If you’ve posted a comment on The Tyee — or some 1.3 million other websites — then you’ve registered with Disqus, the commenting platform that powers many of the largest news sites in the world.


In October, the company revealed a data breach affecting 17.5 million users. The breach, Disqus said, appeared to have occurred in 2014 and involved data dating back to 2012.

It didn’t make big news, perhaps partly because Disqus chose to disclose the breach at 4 p.m. PST on a Friday afternoon.

And it was overshadowed by the September revelation of a larger breach of far more sensitive data at Equifax. Hackers accessed financial information of about 145 million people, including 100,000 Canadians. Equifax, which provides credit ratings on individuals, stumbled again by using a poorly set-up installation of WordPress — content management software generally regarded as a poor option for a secure site without customization — to host a site designed to allow people to check if they were affected by the breach. Then it was hacked a second time, causing its site to serve up malware to anyone still daring to browse for credit information.

Still, despite what was generally considered the exemplary handling of the issue by Disqus, we heard from Tyee readers troubled by the breach.

And it encouraged us to move more quickly in looking at other options to see if there was reason to change.

After the breach Disqus had reset the passwords of many of the readers as a precaution. Passwords, Disqus said, were stored in an encrypted format, but there was still some risk — “however unlikely” — that someone could have decrypted them. (Disqus had stored the passwords using a scheme known as SHA1, which by 2012, when the data was put onto the backup where it is thought to have been accessed, was falling out of favour because of security flaws. That was partly because large lists of passwords from other breaches were freely available, and with sufficient computing power and time those could be matched against the newly obtained passwords to recover the originals. Disqus also had an additional measure in place known as “salting,” which adds random characters to each stored password to make this process even harder.)
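To make the salting point concrete, here is an added Python example (not Disqus's code and not from the article) that stores a constructed set of passwords both ways and shows what a per-user random salt buys: it hides which users share a password and keeps a precomputed table of digests of passwords seen in other breaches from matching the stored records.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data: three users, two of whom chose the same password.
# Nothing here is real breach data or the Disqus storage code.
USERS = {"alice": "correct horse battery staple", "bob": "hunter2", "carol": "hunter2"}


def sha1_unsalted(password: str) -> str:
    """Plain SHA1 of the password: identical passwords give identical records."""
    return hashlib.sha1(password.encode()).hexdigest()


def sha1_salted(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Return (salt_hex, SHA1(salt || password)); the salt is random per user."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return salt.hex(), digest


def verify_salted(password: str, salt_hex: str, digest: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = sha1_salted(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, digest)


def reused_password_groups(store: Dict[str, str]) -> List[Set[str]]:
    """Without salts, users who share a password are visible from the records alone."""
    by_digest: Dict[str, Set[str]] = {}
    for user, digest in store.items():
        by_digest.setdefault(digest, set()).add(user)
    return [group for group in by_digest.values() if len(group) > 1]


def in_known_table(digest: str, known_digests: Dict[str, str]) -> bool:
    """True if a stored digest appears in a table precomputed from passwords
    seen in other breaches; only unsalted records can be found this way."""
    return digest in known_digests


# Table built from a constructed "other breach" list, keyed by unsalted digest.
KNOWN_TABLE = {sha1_unsalted(p): p for p in ["hunter2", "password", "123456"]}
```

Running the check functions over USERS shows that the unsalted store exposes bob and carol as sharing a password and matches bob's record in the table, while two salted stores of the same password differ and neither appears in the table.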

Disqus told The Tyee it had not found any evidence of unauthorized logins since the breach, which would have indicated the passwords were indeed successfully decrypted.

The main concern is that Disqus users might have chosen the same passwords for other websites — a security no-no in any case — and hackers could gain wider access to their accounts.

The reader feedback pushed The Tyee to move more quickly on an ongoing consideration of alternatives to Disqus. The review was launched after Disqus shifted, somewhat ungracefully, to an ad-supported model. On two occasions The Tyee website suddenly had ads provided by Disqus above the comments section, which irked some readers and troubled us. The Tyee does carry ads, but we are mindful and deliberate in deciding what advertisers are appropriate.

The issue was resolved both times by The Tyee opting out of the advertising. Before the third phase of the ad rollout, we were notified in advance and chose to pay a fee — between $10 and $100 — to opt out of the ad program.

The Disqus breach generally only revealed people’s email addresses, user names, sign-up dates and last log-in dates (as of 2012). Some users might get a bit more spam as a result, but there would not likely be other consequences, as Disqus stated in its news release on the breach.

In about one-third of the cases, passwords were also possibly exposed, which does increase the risk, especially if people are using the same password for other sites, like banking.

The quiet giant

Disqus has quietly become an unrivalled giant in managing comments on news sites and blogs. (Or at least the ones that haven’t killed comments. The Toronto Star, for instance, ended comments in December 2015, to some critical response.)

Disqus handles comments for more than 1.3 million websites, marketing director Mario Paganini told The Tyee. Some 215 million users have registered on the site, a tenfold increase since 2012. In the same period the number of website clients quadrupled.

Around 75 per cent of the sites on engagement 1000, which ranks sites based on the number of comments, use Disqus, said Paganini.

Disqus seems to have avoided being drawn into the scrutiny Facebook and Twitter have faced over privacy and questions about whether their platforms were used to co-ordinate misinformation around the U.S. election.

Paganini confirmed Disqus does receive government requests for the identities of users, but only provides the information if there is a subpoena or other lawful demand. He estimated that Disqus receives a couple of requests per month.

The appeal of Disqus is that it offers a free, effective way to manage comments, allowing relatively easy moderation and management of the section. (There are additional charges for extra features.) Many commenters conveniently use their login on multiple sites; the company offers users the ability to log in with a Facebook or Twitter ID.

But Disqus, following in the footsteps of Google and others, built its controlling share of the third-party commenting market by offering a free service, hoping it would reach this strong position and then extract a profit and pay its investors. The best value was in creating profiles of users based on their activities across any Disqus-powered site and selling ads targeted at them, as well as offering an opt-out plan for publishers.

The breach certainly would have been far worse if Disqus had exposed this kind of data.

In fact, hackers — or, more accurately, journalists looking at freely available data — exploited a Disqus design flaw in 2013 to get that kind of information. A group of Swedish journalists examined racist comments on far-right websites and discovered that Disqus was doing a poor job of encoding email addresses. It identified the commenters and confronted them in their homes. The reports resulted in several political resignations and won an investigative journalism award in Sweden. Disqus closed this security hole.

Who owns the comments?

By now, seven years after Gmail began scanning your emails to create a profile and target you with ads based on your interests or worries, and after many high-profile data breaches and revelations about government spying, most people are growing concerned about privacy.

But startup tech companies acquire and spend capital on networks because they expect to profit from the information on users. Hackers also know the value of these massive databases, and no matter how strong the protection, breaches happen.

Disqus assures users that they ultimately control their own information.

“You own your data, period. Further, Disqus makes it easy both to import and export data,” the company website says.

Users can opt out of the aggregated anonymous data collection used for advertising.

And they can also delete their accounts and comment history (though Disqus can’t guarantee the data is removed from the databases of any advertisers it has been shared with already).

But is there another way?

Disqus is a valuable and efficient system. And so far, Internet users are willing to sacrifice privacy for access to free online services. Companies like Disqus will continue to evolve their revenue models and opt-out options as user attitudes change.

But there are alternatives. Mozilla, a free software non-profit, offers Coral, a program focused on engagement in journalism. One product is a commenting platform called Talk. Talk is open source; anyone can contribute to the development of the product and use it without charge.

The Washington Post adopted the platform in September, the first major news organization to do so.

Coral conducted a massive amount of research on engagement in journalism and civility in comments before creating Talk. It discovered, for example, that there was no difference in civility between sites that required real names of users and those that allow pseudonyms.

Each Talk community runs on the website’s own server, meaning there is no central network containing every user’s comments. This should reduce the scope of any breach and the value of any particular data store, which in turn may reduce the effort put into hacking attempts.

And it would make it hard for any one organization to create a profile based on a user’s activities on a number of sites and sell it to make money.

Disqus has served us very well and many readers are also invested in it.

But we have also heard your concerns about the breach and targeted advertising. So as a Tyee experiment in reader involvement, we are presenting both Disqus and Talk for your review at the end of this story.

The Talk installation here is a raw and not yet customized one embedded simply below, but it will give you some sense of the platform. Check out the comment sections of the Washington Post for fully developed and integrated installations.

Let us know what you think of either platform below.



*Correction, Nov. 2. An earlier version of this story indicated that the New York Times was using Talk. They are not currently using it, according to The Coral Project. (They are listed as one of the creators here.)