany.

    Jesus if this was put into MSIE then people would be writing to their MP/senator by now!

    I cannot think of any good use for this.

    People who run servers do not need that specific kind of stats, their server logs should be good enough. Only marketing (aka spyware) types would want this kind of info.
    • This is already happening. Most comercial sites ALREADY track all of the link clicks on their sites. The majority of them use 302 redirects so, you can't turn them off.

      The only thing use of this attribute would do is make transparent what has ALREADY been happening for years.

      When I worked at a media company, we had a cluster of servers dedicated to link tracking. All links on the site would send you here, and it would send you a 302 to your destination. Try disabling redirects, and you will see the web stop
    • It can be disabled (Score:3, Informative)

      by Kelson (129150) *
      1. It can already be turned off via about:config (RTFA), and if it actually makes it into Firefox 2.0 there will probably be a checkbox in Preferences.

      2. As a guy with a website, I'm actually curious as to which links people click on to leave. Server logs will tell me which pages on my site are most popular and where visitors are coming from, but they won't tell me where they're going unless I go to the effort of creating a redirect script and linking through that -- and while I'm curious, I don't care eno
  • by Panaflex (13191) <convivialdingo AT yahoo DOT com> on Wednesday January 18, 2006 @10:21AM (#14499612)
    One, this is in the trunk builds - NOT the released versions.

    From a technical POV it's actually nicely thought out, as it separates logically the intended action and the "log."

    I'm sure that Google, Yahoo, and others are BEGGING for this. I've worked in Design and Dev at two of the biggest travel sites - it's a huge problem tracking clicks. If we could remove our tracking javascript then users would get a MUCH snappier web site.

    But we can't because our advertisers specify that we must have third party click/view audits that "verify" our intended audience numbers.

    On the one hand, I know (having designed and built some of the auditing and log analysis systems) that we're tracking every click on our sites. We do use cookies. And the tag would bring it all out in the open instead of buried 3 layers deep in javascript.

    But from an individual POV, it's like acknowledging that they really ARE watching me. And I am now consenting to that.

    Solution: In my mind, the big(and little) sites could offer users the "option" of using the ping tag for a nicer user experience. It would be disabled by default, and a web site would have to specifically request and get permission from the user before the browser would "unlock"

    Just me $0.02
  • by Shimmer (3036) <brianberns@gmail.com> on Wednesday January 18, 2006 @10:23AM (#14499628) Homepage Journal
    Assuming that IE implements the same feature, will sites use this? If clients can turn it off, I suspect that web sites won't trust it. This is something that is most accurately done on the server, and I think that's where it will stay.
  • by octaene (171858) <bswilson AT gmail DOT com> on Wednesday January 18, 2006 @10:53AM (#14499896) Homepage
    From the article:

    "Websites even employ "onmousedown" event handlers that change the href attribute at the very last second before a click occurs. This makes it so that hovering over the link displays the location that you want to go to, but it still ends up taking you someplace else."

    Gee, thanks for handing the spyware creators, spammers, and phishers even MORE ammunition. Let's trick the user into thinking he's clicking on one thing, and at the last minute send data to another URL. YES! Let's make it MORE difficult for users to trust their online banking applications (etc.)!!!

  • by sheldon (2322) on Wednesday January 18, 2006 @10:54AM (#14499912)
    I see it mentioned in a working group, but I see no confirmation this is part of any final adopted spec.

    That's my only concern... that Mozilla is once again off on a path of implementing stuff before the spec is adopted, and we're going to have "Best if using Mozilla" icons showing up on websites.
  • by CTho9305 (264265) on Wednesday January 18, 2006 @11:40AM (#14500357) Homepage
    If you add this to your userContent.css [mozillazine.org], links that have a ping attribute will be green:

    a[ping] {
        color: green !important;
    }

    You could also do something like this:

    a[ping] {
        -moz-opacity: 0.5 !important;
    }
    a[ping]:hover {
        -moz-opacity: 1 !important;
    }

    so that the links would be transparent until you hover over them
  • Standards? (Score:3, Insightful)

    by HunterZ (20035) on Wednesday January 18, 2006 @11:54AM (#14500549) Journal
    My question is where did this idea come from? Is it in an HTML standard somewhere? If not, they shouldn't have bothered putting it in IMHO. How can I tell my friends that Firefox aims to be more standards compliant if the Mozilla team is putting in proprietary HTML features?
  • by Spy der Mann (805235) <spydermann.slash ... m ['ail' in gap]> on Wednesday January 18, 2006 @12:04PM (#14500697) Homepage Journal
    Do not confuse this feature with spyware. Tracking cookies have always been used by advertising companies, yet they can be disabled. But I'd rather stick with tracking cookies than having to navigate through sites with embedded flash because the sponsors require them to. This "cookies = spyware" is just paranoia to me.

    Anyway, if a website gives you a "ping" attribute, what prevents the same site from obfuscating the link and doing some redirections? It's EXACTLY THE SAME! If there can be any abuse, it's because the attribute is provided BY THE WEBSITE'S CONTENT. And who controls the website content?

    One major abuse I could see are phishing sites, but if you already entered a phishing site it's your own fault, and I *REALLY* doubt a bank site would add ping attributes to their website.

    In comparison, SPYWARE steals resources, bandwith, CPU and Memory, and makes your system unstable, stealing also YOUR VALUABLE TIME.

    So, no, the ping attribute is NOT SPYWARE. I think the article submitter was too sensationalist by putting this in the headline.
  • The Obvious Answer (Score:3, Insightful)

    by UID30 (176734) on Wednesday January 18, 2006 @12:35PM (#14501098)
    Saying that you'd stop using Firefox if this is deployed is like saying you'd stop going to Wal-Mart if they have cameras watching you ... but wait ... they do. Face it. You're on the web. You're being tracked. OMG! Slashdot is tracking me now!!1!!1

    but seriously ... as a tool to improve user experience, this is a GREAT idea. decouple the link tracking from the target page loading. however, until it's adopted in a standard way by all browsers, it's useless. this can already be done in numerous ways thru javascript, proxy pages, inventive link creation, mod-rewrite ... there are as many ways to track user clicks as there are competent developers.

    sure, make it disableable. additionally, make it configurable to set the maximum number of PINGs per click. and lastly, limit the URLs to the originating site only.
  • by Giorgio Maone (913745) on Wednesday January 18, 2006 @12:48PM (#14501292) Homepage
    I'm already testing and I'm about to release a NoScript [noscript.net] version (1.1.3.6) which neutralizes this lovely ping attribute on untrusted sites, and offers also an user-accessible option, not implemented by Firefox (yet?), to disable it globally. I hope this will calm down the tinfoil hats ;)

"Well, social relevance is a schtick, like mysteries, social relevance, science fiction..." -- Art Spiegelman

Working...