Click (2016)

367

aandrewzeno 2 days ago 99 commentsRead Article on clickclickclick.click

ES version is available. Content is displayed in original English for accuracy.

⚡ Community Insights

Discussion Sentiment

77% Positive

Analyzed from 2752 words in the discussion.

Discussion (99 Comments)Read Original on HackerNews

foxfired•2 days ago

I've always added analytics scripts on websites I worked on. It was second nature for me. Then when I got my own start up, I didn't just add regular analytics but one that tracks mouse movements so you can watch sessions back like a video [0].

I told a friend about my start up and she jumped on it immediately. I opened the tool and watched her interaction. Then I told her "oh so you opened the dev tools" She immediately ended the session. "How did you know? That's creepy". It was the first time I've actually felt like these tools invade privacy.

Yeah, we include it in our terms and condition and privacy page, but I don't think users truly grasp how those tools work. I understand that all analytics tools provide this feature now, but its always creepy to know someone can watch what you are doing.

[0]: https://idiallo.com/blog/spying-on-your-user

jrowen•2 days ago

I think there's a very interesting duality forming around privacy. It seems like most people don't really care if they're being filmed, or if their data is being slurped up six ways from Sunday, as long as it's aggregated and going through automated systems. But as soon as it feels like an actual person is looking at individual behavior, it's creepy (which is, of course, always a possibility, but plausible deniability is a powerful thing).

singpolyma3•2 days ago

Yes. This is it. People are used to "private conversation in public restaurant". It's not private because no one can hear, but because no one is listening.

vitally3643•2 days ago

Right, the very nature of human society for the last several thousand years has been privacy in public. You walk around outside where everyone can see you, but the societal expectation is that you don't watch others. You have conversations in public because that's where life happens, but they're still private conversations.

Every counter-example to this is people being intentionally creepy, inappropriate, or outright malicious. Which was a manageable problem when it was just a single dude being weird, society would eventually exclude and shun them. Trouble is today that we've mechanised malicious inappropriate behavior at scale and ensured we've set up our entire society and government such that the people responsible can never be held accountable in any way. So long as you're being maliciously creepy at scale (and you're wealthy) everything's fine and there's no consequences.

miki123211•1 day ago

The other side of this is that there are aspects of privacy that average people absolutely care about, but that the tech crowd largely ignores.

It's things like hiding your online activity from your partner / boss / parent / ex, making sure nobody knows you just went to a gay club, hiding the fact that you're playing video games from that one guy you don't actually want to play with, not giving out your phone number to the parents of your students, that sort of thing.

For most people, E2E and VPNs are useless gimmicks that just make life unnecessarily difficult, but vanishing messages and incognito mode are life-saving features.

m463•2 days ago

it's not a duality at all. the people don't know.

the people doing the "analytics" (surveillance) like their privacy too, because they are doing creepy stuff and don't want people to know it. And even if they aren't doing creepy stuff, the data might be used that way in the future (profile building, psychological tricks, personalized pricing, sharing behavior with others, etc)

iamacyborg•1 day ago

Which is wild because the aggregation and “big data” element is where the harm actually happens in very real terms. Of course, much harder to explain to typical laymen.

raverbashing•1 day ago

Yes - also it's one thing to say "A user entered the site, clicked here than here" (analyzed in bulk) and another "this specific guy entered the site, clicked here than here"

latexr•2 days ago

> It seems like most people don't really care if they're being filmed, or if their data is being slurped up six ways from Sunday

For the majority of people I don’t think it’s true that they don’t care, but rather that they don’t know, don’t understand the implications, or don’t have the luxury of being able to do anything about it.

In the instances where I was able to have a longer discussion with someone to really explain what’s going on, they did care. Even if they previously said they didn’t.

ryukoposting•2 days ago

Or, they do know and they do care, but they're so exhausted by the hostile patterns of our industry that they've given up.

jrowen•1 day ago

People do know on some level though. There was enough willpower to get the cookie bullshit on every website.

I think it's just that it's more of a visceral lizard-brain thing than a logical thing. Like how you can go through life eating meat every day, then someone sits you down and tells you the horrors of that industry and shows you a cow being butchered, and you go oh that's horrible, and then most likely put it out of mind and continue eating meat.

Rygian•1 day ago

> we include it in our terms and condition and privacy page, but I don't think users truly grasp how those tools work

Since you did collect the metrics, you had direct knowledge of how many users opened the T&C and scrolled down to the place where you mention you're recording their session.

Would be interesting if you can share an aggregate statistic of that.

kmoser•1 day ago

They may have scrolled down to it but that doesn't mean they read it. And even if they read it, they may not have understood it.

account42•about 10 hours ago

And the same goes for other would be conclusions people think they get from their invasive telemetry.

ivanjermakov•1 day ago

I'm surprised browsers don't warn users about every website that has listeners attached to keyboard/mouse events. It's totally fine for something like a game or an experiment website, but might not be something you expect from a blog or a news site.

account42•about 10 hours ago

At some point we really need to split websites from web applications as a concept.

