Rogers Cadenhead left a comment on my blog about a new PHP class library he's developed that "can receive click pings and report on the most popular links." It shows how <a ping> can be used to help you get a better feel for the usage of off-site links on your website.
Posted by darin at January 20, 2006 3:07 PMIt's useless.
The sites that are trustworthy may use it, sure - but the sites that are interested in hijacking your privacy - the ones we really need to worry about - won't.
AND - since it's not in IE, it's not useful anyways, because they'll have to resort to the old methods to track IE clicks.
So far, I'm failing to see its usefulness. Especially to the user (NOT the same thing as the web developer, mind you).
From your first article on this:
"This change is being considered in large part because some very popular websites have asked for a solution to this problem."
In other words, this is for the benefit of big websites, and not really for the user. Thanks for telling me where your loyalties lie.
"this feature comes along with the intent of giving the user more control than they previously had"
Control over what? The bad guys aren't going to use it, and you know it. Even most of the good guys probably aren't going to use it, or just supplement it with other tracking methods, negating its advantages.
And if it's hidden in the config stuff, only techies and power users will really know about it. It MUST be in the UI to be useful to the average joe.
"I'm really quite shocked that so few people seem to realize this."
Really? I'm not shocked at all. Your average joe probably doesn't even know (or care) what HTML is.
"Ping is just another tracking mechanism that will be exploited for marketing purposes. There is already cookies, javascript, web logs to record web bugs etc; will ping mean these will no longer be used? I honestly can't see that."
I agree . . .
And quite honestly, you're cherry picking the feedback to listen to.
You ignore some of the more intelligent feedback, and listen to somebody who calls you "assholes" instead.
Posted by: CobraA1 at January 25, 2006 6:31 AMCobraA1,
This feature is not about trying to limit what bad guys can do. I never said otherwise. Instead, it is about providing an explicit click tracking mechanism that has advantages to both users and websites. Providing advantages (such as better performance) to websites encourages them to use this mechanism. Meanwhile, when websites use this mechanism, the browser can in turn inform the user about it or do other things to assist the user. Without something explicit like this, the user is simply left in the dark.
> In other words, this is for the benefit of big websites, and not really for the user. Thanks for telling me where your loyalties lie.
You are completely misinterpreting my comment. I was being honest about how I first learned of this problem. However, the <a ping> solution is something that I chose to pursue because I believe that it provides advantages to both users and websites, such as those that I mentioned above.
> Control over what?
Users can turn off the feature. That equals control in my book.
> It MUST be in the UI to be useful to the average joe.
I disagree. I'd wager that average users don't even look in the preferences panel.
This feature is similar to HTTP referrers. That feature tells websites you visit where you came from, and this feature tells websites you leave where you are going. Are you similarly upset about HTTP referrers? (There's no preferences UI to disable HTTP referrers.)
> Really? I'm not shocked at all. Your average joe probably doesn't even know (or care) what HTML is.
Sorry for not making the context of my comment more clear. I was speaking of the technical audience that happens to visit my blog. I wasn't talking about users in general. My mistake for not being clear in that comment.
> Ping is just another tracking mechanism that will be exploited for marketing purposes.
So? Please explain this argument to me. Why do we care that this feature makes it possible for marketing people to do what they can already do without this feature?
> And quite honestly, you're cherry picking the feedback to listen to. You ignore some of the more intelligent feedback...
Untrue. I've tried to respond to as much of the feedback as I can. Again, developing this feature in my spare time doesn't leave enough time for me to respond to everyone. If I've missed some compelling arguments against <a ping>, then please point them out to me.
You do realize that my blog where I mentioned that "assholes" comment was meant to be funny, right? It isn't every day that one wakes up to such a flurry of "fun" :-/
Posted by: Darin Fisher at January 25, 2006 8:05 AMsince you seemed to miss my comment in a previouse entry, so here's the copy/paste.
Darin said:
Have you ever uses personalized search (or search history) on google? It tracks your clicks so that it can show you a historical record of all of the searches you did and the search results you chose. Google does not do this by default of course.
