I added the Disqus commenting platform to my blog some time ago. And then I found out that it was loading WAY TOO MANY tracking cookies inline and profiling my website users. This is how you build Orwellian software. And shitty software.

Introduction

In order to start figuring out how to speed up and optimise this website, I thought I would start by using some popular website speed test tools to figure out the current situation, and go from there. Two of the very popular ones out there are GTMetrix and Pingdom. So I chose one page URL from my blog, and used the tools to see what improvements were recommended. And that’s when I found out that Disqus was loading a bunch of junk ad-tracking domains behind the scenes.

GTMetrix raised some red flags…

I started with GTMetrix. It reported a horrible score, and recommended that I minimise redirects and leverage browser caching, among other things.

… and so did Pingdom

Running tests with Pingdom didn’t get any better. It too recommended minimising redirects and leveraging browser caching.

Now, this is a fairly simple blog: it uses static HTML compiled using Jekyll, some images, CloudFlare CDN, Google Analytics, Google Fonts, and the usual social connect buttons. That’s about it. None of this should account for over 100 requests, not to mention the insane amount of redirects, etc.

Diving down into the redirects, I started seeing a lot of this:

The ad-tracking URLs

Pingdom helpfully allowed me to download the above report as JSON, and I extracted all of the domains that occurred in the report. Here is the list:

aa.agkn.com accounts.google.com apis.google.com beacon.krxd.net c.disquscdn.com c.disquscdn.com cdn.krxd.net cdn.viglink.com cm.dsp.linksynergy.com cm.g.doubleclick.net connect.facebook.net cts.w55c.net d.agkn.com disqus.com disqus.com dpm.demdex.net e.nexac.com ei.rlcdn.com fonts.googleapis.com fonts.gstatic.com glitter.services.disqus.com googleads.g.doubleclick.net gpush.cogocast.net i.liadm.com ib.adnxs.com idsync.rlcdn.com io.narrative.io links.services.disqus.com loadus.exelator.com match.adsrvr.org notes.ayushsharma.in p.adsymptotic.com personalnotes.disqus.com pippio.com pixel.sojern.com pixel.tapad.com pm.w55c.net rc.rlcdn.com referrer.disqus.com s.cpx.to sp.adbrn.com ssl.google-analytics.com ssl.gstatic.com stags.bluekai.com staticxx.facebook.com stats.g.doubleclick.net sync.mathtag.com tag.apxlv.com tag.cogocast.net tags.bluekai.com usermatch.krxd.net www.facebook.com www.google-analytics.com x.bidswitch.net x.dlx.addthis.com

If you browse through the list above, you’ll be able to quickly identify the few domains that actually belong on that list. There’s the domain for this blog, for Disqus comments, for Google Analytics, Google Fonts… and that’s about it. The rest of them are all ad-tracking domains. But the domains weren’t enough, because they came with their assortment of cookies as well. And since these cookies were placed by Disqus’s Javascript, which I had already placed in my code, they became authorised as well. Feels like I got Trojan-Horse-ed. This sneakily gets around the Same-origin policy and essentially becomes a Cross-site scripting attack. The difference becomes important when I trust Disqus not to load third-party scripts on my site behind my back. Which I don’t. Not anymore.

So… why is this happening?

This is happening because Disqus, “the web’s largest network of discussion communities”, and Xaxis, “the world’s largest programmatic media and technology platform”, decided to team up in 2014 to use the comments you leave using Disqus on any website to build anonymous profiles on you and target ads and sponsored stories. This is great news, because, you see, “Creative possibilities for brands include text, images and embedded video, tailored to specific audiences, topics under discussion, or both”. Of course, as a corporation, you might be worried that your information might be placed on websites where there are comments which might be damaging to your brand, but fear not, because “The platform will continually scan the words and expressions used on sites and in comments to ensure ads are only placed in brand safe environments.”. And so the words you leave behind, even outside the walled gardens of social media websites, are now open to be monetised. Reminds of that one episide from Black Mirror.

I don’t know how you feel about ad-tracking technology. Personally, I think its a little creepy. So I’m ditching Disqus comments on this blog until there is a safer alternative. There is an opt-out option, but that only works for users who know there is one. Maybe I should place it in the footer of the blog, warning users that ad-tracking is on.

But that’s a conversation for later. For now, I’m nuking the comments section.

Resources