XCSme•about 6 hours ago

Ethical question: is there a huge difference between seeing the dev tools being opened in a re-created session replay AND simply storing an event with [dev_tools_opened at 1min 3s].

If you have only the event, you can basically re-create a playback of that action if you want.

Now, if you track all actions of interest, than that's basically almost the same as a full session recording.

Sophira•2 days ago

> Yeah, we include it in our terms and condition and privacy page

Please be honest with yourself. People don't read terms and conditions. There's a good chance you don't read terms and conditions. And even if you do, odds are better than even that you don't fully understand all the legal implications.

Terms and conditions pages nowadays are there mostly to provide legal protection under the guise of "the user told us that they read these by ticking a box on our signup page; it's hardly our fault if they didn't."

dheera•2 days ago

I'm also of the opinion that at lot of T&C are basically signing under duress and I consider them invalid. Like if I have to sign a T&C with Google Play and a T&C with your city's sanctioned parking app in order to park on the street, I consider both of those T&C's invalid. As a legal resident of the country with a legally owned car and legal driving license, I should be able to park and pay, I shouldn't have to agree to anything else.

somewhatgoated•2 days ago

By reading this website, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.

taneq•1 day ago

Especially clickthrough license for software on devices that you've already bought. You turn on your new phone and it shows 300 pages of legalese. You cannot use your new phone until you press 'I accept.' If you don't like it, return the phone. All the other phones have their own equivalent T&C.

komali2•2 days ago

Your city doesn't have a way to pay for parking with cash on public roads? It's not a private lot? That should simply be illegal.

bruce511•1 day ago

Look, I understand the hate against terms and conditions. They're not a lot of fun. But the alternative is worse. Let's imagine a world where terms and conditions don't apply;

Firstly, businesses can do whatever they like. There are no terms to agree to. They simply function in whatever way they "consider to be valid". If a customer disagrees with what is valid or not, hey, that's what courts are for. And given there's no agreement between business and customer, who's to say who is right?

The business can equally terminate you as a customer, with no notice, for no reason, at any time. They can delete all your data. They can spam your contact list. (Ok, they do all that already, but you know what I mean.)

Secondly, customers can do whatever they like. They payed their $9.95. They can do whatever they like. Sure, sharing logins is fine (if they "consider that valid".) They can abuse the system, scrape data out and resell it, anything goes. And of course the only recourse is back to the courts. Which is ultimately no recourse at all.

Even your analogy to parking breaks down. Should you have to prove legal residency to park? Should I be able to park a car on the street (unmoved) for a year? Should I be allowed to park next to a fire-hydrant? Can I park it in the middle of the road? Can my neighbor "reserve" his parking space using an orange cone? Clearly there's a lot more to parking a car than "I should be able to park".

T&C might not be fun, and you may not agree with them (hint: if you don't, then don't use the service) but they at least set out the business behavior that you can expect. Read them, don't read them, that's up to you. But don't complain that the fault is on them when they do something that are in the T&Cs.

And yes, I get they're one sided. customers never bother to submit their own T&C's so they're not fairly represented. Again, that's on you for using that service.

account42•about 10 hours ago

We really need to update all relevant laws to the same standard as GDPR's "informed consent" where hiding something in a wall of legalese doesn't cut it.

matheusmoreira•1 day ago

> Yeah, we include it in our terms and condition and privacy page

Nobody reads that stuff.

htx80nerd•2 days ago

Everyone knows stores have security cameras. But if you called them up and said 'I saw you pick up the chips' they wouldnt have a good feeling.

Everyone understands websites use analytics and tracking, but people dont want to be reminded of it. Which is why people hate those FB ads which exactly match what you searched for 24 hours ago.

philipwhiuk•1 day ago

> Everyone understands websites use analytics and tracking, but people dont want to be reminded of it.

People don't want it to be misused is the actual point.

wrRS•2 days ago

Are there any good browser extensions that can block this and protect user privacy?

matheusmoreira•1 day ago

uBlock Origin should block it.

hactually•2 days ago

yes - a fair few

dang•2 days ago

Related. Others?

Click (2016) - https://news.ycombinator.com/item?id=35841679 - May 2023 (35 comments)

Click - https://news.ycombinator.com/item?id=26518290 - March 2021 (243 comments)

Click click click - A browser-based game on online profiling. - https://news.ycombinator.com/item?id=18636038 - Dec 2018 (1 comment)

A demonstration of browser events used to monitor online behaviour - https://news.ycombinator.com/item?id=12985644 - Nov 2016 (165 comments)

BudaDude•2 days ago

Nice! It shouted "Bot" when I ran this in the console

for (let i = 0; i < 1000; i++) { document.querySelector(".button")?.click(); }

jagged-chisel•2 days ago

Used this and it replied (in the console): "Such a smart subject."