Exactly. Google does not do this by default. The user makes a informed decision to enable it. They understand their search results are being stored when they agree to the service. Downloading and installing Firefox should not automatically mean that any type of client side tracking device is turned on by default. Even if you include information in the agreement notice, how many people really read and understand that legalese?
Using your example above, I should have to "turn on" such a feature after I have read and understand the implications of enabling such thing. Personally, I would like to see Firefox distributed with cookies turned off and the Permit Cookies extension and NoScript installed by default. This would give the user alot more control, BY DEFAULT, over what their web broswer should and shouldn't be able to do, out of the box...so to speak.
You once said that web developers count on 99.99% of the people on the web not changing their browser settings. This is true...this is also what the "bad guys" count on as well. Hence viruses, worms, script kiddies, et al. are all over the place. I grant you, the ping tag might be useful to news sites that rank headlines by the number of clicks it's recieved, but if history is any teacher, it will be abused at the first opportunity.
As it is right now, you can only do so many redirects before users would get tired of waiting for the page to load and go somewhere else. With 'ping', an unlimited number of servers could be notified by a single click, since I read in the design discussion you mentioned in the original post, that the spec is not going to have an upper limit of URIs. That pretty much benefits only an advertiser. If your target was really to help news, blog or personal sites have the ability to track clicks for ranking purposes and allow control over adveristers, you would design in some means of preventing it from being used for "super bad" purposes.
You say that Google wouldn't be able to "strongarm" this kind of thing into the Firefox browser. Two months ago, in your own blog you post about a job opening at Google for "software engineers to join us in our collaborative development efforts with the Mozilla Foundation on the Firefox browser". And then someone who works for Google and has been working on the Firefox project comes out with "(sic)..the point of this feature is to enable link tracking mechanisms commonly employed on the web...(sic)", I think that would raise the suspicions. Granted they may be unfounded, but kinda of difficult to ignore.
And in closing, I think fixing the memory and caching problems in the past few releases of the software would be a better use of your time, drive and desire to make the browser better. I've put up with Firefox's tendency to suck up RAM and then start flooding my swap file with 300MB of data and bring my system to it's knees until I can get to the task manager I now keep in the systray and kill the process. However, this new "feature", makes me think that I've reached the end of the official Firefox development project. I'll wait for a version that will give me real tools to help keep the advertisers, spammers & virus writers from knowing anything and everything about where I've been and where I'm going to.
Posted by: at January 25, 2006 10:32 PMDarin said:
> Control over what?
Users can turn off the feature. That equals control in my book.
> It MUST be in the UI to be useful to the average joe.
I disagree. I'd wager that average users don't even look in the preferences panel.
So you admit that this change really isn't about giving the average user more control, it's about giving advertisers an easy, standardized way to track clicks with the Firefox browser.
And that is the problem I'm having. If the feature isn't easy to turn off to Average Joe, it won't be. about:config is about as far away from user friendly as you can get.
You claim it gives users more control and then turn around and say you won't be able to do it with the UI (by default, granted extensions will be written to turn it off, but if you really wanted to give users an easy way to do it, you would include that ability by default.)
I don't know how to tell you this, but your hypocrisy is showing.
Posted by: at January 25, 2006 10:47 PM> So you admit that this change really isn't about giving the average user more control, it's about
> giving advertisers an easy, standardized way to track clicks with the Firefox browser.
Good grief. That's not what I said at all. You're just cherry-picking my words to try to string together some new meaning. That's bogus.
* Average users avoid dialogs as complex as the preferences dialog.
* <a ping> can be turned off.
* Ability to turn off a feature is control over that feature.
* <a ping> is not a feature that is easy to explain.
Conclusion: Presenting UI in the preferences panel to disable <a ping> isn't going to help average users. If people are concerned about the privacy implications of this feature, then they can follow instructions to disable it via about:config.
Elsewhere I said that I would be in favor of preferences UI that enabled the user to "browse anonymously." That sort of preference is easier to explain to users, and it makes good fodder for the preferences panel IMO.
