Announcement to the Community
Hi Everyone,
I want to update you guys about something I’ve been working on for the past couple of months.
When I first started working on Stylish, I understood that this product is incredible, but in order to bring it to its full potential, it would require a tremendous amount of resources I just don’t have.
Realizing this made me start looking for a partner that would be a natural fit with Stylish, adding value and helping me achieve my vision for this amazing Product.
I’m proud to announce that Stylish is now part of the SimilarWeb family.
SimilarWeb has a lot of experience with web products and offers much-needed resources, experience, and data including visibility into which are the most popular websites in each country, information that can help us decide which styles to create. On top of that, SimilarWeb sees the great value of the Stylish community, helping it to better understand the digital world. I believe that together we will bring Stylish to its full potential!
Following this partnership, Stylish users will be joining SimilarWeb’s market research panel. However, I understand that not all Stylish users would like to do so. That’s why I’ve made it easy to opt out of joining the panel, straight from the Stylish Settings page. You can read more details in the updated Privacy Policy page. You’re welcome to check it out and contact me if you have any questions:
https://userstyles.org/login/policy
I will, of course, continue working on Stylish, only now alongside a talented team that will back me up.
Comments
That whole section could use a careful proofreading... actually, the whole document is a bit incoherent.
https://www.similarweb.com
https://addons.mozilla.org/en-US/firefox/addon/similarweb-sites-recommendatio/
https://chrome.google.com/webstore/detail/similarweb-site-traffic-s/hoklmmgfnpapgjgcpechhaamimifchmp?hl=en
Not a fan of the business model you adhere to, but as long as you play fair, in the clear, and real opt-out is given, I won't have problems with that. In the end your behavior will always be counterbalanced by the possibility of the arising of an alternative fork/development competing for your users and style-developers, and the styles "belong" to the style-developers.
1. "... if you wish to be part of the Stylish Community you will need to become a registered user..."
"... creating customized “Web Styles” and uploading and sharing them with other users ("Stylish Community") solely for personal non-commercial use..."
What's this meaning?, until now we share styles in the open Internet through your platform, being them "Stylish Community" or not, for the uses we define in our license, including commercial ones if we allow them, although we don't make business selling anything in userstyles.org (maybe you're referring to this, then you should make it more clear) while we may accept donations.
Also, is this meaning soon userstyles.org styles may be close fenced to be accessed only with Stylish installed?
2. A sentence is repeated:
"... you may opt out of the data collection and sharing process (by deselecting the checkbox next to the words 'by deselecting the checkbox next to the words 'Send anonymous data to Stylish developers' in the 'Manage Styles' section of the Stylish extension)..."
3. "... Note that once you opt out, part of the Services provided by Stylish will no longer be available, meaning 1) install count won't be save;..."
probably should be
"... install count won't be saved;..." or maybe "... install count won't be showed;..."
Also, what does mean? for a styles-developer opting-out, is it meaning userstyles.org won't provide install statistics of their own styles or any other?, if that's the case I don't find it fair provided the site generates revenue by ads. Or is this only for non-style-developer users? Have I misunderstood this? Could it be more explicit?
4. "... In the event you do not agree to the aforesaid collection, use and sharing of data, please immediately cease using the Service and remove Stylish Extension from your Chrome browser..."
I suppose this won't affect only to Chrome users.
Jason, you're a traitor.
That whole section could use a careful proofreading... actually, the whole document is a bit incoherent.
Hi Jefferson,
To answer your question, yes, it means that opted out users won't be counted in the style install count. This is actually an old feature that was always there.
Thanks for bringing the typo to my attention. The sentence must have been pasted twice by mistake. Will fix it.
Bottom line, you guys have full control on what's shared and what's not. On the other hand, we're gaining amazing resources that will help improve Stylish and grow it to its full potential.
Trying to take Stylish on as one person, while keeping everyone happy, proved to be very hard. That's why I believe that this change is only for the best and I promise you to continue being completely open with you guys and keeping you updated with any change.
Just created one to say this is utterly disgusting. I use this extension to get themes, not to be data mined by an advertising company.
No, having an opt-out is not good enough. Most users won't ever see your post and will have privacy-invading code enabled by default.
This is on par with Nvidia putting telemetry on a fucking video driver.
Of course, it would be nice if some "maintenance" was done around here, as far as weeding out the older crap from days-gone-by in some manner, and some new features were added to UserStyles.org, like Firefox version numbers as way of searching for applicable Styles.
Ed
https://www.ghacks.net/2017/01/04/major-stylish-add-on-changes-in-regards-to-privacy/
Read the comments.
Time to fork Stylish, the forum and host Userstyles on ANOTHER host.
:bz
BTW: A very good alternative for Firefox user, clean and lean with a better editor for creators: https://addons.mozilla.org/en-US/firefox/addon/stylrrr/
:bz
Maybe a patreon page, or other solution which causes some of us users less privacy and security concerns. This option might be less easy to depend upon, donations can ebb and flow up and down quite a bit I guess.
Author: Tom Hawack
Comment: Well, thanks a lot, gorhill. Detailed and relevant analysis.
1- Opt-out : no data sent;
2- By default, the user is tracked with non-anonymous data collection.
1+2 : behavior of a jackass company who knows the limits (opt-out) and imposes itself until that limit (tracking with ID)
Stylish definitely needs to be forked and the new owner to be forgotten.
Some companies still haven't understood that users are fed up with tracking practices and that some talented coders are fortunately active.
Many thanks, gorhill. I'm sure we've all read you loud and clear.
>As far as tracking is concerned, anonymous information like which styles get installed or which sites visited get collected.
Sounds like "tracking browsing history" in so many words. I installed Stylish (v 1.6.3) from the Chrome store to investigate. I did not install any user styles. I went to the front page of Hacker News, and the Network tab in the dev tools of Stylish showed a POST to "https://api.userstyles.org/tic/stats" (I added a space in URL to prevent URL parsing). I randomly clicked on a link on the page and another POST was made to "api .userstyles.org". I manually entered the URL of the page here in a new tab and another POST was made to "api .userstyles.org".
I then looked at the data sent in the POST. It is a two-pass base64 encoded data, and the data sent is as follows:
vmt=1.6.3
lav=21
wv=1
gr=chrome
di=541
pxe=[a unique identifier reused for each page visited]
knl=https%3A%2F%2Fnews.ycombinator.com%2F
gp=http%3A%2F%2Fmattwarren.org%2F2016%2F12%2F12%2FResearch-papers-in-the-.NET-source%2F
ver=https%3A%2F%2Fnews.ycombinator.com%2F
st=1483716982098
ch=9
Notice the unique id (pxe) and the browsing data, i.e. the URLs navigated to (gp) and from (ver).
So yes, Stylish can now build a profile of your browsing history. The two-pass encoded base64 is something I have seen elsewhere in other such extensions with tracking ability, for example with Web of Trust and Popup Blocker. There is no other purpose than a silly attempt at obfuscating what it is doing. Any rationale to explain this attempt at obfuscation will be pure BS (there is no valid reason AT ALL to encode twice base64 -- so the only explanation left is "let's not make it *too* obvious what we are sending").
When I un-checked the option "Send anonymous data to Stylish developers for determining user counts", the extension ceased to send the browsing history.
It must be noted that the information sent is by no means anonymous, because of the unique user id in each POSTed request, and on top of this by sending data to "api .userstyles.org" server, the server will be able to match your IP with the data sent (your browsing history). But regardless, even if using a VPN, the POSTed data still identify you through the unique id (very bad -- defeats the purpose of using a VPN as a means to enhance anonymity).
The manifest shows that the extension contains a hook for Google Analytics (this fulfills the "user counts" explanation). However I see a "object-src 'self'" content security policy, and I question this: this gives the extensions the ability to embed plugins in its own code[1], though through a quick glance I can't see any file as of now in the extension itself which could be loaded as a plugin.
> This information powers some of the extension's functionality such as the ability to reveal styles to users when they visit sites in the browser
So things to keep in mind if you are eager to believe the above explanation from Stylish representative:
- the attempt at obfuscation (no valid reasons whatsoever).
- the unique id "appUniqueId" (no valid reasons whatsoever).
- the full URL visited (could be just the hostname and only on 1st visit + possibly a user-initiated update manifest in case new user styles become available for a specific site already visited.)
- the full referrer URL (no valid reasons whatsoever).
All these are not necessary for the official stated goal -- and of course the worst is that the claim that the data is anonymous is false. If the will to not collect browsing history was really genuine, the extension would have been written in a very different way to accomplish the stated goal.
My advice is if you *really* need that extension, disable the option to send supposedly anonymous data -- so far, as of writing, it seems it does what it says. Unfortunately as is too often the case, the default is not pro-user i.e. not opt-in so a lot of people will end up having their browsing history collated (even if using a VPN).
TL; DR: The data Stylish is collecting is nowhere near anonymous (it can now build a profile of your browsing history), it is collecting far more data than necessary for any functionality, and it is encoding the data twice to try to hide what it is doing.
gorhill's comment and others on this topic:
https://www.ghacks.net/2017/01/04/major-stylish-add-on-changes-in-regards-to-privacy/#comment-4086083
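The analysis in gorhill's comment, as an added example that is not part of the original thread or of the extension's code: it peels the base64 layers off a captured POST body, parses the fields, and groups navigated-to URLs by the reused identifier. The "&"-joined wire layout, the identifier value and the second request are assumptions constructed for the example; field names and first-request values are the ones listed in the comment.

```python
import base64
import binascii
from urllib.parse import parse_qsl, urlsplit

# Field names are the ones listed in the comment; the "&"-joined key=value
# wire layout is an assumption made for this example.
ID_FIELD = "pxe"
URL_FIELDS = ("knl", "gp", "ver")


def peel_base64(body, max_layers=5):
    """Strip nested base64 layers; return (plaintext, layers_removed)."""
    text, layers = body.strip(), 0
    while text and layers < max_layers:
        try:
            decoded = base64.b64decode(text, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            break  # not base64 (or not text underneath): stop peeling
        if not decoded or not decoded.isprintable():
            break
        text, layers = decoded, layers + 1
    return text, layers


def analyse(body):
    """Decode one captured POST body and pick out the privacy-relevant fields."""
    plaintext, layers = peel_base64(body)
    fields = dict(parse_qsl(plaintext, keep_blank_values=True))
    urls = {k: fields[k] for k in URL_FIELDS if k in fields}
    # A URL with a path or query names the page read, not just the site.
    full = sorted(k for k, u in urls.items()
                  if urlsplit(u).path not in ("", "/") or urlsplit(u).query)
    return {"layers": layers, "user_id": fields.get(ID_FIELD),
            "urls": urls, "full_urls": full}


def link_by_id(bodies):
    """Group navigated-to URLs (gp) by identifier, as a receiving server could."""
    history = {}
    for body in bodies:
        report = analyse(body)
        if report["user_id"] and "gp" in report["urls"]:
            history.setdefault(report["user_id"], []).append(report["urls"]["gp"])
    return history


def encode_twice(plaintext):
    """Build a constructed sample body: base64 applied two times."""
    once = base64.b64encode(plaintext.encode("ascii"))
    return base64.b64encode(once).decode("ascii")


CONSTRUCTED_ID = "CONSTRUCTED-ID-0001"  # placeholder, not a real identifier
SAMPLE_1 = encode_twice(
    "vmt=1.6.3&lav=21&wv=1&gr=chrome&di=541&pxe=" + CONSTRUCTED_ID +
    "&knl=https%3A%2F%2Fnews.ycombinator.com%2F"
    "&gp=http%3A%2F%2Fmattwarren.org%2F2016%2F12%2F12%2F"
    "Research-papers-in-the-.NET-source%2F"
    "&ver=https%3A%2F%2Fnews.ycombinator.com%2F&st=1483716982098&ch=9")
SAMPLE_2 = encode_twice(  # second request, constructed for the example
    "pxe=" + CONSTRUCTED_ID + "&gp=https%3A%2F%2Fexample.org%2Faccount%2Fsettings"
    "&ver=http%3A%2F%2Fmattwarren.org%2F")

if __name__ == "__main__":
    print(analyse(SAMPLE_1))
    print(link_by_id([SAMPLE_1, SAMPLE_2]))
```

The same check works on any extension's captured request bodies: a layer count above zero on data already sent over HTTPS, a stable identifier, and URLs with paths are the three signals the comment calls out.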
But if I opt back in to data collection, all returns to stable again. Very odd.
Also thanks to ❤gorhill❤ (Ublock Origin author), ❤anagrammar❤ and others for their contribution in investigating further.
● Now that this atrocious info has come to light.... not sure why so many of you here have continued with helping out on this forum with solving others problems when it is Justin's responsibility. He's the one profiting from userstyles site through data collection.
Sit back and let Justin answer ALL the forum questions and do all the helpful work here. day after day after day... until the data collection is permanently abandoned.
And without the authors styles posted on userstyles... this is all that userstyles would ever be https://userstyles.org/users/285465?per_page=10
Just one test style with no Star Rating.
● My concern is that it will suddenly without warning start the data collecting after a set time of a few days or more... even if set to "No". Which would mean that the code collection system would have to be continuously checked to be sure that the Data collection is off. Who has time for that? And we would discover it after much damage has already been thrown at us.
● However... this is happening in UK now and I would expect to America and other countries soon too.
Internet Service Providers must log every user's web browsing history for a year. And in the future for 5yrs or more maybe?
https://www.bleepingcomputer.com/news/government/uk-passes-the-most-extreme-surveillance-law-in-the-history-of-western-democracy/
My name is Natalie and I’m the new Product Manager of Stylish. I’m happy to join the conversation and get to know you all.
I understand there are several concerns about the future of Stylish and the types of information that are used. Let me give you a quick rundown of how it works: every time a browser navigates to a new page, the extension queries the servers for saved and available styles. The data collected includes the current, previous and referrer pages and for each new install a random user ID is created. All communication runs through https, to provide a layer of protection. The collected data is cleaned from PII in the client and server side, to make sure privacy is preserved and personal information isn’t used at any point. The only data that is ultimately used is the aggregated anonymized data that helps SimilarWeb create the counters of unique visits to certain websites.
Regarding product features, some community members raised concerns about Stylish becoming commercialized and leaving its main audience - the style creators, behind. I can tell you that we consider you guys as our partners in continuing to improve Stylish. The first step I’d like to take in making sure you have a say in what’s happening is to create a beta group where versions of Stylish are shared with you before anyone else.
Anyone who is interested in joining the beta group, send me an email to - contact@userstyles.org with the subject line - ‘Beta Group’. I’d like to reach a diverse group, composed of developers as well as users who are using styles created by others.
Since building this group will take a bit of time, the upcoming version of Stylish will be released without a beta group, so we don't delay the version I know you've all been waiting for.
Feel free to ask me anything about our plans for Stylish.
that stylish is now removed from palemoon.
i would have rather seen stylish get outdated.
bye bye
A beta group sounds like a good step to take. But still concerns are valid over this 3rd party company that might be doing things with our IP and browsing data we most of us might not like or consent to.
Finding an open and more transparent way forward would be the best option and to limit what data is shared to any other 3rd party company. Maybe give us end users a few types/levels of opt out/in options to choose from if possible. This might be a way forward instead of just one option, that also cripples the add-ons tool bar icon features.
Also, the bug with Opera v42 onwards of making stylish kind of sluggish when applying styles to and opening page/tab or page refresh. Since the very first Opera v42 this bug has been present and also confirmed by one or two others. Using dark styles on websites this briefly exposes the original bright websites from between 0.5-2 seconds on each page refresh or page/tab load.
And also finding a solution to Palemoon would also be good since the recent palemoon update.
just as ironmash said, rather be outdated than some spy ware
I’m glad you’ve asked about the IP, since I’ve read here several posts about it and it's a good opportunity to explain how it works in Stylish. Immediately after we receive the IP (like any other server does) we only save the first 3 subnets of the IP so that no identification will be possible, or more accurately, identification will be extremely difficult. It’s important to understand that when we’re talking about the type of data used in statistical algorithms, personal information has no value and isn’t needed.
We can definitely talk about creating more variants of the extension when in opt-out mode. Let me know what will work for you. I’ll be building the roadmap for Stylish in the coming weeks and your input should be in it!
About Opera, I’ve looked on the Trello board and it seems updating that extension received only 2 votes, so right now it’s not prioritized. If you’ll send me steps to reproduce the bug you’re talking about (including which styles you’re using), I’ll see if we can squeeze it in the pipeline and bring it at least to functioning level.
Palemoon is something we’re just now starting to deal with, so I don’t have answers yet. If you, or any other community member, have suggestions, I’ll be happy to hear it.
For now, the easiest way to reach me with suggestions or for asking to join the beta group is through contact@userstyles.org, but once our beta group is up, I’d be happy to use something that all members of the group can communicate through. Does Slack make sense? Or should we open a private thread in this forum?
With Opera (latest), and the stylish add-on. I and most others use the Chrome store stylish addon in Opera. Using that add-on that allows chrome store add-ons to be used. The opera add-on version of stylish gets little love these days so using the chrome store one is the best option.
The bug first started for me on the very first Opera v42.xx and just seemed to delay stylish applying the style for a brief second or two as a new page loads in a tab or on page refresh. It's still here after x a number of Opera updates. So persistent for me at least.
So my suggestion is, you to be more transparent and post publicly what is happening and what the plans are, so that everyone can have a say in it, be them in a group or not.
2. It is almost impossible to completely anonymize that data properly. I mean, the NSA also filters out all traffic from inside the country. Sure, that's easy and we promise...
Stripping down to the pure (sub)domain name only would be a first step. But even if you don't do cookie- and browser fingerprinting and so on, just by the knowledge of your browser history it is possible to deanonymize you. E.g. it is VERY unlikely that two persons have visited the same 10 youtube videos (randomly chosen from history) the same day [see link at the end of the post]. You can see what facebook profiles I clicked on, you can see which tax declaration forms I downloaded, what banks I am a customer to, you can see what kind of porn I like and which medication I bought.
3. https is nice against man-in-the-middle attacks but almost meaningless if you sell the info to a data-driven third company anyway.
4. Why is the https-encrypted data sent obfuscated by double base64 encoding? More security is not a valid argument here.
5. By having extensive statistics on style installs we still don't know what and why users want what they installed besides the points we already figured out like "darkstyle" and "getting rid of ads". Statistics are no feedback. And as the new statistics will only count people who have the "no privacy" option enabled, the outcome will be altered even more than the current pure download-counter.
6. With the first three blocks of the IP address you presumably know the country and the Internet Service Provider. How hard is it to locate me then if you know I was searching for pizza delivery in Berlin every week? The data-driven companies can and will analyze anything that is possible out of their raw data with fancy algorithms. You will be amazed and shocked when you see what is possible with data-mining today. And personal information always has a value to someone, needed or not. The data that is saved should always be reduced to a minimum (see item 1) and actually it shouldn't be sent anywhere at all.
7. I noted that you didn't confirm or deny the first point.
8. I am not happy with the current situation and hope mozilla will never allow the extension to be on their website with opt-out as default. I consider this very reasonable.
Link:
https://media.ccc.de/v/33c3-8034-build_your_own_nsa
A very interesting talk about user data in the net, its analysis and how they revealed Web of Trust's practices.
From Chaos Communication Congress 2016-Dec-29, an annual meeting of computer hackers organized by the Chaos Computer Club. Live interpreted english and french audio is available in the video download as separate tracks. Unfortunately the translation is not very good in my opinion, but the content is well presented and understandable. Usually / hopefully they also give english subtitles later.