ETA: It also took a few seconds to get around to telling me (from the bottom up):

    Subject has clicked on the button a thousand times.
    Subject has clicked on the button one hundred times.
    Subject clicks less than most other subjects.
    Subject has run script to click on the button ten times within one second.
    Subject has clicked on the button nine times within one second.
    Subject has clicked on the button eight times within one second.

I wonder if it can distinguish between human clicks and scripted clicks if it's saying "...clicks less than most..." or if everyone is scripting a million clicks.

sheept•1 day ago

It can[0] but I'm not sure if it's using that for the comparison.

[0]: https://developer.mozilla.org/en-US/docs/Web/API/Event/isTru...

zhxiaoliang•1 day ago

It was the spring of 1993. UPS dropped a huge package at my door. It was Visual C++ 1.0 in a 50-story-high white box that weighed a ton. I spent the whole day reading manuals and messing with it. When my wife came home that night, I couldn't wait to show her what I finally managed to pull off -- a maximized window that contained a single button that filled the entire space of that window. And the label said "Click Me." My wife clicked that button, and nothing happened.

"What's the point?" she asked.

I said, "You can click it."

"But what's the big deal?" she was baffled.

"You can click it,“ I said.

“That's the big deal."

jml7c5•about 18 hours ago

That reminds me of this story, from developing for the Playstation:

>In the main engineering room, there was a whoop and cry of success.

>Our company financial controller and acting HR lady, Jen, came in to see what incredible things the engineers and artists had come up with. Everyone was staring at a television set hooked up to a development box for the Sony Playstation. There, on the screen, against a single-color background, was a black triangle.

>“It’s a black triangle,” she said in an amused but sarcastic voice. One of the engine programmers tried to explain, but she shook her head and went back to her office. I could almost hear her thoughts… “We’ve got ten months to deliver two games to Sony, and they are cheering over a black triangle? THAT took them nearly a month to develop?”

https://rampantgames.com/blog/?p=7745

rtgfhyuj•about 23 hours ago

it took a day to do that?

zhxiaoliang•about 20 hours ago

Yes. It was 1993 -- there was no Internet to search for anything. The manual that came with Visual C++ could fill a small library, and the program itself came on two dozen floppy disks. And me being a not-so-bright junior programmer didn't help either.

preinheimer•2 days ago

Heads up: there's audio. It does add something.

ivolimmen•1 day ago

I can clearly hear a fellow countryman. There is something very distinctive when Dutch people speak English. Very nice website. Very informative.

tommit•1 day ago

sübject has clicked the bütton

or ist it more of an ö? (im German btw but can also definitely spot a dutch English speaker :) best way to tell is to have them say "I have an idea!"

CSMastermind•2 days ago

This brings me back to the glory days of StumbleUpon. Highly recommend.

ge96•2 days ago

I was thinking of the paper clip universe simulator game

Where you're just sitting there clicking over and over

RetroTechie•1 day ago

Aka incremental game

ge96•1 day ago

lol reminds me https://www.youtube.com/watch?v=aOw1uR-q3pA

Barbing•2 days ago

Awesome. Looking for this as an iOS app, since I learned dismissing notifications phones home. (Useful feature for multidevice cloud services but can be creepy, companies learning the notifications we expand or leftswipe away… learning our sleep schedules and preferences and all that in ways we might not have specifically expected in this exact case)

Apps know when we’re on WiFi, when we force quit, have potential to have motion sensor access if opting in…

Not sure the presentation needed for acceptance into the App Store. As a security checkup tool or something…

pixelmelt•1 day ago

Try blackbox, its a puzzle game that will have you messing with device settings to beat levels

Barbing•1 day ago

ooh neat! (https://apps.apple.com/us/app/blackbox/id962969578)

1vuio0pswjnm7•1 day ago

http://cdnjs.cloudflare.com/ajax/libs/socket.io/1.7.3/socket...

http://cdnjs.cloudflare.com/ajax/libs/gsap/1.18.0/TweenMax.m...

