Uncomfortable privacy issues due to enforcement of yahooapis.com...


perixx
August 29th, 2008, 06:04 PM
Hello to the forum staff...

I've started using this forum about 1 1/2 years ago - and I was impressed by the usability and spirit, leading to problem-solving within no time, mostly. Not so long ago (I've been ranting about this matter back then), the forum ownership changed:

Ever since then, users are enforced to activate
JAVASCRIPT for YAHOOAPIS.COM
to have basic functionality like personal search activated.

Since Javascript is the gate to security hell, I'm refusing to use that crap. I already did and do it again hereby: requesting the forum staff to remove yahooapis.com javascript from this otherwise great website, for the sake of user privacy and security!


Just to get an idea, what's the spirit behind that company, I made the effort and excerpted some passages of their TOS, TOU, Privacy Policies and so on - the passages in exclamation marks are some more or less funny
comments from myself:




Yahoo! APIs Terms of Use:

If your product or service uses or is based upon the Yahoo! APIs, then YOU SHALL comply with the Yahoo! Developer Network Attribution Policy located at http://developer.yahoo.com/attribution/.

"HERE BEGINS A CHAINLINK OF REFERENCES TO OTHER POLICIES, TOU'S AND LICENSE AGREEMENTS"



To comply with the Yahoo! Web Services Terms of Use, you must display a Web Badge or text attribution on your web site or client application if Yahoo! content and data are served from your website or client application.

Using Web Badges:
* Always use only the images we provide to you.
* Comply with our Attribution Terms of Use.
* Comply with our Placement Guidelines.
* Link back to the Yahoo! Developer Network, at http://developer.yahoo.com/.

"NOW, DON'T PANIC THIS IS ONLY FOR DEVELOPERS."



"AND MORE TO COME. WHAT?! I'M SUPPOSED TO READ ALL THIS?
-- COME ON, SONNY. MS IS MUCH WORSE ^_^"

http://info.yahoo.com/privacy/us/yahoo/devel/details.html
http://info.yahoo.com/privacy/us/yahoo/cookies/details.html
http://info.yahoo.com/privacy/us/yahoo/thirdparties/details.html


Yahoo! APIs Terms of Use

http://info.yahoo.com/legal/us/yahoo/api/api-2140.html



MOST IMPORTANT OF ALL:

Yahoo! Privacy Policy

http://info.yahoo.com/privacy/us/yahoo/

Excerpt:

* This policy covers how Yahoo! treats personal information that Yahoo! collects and receives, including information related to your past use of Yahoo! products and services. Personal information is information about you that is personally identifiable like your name, address, email address, or phone number, and that is not otherwise publicly available.

"MAKES A NICE PROFILE OF PEOPLE, HEHE!"

* This policy does not apply to the practices of companies that Yahoo! does not own or control, or to people that Yahoo! does not employ or manage. In addition, some companies that Yahoo! has acquired have their own, preexisting privacy policies which may be viewed on our acquired companies page.

"WE'RE SO NICE, BUT NO GUARANTEE WHATSOEVER FOR OUR 3RD PARTY FRIENDS!!!"

* Yahoo! participates in the Safe Harbor program developed by the U.S. Department of Commerce and the European Union. [...] For more information about Yahoo!'s participation in the Safe Harbor program, please visit our Safe Harbor details page.

"OH, YEAH. IT'S ALL OURS."

Information Collection and Use
General:

Yahoo! collects information about your transactions with us and with some of our business partners [..].

"OF WHICH ARE...?"

[...] When you register with Yahoo! and sign in to our services, you are not anonymous to us.[...]

"OH, REALLY."

Yahoo! automatically receives and records information from your computer and browser, including your IP address, Yahoo! cookie information, software and hardware attributes, and the page you request.

"HEHE, MY IP ADDRESS IS CHANGED ON EACH LOGIN :P --
:) YOU FORGOT ABOUT JAVASCRIPT CAPABLE OF READING YOUR FIXED INTERNAL IP AND MAC ADDRESS :P

SO YOU GOT MY IP, SO WHAT? -- YEAH, WE KNOWS YOUR STREET, SO WHAT?

Yahoo! uses information for the following general purposes: to customize the advertising and content you see, fulfill your requests for products and services, improve our services, contact you, conduct research, and provide anonymous reporting for internal and external clients.

"CUSTOMIZED ADS? WHAT RESEARCH? I DON'T LIKE THAT!
-- IT'S ALL SAFE AND ANONYMOUS, SONNY. RELAX."


Information Sharing and Disclosure

* Yahoo! does not rent, sell, or share personal information about you with other people or non-affiliated companies except to provide products or services you've requested, when we have your permission, or under the following circumstances:

"UH-OH, EXCEPTIONS?
-- RELAX, NOTHING TO WORRY ABOUT, PAL."

o We provide the information to trusted partners who work on behalf of or with Yahoo! under confidentiality agreements. These companies may use your personal information to help Yahoo! communicate with you about offers from Yahoo! and our marketing partners. However,[...] do not have any independent right to share this information.

"TRUSTED...
-- SURE, IT'S OUR BUDDIES! HAVE A NICE CHIT-CHAT."

o We have a parent's permission to share the information if the user is a child under age 13. Parents have the option of allowing Yahoo! to collect and use their child's information without consenting to Yahoo! sharing of this information with people and companies who may use this information for their own purposes.

"CHILDREN. OWN PURPOSES. EVEN THE IDEA IS A BIT SCARY, ISN'T IT?
-- HEY, THESE ARE FUTURE CUSTOMERS!"

o We respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims.

"..."

o We believe it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of Yahoo!'s terms of use, or as otherwise required by law.

"SURE. LAW DEMANDS. LOTSA. SAVE HARBOURS EVEN MORE - BE PREVENTIVE, YEAH. -- ARGHN! WHAT HAVE YOU DONE! DIDN'T YOU READ ABOUT THAT OTHER LAW IAXY434 ENHANCEMENT LAST MONTH?! NOW GOT YOU ON RECORD, CRIMINAL! POLICE!"

o We transfer information about you if Yahoo! is acquired by or merged with another company.[...] Yahoo! will notify you before information about you is transferred and becomes subject to a different privacy policy.

"LET'S MERGE OUR PROFILE POOLS TO KNOWS IT ALL ^_^
WHAT, YOU DIDN'T VISIT OUR TOS PAGE LAST YEAR? ROFL!"

* Yahoo! displays targeted advertisements based on personal information. Advertisers (including ad serving companies) may assume that people who interact with [...] targeted ads meet the targeting criteria [...].

"YOU DIDN'T WANT US TO KNOWS ABOUT YOUR BAD TASTE AND EVEN SHOW THAT WE KNOWS? LOL! READ THE ******* MANUAL!"

o Yahoo! does not provide any personal information to the advertiser when you interact with or view a targeted ad. However, by interacting with or viewing an ad [...] the advertiser will make the assumption that you meet the targeting criteria used to display the ad.

"YOU ACTUALLY CLICKED THAT, YA PERVERT! LOL! WELL, YA ASKED FOR IT. WE KNOWS YOUR IP. EXPECT YER PERSONALIZED POSTAL ADS IN A FEW YEARS, HEH."

o Yahoo! advertisers include financial service providers (such as banks, insurance agents, stock brokers and mortgage lenders) and non-financial companies (such as stores, airlines, and software companies).

"HEY, THAT'S A LOT!?? WHAT ABOUT OTHER FIRMS READING COOKIES, DOM OBJECTS AND FLASH OBJECTS, GETTING THEIR HANDS ON MY BROWSING HABITS OR EVEN ONLINE BANKING CREDENTIALS??
-- TOLD YOU DON'T USE JAVASCRIPT BUT U'R BRAIN INSTEAD! LOL! RTFM!!"

* Yahoo! works with vendors, partners, advertisers, and other service providers in different industries and categories of business. For more information [...] "...RTFM."

"HEY! WAIT!! I DIDN'T ASK FOR COMPANY!
-- THAT'S WHAT YOU'RE DOING RIGHT NOW. RTFM, MORON!"


Cookies

* Yahoo! may set and access Yahoo! cookies on your computer.

* Yahoo! lets other companies that show advertisements on some of our pages [...]. Other companies' use of their cookies is subject to their own privacy policies, not this one. Advertisers or other companies do not have access to Yahoo!'s cookies.

* Yahoo! uses web beacons to access Yahoo! cookies inside and outside our network of web sites and in connection with Yahoo! products and services.

"ERM. WEB BEACONS FOR TRACKING, ALL THAT COOKIES STORED. EVEN MORE PRIVACY POLICIES? OH NO! AND WHAT ABOUT CROSS SITE SCRIPTING & JAVASCRIPT INSECURITIES?
-- DID WE TELL YOU TO RTFM'S?!!"



Yahoo! Terms of Service

http://info.yahoo.com/legal/us/yahoo/utos/utos-173.html

Excerpt:

2. DESCRIPTION OF SERVICE

Yahoo! provides users [...] various communications tools, forums, shopping services, search services, personalized content and branded programming through its[...] "Service"). You also understand and agree that the Service may include advertisements [...].
You also understand and agree that the Service may include certain communications from Yahoo!, [...] and you will not be able to opt out of receiving them. [...] any new features that augment or enhance the current Service, including the release of new Yahoo! properties, shall be subject to the TOS.
You understand and agree that [...] Yahoo! assumes no responsibility for the timeliness, deletion, mis-delivery or failure to store any user communications or personalization settings."

"EVERYTHING YOU CLICK AND SAY WILL BE IN OUR DATABASE FOR PROFILING AND MARKETING - FOR YOUR OWN GOOD! MAKE YOUR X HERE, FOOL! AND ON THIS BLANK PAPER, PLEASE, THANKS! (AND DON'T BLAME US FOR, IF WE LOSE OR MIX THAT UP, SORRY!)"

14.

MODIFICATIONS TO SERVICE

Yahoo! reserves the right [...] to modify [...] the Service (or any part thereof) with or without notice.[...]

"ER, WHAT WE'RE DOING HERE? JUST FORGOT TO INSTALL A LITTLE NIFTY GADGET, FOR YOUR CONVENIENCE. TRUST ME SONNY."

16.

DEALINGS WITH ADVERTISERS

Your [...] participation in promotions of, advertisers found on or through the Service, including [...] services, and any other terms, [...] are solely between you and such advertiser. You agree that Yahoo! shall not be responsible or liable for any loss or damage of any sort incurred as the result [...] of the presence of such advertisers on the Service.

"YOUR DATA STOLEN/LOST? AH, SEE. TOLD YOU COMPANY XY WAS WORKING WITH US, DON'T SAY WE DIDN'T WARN YOU."

*EOL*



Even if some of this is aimed at developers in the first place, users are afflicted in practise, too.

YOU WANT MORE OF THAT? R.T.F.M.!!!!


perixx

-grubby
August 29th, 2008, 06:37 PM
As far as I know they are doing this to conserve server resources. I'm sure hosting the javascript on another website helps reduce server load severely

jpeddicord
August 29th, 2008, 06:44 PM
I'm sorry, but this has been debated to the ground and you really seem like you are just whining.

In a nutshell:
You will get more cookies and "privacy issues" just by visiting Yahoo! or Google than you will allowing a single browser request to download a JavaScript library.

I'm going to admit, I didn't read your whole post. It lost its validity the moment you pressed that key under Tab. But what I'm saying is that if you are paranoid about a single JavaScript library, you might as well use Lynx. :?

And what do you mean by "forum ownership changed?" Even though Canonical sponsors the server, it is still run by the same group of people and maintained by ubuntu-geek, as it always has been.

Oldsoldier2003
August 29th, 2008, 06:52 PM
But what I'm saying is that if you are paranoid about a single JavaScript library, you might as well use Lynx. :?

And if that's just too unbearable the user always has the option of not using this unbearably privacy impaired forum...

LaRoza
August 29th, 2008, 06:54 PM
Since Javascript is the gate to security hell, I'm refusing to use that crap. I already did and do it again hereby: requesting the forum staff to remove yahooapis.com javascript from this otherwise great website, for the sake of user privacy and security!

Here are a few issues:


JavaScript is not a gate to security hell. It can't reach outside the browser and it can't access other sites. Only in IE does JavaScript have the capability to reach outside the browser (and that is reduced in IE 7 a lot)
It is not "crap". You are only complaining because it is hosted remotely. It can be hosted locally, and would be the exact same script but you wouldn't complain about it.
The forum software is vBulletin. Canonical paid for the licenses and maintains the servers. The script will be hosted on the yahoo servers to reduce bandwidth usage.


Now, relax and use your head. If you don't like the use of yahooapis, then you should disable all JavaScript, not **** and moan about this.

You can view the script (like I did) and you'll see it shares no information with anybody. Those EULA's you cite reference the use of Yahoo! services like email, not the use of that script.

There are no privacy issues here

Don't spread such unfounded FUD. If you have proof, present it, but don't try to spread fear about using this forum.

Joeb454
August 29th, 2008, 07:03 PM
If you wish to pay for another server, then I'm sure we can host the javascript.

If you don't like it, nobody is making you use this forum...

LaRoza
August 29th, 2008, 07:05 PM
If you wish to pay for another server, then I'm sure we can host the javascript.

Actually, it is probably cached locally anyway for most users.


If you don't like it, nobody is making you use this forum...

Speak for yourself. I have a binding contract.

Oldsoldier2003
August 29th, 2008, 07:16 PM
Actually, it is probably cached locally anyway for most users.



Speak for yourself. I have a binding contract.

Joe didn't get the memo. But that's OK, he uses Lynx.

Joeb454
August 29th, 2008, 07:24 PM
I didn't get the memo you're right...I never get the memo...excuse me I think you have my stapler...

And I use Firefox ;)

LaRoza
August 29th, 2008, 07:29 PM
And I use Firefox ;)

n00b

jpeddicord
August 29th, 2008, 07:37 PM
n00b

Abort, Retry, Fail?

Joeb454
August 29th, 2008, 07:46 PM
n00b
:cry:

cyberdork33
August 29th, 2008, 10:45 PM
:cry:
You're OK in my book if that means anything.

LaRoza
August 29th, 2008, 10:46 PM
You're OK in my book if that means anything.

Don't say that. You may also be on the receiving end of my mockery :-)

schauerlich
August 29th, 2008, 10:48 PM
Don't say that. You may also be on the receiving end of my mockery :-)

Who isn't? :/

yabbadabbadont
August 29th, 2008, 10:58 PM
It seems to me that mocking another forum user is a clear violation of the CoC. Yet several mods have done so here. Nice example people. :roll:

schauerlich
August 29th, 2008, 11:40 PM
It seems to me that mocking another forum user is a clear violation of the CoC. Yet several mods have done so here. Nice example people. :roll:

It's all in good fun...

/me inserts standard line about reporting specific incidents in the Res Center.

BLTicklemonster
August 29th, 2008, 11:40 PM
Good God, Yab, I'm biting my tongue here trying not to mock you.


(am I doing a good job?)

cyberdork33
August 30th, 2008, 12:29 AM
Don't say that. You may also be on the receiving end of my mockery :-)

I can take it. I even call myself a dork. That's gotta say something.

pp.
August 30th, 2008, 03:23 AM
(am I doing a good job?)

You might think so.

overdrank
August 30th, 2008, 06:19 AM
If they are picking on Joeb454 it is giving me a day off :)


In all serious, Joeb454 know we respect and appreciate to the fullest. [-o<

LaRoza
August 30th, 2008, 06:24 AM
In all serious, Joeb454 know we respect and appreciate to the fullest.

In all seriousness

Possibly, Joeb45 gets the fullest of my mockery however.

Joeb454
August 30th, 2008, 10:35 AM
If they are picking on Joeb454 it is giving me a day off :)


In all serious, Joeb454 know we respect and appreciate to the fullest. [-o<

Thanks overdrank :)

In all seriousness

Possibly, Joeb45 gets the fullest of my mockery however.

Funnily enough...I noticed ;)

schauerlich
August 30th, 2008, 12:41 PM
Possibly, Joeb45 gets the fullest of my mockery however.

Meh, he deserves it.

Kernel Sanders
August 30th, 2008, 04:15 PM
Excuse the ignorance here, but why not just block the script in AdBlock Plus if you're that worried?

LaRoza
August 30th, 2008, 04:46 PM
Excuse the ignorance here, but why not just block the script in AdBlock Plus if you're that worried?

Because that would solve the problem and there would be nothing to complain about.

pp.
August 30th, 2008, 04:57 PM
Why is this thread still alive, anyway? The person who started it did not contribute anything at all after the OP.

Joeb454
August 30th, 2008, 05:40 PM
Why is this thread still alive, anyway? The person who started it did not contribute anything at all after the OP.

Agreed. Thread Closed

LaRoza
August 30th, 2008, 06:27 PM
Agreed. Thread Closed

One final insult, n00b.

:-)

Joeb454
September 7th, 2008, 04:21 PM
Thread re-opened at OP request

schauerlich
September 7th, 2008, 04:37 PM
Thread re-opened at OP request

And you're giving in? n00b.


/me knows mods usually reopen at OP's request

Oldsoldier2003
September 7th, 2008, 04:50 PM
As far as I know they are doing this to conserve server resources. I'm sure hosting the javascript on another website helps reduce server load severely

I'm sorry, but this has been debated to the ground and you really seem like you are just whining.

In a nutshell:
You will get more cookies and "privacy issues" just by visiting Yahoo! or Google than you will allowing a single browser request to download a JavaScript library.


Here are a few issues:


JavaScript is not a gate to security hell. It can't reach outside the browser and it can't access other sites. Only in IE does JavaScript have the capability to reach outside the browser (and that is reduced in IE 7 a lot)
It is not "crap". You are only complaining because it is hosted remotely. It can be hosted locally, and would be the exact same script but you wouldn't complain about it.
The forum software is vBulletin. Canonical paid for the licenses and maintains the servers. The script will be hosted on the yahoo servers to reduce bandwidth usage.


Now, relax and use your head. If you don't like the use of yahooapis, then you should disable all JavaScript, not **** and moan about this.

You can view the script (like I did) and you'll see it shares no information with anybody. Those EULA's you cite reference the use of Yahoo! services like email, not the use of that script.

There are no privacy issues here

Don't spread such unfounded FUD. If you have proof, present it, but don't try to spread fear about using this forum.

Excuse the ignorance here, but why not just block the script in AdBlock Plus if you're that worried?

Thread re-opened at OP request

Moving to recurring discussions at moderator discretion :) It's one of those threads that will not be solved since the decision has been made- additional debating and complaining won't change it.

perixx
September 7th, 2008, 05:02 PM
Heh...

I'll simply put in here my conversation with the forum master that re-opened the thread, for my convenience - remember, I can't quote anything because I shut down Javascript (with 'NoScript', by the way, I know a few tricks here and there ^^)...


"Well, I thought it was well-placed (in the Forum-related category), unless I blew there - if so, sorry. I appreciate that you've read all of what I wrote so far, but some did not and seemingly didn't understand what I wanted to point out.
But I really don't understand what all the fud-fuzz is about; some (forum staff-) guy called me paranoid - err... what do you call this, locking out uncomfortable criticism on first sight..?

It was told that Canonical is still in charge of the forums. But if that's so, I can't understand why Yahoo is being let getting their fingers in all this - is the money so sparse?. And by what I've learned in their 'TOS' and privacy statements, there's good reason to doubt their intentions.

When some state, that 'googling' might be a (major) threat to privacy, I agree - I rarely use it. As I don't use flash, dom-storage, cookies and javascript where possible. And it's annoying to be forced using it. A clever person here said that there's a remedy to solve the problem - disabling Yahooapis. I don't agree, because there's no decent forum-editing possible anymore by doing so (quoting, smileys and so on)...

You see, there are some thoughts to be discussed about this matter, still.

If you'd re-open the thread and put those statements here in it, I'd be most glad...

best regards,

perixx"

Oh, and please forgive my 'non-responsiveness'... I am quite busy these days.

:]

yabbadabbadont
September 7th, 2008, 05:52 PM
Heh...

I'll simply put in here my conversation with the forum master that re-opened the thread, for my convenience - remember, I can't quote anything because I shut down Javascript (with 'NoScript', by the way, I know a few tricks here and there ^^)...


"Well, I thought it was well-placed (in the Forum-related category), unless I blew there - if so, sorry. I appreciate that you've read all of what I wrote so far, but some did not and seemingly didn't understand what I wanted to point out.
But I really don't understand what all the fud-fuzz is about; some (forum staff-) guy called me paranoid - err... what do you call this, locking out uncomfortable criticism on first sight..?

It was told that Canonical is still in charge of the forums. But if that's so, I can't understand why Yahoo is being let getting their fingers in all this - is the money so sparse?. And by what I've learned in their 'TOS' and privacy statements, there's good reason to doubt their intentions.

When some state, that 'googling' might be a (major) threat to privacy, I agree - I rarely use it. As I don't use flash, dom-storage, cookies and javascript where possible. And it's annoying to be forced using it. A clever person here said that there's a remedy to solve the problem - disabling Yahooapis. I don't agree, because there's no decent forum-editing possible anymore by doing so (quoting, smileys and so on)...

You see, there are some thoughts to be discussed about this matter, still.

If you'd re-open the thread and put those statements here in it, I'd be most glad...

best regards,

perixx"

Oh, and please forgive my 'non-responsiveness'... I am quite busy these days.

:]

While I agree with your sentiments regarding Yahooapis, you are incorrect about not being able to quote or use smilies without JS. I don't have any active content enabled in my browser as I type this. You can quote a single post, but not multi-quote. You can include smilies by learning the correct BBCode to enter manually. (enable JS and hover your mouse over the various smilies that you would use and you will see the BBCode needed to create them) By the way, you are just the latest in a long line of users who have complained about the excessive use of JS by the forum (Most of us gave up complaining about it a long time ago ;)).

saulgoode
September 7th, 2008, 06:08 PM
Now, relax and use your head. If you don't like the use of yahooapis, then you should disable all JavaScript, not **** and moan about this.
The author of the original post stated that he had disabled JavaScript. The concern being expressed was for other visitors of the forum. If one does not agree with the concern, they are free to voice their dissent and their reasons. It is not reasonable to criticize the OP for voicing his concerns.

You can view the script (like I did) and you'll see it shares no information with anybody. Those EULA's you cite reference the use of Yahoo! services like email, not the use of that script.
The script does not have to share the information for there to be a concern. The information is being sent to Yahoo's servers for processing and might be handled (and shared) by a separate program from the script.

Also, I can find neither an exception nor an alternative TOS (or EULA) for the search service and I see no reason why the Yahoo search service would not fall under their Terms Of Service (http://info.yahoo.com/legal/us/yahoo/utos/utos-173.html).

There are no privacy issues here

Don't spread such unfounded FUD. If you have proof, present it, but don't try to spread fear about using this forum.
"Proof" should not be a requirement for proposing a discussion on these forums.

While I personally disagree with the OP's viewpoint, I see nothing wrong with his expression of concern. He provided some evidence, offered some commentary, and provided some links for readers to investigate for themselves. I see no indication that he misrepresented any aspect of the situation (the agreements he presented were "just to get an idea, what's the spirit behind that company") or that, if he did, the misrepresentation was intentional.

LaRoza
September 8th, 2008, 02:54 AM
"Proof" should not be a requirement for proposing a discussion on these forums.


Yes, proof is essential when claims of "unbearable privacy issues" because of the software used.

I could say that Windows will send all your personal documents to Microsoft servers without notifying you. I could say that, and without proof that would be anti-Microsoft trolling, not real concerns.

The software used for this forum is used for a reason over open source software packages. If people don't like it, then they can either make a seamless way to port this forum to an open source version without any loss of function (impossible), not use it or be quiet about it.

LaRoza
September 8th, 2008, 02:55 AM
The script does not have to share the information for there to be a concern. The information is being sent to Yahoo's servers for processing and might be handled (and shared) by a separate program from the script.


Um, there is no information sent to Yahoo servers. The script is just served (like a hotlinked image) and used by the forum software.

perixx
September 8th, 2008, 01:43 PM
"you are incorrect about not being able to quote or use smilies without JS. I don't have any active content enabled in my browser as I type this. You can quote a single post, but not multi-quote. You can include smilies by learning the correct BBCode to enter manually."

Sure, you are right about that! Sometimes I even get unintentional smileys, e.g. when using '8' and ')' in combination occasionally. That's a - rather inconvenient, but nonetheless possible - workaround.
Glad to hear, that I'm not the 'only' or 'first' one complaining about this (which would've been non-credible anyway), but ppl. are often using such statements as a killer phrase to cut off further discussions. :]


"If one does not agree with the concern, they are free to voice their dissent and their reasons. It is not reasonable to criticize the OP for voicing his concerns."

Couldn't have said that better. Thanks.


"I see no reason why the Yahoo search service would not fall under their Terms Of Service."

I've been digging through the various TOS's and privacy statements of Yahoo (as much as I was able to dig) and that suggests, that most if not all of those are kind of reference-linked to each other. Basically routing back to the TOS's and the namely privacy statements. So, I see that your way. If someone doesn't agree, he should go looking there for himself and decide.


"Proof" should not be a requirement for proposing a discussion on these forums."

While I would agree to that, I still tried to 'provide proof' by giving referencing excerptions and links.


"The software used for this forum is used for a reason over open source software packages. If people don't like it, then they can either make a seamless way to port this forum to an open source version without any loss of function (impossible), not use it or be quiet about it."

I favour the idea of open source very much and my usage of it keeps growing each day. While I would like to provide a port, that'd be beyond me - but I'd use php or Java for it, if I could. Anyway, just because you are being confronted with a certain situation, that doesn't mean you have to accept it. While I suppose you're living in a democratic country, I don't know if you've heard about the right to protest against unpleasant situations. That's what I'm doing here, if you will so.


"Um, there is no information sent to Yahoo servers. The script is just served (like a hotlinked image)"

I haven't reviewed the code, maybe I will if I'm bored at a given time. But if it's true that the code is processed server-based, then I guess that, e.g. for quoting functions, your text is also being transferred there for processing. The ip address is, that's for sure. And, as the TOS's read, even if the script-code is 'clean' now, that doesn't have to stay that way forever - it can change any time. Now, the ip address alone isn't such a big issue, if not linked to any info.
But that changes, if such info or search keywords are being sent for processing along with your ip. Remember, things discussed in the forums often have private character or reflect personal beliefs. And that data can be used for profiling. This naturally applies to many other web services, not the least to Google, which is why ppl. should use them with some cautiousness.

perixx

jpeddicord
September 8th, 2008, 04:04 PM
I haven't reviewed the code, maybe I will if I'm bored at a given time. But if it's true that the code is processed server-based, then I guess that, e.g. for quoting functions, your text is also being transferred there for processing. The ip address is, that's for sure.

No, again, it's a JavaScript library:


You load Ubuntu Forums.
UF chainloads Yahoo! APIs.
Yahoo! APIs are downloaded to your browser. Server requests stop here.
Any processing with text or other information is processed by your browser, no one else.
Once any forms are submitted, only Ubuntu Forums has access to submitted forum data not made public.

saulgoode
September 8th, 2008, 04:50 PM
Um, there is no information sent to Yahoo servers. The script is just served (like a hotlinked image) and used by the forum software.
And how does Yahoo find out when and to whom to serve the script? Of course information is sent to them (just like in the case of a hotlinked image). To my understanding, this would be limited to the user's IP address and the webpage which invoked the service; to a large degree innocuous information (IMO), but information nonetheless.

Personally, I don't find it overly disconcerting that Yahoo may be retaining such information about my webbrowsing activities on Ubuntuforums (Yahoo is actually partnered with my ISP), or even that JavaScript is required for some of the more advanced functionality provided. For the present, I "trust" Yahoo and find their terms of service acceptable (excepting those for Yahoo Groups). Nonetheless, I remain open to listening to others' viewpoints on the issue and feel Ubuntuforums' employment of Yahoo's services to be a reasonable topic for discussion in Ubuntuforums.

As a final note, while the opening post may have been overly blistering in its tone, I find the behavior of some of the staff members in the ensuing three pages of off-topic and mocking blather within this thread to be the complete opposite of what one would expect from those deputed the task of bringing moderation to the forums. Those who participated might consider reviewing their contributions and decide if they can't improve upon their approach in the future.
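An added illustration, not part of any post in this thread: a small model of the request a browser makes for a remotely hosted script, showing which fields reach the script host (client address, Referer, User-Agent, and only those cookies whose domain matches the script host) and which do not. All host names, cookie values, the IP address and the `refererPolicy` parameter are constructed for this example; nothing here is taken from the forum's or Yahoo's actual code.

```javascript
// Constructed model of a cross-site <script src="..."> fetch.
// It builds the request a browser would send and reports what the
// script host is able to log from it.

// RFC 6265 domain matching: a cookie is sent only when the request host
// equals the cookie's domain or is a subdomain of it.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  return host === domain || host.endsWith("." + domain);
}

// refererPolicy (name assumed for this example):
//   "full"        - whole URL of the embedding page (the usual behaviour in 2008)
//   "origin-only" - scheme and host only, as strict-origin-when-cross-origin
//                   gives for cross-site requests in current browsers
function buildScriptRequest(pageUrl, scriptUrl, cookieJar, userAgent, refererPolicy) {
  const page = new URL(pageUrl);
  const script = new URL(scriptUrl);
  const referer = refererPolicy === "origin-only" ? page.origin + "/" : page.href;
  const cookies = cookieJar
    .filter((c) => domainMatches(script.hostname, c.domain))
    .map((c) => `${c.name}=${c.value}`);
  const headers = { Host: script.hostname, "User-Agent": userAgent, Referer: referer };
  if (cookies.length > 0) headers.Cookie = cookies.join("; ");
  // A script fetch is a GET with an empty body: no form or post text travels with it.
  return { method: "GET", path: script.pathname + script.search, headers, body: "" };
}

// What the script host can record from one such request.
function hostView(request, clientIp) {
  const referer = new URL(request.headers.Referer);
  return {
    clientIp,
    referringSite: referer.hostname,
    referringPage: referer.pathname + referer.search,
    userAgent: request.headers["User-Agent"],
    cookiesReceived: request.headers.Cookie ? request.headers.Cookie.split("; ") : [],
    bodyBytes: request.body.length,
  };
}

// Constructed sample data.
const PAGE = "http://forum.example/showthread.php?t=12345";
const SCRIPT = "http://scripts.thirdparty.example/lib/library-min.js";
const CLIENT_IP = "203.0.113.7"; // documentation address range
const UA = "ExampleBrowser/1.0";
const COOKIE_JAR = [
  { domain: "forum.example", name: "sessionhash", value: "constructed-session" },
  { domain: ".portal.example", name: "login", value: "constructed-login" },
  { domain: ".thirdparty.example", name: "pref", value: "abc" },
];

function demo() {
  const legacy = buildScriptRequest(PAGE, SCRIPT, COOKIE_JAR, UA, "full");
  const modern = buildScriptRequest(PAGE, SCRIPT, COOKIE_JAR, UA, "origin-only");
  return { legacy: hostView(legacy, CLIENT_IP), modern: hostView(modern, CLIENT_IP) };
}

console.log(JSON.stringify(demo(), null, 2));
```

The forum session cookie and the cookie of an unrelated domain are never attached to the script request; whether the host learns the exact thread being read depends on the Referer policy in force.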

perixx
September 9th, 2008, 03:31 PM
"Yahoo! APIs are downloaded to your browser. Server requests stop here."

As I said, I haven't had a look at the scripting code yet.
Well, generally, Javascript can be as 'safe' as PHP or Java, depending on how the code is designed. But there's also no doubt, that it can be much more insecure than Java - but that's merely about security and is not the main topic here.

Correct me if I'm wrong with the following statements, that with Javascript you can:

- read and set cookies (also other sites' cookies, if designed for it)
- read the computer's real IP and MAC address, browser and OS-config
- read and set DOM-objects (Firefox-default), if cookies are enabled, (for each website several MB's), also on other sites' DOM-objects.
- collect and store data within cookies and DOM-objects and retrieve that data later
- establish a connection to the originating server through the browser

That should be more than enough to gather information of any kind about the user. Even if the scripts are not designed to do so, the TOS explicitly mention the possibility of changes of any kind to the code - anytime. Also, the privacy statement leaves no doubt, that any kind of gathered information through any of Yahoo's services (which include Yahooapis) can be used for literally any kind of processing and may partly be shared with 3rd-party companies. What they do with your data is mostly left to them.

But if Yahoo is profiling users through their services and is getting acquired by some big player, like MS or Google someday (which is rather likely) all of that data is going there. Plus, this certain company has a tool at hand to analyse and take influence on the forums - in theory.

If I remember correctly, it's not that long since Microsoft tried to annex Yahoo.

perixx

jpeddicord
September 9th, 2008, 03:50 PM
As I said, I haven't had a look at the scripting code yet.
Well, generally, Javascript can be as 'safe' as PHP or Java, depending on how the code is designed. But there's also no doubt that it can be much more insecure than Java - but that's merely about security and is not the main topic here.

Java is much more insecure than JavaScript if allowed. If proper privileges are set and allowed on a Java applet, it can function as any other full-featured application on your computer.

Correct me if I'm wrong with the following statements, that with Javascript you can:

- read and set cookies (also other sites' cookies, if designed for it)
No - JS can only read and set cookies from its own domain. If the "domain" flag is set on a cookie, then that cookie can *only* be read by the specified domain. So a site can't just go poking around in your cookies.

- read the computer's real IP and MAC address, browser and OS-config
IP address maybe, if done right thru AJAX and whatnot. MAC address, no. Browser config, no, unless you have some sort of extension that can. OS config, no. The only information that can be obtained about your OS and browser is already sent to the web server (no JS required) and includes browser version, arch (x64 or x86_64), OS (Linux, Ubuntu version) and probably the browser build ID. JavaScript can read a limited amount of other data, such as your screen resolution, but it is unable to do anything that deals directly with your system.

- read and set DOM-objects (Firefox-default), if cookies are enabled, (for each website several MB's), also on other sites' DOM-objects.
DOM is not a stored object, it is just an element on a page. If a site wanted to browse to another and have a peek at how that page was made, the browser would probably raise a cross-domain error depending on the situation. Also, this has nothing to do with cookies. :)

- collect and store data within cookies and DOM-objects and retrieve that data later
Again, DOM is just a piece of HTML code used to display a bit of a web page, and has nothing to do with data storage.

- establish a connection to the originating server through the browser
Yes, this is called AJAX.


Really - browser makers have been through all of this stuff, and there are no major privacy issues with JavaScript.

EDIT: Clarification: DOM objects are not stored permanently, but they can be kept in memory as long as the page is open. They can't really do anything though; it's just an (X)HTML blob.
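
The browser rules discussed in the posts above, as an added example that is not part of any post in this thread: a small JavaScript model of what the request for a script hosted on another domain carries, and which cookies a script can read once it runs in the page. Hostnames, cookie names and the IP address are constructed; the function names are hypothetical, and cookie Path/Secure attributes and third-party cookie blocking are left out of the model.

```javascript
// Added example: a model of what a browser discloses when a page embeds a
// script hosted on another domain. Hostnames, cookies and IP are constructed.
// Simplifications: Path/Secure attributes and third-party cookie blocking are ignored.

// RFC 6265 domain-match for a cookie set with a Domain attribute:
// the request host is that domain itself or a subdomain of it.
function domainMatch(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Names of the cookies the browser attaches to an HTTP request for `url`.
function cookiesSentTo(url, jar) {
  const host = new URL(url).hostname;
  return jar.filter((c) => domainMatch(host, c.domain)).map((c) => c.name);
}

// Names of the cookies a script can read through document.cookie. A script
// runs in the origin of the page that includes it, wherever the file was
// fetched from, so this depends on the page's host and the HttpOnly flag.
function cookiesVisibleToScript(pageUrl, jar) {
  const host = new URL(pageUrl).hostname;
  return jar
    .filter((c) => domainMatch(host, c.domain) && !c.httpOnly)
    .map((c) => c.name);
}

// What the script host sees in the fetch itself. legacyReferer=true sends the
// full page URL; false trims it to the origin, the current cross-site default.
function thirdPartyFetch(pageUrl, scriptUrl, jar, clientIp, legacyReferer) {
  return {
    host: new URL(scriptUrl).hostname,
    clientIp,
    referer: legacyReferer ? pageUrl : new URL(pageUrl).origin + "/",
    cookies: cookiesSentTo(scriptUrl, jar),
  };
}

const sampleJar = [ // constructed sample cookie jar
  { name: "forum_session", domain: "forums.example", httpOnly: true },
  { name: "forum_lastvisit", domain: "forums.example", httpOnly: false },
  { name: "cdn_id", domain: ".cdn.example", httpOnly: false },
  { name: "bank_session", domain: "bank.example", httpOnly: true },
];
const samplePage = "https://forums.example/showthread.php?t=1";
const sampleScript = "https://api.cdn.example/lib/util.js";

console.log(thirdPartyFetch(samplePage, sampleScript, sampleJar, "203.0.113.7", true));
console.log(cookiesVisibleToScript(samplePage, sampleJar));
```

The first result is the information the script host receives with the download; the second is what the downloaded code can read once it executes in the including page.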

LaRoza
September 9th, 2008, 04:15 PM
And how does Yahoo find out when and to whom to serve the script? Of course information is sent to them (just like in the case of a hotlinked image). To my understanding, this would be limited to the user's IP address and the webpage which invoked the service; to a large degree innocuous information (IMO), but information nonetheless.

It uses HTTP. It is no more than what is sent to your ISP or any other server in the world. If one is concerned about that information, they shouldn't be using the internet (or using a trusted proxy, but at this level of paranoia, I don't think it exists)

LaRoza
September 9th, 2008, 04:20 PM
"Yahoo! APIs are downloaded to your browser. Server requests stop here."

As I said, I haven't had a look at the scripting code yet.
Well, generally, Javascript can be as 'safe' as PHP or Java, depending on how the code is designed. But there's also no doubt that it can be much more insecure than Java - but that's merely about security and is not the main topic here.

Correct me if I'm wrong with the following statements, that with Javascript you can:

- read and set cookies (also other sites' cookies, if designed for it)
- read the computer's real IP and MAC address, browser and OS-config
- read and set DOM-objects (Firefox-default), if cookies are enabled, (for each website several MB's), also on other sites' DOM-objects.
- collect and store data within cookies and DOM-objects and retrieve that data later
- establish a connection to the originating server through the browser


JavaScript cookies are usually not used and are temporary. They can't be used to read other cookies. (This site can't get cookie information from another site).

JavaScript can read information like browser name and version if the browser lets it. It can't read such personal information, although there are ways of getting that information in an unsecure connection.

DOM objects? What does that have to do with anything? The Document Object Model is just a tree representation (and a way of manipulating it) of a page. The DOM is just the browser's internal representation of an XML document.

Cookies can be set, and this site uses cookies, but it is only communicated between the ubuntuforums servers and the clients.

JavaScript can communicate with the server, but this site's servers are not owned by yahoo so it doesn't matter.


That should be more than enough to gather information of any kind about the user. Even if the scripts are not designed to do so, the TOS explicitly mention the possibility of changes of any kind to the code - anytime. Also, the privacy statement leaves no doubt, that any kind of gathered information through any of Yahoo's services (which include Yahooapis) can be used for literally any kind of processing and may partly be shared with 3rd-party companies. What they do with your data is mostly left to them.


Ignorance is scary in this isn't it?

Mariane
September 10th, 2008, 07:58 PM
It is a plague, because "targeted advertisement" means more
and more spam. I use Mozilla with a setting to erase all
cookies and accumulated junk each time I close it, I often
browse with javascript turned off, I use www.scroogle.org
instead of google and I NEVER click on an ad.

Don't think browser settings must be set once and for all, I
think this is the solution. If you read a site infested by
ads, turn off javascript and image loading. Then turn it
back on again. It will actually save time because pages then
load much faster.

You know what? Since I started applying these rules of conduct
the amount of spam I'm receiving has actually decreased, even
though I still have the same email address.

Mariane

perixx
September 11th, 2008, 04:32 PM
Hallo again!


"Java is much more insecure than JavaScript if allowed. If proper privileges are set and allowed on a Java applet, it can function as any other full-featured application on your computer."

Java is more capable than Javascript, true. Though, from what I know, Java has a better security layout, which has to be circumvented first. Plus, it's running in its own sandbox, which Javascript doesn't. But that's maybe more a question of general security, not privacy in particular.
______________________________________________________________________________


"No - JS can only read and set cookies from its own domain. If the "domain" flag is set on a cookie, then that cookie can *only* be read by the specified domain. So a site can't just go poking around in your cookies."

I admit that you're right on this point. Unless, perhaps, some security hole is being exploited.
______________________________________________________________________________


"DOM is not a stored object, it is just an element on a page. If a site wanted to browse to another and have a peek at how that page was made, the browser would probably raise a cross-domain error depending on the situation. Also, this has nothing to do with cookies."

"Again, DOM is just a piece of HTML code used to display a bit of a web page, and has nothing to do with data storage."

"DOM objects? What does that have to do with anything? The Document Object Model is just a tree representation (and a way of manipulating it) of a page. The DOM is just the browser's internal representation of an XML document."


>>
You mean the DOM object model, right? I'm talking about DOM storage objects - introduced and enabled by default by Mozilla (v1.6, I believe) -
please refer to this:


"What is DOM Storage?

DOM Storage is often compared to HTTP cookies. Like cookies, Web developers can store per-session or domain-specific data as name/value pairs on the client using DOM Storage. However, unlike cookies, DOM Storage makes it easier to control how information stored by one window is visible to another.

For example, a user might open two browser windows to buy airline tickets for two different flights. However, if the airline's Web application uses cookies to store its session state, information could "leak" from one transaction into the other, potentially causing the user to buy two tickets for the same flight without noticing. As applications become more capable of offline behaviors, such as storing values locally for later return to the server, the potential for this sort of information "leak" becomes more prevalent.

DOM Storage also offers significantly more disk space than cookies. In Internet Explorer, cookies can store only 4 kilobyte (KB) of data. This byte total can be one name/value pair of 4 KB, or it can be up to 20 name/value pairs that have a total size of 4 KB. By comparison, DOM Storage provides roughly 10 megabytes (MB) for each storage area."

See also:
http://msdn.microsoft.com/en-us/library/cc197062(VS.85).aspx
______________________________________________________________________________


Regarding netiquette:


"Now, relax and use your head. If you don't like the use of yahooapis, then you should disable all JavaScript, not **** and moan about this."
_______________________________________


"There are no privacy issues here" (bold)
_______________________________________


"Don't spread such unfounded FUD. If you have proof, present it, but don't try to spread fear about using this forum."
_______________________________________


"n00b"
_______________________________________


"Quote:
Originally Posted by LaRoza View Post
Don't say that. You may also be on the receiving end of my mockery"

>>"Who isn't? :/"
_______________________________________


"Originally Posted by Kernel Sanders View Post
Excuse the ignorance here, but why not just block the script in AdBlock Plus if you're that worried?"

>>"Because that would solve the problem and there would be nothing to complain about."
_______________________________________


"If one is concerned about that information, they shouldn't be using the internet (or using a trusted proxy, but at this level of paranoia, I don't think it exists)"
_______________________________________


>>"It seems to me that mocking another forum user is a clear violation of the CoC. Yet several mods have done so here. Nice example people."

>>"While I personally disagree with the OP's viewpoint, I see nothing wrong with his expression of concern. He provided some evidence, offered some commentary, and provided some links for readers to investigate for themselves."

>>"As a final note, while the opening post may have been overly blistering in its tone, I find the behavior of some of the staff members in the ensuing three pages of off-topic and mocking blather within this thread to be the complete opposite of what one would expect from those deputed the task of bringing moderation to the forums. Those who participated might consider reviewing their contributions and decide if they can't improve upon their approach in the future."
_______________________________________


"Ignorance is scary in this isn't it?"
_______________________________________


Couldn't have said that better ^^)

______________________________________________________________________________



"I use Mozilla with a setting to erase all cookies and accumulated junk each time I close it"

Yes, that's what I'm doing, too. Turning off cookies completely would be even worse, because URL-encoding is used by most sites then, which can't be controlled at all by simple means from the user.

______________________________________________________________________________


All in all, I'd say that changing the title of this thread from 'Unbearable' to 'Uncomfortable' would apply.
While I see that some of the concerns I had were too hefty, I still don't feel all relaxed, when thinking of Yahoo providing code for this website. The reasons for this, I have already named them here.

greetz

perixx

Mariane
September 12th, 2008, 07:19 AM
All in all, I'd say that changing the title of this thread from 'Unbearable' to 'Uncomfortable' would apply.
While I see that some of the concerns I had were too hefty, I still don't feel all relaxed, when thinking of Yahoo providing code for this website. The reasons for this, I have already named them here.


I'm trained in data mining and I'm more concerned about,
not only all the people who have a Yahoo email account,
but even all the people who send mail to someone with a
yahoo account... There's a big breach in privacy there,
which practically no-one seems too worried about. This
would definitely qualify as 'unbearable'... But this is
also off topic I'm afraid.

Mariane

perixx
September 13th, 2008, 08:19 AM
I'm trained in data mining and I'm more concerned about

What do you mean? Are you a professional data miner?

^^

perixx

Mariane
September 14th, 2008, 05:25 PM
What do you mean? Are you a professional data miner?


I'm a scientist. I've used data mining for research and I've taught it.

Mariane

perixx
September 14th, 2008, 05:26 PM
I'm getting comfortable with Yahooapis disabled bit by bit...
since BB codes are pretty much similar to HTML tags, I think I can get used to them - sort of a free HTML training :)

perixx

P.S. thx to Joeb454 for renaming the thread to better match the topic!

perixx
September 17th, 2008, 11:51 AM
I'm a scientist. I've used data mining for research and I've taught it.

Mariane

Have you had a professorship at a University then? And on what topic did you specialize - what were your findings so far?

perixx