
If you've ever considered Disqus...

Cloud services do mainly two things: they offer some functionality and they host the data that is needed to do so.
Hosting data and providing services has to be paid for, and while some services directly take your money, other services sell the information they collect from you: they sell your private data.

Facebook is a great example of a company which makes millions by letting their customers run marketing campaigns against their users. If you want Facebook, you have to live with adverts. But you are not only a target for campaigns, you are also feeding the monster with even more information.
But that is a fair deal: you have a direct benefit in the form of a free service.

Disqus has been bought by a company (Zeta Global) that earns their money with the same principle: they run marketing campaigns for their customers against "their" users.
The big difference in comparison to services like Facebook is that they are collecting data from people who do not know about that and do not have any benefit. Disqus is used on many blogs as an embedded commenting system. While the admin benefits from the service and thus might be okay with the "data against service" deal, the blog users do not know that their comments and mail addresses are directly fed into the mouth of a marketing company, making them marketing campaign targets.

If you want to be a fair admin and you want to stick to Disqus, you should at least inform your users that their personal info will be processed for marketing purposes.

But in my opinion, if you are a fair admin and want to have interaction even with those people who do not like to feed marketing companies, you should think about hosting your data yourself.


https://www.forbes.com/sites/roberthof/2017/12/05/zeta-global-makes-its-biggest-buy-yet-social-discussion-platform-disqus/#3cf523662840
https://techcrunch.com/2017/12/05/zeta-global-acquires-commenting-service-disqus/
http://technewslog.com/disqus-commenting-platform-sold-to-big-data-and-analytics-firm-zeta-global/
https://siliconangle.com/blog/2017/12/05/zeta-global-acquires-commenting-platform-disqus-90m/

Comments

  • As usual, corporate greed ruining good things...

    Disqus was a great embeddable commenting system, I can see its use declining as admins realise this news will impact their sites for privacy-focused people.

  • I would have sold my mother for that amount... :mrgreen:

  • By the way: I've stumbled upon that by reading a blog entry from someone who has moved from Disqus to schnack and when looking at the repo of schnack, I saw several alternatives linked.

    Obviously there are quite nice alternatives to a simple commenting engine when you are concerned about your users' privacy.

  • I think it is highly unlikely that Disqus didn't inform user of this service of this. If they didn't they would have been in breach of US and European laws. It is pretty likely they had their lawyers hadn't set out terms. People don't read terms but in Europe the responsibility is with the site owner in this case.

    The comments themselves even in a private blog are arguably still public domain. Email and other data is a bit more shaky.

    grep is your friend.

  • Yeah, it's already in their Privacy Policy:

    To use the Disqus Service, an email address, username and password are required. That’s it. As described further in this Privacy Policy, we use personally identifiable information to deliver the Service, to comply with reasonable requests of law enforcement, and recommend additional content to you, some of which may include content from advertisers. We may share your personally identifiable information with our vendors to perform services for us, and we may share encrypted email addresses, device identifiers or anonymous information with third parties who want to market to or communicate with you about products and services, in each case as described below.
    (...)
    Advertising is the primary way Disqus makes money. We are paid by advertisers to serve and share content.

    At least they don't lie about their intentions.

  • "personally identifiable information" is a data protection term which goes beyond privacy law and into data protection law. That means you have a right to ask them to remove it and they have to comply.

    I don't really see what is egregious, they do directly warn users of the service when you sign up. They have a responsibility to warn those that signed up when this policy was not in place.

    Free stuff has to be paid for.

    grep is your friend.

  • Vanilla itself gets statistics from most of the people using the software, and even their Vanillicons could raise privacy questions.

    Sure it may be anonymised but anonymisation is not foolproof:

    https://www.youtube.com/watch?v=puQvpyf0W-M

    grep is your friend.

  • @x00 said:
    I don't really see what is egregious

    I hope I haven't sounded like that.

    It is just that it feels different to me if a service uses advertising to be able to provide the service or if its only purpose is to fish for personal data.
    And I also think that there is a difference if you trade your own data for some service or if you "pay" with your users' data.

  • Linc Admin
    edited December 2017

    @x00 said:
    Vanilla itself gets statistics from most of the people using the software, and even their Vanillicons could raise privacy questions.

    One neat thing about our company is that collecting personal info isn't part of our business model, and therefore we have no incentive to do it.

    You can audit what is sent to us for analytics because it's open source, and you can disable it via config. It's essentially: IP, hostname, PHP version, Vanilla version, and server version. It is never shared outside Vanilla (and frankly, used precious little even inside it besides justifying things like requirement changes).

    Nothing identifiable at all is stored by Vanillicon's database. We don't even track IPs. I'm sure it's in the logs for diagnostics for however long those stick around for, but it's certainly not permanent or even long term.

    FYI.

  • x00 MVP
    edited December 2017

    I wasn't actually criticising vanilla, more making a point about awareness.

    I suggested update reminders before you did that. Though with such facilities you obviously need to be mindful of the security.

    Btw the practice of hashing email like Gravatar and Vanillicon falls into the anonymisation problem. There is no perfect way to deal with that, though if you use an already public username rather than email that is better. Salting at least provides some dissociation from other sites.

    grep is your friend.
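
The point made in the comment above about hashed email addresses and salting, as an added example that is not part of the original thread or of Vanilla's code. It assumes the Gravatar convention of an MD5 over the trimmed, lower-cased address; the addresses, keys and function names are constructed for illustration.

```python
import hashlib
import hmac

def normalise(email: str) -> bytes:
    return email.strip().lower().encode("utf-8")

def avatar_hash(email: str) -> str:
    """Gravatar-style identifier: unsalted MD5 of the normalised address."""
    return hashlib.md5(normalise(email)).hexdigest()

def plain_sha256(email: str) -> str:
    """Unsalted SHA-256: a stronger digest, but the same linkability problem."""
    return hashlib.sha256(normalise(email)).hexdigest()

def site_scoped_id(email: str, site_key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) using a secret that stays on one site."""
    return hmac.new(site_key, normalise(email), hashlib.sha256).hexdigest()

def match_known_addresses(published, known_emails, hasher):
    """Re-hash a list of already known addresses and join it to published ids."""
    lookup = {hasher(e): e for e in known_emails}
    return {h: lookup[h] for h in published if h in lookup}

# Constructed sample data: example.com / example.org addresses, not real users.
COMMENTERS = ["alice@example.com", " Bob@Example.org ", "carol@example.com"]
KNOWN_LIST = ["bob@example.org", "alice@example.com", "dave@example.org"]
SITE_A_KEY = b"constructed-secret-for-site-a"
SITE_B_KEY = b"constructed-secret-for-site-b"

def compare_schemes():
    unsalted = [avatar_hash(e) for e in COMMENTERS]
    keyed = [site_scoped_id(e, SITE_A_KEY) for e in COMMENTERS]
    key_a = lambda e: site_scoped_id(e, SITE_A_KEY)
    return {
        # Anyone holding an address list can label the unsalted hashes.
        "unsalted_matched": match_known_addresses(unsalted, KNOWN_LIST, avatar_hash),
        # Without the site key, re-hashing the same list finds nothing.
        "keyed_matched_without_key": match_known_addresses(keyed, KNOWN_LIST, plain_sha256),
        # The key holder can still recompute every identifier.
        "keyed_matched_with_key": match_known_addresses(keyed, KNOWN_LIST, key_a),
        # Unsalted hashes of one address are equal everywhere; keyed ones differ per site.
        "same_id_across_sites_unsalted":
            avatar_hash("alice@example.com") == avatar_hash("Alice@Example.com "),
        "same_id_across_sites_keyed":
            site_scoped_id("alice@example.com", SITE_A_KEY)
            == site_scoped_id("alice@example.com", SITE_B_KEY),
    }

if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(name, "->", value)
```

The keyed identifier is still a stable pseudonym inside one site, and whoever holds the key can recompute it, so the key needs the same protection as any other secret.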

  • phreak MVP
    edited December 2017

    Good info @R_J.

    I've been in digital advertising for several years and quite bad things have happened under the hood. Programmatic Buying, DMP (Data Management Platforms), Audience Data and whatever buzzwords and underlying technologies provide, gather user data whenever you visit the New York Times website or whatever big publisher web portal. Often more than 30 cookies are stored on the client side and technologically advanced software is deanonymizing people on the web every second. Putting pieces of websites you visit together in the background. Even the free Google Analytics is basically made to build qualitative audience data for Adwords and so on. This data is valuable to advertisers and is a game many digital publishers have to play.

    Different integration I (parenting media) tested went so far, that another web publisher (real estate vertical) could sell adverts to my clients (parenting biz) because they bought in data from a DMP (Data Management Platform) to enrich their visitors as those that have been to my community before. So this page basically bought my "cookied" users and sold advertising to my client cheaper, even though it was not operating in the parenting niche. To me this integration was sold as an opportunity to make more revenue, while actually it was in place to sell my data to create new competitors who don't even write publish about parenting but could extend their reach to whatever niche due to tagged users.

    I dropped out of this way of selling advertising and all forms I consider as unethical user data aggregation. Only Google Analytics is in my set up (not that I am happy about it, but it's a very strong tool for publishers, Piwik simply doesn't do the job).

    So if anyone has questions on digital advertising and why you should implement as few tools as possible, don't hesitate to contact me.

    New to this? I highly recommend the talk of Wolfie Christl on the 32C3 (Chaos Communications Congress):
    https://media.ccc.de/v/33c3-8414-corporate_surveillance_digital_tracking_big_data_privacy#video&t=2117

    ... and also Andreas Dewes:
    https://media.ccc.de/v/32c3-7482-say_hi_to_your_new_boss_how_algorithms_might_soon_control_our_lives

    Besides that. The library of talks of the CCC is amazing. Start diving in here (though some are in German, most of the talks are in English):
    https://media.ccc.de/

    • VanillaAPP | iOS & Android App for Vanilla - White label app for Vanilla Forums OS
    • VanillaSkins | Plugins, Themes, Graphics and Custom Development for Vanilla

  • x00 MVP
    edited December 2017

    The public need to be educated too.

    The current European legislation has missed the mark. It focused on cookies when you don't need cookies or anything stored to track people. It hurt most of all people using cookies for where there was no other substitute and has no actual personal data involved, whilst doing little to deal with security and privacy violations.

    The next privacy laws that are about to be enacted take a lot of responsibility away from the individual, which in fact is irresponsible. It is blurring the line between public domain and private and creating the illusion you can reverse that, rather than properly informing them.

    grep is your friend.

  • I've been exploring the Discourse option and it seems a fairly modest API upgrade to their current comments plugin would give us all a robust open-source alternative, backed by one of the best open-source communities on the web. It's exactly what everyone here is asking for.

    If you want to bring this into reality you can join in the development, or donate a few coins so we can set up a bounty and have it built.

    Come over and show your support, share your opinions and hopefully your coding skills. If enough people join in we'll all have this tool available by the end of next month!

    https://meta.discourse.org/t/new-plugin-build-discourse-2-way-api-comment-system/91271
