Hitbox
An update on LiveJournal goings-on, for those of you who don't tend to follow these things. (This post is a summary, and the numerous links provide more information, if you're interested.)
Last week, LiveJournal started using the Hitbox service for anonymous usage statistics and tracking. LiveJournal started sending out a Hitbox cookie and there was Hitbox JavaScript on many pages on LiveJournal. You can block the cookie, but in most browsers you can't stop the JavaScript from executing without disabling JavaScript entirely.
To make things worse, the JavaScript was obfuscated so badly that the LiveJournal developers probably didn't know exactly what it did. And, while the intention was to leave this tracking code off of all journal pages, it was accidentally left on old-style comment pages. (The ones that have the LiveJournal logo on the top-left of the page, which is probably what most of you see when you read most journal comments.) Any friends-only or private entry that you or anyone else read had its subject line sent to Hitbox along with other tracking information.
Due to these security concerns, the general manager of LiveJournal posted that Hitbox is being removed from LiveJournal until the problems can get worked out.
I suggest those of you interested in this monitor the situation, and don't hesitate to register your thoughts with feedback@livejournal.com if the situation becomes something you find problematic. (I did email that address before Hitbox was removed.) Everything sent there is read and responded to (probably by someone I know).

no subject
LiveJournal decided to use a third-party company to do this so they didn't have to write tracking stuff themselves. [DO: not a great idea.]
That third-party company said to LJ, "Here's some code to put on your site, and we'll do all the work for you. Trust us, this does what you want, and nothing more than that." The code was designed in such a way that the LJ programmers couldn't verify this. (This is called "obfuscated code".) LJ basically took them at their word (though there was a contract involved). [DO: terrible idea.]
LJ accidentally put the code in too many places, and so some of the information sent to the third-party company was the subject line of many entries. What determined whether the subject was sent was who viewed the entry, not the security setting. [DO: Absolutely horrible mistake.]
LJ has since removed all the code, and will evaluate it to see when, if, and how it should be re-added. [DO: good idea.]
There's a good chance that LJ will add the code back at some later point, without that mistake, but also without letting the users see the real code rather than the obfuscated code, the code-designed-to-make-it-impossible-to-see-what's-going-on. [DO: bad idea.] With almost everything else on LJ, the code is freely available so that people who understand this stuff (such as the people I linked to in this post) can review it and alert the community if there's something to be concerned about. Hopefully at least the developers get to see the unobfuscated code before it goes back on the site; otherwise, nothing's really been fixed.