Is YouTube's privacy-enhanced mode actually privacy-enhanced

welly
Junior Member
Posts: 26
Joined: Fri Sep 10, 2010 6:19 am

Is YouTube's privacy-enhanced mode actually privacy-enhanced

Post by welly »

Hi

Say that I embed YouTube videos to my site. As you probably know, YT now offers a new choice to "Enable privacy-enhanced mode". If you do this, then when someone visits your webpage that contains the YT video, YT will not send a cookie to the page's visitor (unless the visitor chooses to actually play the video).

However, if you pick this option, then when someone visits your page, NoScript (or a "similar" program) will block the video, and you'll notice that in order to unblock it, you'll need to set NoScript to allow the URL address youtube-nocookie.com.

Hmm. Is it possible that this address works as "google-analytics.com" or other ones, that have as purpose to track your visits?

Is there a "catch" to enabling the "privacy-enhanced mode"?

Hope my question is clear. If it's not, please let me know and I'll try to rephrase it.

Thanks.
Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Is YouTube's privacy-enhanced mode actually privacy-enha

Post by Tom T. »

welly wrote: Say that I embed YouTube videos to my site. As you probably know, YT now offers a new choice to "Enable privacy-enhanced mode". If you do this, then when someone visits your webpage that contains the YT video, YT will not send a cookie to the page's visitor (unless the visitor chooses to actually play the video).

However, if you pick this option, then when someone visits your page, NoScript (or a "similar" program) will block the video, and you'll notice that in order to unblock it, you'll need to set NoScript to allow the URL address youtube-nocookie.com.

Hmm. Is it possible that this address works as "google-analytics.com" or other ones, that have as purpose to track your visits?

Is there a "catch" to enabling the "privacy-enhanced mode"?

I wasn't aware of this new option, because the issue wouldn't affect me. The old way is a tracking method: SiteA.com allows YouTube to send cookies to visitors. Thus, YT can track how many visits the site gets, and what percent of them play any given YT video. For users who allow permanent storage of cookies, YT can now track them across all sites that allow YT to set or read the cookies. Since YT has been a wholly-owned subsidiary of Google for the past five years, this is just typical Google behavior of tracking, profiling, and otherwise gathering as much user data as possible, to sell targeted ads or the data themselves.

The prevention is (in Fx 3) Firefox Tools > Options > Privacy. Check "Accept cookies from sites", but make sure that "Accept third-party cookies" is unchecked. Then "Keep until" = "Ask me every time". You will answer with either "deny" or "for this session only". Therefore, YT would not be allowed to set a cookie at SiteA.com, and *no* cookies will be permanently stored on the machine, to be read by other sites later. Privacy issue solved. Also safer, because if you leave a permanent login cookie, anyone who gets access to your machine can log in to your bank and steal from you, or impersonate you at other sites, which could be damaging. A little less convenient, but a small price to pay for the security. (I may have to double-check that it's the same paths in Fx 8.)

The reason that NoScript is blocking these is that the default whitelist includes YouTube.com and ytimg.com, but not youtube-nocookie.com (because it didn't exist before). So you have to allow, or temp-allow, the new script source, youtube-nocookie.com.

btw, many YT features will work *at the site* without allowing any scripting at all, though advanced features may not.

I don't immediately see a downside to enabling this privacy-enhancing mode. Can you provide a site address (URL) that uses this?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Is YouTube's privacy-enhanced mode actually privacy-enha

Post by Tom T. »

No changes to the above recommended settings, or path to them, in Firefox 8.01, although a reminder that "Use custom settings for history" must be chosen from the drop-down window to make these settings choices visible.
Mozilla/5.0 (Windows NT 5.1; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
welly
Junior Member
Posts: 26
Joined: Fri Sep 10, 2010 6:19 am

Re: Is YouTube's privacy-enhanced mode actually privacy-enha

Post by welly »

Thanks for the very informative reply (and sorry for my late response).
But there is an aspect still unclear.

If I do let NoScript allow youtube-nocookie.com, then will Google (who obviously owns YouTube) be able to track my visit to that page? (If so, it would be similar to the case of allowing google-analytics.com, right?)

Maybe in other words my question is, is youtube-nocookie.com a "web-bug" like I think google-analytics.com is?
Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Is YouTube's privacy-enhanced mode actually privacy-enha

Post by Tom T. »

welly wrote: Thanks for the very informative reply (and sorry for my late response).
But there is an aspect still unclear.

If I do let NoScript allow youtube-nocookie.com, then will Google (who obviously owns YouTube) be able to track my visit to that page? (If so, it would be similar to the case of allowing google-analytics.com, right?)

Maybe in other words my question is, is youtube-nocookie.com a "web-bug" like I think google-analytics.com is?

If you access a YT video from a different site, of course YT will know the site from which the request was made, script or no.
Some complex sanitization could be done with various ABE rules, as in this thread, but if you truly don't want YT to know the site that referred you, here are some simpler ideas:

1) Get the RefControl add-on, and set "Forge" as the default, and/or

2) R-click the link, "copy link location", paste it into a separate browser tab or window, and before pressing "Enter", look for any data other than the YT address and video identifier, which typically look like this:

http://www.youtube.com/watch?v=Z-DVi0ugelc

Anything beyond that ?v=(random string) should be removable, and probably contains some of the info we're talking about.
Again, if you can point me to a site that uses this method, it would be easier to see it than to speculate.

If you want to examine the contents of youtube-nocookie.com, the JSView add-on will let you read that, or any other, script.

From what I understand so far, this script isn't triggered unless you try to click the link while denying YT cookies, right? And it only shows at sites that host links to YT videos. Whereas google-analytics shows up almost *everywhere*. :o

So I doubt the data-mining capability is anywhere near that of G-A.com. If youtube-nocookie starts showing up on 90% of web sites, we'll re-evaluate. :D
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24
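
The manual clean-up in suggestion 2 above, written out as an added example that is not part of the original posts: it reduces a YouTube link to its video ID, reports which extra parameters were dropped, and rebuilds a plain watch URL and a privacy-enhanced embed URL. It goes a little beyond the thread by also accepting youtu.be and /embed/ links; the 11-character ID pattern, the host list, the `https` scheme and the function name `cleanYouTubeLink` are assumptions.

```javascript
// Added example: reduce a YouTube link to the video ID and rebuild clean URLs.
// Assumption: video IDs are 11 characters from [A-Za-z0-9_-], as in the thread.
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/;
const YT_HOSTS = new Set([
  'youtube.com', 'www.youtube.com', 'm.youtube.com',
  'youtube-nocookie.com', 'www.youtube-nocookie.com',
]);

function cleanYouTubeLink(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return null; // not an absolute URL
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;

  // Exact host match: "www.youtube.com.example.net" must not pass.
  const host = url.hostname.toLowerCase();
  let id = null;
  let keptParam = null;
  if (host === 'youtu.be') {
    id = url.pathname.slice(1);
  } else if (YT_HOSTS.has(host)) {
    if (url.pathname === '/watch') {
      id = url.searchParams.get('v');
      keptParam = 'v';
    } else {
      const m = url.pathname.match(/^\/(?:embed|v)\/([^/]+)\/?$/);
      if (m) id = m[1];
    }
  } else {
    return null;
  }
  if (!id || !VIDEO_ID.test(id)) return null;

  // Everything except the video ID is dropped; report it so the user can see
  // what the original link carried.
  const stripped = [...new Set(url.searchParams.keys())]
    .filter((k) => k !== keptParam);
  return {
    videoId: id,
    watchUrl: `https://www.youtube.com/watch?v=${id}`,
    embedUrl: `https://www.youtube-nocookie.com/embed/${id}`,
    stripped,
  };
}

// Constructed sample link: the thread's video ID plus made-up extra parameters.
const sample = 'http://www.youtube.com/watch?v=Z-DVi0ugelc&feature=constructed&list=PLconstructed';
console.log(cleanYouTubeLink(sample));
```

Cleaning the URL does not change the Referer header the browser sends; that is what the RefControl suggestion covers.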
welly
Junior Member
Posts: 26
Joined: Fri Sep 10, 2010 6:19 am

Re: Is YouTube's privacy-enhanced mode actually privacy-enha

Post by welly »

Thanks, now I understand.

BTW, it was about whether it would be a good idea to use YT's privacy enhanced mode when embedding vids on my site (I want my site to be as respectful of users' privacy as possible).

I guess using this mode is better than using the normal mode because of these reasons:

1) In privacy-enhanced mode, my site will not send YT cookies to my visitors, unless they choose to actually play the videos.

2) In both cases, Google would still track my visitors' visiting of the video, and the referrer (unless they use a referrer blocker like you said).

3) Having your visit tracked by youtube-cookie.com is better than having it tracked by google-analytics.com (even though I still don't understand why).

So that's about all information I needed to make up my decision, unless someone has the time to explain #3 to me...

In any case, thanks very much to Tom for these clarifications.
Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Is YouTube's privacy-enhanced mode actually privacy-enha

Post by Tom T. »

welly wrote: Thanks, now I understand.

BTW, it was about whether it would be a good idea to use YT's privacy enhanced mode when embedding vids on my site (I want my site to be as respectful of users' privacy as possible).

Yes.
I wish all sites felt that way about visitors' privacy.

welly wrote: 1) In privacy-enhanced mode, my site will not send YT cookies to my visitors, unless they choose to actually play the videos.

Actually, you can play YT videos *at YT* while denying their cookies, as per this thread, though there were some minor inconveniences being worked on.

It may be possible to play your embedded videos without the YT cookie, if they temp-allow the no-cookie script. At the risk of sounding like a broken record, can you point me to an existing site that does this already, so I can poke around and see what goes on? As said, your OP was the first I'd heard of the new YT no-cookie script.

If/when your site is up, I'd be happy to take a look. Feel free to PM me with the URL if you don't want to post it here, but hey, it's not often we actually invite users to spam their sites here. :lol: ... if PM'd, all will remain in confidence, rest assured.

welly wrote: 3) Having your visit tracked by youtube-cookie.com is better than having it tracked by google-analytics.com (even though I still don't understand why).

G-A is more than just a tracker of where you've been. It attempts to mine other data. Not having seen the YT script, I don't yet know what it does besides substitute for a cookie. More on that in a minute.

No one forces you to allow g-a to be run at your site, unless you're not hosting it yourself, and the hosting company/ISP/whatever requires g-a to be run. But that is why NoScript, *by default*, out of the box, without user configuration, runs Surrogate Script for G-A, so long as the user doesn't allow or TA it. This surrogate makes the page happy, but sends back a lot of *nothing* to Google. Privacy protected. Same if GA tries to run at YT, or anywhere else on the planet.

So the other thing you can do to help protect your visitors' privacy *and* security, across almost all of the Web, is to recommend NoScript to them, along with a compatible browser. (Firefox, SeaMonkey; some Fx forks may work, but not guaranteed.) I'm sure Giorgio won't object to your putting a link to his page at your site.
http://noscript.net/

I'd still like to see the YT no-cookie in action, so if you can ever point me ... ;)

welly wrote: In any case, thanks very much to Tom for these clarifications.

You're very welcome. :)
Last edited by Tom T. on Mon Dec 12, 2011 9:39 am, edited 2 times in total.
Reason: typo
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24
welly
Junior Member
Posts: 26
Joined: Fri Sep 10, 2010 6:19 am

Re: Is YouTube's privacy-enhanced mode actually privacy-enha

Post by welly »

I haven't read all your message yet but I will in a bit.

For now, here is an example of the situation: http://experiment23.nfshost.com/
Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Is YouTube's privacy-enhanced mode actually privacy-enha

Post by Tom T. »

welly wrote: I haven't read all your message yet but I will in a bit.

For now, here is an example of the situation: http://experiment23.nfshost.com/

Thanks. I did want to poke under the hood, and the news looks pretty good.

Upon visiting your link, no YT cookie was set, as promised.
Even after temp-allowing youtube-nocookie.com, no cookie was set.

On Fx. 3.6.24, I can play vids directly at YT with *no* scripting allowed, as well as no cookies. Per another thread, Fx 8.x may require allowing youtube.com and ytimg.com, even directly at YT.

However, using your embedded video, the two scripts above must be allowed or temp-allowed even on Fx 3.x, or the video won't load. They're already in the default whitelist, which means most users won't notice, and also that Giorgio considers them reasonably "safe", as much as such things can ever be. :?
No change for 8.x users.

Anyway, the video plays, still no cookies from YT, or Google for that matter. And the no-cookie script looks innocuous to me, though I'll throw it up here for anyone who can put a magnifying glass and find any evil that might have been missed. Please don't trouble yourself with it, welly, unless you're into such things. :)

Bottom line, unless someone finds something different (and I'll recheck with Fx 8.01): It's a good feature from Google/YouTube - who knew they were capable of it? :D Props to them for providing it, and to you for your efforts to protect privacy.

For the tinfoil-hat crowd, one can obtain the URL of the video, then go to YT directly. But I don't see much of a reason to do that.

Youtube-nocookie.com script for the video linked in the "experiment", in the above post (some line breaks removed to save space):

<!DOCTYPE html>
  <html lang="en" dir="ltr" >

<head>
    <title>Funny Cats - YouTube</title>

      <link  rel="stylesheet" href="http://s.ytimg.com/yt/cssbin/www-embed-refresh-vflCCinZA.css">


    <link rel="canonical" href="/watch?v=IytNBm8WA1c">

</head>
  <body id="" class="date-20111213 en_US ltr" dir="ltr">

<div id="watch-longform-ad" class="hid">
  <div id="watch-longform-text">
Advertisement
  </div>
  <div id="watch-longform-ad-placeholder"><img src="//s.ytimg.com/yt/img/pixel-vfl3z5WfW.gif" height="60" width="300"></div>
</div>

  <div id="player" class="full-frame"></div>
       
    <script  src="//s.ytimg.com/yt/jsbin/www-embed_core_module-vfl5vmUXz.js"></script>

  <script>
    yt.setConfig({
      'EMBED_BINARY_URL': '//s.ytimg.com/yt/jsbin/www-embed_core_module-vfl5vmUXz.js',
      'ORIGIN': "*",
      'IS_OPERA_MINI': false
    });
    yt.setMsg({
      'FLASH_UPGRADE': '<div  class=\"yt-alert yt-alert-error yt-alert-player yt-rounded \"><span class=\"yt-alert-icon\"><img src=\"\/\/s.ytimg.com\/yt\/img\/pixel-vfl3z5WfW.gif\" class=\"icon master-sprite\" alt=\"Alert icon\"><\/span><div  class=\"yt-alert-content\">        You need to upgrade your Adobe Flash Player to watch this video. <br> <a href=\"http:\/\/get.adobe.com\/flashplayer\/\">Download it from Adobe.<\/a>\n<\/div><\/div>'
    });
      yt.setConfig({
      'PLAYER_CONFIG': {"assets": {"html": "\/html5_player_template", "css": "http:\/\/s.ytimg.com\/yt\/cssbin\/www-player-vfl1bxWVE.css"}, "url": "http:\/\/s.ytimg.com\/yt\/swfbin\/watch_as3-vflPZYogr.swf", "min_version": "8.0.0", "args": {"el": "embedded", "fexp": "903309,914022,902400,911614,916201", "is_html5_mobile_device": false, "allow_embed": 1, "allow_ratings": 1, "hl": "en_US", "use_tablet_controls": "0", "eurl": "http:\/\/www.youtube-nocookie.com\/", "iurl": "http:\/\/i2.ytimg.com\/vi\/IytNBm8WA1c\/hqdefault.jpg", "view_count": 32256636, "title": "Funny Cats", "avg_rating": 4.92024212891, "video_id": "IytNBm8WA1c", "length_seconds": 470, "sendtmp": "1", "enablejsapi": "0", "sk": "A0xv5TtUVR8rzYPkunY2zfR7pxRh4VptC", "use_native_controls": false, "rel": "0", "playlist_module": "http:\/\/s.ytimg.com\/yt\/swfbin\/playlist_module-vfl0B63K3.swf"}, "url_v9as2": "http:\/\/s.ytimg.com\/yt\/swfbin\/cps-vfleSxV5Q.swf", "params": {"allowscriptaccess": "always", "allowfullscreen": "true", "bgcolor": "#000000"}, "attrs": {"width": "100%", "id": "video-player", "height": "100%"}, "url_v8": "http:\/\/s.ytimg.com\/yt\/swfbin\/cps-vfleSxV5Q.swf", "html5": false},
    'EMBED_HTML_TEMPLATE': "\u003ciframe width=\"__width__\" height=\"__height__\" src=\"__url__\" frameborder=\"0\" allowfullscreen\u003e\u003c\/iframe\u003e",
    'EMBED_HTML_URL': "http:\/\/www.youtube.com\/embed\/__videoid__"
  });
  yt.net.ajax.setToken('html5_ajax', "lTmUoGubjI9Ql-DEaP9Y4IulQV98MEAxMzIzNzY4MDUy");

  yt.setMsg('HTML5_DEFAULT_FALLBACK', "Your browser does not currently recognize any of the video formats available.\u003cbr\u003e\u003ca href=\"\/html5\"\u003eClick here to visit our frequently asked questions about HTML5 video.\u003c\/a\u003e");
  yt.setMsg('PLAYER_FALLBACK', "\u003cdiv  class=\"yt-alert yt-alert-error yt-alert-player yt-rounded \"\u003e\u003cspan class=\"yt-alert-icon\"\u003e\u003cimg s\u0072c=\"\/\/s.ytimg.com\/yt\/img\/pixel-vfl3z5WfW.gif\" class=\"icon master-sprite\" alt=\"Alert icon\"\u003e\u003c\/span\u003e\u003cdiv  class=\"yt-alert-content\"\u003e        The Adobe Flash Player or an HTML5 supported browser is required for video playback. \u003cbr\u003e \u003ca href=\"http:\/\/get.adobe.com\/flashplayer\/\"\u003eGet the latest Flash Player\u003c\/a\u003e \u003cbr\u003e \u003ca href=\"\/html5\"\u003eLearn more about upgrading to an HTML5 browser\u003c\/a\u003e\n\u003c\/div\u003e\u003c\/div\u003e");
  yt.setMsg('HTML5_QUALITY_SETTING', "quality");
  yt.setMsg('HTML5_SPEED_SETTING', "speed");
  yt.setMsg('HTML5_SPEED_NORMAL', "normal");
  yt.setMsg('HTML5_VOLUME_SETTING', "volume");
  yt.setMsg('HTML5_VOLUME_MUTED', "muted");
  yt.setMsg('HTML5_VOLUME_MUTE', "mute");
  yt.setMsg('HTML5_VOLUME_UNMUTE', "unmute");
  yt.setMsg('HTML5_CONTROL_TOGGLE', "toggle");
  yt.setMsg('HTML5_SUBS_TRANSCRIBED', "transcribed");

      yt.embed.writeEmbed();
  </script>

</body>
</html>

@ ALL GEEKS:
I assume the setting of the HTML5 token

  yt.net.ajax.setToken('html5_ajax', "lTmUoGubjI9Ql-DEaP9Y4IulQV98MEAxMzIzNzY4MDUy");

is a substitute for a cookie, but with F3 (presumably) not supporting HTML5, there does appear to be a graceful fallback to Flash player vs. H5 video, as therube and I speculated at the thread linked, about "Problem with YouTube videos if cookies are disabled"?

And said token would persist ... how long? Sorry, but with the personal preference for F3.x, I'm not fully up to speed on HTML5. (and may stay that way, LOL.) TIA.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24