Some of the Javascript is served via plain HTTP as well as HTTPS

https://clickclickclick.click/bundle.js

This is 14 MB of Javascript

Using HTTP/1.1, the norm in 2016, I counted 233 chunks

Might as well just ask the user to download a 15 MB executable, e.g., a "game", and run it

Developers often refer to this idea of the "browser sandbox" but there are lots of things that are permitted inside this "sandbox" that some users would consider part of their "threat model"

For example, gratuitous data collection, surveillance and advertising

mrkn1•2 days ago

I made something very similar 2 weeks ago, re the upcoming OpenAI phone.

https://news.ycombinator.com/item?id=48040327

ZeWaka•2 days ago

The image processing is neat. Local model ran in the browser?

mrkn1•1 day ago

thank you! actually it's an API call to a VL model on Deepinfra (model is Qwen3-VL-30B-A3B-Instruct)

danielrmay•2 days ago

This is really neat, and disturbing.

mrkn1•1 day ago

thank you and alas yes, the image understand is the only LLM, the rest has been available on browsers through js since the 2000s

lovegrenoble•1 day ago

Just as fun as Poke, poke, poke... https://calm.ovh

maxverse•2 days ago

I enjoyed playing with this. Wild how much it knows.

pokpokpok•1 day ago

I show this in my interface programming class to introduce people to the concept of input events.

Thinking of input as a series of discrete events is an interesting cognitive model that many experienced programmers take for granted!

herpdyderp•2 days ago

Looks like it got HN’d to death

hspeiser•2 days ago

thats pretty creepy. I find it unnerving that they know exactly where my cursor is.

LeoPanthera•2 days ago

You might like Pointer Pointer. It's pretty funny. https://pointerpointer.com

(It might not work on touch screens.)

ProAm•2 days ago

So does every advertiser and data broker in the world

rolph•2 days ago

would be creepiest if your cursor moved somewhere related to what you were saying outloud.

the capability is there, your local hardware determines how seamless it would be.

nomel•2 days ago

I made something related to this with whisper. It would just constantly listen and periodically do a search to find a picture/video/gif from the web, relevant to what you're talking about, and show it.

_carbyau_•2 days ago

And yet, so many people think Cursor-camp[0] is great.

Mental framing of a tech is weird.

[0]https://neal.fun/cursor-camp/

nihapmrm•1 day ago

It’s making me feel like I’m being tracked 24/7 :)

adychandra•1 day ago

Avast is flagging website as malicious

mwigdahl•1 day ago

Is it capturing and selling user data? Avast would certainly know.

10000truths•2 days ago

I'm getting a PR_END_OF_FILE_ERROR when I try to open the page in Firefox on Linux.

briandw•2 days ago

Very fun, I enjoyed seeing what it would react to.

gblargg•1 day ago

I was disappointed that it didn't catch me editing the HTML when I tried changing the button's class to button2 or adding other classes. I wanted it to call me out when I clicked after that edit.

Sophira•2 days ago

I'm guessing this is supposed to illustrate how tracking is ubiquitous, given what I see in the source code.

In my case, though, after carefully enabling only scripts from the site and the Cloudflare CDN, but not enabling XHR/websockets back to the source page, or any cookies, the only thing that happens for me is:

1. I see a button and an exhortation to click the button.

2. I click the button.

3. The site goes "Subject has clicked the button."

4. The site goes "...".

...and then nothing else happens, no matter where I click or move my mouse. In the background I can see attempted websocket connections, but I'm blocking those so they can't happen.

If the aim of the game is to open people's eyes to the dangers of online tracking, it feels like there should be a reward mechanism if such tracking is blocked!

jagged-chisel•2 days ago

I unlocked at least one "achievement" by blocking camera access.

agys•1 day ago

This is another gem by Amsterdam based Studio Moniker, the guys behind “Radio Garden”.

Some of my favorite projects:

https://studiomoniker.com/projects/radio-garden

https://studiomoniker.com/projects/do-not-touch

https://studiomoniker.com/projects/do-not-draw-a-penis

neuroelectron•1 day ago

I seem to be getting random events that have nothing to do with my activity. I'm on Brave on an iPad mini. I'm guessing the JS activity looks like fingerprinting and it's being spoofed.

pranshuchittora•1 day ago

Peak unemployment ;)

ProAm•2 days ago

This is a great POC about how you give up privacy just using the web. This data is bought and sold and more and used against you every day

jamiek88•2 days ago

Hmmm. Clever and a little spooky!

MagnoApi•1 day ago

Cool website

michaelevensen•1 day ago

Roel and Luna?!

grumpymuppet•2 days ago

As a semi-savvy programmer, but with little experience in web-dev, I'm actually a bit ignorant of what a site can measure -- client side -- versus collect server side.

Presumably it's a simple matter to send something back to a server, but I've really never thought about the mechanisms involved.

alexwwang•1 day ago

what does it make for?

xiaoluolyg•2 days ago

clever

busymom0•2 days ago

I am not sure what I am looking at. It's telling me things which I expect any website to know via basic javascript. What am I missing?

layer8•2 days ago

That you’re not the target audience.

claysmithr•2 days ago

kind of weirded me out lol...

d4rkp4ttern•2 days ago

Another one like this -

https://sinceyouarrived.world/taken