Hitbox on LiveJournal

Nov 05, 2005 11:58

I want to address the questions and concerns we have heard from users about Hitbox code on LiveJournal. There are several points that have been raised and I'll try to touch on each one.

What is Hitbox and why is LiveJournal using it?
Hitbox helps us understand the aggregate usage patterns on LiveJournal. Hitbox collects a small amount of anonymous information about visitors to LiveJournal.com by placing a cookie with a random, unique code on the visitors' browsers via a small amount of code embedded in our web pages. This allows Hitbox to report back to us (and only us) aggregate statistics about how the site is being used. It is very important to note that Hitbox has a strict legal agreement with us that requires them to abide by our privacy policy; they can only report our aggregate statistics back to us. We then use that information solely to make better decisions about how to improve LiveJournal. Some real examples: We can see what percentage of people go from the home page to various other pages and then subsequent navigation paths, seeing at each step how many leave the site -- that helps us a ton in finding problem spots in our navigation and interface. We also now know the most popular languages of users visiting the site which, combined with the most frequently viewed pages stats from Hitbox, can help us know where to focus first on improving LiveJournal's uneven translation readiness (a valuable, happy reminder to us that LiveJournal is used in every corner of the world).

Is Hitbox code on LiveJournal jeopardizing the security of personal information?
There were a number of different questions and concerns about this topic. I'll discuss the main ones in detail below, but I want to emphasize this: we would not have put Hitbox code on LiveJournal if we believed it could harm you. You hold us to a very high standard by entrusting your journals with us and we're glad that you do. We're listening carefully to your concerns. We don't want any doubt to exist about those standards, so we've removed Hitbox code from the site until we can do further work to triple-check the security of this system. We're sorry for any concern we caused.

Could I refuse the cookie from Hitbox?
You could always use your browser's controls to refuse cookies from hitbox.com (or any service for that matter). You could also go here to ask Hitbox to refrain from trying to put more cookies on your browser. The Hitbox javascript would still execute on pages you visit but there would be nothing for Hitbox to report except a page request by an unknown person (slightly distorting our count of unique people using the site, but that's fine).

Where exactly was Hitbox code on LiveJournal.com?
As a rule, we only placed Hitbox code on non-journal pages within LiveJournal. Basically, if the page had the LiveJournal logo/header, then it had Hitbox code on it. This implementation deliberately excluded all journal pages since we wanted to be doubly cautious about treating your sensitive content with the utmost respect.

What information did LiveJournal give to Hitbox's code?
LiveJournal only gave the Hitbox code three pieces of information about a given page -- a unique identifier for our account with them, the name of our site ("LiveJournal.com") and the HTML page title ("Customize Journal"). That's it. There were a few unanticipated instances where a page's title might contain sensitive information, like the subject line of a post on an S1-styled journal's Post Comment page. That was a bug -- an unfortunate oversight. I'm sorry we didn't think ahead about these isolated cases when we decided to use the page title to populate the variable that identifies the page for Hitbox. Even though this data is completely confidential between LiveJournal and Hitbox, we know that it makes some of you uncomfortable. We've fixed it by pulling Hitbox code off of those pages. We didn't want the code on those types of pages as a rule anyway. We missed a couple. I apologize.

Privacy concerns

(1) We only provided to Hitbox some generic info and the title of the page being accessed (which, bug excepted, does not contain sensitive info). That's all we gave them. Since the Hitbox javascript is complex and hard-to-deconstruct, we cannot say unequivocally what else, if anything, the code also tries to collect. We know they are bound legally to follow our privacy policy and their own. In addition to those legal safeguards, we are working with Hitbox to understand what the javascript code does in detail. We'll share back with you as much as we learn and can disclose legally. Finally, to be extra safe, we don't include the Hitbox code on pages that might contain sensitive content (again, excepting mistakes we're fixing).

(2) As mentioned before, Hitbox is under a strict confidentiality agreement with us and we both must abide by our privacy policy. Hitbox has its own privacy policy that Hitbox must follow. We also have zero ability to collect or interest in seeing non-aggregate info -- we just want site-wide page usage info to understand how to prioritize work. Hitbox is legally bound to do nothing with the information other than report it back to us as anonymous and aggregate data. That's a strict legal commitment they've made to us and they make publicly via their privacy policy.

(3) COPPA -- we completely respect the letter and spirit of COPPA (refresher). Again, we do not share personally identifiable information with Hitbox or enable Hitbox to collect it about any users, including those under 13. There are two types of under 13 users on LJ -- those whose parents have given us permission and those who have not and therefore can only view public pages but cannot use the application. For the former, we have permission even though we don't share info with Hitbox. For the latter, we don't have any personal info to collect or share. Just to be safe though, we have added code to turn off Hitbox for users with the COPPA flag set.
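The two fixes described above (naming the page from something other than the HTML title, and suppressing the tag for journal pages and COPPA-flagged users) can be modelled as one server-side decision. The following is an added example, not LiveJournal's or Hitbox's code; the request fields, paths and account id are constructed for illustration.

```javascript
// Added example (not LiveJournal's or Hitbox's code): models what a page
// is allowed to hand to a third-party analytics tag. Request field names
// (path, pageTitle, isJournalPage, coppaFlag) are assumptions.

const ACCOUNT_ID = "EXAMPLE-ACCOUNT-ID"; // placeholder, not a real account id
const SITE_NAME = "LiveJournal.com";

// Fixed page names keyed by request path (constructed paths), so the
// identifier sent to the tracker never depends on user-authored content.
const PAGE_NAMES = {
  "/": "Home",
  "/customize/": "Customize Journal",
  "/update/": "Update Journal",
};

// Original behaviour: the page identifier was the HTML <title>, which on a
// Post Comment page could carry the subject line of the post.
function legacyPayload(req) {
  return { account: ACCOUNT_ID, site: SITE_NAME, page: req.pageTitle };
}

// Hardened behaviour: first decide whether the tag belongs on the page at
// all, then name the page from the allowlist instead of the title.
function analyticsPayload(req) {
  if (req.isJournalPage) return null;  // never on journal content
  if (req.coppaFlag) return null;      // user has the COPPA flag set
  const page = PAGE_NAMES[req.path];
  if (page === undefined) return null; // unknown page: emit nothing
  return { account: ACCOUNT_ID, site: SITE_NAME, page };
}

// Constructed request: a Post Comment page whose title carries the subject.
const sampleComment = {
  path: "/example/post-comment",
  pageTitle: "Re: my private subject line",
  isJournalPage: true,
  coppaFlag: false,
};
```

With `sampleComment`, `legacyPayload` would ship the subject line as the page name while `analyticsPayload` returns `null`, which is the behaviour the post describes as the fix.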

Third-party software/services on LiveJournal
We'd all prefer to have a homegrown solution doing this -- in fact, we already have spent serious money on servers for this purpose, but we put things that would quickly improve your experience on LJ, like the My LJ feature, the datacenter move and ScrapBook improvements, ahead in line. Some dead-simple log processing could give us a fraction of what we'd get from Hitbox, but to get equivalent detail ourselves is a big project given the size and complexity of our log files. We decided that the benefits to LiveJournal of having the Hitbox data now were too many to wait. Hitbox is a service that's already being used by our parent company, Six Apart, and 1,000 other major web sites. It's run by a public company that must satisfy the scrutiny of huge customers, strict audits, and tough regulators.

That's good enough for most, but it's probably not good enough for LiveJournal. You have a very high expectation of us and so we need to dig deeper into this technology and make sure it lives up to those standards. I'm sorry that we didn't do that before implementing -- my mistake. I'm confident that the safeguards we have -- not putting the code on sensitive content pages and legal constraints -- are strong, but we should also do this investigation. If we're not satisfied, we won't put the code back on the site.

To the concerns that Hitbox is flagged by spyware programs, I won't speak for Hitbox, but I'd say that we believe that our implementation of Hitbox does not in any way fall in the category of spyware and our uses are quite the opposite of the "malicious" label often added to that term. If people want to block them, that's fine with us. (As an aside: spyware-detection companies have very diverse definitions of what qualifies as spyware, which makes it very tough for reputable companies like Hitbox to satisfy these vague and shifting requirements and so they're often included unfairly or fairly.)

Does Hitbox slow down LiveJournal?
Some users have reported that they believe Hitbox code caused loading a LiveJournal page to time out for them. The code itself is small and adds little to the weight of any given page. It should in theory also execute very quickly. We didn't see slowness problems ourselves, but we're going to do more testing on that issue to try to get to the bottom of any problems.

Communication
We didn't communicate well with you when we implemented Hitbox. We weren't trying to pull a fast one on you -- the changelog commits are there in the open -- but we just didn't take the time to spell it all out clearly. I know that some folks might assume that we were trying to sneak something by them. We weren't, but what's done is done. I apologize for the poor communication. It felt slimy to some of you and that's a big bummer for me -- I know you love LiveJournal and I do too. The communication (and the site) will improve.

I also want to apologize in particular to our great volunteers in Support and Abuse. I should have thought about this situation ahead of time, anticipated that we should have discussed it in detail, and worked with you to address concerns before we did anything. You all rock. Thank you for doing what you do.
