Tynt Tracer: The Spy who got into my Cut Buffer?

OK – I am peeved; the Daily Mail has it, the NY Daily News has it, and several blogs have it. Adriana found it yesterday, pointed me at it, and I was horrified when I worked it out.

“It” is Tynt Tracer, and it’s the biggest piece of evil to infest blogs since Snap.COM.

The way it presents to the user is very simple:

  • Go to a page, eg: the NY Daily News article.
  • Highlight a paragraph
  • Copy the Paragraph
  • Paste the paragraph into something else, eg: a Text Editor or blogpost creation window.

You will see something like this:

A shotgun-wielding owner of a Harlem restaurant-supply company blasted two robbers to death and wounded two others on Thursday when he caught them pistol-whipping his employee, police said.

Read more: http://www.nydailynews.com/news/ny_crime/2009/08/13/2009-08-13_harlem_biz_owner.html#ixzz0OEsFnn4x

See that “read more” bit? You didn’t copy that. It wasn’t on the page you copied. It was inserted into your cut-buffer by Tynt Tracer, a bit of javascript which logs what you are copying at a central site and then inserts a URL into your cut buffer, for convenience tagged with a token that (approximately) highlights the section in the original page when someone else clicks the link.

Also: what you copy gets put on the Tynt home page as an advert / for hype purposes.

I am not a great JS guru, but a quick scan of the source code (http://tcr.tynt.com/javascripts/Tracer.js) shows some interesting snippets:

TraceServer.WRITE_URL="http://w1.tcr1.tynt.com";
TraceServer.READ_URL="http://r1.tcr1.tynt.com";
TraceServer.PAGE_TRACKER_URL="http://p1.tcr1.tynt.com";
var COPY_WITH_ATTRIBUTION=0,COPY_WITH_NO_ATTRIBUTION=1,SELECTION=2,IMAGE=3;
var MINIMUM_WORDS_FOR_COPY_WITH_ATTRIBUTION=7;
var MINIMUM_CHARACTERS_FOR_COPY_WITH_ATTRIBUTION=14;
var GENERATED_FROM_TRACE=1,GENERATED_FROM_ADDRESS_BAR=2,GENERATED_FROM_TYNT_COM=3;
var firstAction=1;
var firstCopy=2;

var sponsorText="Sponsored by: ";
var attribution2StaticText="Under Creative Commons License: ";
var attribution2Types=["","Attribution","Attribution Share Alike","Attribution No Derivatives","Attribution Non-Commercial","Attribution Non-Commercial Share Alike","Attribution Non-Commercial No Derivatives"];
var licenseUrl=["","http://creativecommons.org/licenses/by/3.0","http://creativecommons.org/licenses/by-sa/3.0","http://creativecommons.org/licenses/by-nd/3.0","http://creativecommons.org/licenses/by-nc/3.0","http://creativecommons.org/licenses/by-nc-sa/3.0","http://creativecommons.org/licenses/by-nc-nd/3.0"];

if(sponsor!=0){
W=W+"\n<br>"+sponsorText+' <a href="http://tcr'+sValue+".tynt.com/ads/"+encodeURIComponent(sponsor)+"/"+userId+"/"+guid+'">'+decodeURIComponent(sponsor)+"</a>";
}

var tracerBlocked=function(){
if(/disableTracer=/.test(window.location.href)){
var B=window.location.href.match(/disableTracer=([^?$]*)/)[1];
var A=new Date();
A.setDate((B&&B=="on")?(A.getDate()+365):(A.getDate()-2));
writeTopLevelCookie("disableTracer="+userId+";
expires="+A.toUTCString());
document.body.innerHTML='<br><br><br><span style="font-size: 32px;">Tracer has been turned '+((B&&B=="on")?"off":"on")+" in this browser.<br>You may close this window.</span>";
return true;
}

It seems everything goes through central servers at Tynt.com; there is (sigh) apparently some way of electively turning it off, and there seems to be some notion of putting sponsorship information into the text at later date. I am guessing that the cc-license stuff is to do with marking copied text as licensed in some way?

