<https://www.reddit.com/> once the redesign is enabled, if not <https://new.reddit.com/> should do once logged in.
As per <https://www.reddit.com/r/privacy/comments/8mmybp/psa_the_reddit_redesigned_ui_is_worse_for_privacy/>
Reddit has been trying to redesign their website to feel more "modern", but I have noticed that the redesigned UI also features more tracking.
For one, the new UI (and the new userpage) features session replay tracking everywhere (recording of your mouse movements, keystrokes, and how you interact with the website), as evident by its use of the mousemove JavaScript event listener for the entire page. I found out using Luminous (this isn't an endorsement or ad), which is an extension that detects (and can block) JavaScript events. The old UI also listens for the mousemove event but not everywhere (I have only noticed it on the "submit post" page, but there are probably a few other places), though I'm not sure if this is due to session replay tracking. I cannot say for certain that the old UI doesn't have session replay or something similar, but to me it doesn't seem like it for most pages. Perhaps someone who has investigated this further can confirm or deny.
Session replay is another form of tracking what you click on (possibly negating attempts to opt out of "regular" tracking of outbound links), can be used to fingerprint a user (how the mouse moves), and will negate attempts to delete posts and comments (for example, ones that accidentally contain personal information or passwords). Even accidentally pasting something like a password in a text box will result in the password being sent to Reddit (and/or a third party) and being stored in plain text. I don't know how Reddit manages user data internally, but with session recording it's possible that a Reddit employee playing back a session to assess user reaction to a new UI update may end up seeing your private messages or posts in private subreddits simply because it was there when you interacted with the page.
Also, the Reddit redesign completely breaks without JavaScript enabled, to the point where you can't click on links or even see the page content.
The old UI is still available to users, either through a setting in your account or (if you're not logged in) through old.reddit.com. You can also replace the 'www' part of the URL with 'old' on any Reddit page to get back to the old UI. I really, really hope they don't remove this.
u/Frellwit created a filter
uBO can defuse event listeners as well.
reddit.com##script:inject(addEventListener-defuser.js, mousemove)
or if there's a need to be more specific
reddit.com##script:inject(addEventListener-defuser.js, example, example-handler).
Why not add suggested filters to ublock filters?
You mean this reddit.com##script:inject(addEventListener-defuser.js, mousemove)?
This is just an example. [edit: This will break stuff]
And this post looks like FUD to me.
FYI - more research was posted about this a couple of months ago: https://www.reddit.com/r/privacy/comments/87mi06/psa_reddit_has_enhanced_their_tracking_they_now/
If it is not a 3rd party connection, there is no problem with session replay or anything that tracks. I personally have no problem with first party tracking. Besides that, this is FUD. Just a random pseudo research post by someone who is taking it to extreme. The problem is when the 3rd party comes in.
As long as UBO blocks the shitty get rich quick ads, that is enough.
I verified myself just now that POST requests including at the very least the user agent are sent to reddit.com, which is sufficient for first-party tracking to be blocked according to EasyPrivacy policy.
Surprised so many people have no issue with reddit's tracking\session recording\going closed-source. I don't care if it's first party, if it's closed source they could be doing some shady stuff. Plus, these session replay scripts have been known to record data they shouldn't, like passwords\people's credit cards.
Someone apparently wrote a tampermonkey script that will block this tracking pretty well and not break the site - https://www.reddit.com/r/privacy/comments/87mi06/psa_reddit_has_enhanced_their_tracking_they_now/dweil5v
It would be an interesting idea to try blocking these webpack modules selectively.
Surprised so many people have no issue
It's not a "no issue" thing, it's an issue of having someone willing to volunteer a lot of time investigating a fix that will reliably work -- just assume all volunteers here are already quite busy.
I looked at the userscript and by the look of it it's not something that can be blocked by uBO. Maybe there are other ways to block the tracking but as said, someone needs to volunteer their time to investigate a workable solution, if any.
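Added illustration (not part of the thread and not uBlock Origin's scriptlet code): a simplified sketch of how defusing `addEventListener` can work, showing why a filter that matches only the `mousemove` type drops every such listener ("This will break stuff") while adding a handler needle leaves unrelated listeners in place. `installDefuser`, `runDemo` and the handler names are hypothetical, and plain substring matching is an assumption.

```javascript
// Added sketch; all names here are hypothetical, not uBO internals.
function installDefuser(typeNeedle, handlerNeedle = '') {
  const proto = EventTarget.prototype;
  const original = proto.addEventListener;
  const dropped = [];
  proto.addEventListener = function (type, handler, ...rest) {
    // The handler needle is compared against the listener's source text.
    let source = '';
    if (typeof handler === 'function') {
      source = Function.prototype.toString.call(handler);
    } else if (handler && typeof handler.handleEvent === 'function') {
      source = Function.prototype.toString.call(handler.handleEvent);
    }
    if (String(type).includes(typeNeedle) && source.includes(handlerNeedle)) {
      dropped.push({ type: String(type), source });
      return undefined; // swallow the registration; the listener never fires
    }
    return original.call(this, type, handler, ...rest);
  };
  // Expose what was dropped and a way to undo the patch.
  return { dropped, restore() { proto.addEventListener = original; } };
}

// Constructed demo: a UI listener and a recorder-style listener on one target.
function runDemo(typeNeedle, handlerNeedle) {
  const defuser = installDefuser(typeNeedle, handlerNeedle);
  const target = new EventTarget();
  const fired = [];
  target.addEventListener('mousemove', function showTooltip() { fired.push('ui'); });
  target.addEventListener('mousemove', function recordSession() { fired.push('recorder'); });
  target.addEventListener('click', function onClick() { fired.push('click'); });
  target.dispatchEvent(new Event('mousemove'));
  target.dispatchEvent(new Event('click'));
  defuser.restore();
  return { fired, droppedCount: defuser.dropped.length };
}

console.log(runDemo('mousemove', ''));              // type-only match
console.log(runDemo('mousemove', 'recordSession')); // type + handler needle
```

The patch only affects listeners registered after it is installed, which is why a content blocker has to inject this kind of code before the page's own scripts run.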