Posted by: Darin Fisher at January 26, 2006 6:41 AM"I disagree. I'd wager that average users don't even look in the preferences panel."
I agree - it should be handled like popups - in the main window as well as the option to turn it off completely in the preferences.
"This feature is similar to HTTP referrers."
I happen to disagree with the philosophy of "if everybody is doing it, that makes it OK for me to do it also" - it's the bandwagon fallacy.
"Sorry for not making the context of my comment more clear. I was speaking of the technical audience that happens to visit my blog."
If this is going into the trunk of Firefox, then forget this blog, this impacts everybody who's going to download a future version of Firefox.
If this manages to get news/media attention then you're going to find a LOT of people who "miss the point" of your feature.
Now, if this were an extention, I wouldn't mind at all. I simply wouldn't download the extention, and you can target only techies all you please.
But if it's going into the trunk, and is going to be released as part of a future Firefox, it's going to affect everybody who downloads Firefox all the way down to the average joe - and you had better design it around the average joe.
And let's say I'm a web developer - what's the advantage of this over, say, a few of lines of JavaScript?
Posted by: CobraA1 at January 26, 2006 7:13 AMI guess we just see the web in different ways.
When it was shiny and new, the assumption was that every website out there was good and pure and that it was ok to let any website set cookies, run javascript etc. Then the bad element moved in and set up shop. With their spam, pop up ads, ActiveX exploits, spyware, malware, marketing cookies from hell, they began to take over the internet.
The "default" settings don't work anymore. The thought shift should be to the concept that every website out there is bad and looking to harm my machine until it has proven otherwise.
I've been using Firefox for several years as my default browser with strict control over cookies, javascript, pop up windows, referrers and the like. I have 9 websites that are allowed to set unexpired cookies, 23 are allowed to set session cookies, all else are rejected and 34 domains are allowed to run JavaScript. Hardly default settings.
Looking at IE's cookie folder shows 524 of them, most advertising based. Sure I could turn off cookies in IE or set it for "ask everytime", but when websites want to place 15 ad cookies or more per visit, that gets old. I like the Permit Cookies extension's keyboard shortcut for cookie control. I get to choose which sites are allowed to set what kind of cookies. Same with NoScript, I get a safer web all around because I moved away from the "default" settings.
As I said before, the bad element out there depends on the "everything is ok to do whatever it wants" default settings of web browsers. Why not turn off all the defaults and make people learn why enabling JavaScript on that pr0n site might not be the best idea. Or do you really want 75 cookies on your hard drive showing you saw ads for the latest ED drug that don't expire until 2035?
Your ping idea has merit, and if this was the beginning of the internet before all the other methods of tracking came along, I'd say go for it. But when weighing the perceived gain against the potential for abuse, I still say toss it and work on giving me tools to fight those bad guys and I'll stick beside you, telling all I know about the browser who wants to provide the user with a safer web. The one that is proactive in protecting you from malicious JavaScript, crazy cookies and the like. The one that detects a possible redirect and asks you if you really want to do that. The one that doesn't treat you like sheep and tries to inform you to the dangers of the internet, because knowledge is power.
Or maybe I'll just have to wait for the next big thing to come along and hope that they "get it". /shrug Guess only time will tell.
Posted by: at January 26, 2006 10:36 AMIf you must include this rather invasive feature, at least have the common decency to turn it off by default.
Darin - straight question - do you ever forsee websites dropping redirects, onmousedown (etc) methods in an effort to track FF uses solely by PING? Exactly...
Turn it off or have a HUGE dialog box saying "This click if being tracked by [list of the domains included]. This has privacy implications that allow websites to track you, do you want to allow this tracking?" and have a yes, no and remember setting and have the NO button the default.
By your own admission, the average user DOESNT get this. Give them the visible option to make up their own minds. We dont need you making up our minds for us. Microsoft did this and they got it wrong, dont make the same mistake.
Posted by: Paul at February 7, 2006 6:30 AM