There’s not much critical discussion out there at the moment http://www.ericlander.com/324.html seems to be “it”; Eric’s posting is from September last year, so I am wondering why it’s taken so long to go mainstream? That said, discussion from last year seems to have a different bent, which may help explain the delay:

http://www.techvibes.com/blog/ready-set.-tynt

[…] In essence, Tynt allows you to share your thoughts/perceptions/highlights with your closest friends.

And, in that thought, lies the power of Tynt. In this wired world of expanding and limitless information, we rely more and more on people we know and trust to give us the straight dope. We pay attention to recommendations and thoughts from our friends. For those that have read “The Tipping Point,” Tynt is evangelism on steroids.

For example, Guy Kawasaki, noted technology evangelist, Twitters to 18,000 followers. Guy is going to start using Tynt to put some thoughts on a web page and then send out a tweet with a link to his Tynt. That’s part of Tynt’s release yesterday; Tynt for Twitter … Tynt gives Twitter context. Another big name that’s going to start using Tynt for Twitter is Mark Silva from Realbranding.com.

Think of the power of Tynt for social networks, where you already connect with many of your friends … being able to give each other context with your surfing would be, like, way awesome (Or, maybe you just want to put funny glasses and a bowtie on your buddy’s Facebook page picture for giggles). Tynt for bloggers (yes, you’ll see Tynt’s in my future blogs). For people doing market and industry research. Digg users could really use Tynt. Google’s new Chrome browser’s weak bookmarking could adopt Tynt for contextual bookmarks.

Communication from a corporate website to a surfer is usually controlled and one-way. You read the words that the marketer or the public relations person want you to read. Now all that stuff you find in blogs, forums and communities about a company can be read directly on the website, in the context it’s meant to be in. Click here to see what I think of the Canon FS 100 Camcorder:

http://www.usa.canon.com.tynted.net/consumer/controller?act=ModelInfoAct&fcategoryid=2544&modelid=16185

(if that doesn’t make CMO’s shake in their boots, I don’t know what will!)

Tynt is officially in public Beta as Derek and his team continue to press forward on this ground breaking technology. There’s still some glitches, for sure (especially on my Mac Firefox browser), and I can imagine they’re going to have some scaling issues as they become more popular, but it’s already a great “Wow” experience. Tynt comes as a browser plug-in, or as a web browser app … to find out more, check out their blog: http://tynt.wordpress.com/.

…which makes it sound like a technology in search of a problem to solve: in a year it has gone from “letting users mark up pages”, to “what’s being copied from your site?”

Plus “Tynt gives Twitter, context!” – who would have thought it needed “context” to be successful?

In any case – I leave this open for your comments, analyses and discussion; I for one do not like the “Read more:…” markup, I don’t like waiting for Tynt to book-in my copy actions, I don’t like them, measuring how many people click on links that I tweet and mail (“influence marketing”, anyone?) and I don’t like the intrusion.

As soon as I can, I am blocking them.

22 thoughts on “Tynt Tracer: The Spy who got into my Cut Buffer?

  1. Brad

    Anything that changes the expected behavior of *my* computer is evil. Shoving something in my copy/cut buffer that I don’t see is simply malware. It’s right up there with the old VT100 control code hacks.

    Reply
  2. Chris Samuel

    Carl, I suspect that won’t work as the redirection is being done by the shell which is running as the user, not as root.

    Simpler to just sudo vi /etc/hosts ;-)

    Reply
  3. Pingback: != » Tynt

  4. Andrew McRae

    NoScript may or may not work against Tynt, it depends on the site you’re viewing.

    The “Same Origin Policy” honoured by web browsers ensures Javascript code can only send data to the same web site that the javascript code was loaded from.

    However NoScript only adds a site address level of trust, in which you either trust or don’t trust all javascript at a given two-level domain name suffix. This means if you don’t trust “evil.com” you cannot permit javascript hosted from “nested.evil.com”.

    This means if the Tynt JS code is referenced by (eg) a DailyMail site but hosted by Tynt then Tynt can be blocked by NoScript.

    However if the DailyMail (or other Tynt collaborators) hosted the Tynt JS file and the backend services for receiving the copy-and-paste data, then you could not enable the conventional menu and layout javascript effects of the DailyMail and still block Tynt at the same time – because Tynt would have become a “blended threat” indistinguishable (by NoScript) from normal operation of Daily Mail.

    So it depends on how closely your formerly trustworthy web site wishes to collaborate with the enemy.

    My guess is their technical staff won’t bother to go to that much effort to integrate, so NoScript will be sufficient in most cases both present and future. My advice is eternal vigilance.

    Reply
  5. Pingback: @GuyKawasaki supports Tynt Tracer? – dropsafe

  6. Pingback: Twitter Updates for 2009-08-21 – dropsafe

  7. Andy

    I came across tynt because the National Assembly for Wales appears to use it pervasively on their website… and there is not hide nor hair of the fact they are using it in their privacy policy.

    tynt.com seems to go a little bit too far for my taste – I have now installed NoScript in case I encounter this somewhere else also.

    Reply
  8. JD

    Firefox users running AdBlock Plus (v1.1 or higher) can use the following optimised filter to block all tynt functionality and prevent any callbacks to tynt.com:

    ||tynt.com^$third-party

    Reply
  9. No one

    The way Tynt works is fairly simple. They attach a listener to the browser’s copy event that creates a hidden div with your selected text + two line breaks + attribution + sponsorship and they select the new text using either setBaseAndExtent for Safari, selectNodeContents and addRange for FF/Opera, or moveToElementText and select for IE. The browser copies the new hijacked selection to your clipboard. The script then reselects the range of text you had selected originally to make it look as if nothing is going on behind the scenes — using Tamper Data or Firebug’s Net panel will easily tell another story though, as you’ll notice requests going out whenever you Ctrl+C.

    Reply
  10. Roadcrosser

    Google chrome has a Tynt blocker extension. Thank goodness because I never realized so many sites use Tynt!

    Reply
  11. Jamie

    For those of you using Hosts files to block Tynt:

    The addition of new domains over time mean IMO that blocking Tynt with Adblock Plus would be a better idea (as also the indication in the Tynt script that some sort of dynamic domains are in use.)

    Nevertheless, I do like to use the Hosts file to protect my “spare” browsers, so to save you the bother of tracking down Tynt subdomains to add here’s the appropriate section of mine:

    127.0.0.1 tynt.com
    127.0.0.1 asa.tynt.com
    127.0.0.1 cluster1.tynt.com
    127.0.0.1 cluster10.tynt.com
    127.0.0.1 cluster11.tynt.com
    127.0.0.1 cluster2.tynt.com
    127.0.0.1 cluster3.tynt.com
    127.0.0.1 cluster4.tynt.com
    127.0.0.1 cluster5.tynt.com
    127.0.0.1 cluster6.tynt.com
    127.0.0.1 cluster7.tynt.com
    127.0.0.1 cluster8.tynt.com
    127.0.0.1 cluster9.tynt.com
    127.0.0.1 feedback.tynt.com
    127.0.0.1 ic.tynt.com
    127.0.0.1 id.tynt.com
    127.0.0.1 signup.tynt.com
    127.0.0.1 sneaky.tynt.com
    127.0.0.1 tcr.tynt.com
    127.0.0.1 tcr1.tynt.com
    127.0.0.1 p1.tcr1.tynt.com
    127.0.0.1 r1.tcr1.tynt.com
    127.0.0.1 w1.tcr1.tynt.com
    127.0.0.1 tcr10.tynt.com
    127.0.0.1 tcr100.tynt.com
    127.0.0.1 tcr111.tynt.com
    127.0.0.1 tcr112.tynt.com
    127.0.0.1 tcr121.tynt.com
    127.0.0.1 tcr34.tynt.com
    127.0.0.1 tcr42.tynt.com
    127.0.0.1 tcr50.tynt.com
    127.0.0.1 tcr51.tynt.com
    127.0.0.1 tcr60.tynt.com
    127.0.0.1 p1.tcr62.tynt.com
    127.0.0.1 r1.tcr62.tynt.com
    127.0.0.1 w1.tcr62.tynt.com
    127.0.0.1 tcr7.tynt.com
    127.0.0.1 tcr70.tynt.com
    127.0.0.1 tcr71.tynt.com
    127.0.0.1 tcr80.tynt.com
    127.0.0.1 tcr81.tynt.com
    127.0.0.1 tcr9.tynt.com
    127.0.0.1 tcr92.tynt.com
    127.0.0.1 tyntapp.tynt.com
    127.0.0.1 wau.tynt.com
    127.0.0.1 waudist.tynt.com
    127.0.0.1 http://www.tynt.com
    127.0.0.1 www1.tynt.com

    Reply
  12. Jamie

    The www dot domain above seems to have been automatically parsed into a full URL. If adding the above to your Hosts file, DON’T include the http colon slash slash

    (Hopefully the comment can be moderated to fix this, I’m sending an email to request this now.)

    Reply
  13. B. Anonymous

    Well, I don’t see things as you fellows seem to.

    If I’ve written something worth copying, I want to know what it is that my readers are finding so useful so I can write more of it. I also want to be credited with its creation when someone else uses it in their “blogpost creation window” which, at the moment, is highly unlikely.

    Instead, my original work is going to simply be stolen. Those extra two lines at the bottom of the pinched material let me at least call a thief a thief. Moreover, the assertion of the CC license is binding, whether you delete the lines or not. If you don’t like the license, don’t use the material.

    It’s easy to delete those lines from your “blogpost creation window” or from your text editor … a whole lot easier than it was for me to create the original material that you stole.

    So, put a sock in it.

    Reply
    1. alecm Post author

      >So, put a sock in it.

      Actually, perhaps you should? If you don’t want people to discuss, comment and copy stuff that you write and put in the digital domain, on your blog, then either protect it properly (Tynt is not protection, and it’s trivially circumventable) or else stop bothering.

      Tynt is not a security device, to so say that it prevents theft is wrong in several ways; moreover if it were just you wanting to “protect’ your stuff in the harlf-arsed manner Tynt provides then you would not need to involve Tynt as a third party, you could in fact do it for yourself. There are any number of right-click-capture widgets available for use.

      So I still lack a reason for Tynt to exist, even with your arguments.

      Reply
  14. CJ

    “If I’ve written something worth copying, I want to know what it is that my readers are finding so useful so I can write more of it. I also want to be credited with its creation when someone else uses it in their “blogpost creation window” which, at the moment, is highly unlikely.”

    Whenever I’m copying something, I’m not posting it on some blog. I’m usually pasting a link in a chat room, then my friends and I read through it and paste and comment on sections of the text we find relevant. What I paste over AIM or IRC is none of your damn business. It’s the equivalent of me sitting in a coffee shop with a newspaper in my hand, talking to a friend, and discussing the article.

    You don’t have any control over the latter, so you shouldn’t get any control over the former, either. I doubt even 1% of the people copying text from these articles are actually plagarizing and trying to credit work as their own. That is thievery. Copying a few sentences and discussing the story is not. You would have no right to come into my home and find out who I’m discussing your article with (or even that I am) so you have no right to track it on my computer either.

    Reply
  15. Adam Marsh

    Hi all,

    I suppose Tynt looks useful from a commercial standpoint. It works in building backlinks which are needed for SEO. I personally use tynt, but I suppose easier opt out processes and transparency.

    It is a useful, and yes it is also invasive. This is a choice for webmasters to make depending on their community, and also for tynt to create safeguards for visitors.

    I definitely wouldnt put this on forums or sensitive matter websites. Too pervasive

    Reply
  16. Kosuke

    Use the blocking software from google chrome extensions. It effectively blocks all tracking from various locations, and is “originally” the reason I decided to find out about tynt.

    Reply

Leave a Reply