Why does Google +1 record my mouse movements? [closed]
C

9

195

This is only on pages with a Google +1 box on my website:


It seems to be firing off an event on every mouse move. Anyone know what it is doing? I searched on Google (perhaps I should try Bing for once on this one!) but no one seems to have written about it. Is it recording information about my visitors' browsing habits? Is it some sort of CAPTCHA to detect human-like behaviour?

Example URL, press F12 in chrome, go to timeline and press record, then move your mouse around this page (it plus ones this question, don't worry):

https://plusone.google.com/u/0/_/+1/button?hl=en-US&jsh=r%3Bgc%2F22224365-adc8a19e#url=https://mcmap.net/q/128089/-why-does-google-1-record-my-mouse-movements-closed&size=tall&count=true&id=I1_1310488711647&parent=https://plusone.google.com/u/0/_/+1/button?hl=en-US&jsh=r%3Bgc%2F22224365-adc8a19e#url=https://mcmap.net/q/128089/-why-does-google-1-record-my-mouse-movements-closed&size=tall&count=true&id=I1_1310488711647

For what it's worth (I can see this is going to be a popular question), I don't think there is anything sinister behind it, it might even be a useless artifact/bug, but if it is doing some sort of tracking, well, it seems a little deceptive to me.

Google +1 privacy policy

http://www.google.com/intl/en/privacy/plusone/

Google +1 Button Privacy Policy

June 28, 2011

The Google Privacy Policy describes how we treat personal information when you use Google’s products and services, including information provided when you use the Google +1 button. In addition, the following describes our additional privacy practices specific to your use of the +1 button.

Information we collect and how it is shared

The Google +1 button is a way for you to share information publicly with the world. The Google +1 button helps you and others receive personalized content from Google and our partners. The fact that you +1’d something will be recorded by Google, along with information about the page you were viewing when you clicked on the +1 button. Your +1’s may appear to others as an annotation with your profile name and photo in Google services (such as in search results or on your Google Profile) or elsewhere on websites and ads on the Internet.

We will record information about your +1 activity in order to provide you and other users with a better experience on Google services.

In order to use the Google +1 button, you need to have a public Google Profile visible to the world, which at a minimum includes the name you chose for the profile. That name will be used across Google services and in some cases it may replace another name you’ve used when sharing content under your Google Account. We may display your Google Profile identity to people who have your email address or other identifying information.

Use of the collected information

In addition to the above-described uses, the information you provide to us is used subject to our main Google Privacy Policy.

We may share aggregate statistics related to users’ +1 activity with the public, our users, and partners, such as publishers, advertisers, or connected sites. For example, we may tell a publisher that “10% of the people who +1’d this page are in Tacoma, Washington.”

Your choices

You may view the list of items you have +1’d on the +1 tab on your Profile. You can remove individual items from that list.

You may opt out of seeing +1 recommendations on third-party websites (including on ads on third-party sites) from people you know.

We will store data (such as your recent +1’s) locally in your browser. You may be able to access and clear this information in your browser settings.

More information

Google adheres to the U.S. Safe Harbor privacy principles. For more information about the Safe Harbor framework or our registration, see the Department of Commerce’s website.

Ciliary answered 12/7, 2011 at 16:17 Comment(5)
Human like behavior? That's an interesting thought. I saw a similar mouse tracking code once which was simply recording X/Y coordinates in global variables. They were later used to start/stop/cancel out custom scrolling on a jQuery plugin. There was a better implementation than this global tracking thing (which I changed eventually).Tackett
@Mrchief, some poker clients use mouse movements to detect automated players, I was thinking maybe Google might consider it an effective defence against bots building up profiles and +1ing lots of sites but weighting it towards their sites giving them an unfair competitive edge. Who knows though.Ciliary
Wonder why Facebook is not doing anything like that... (or does it?)Tackett
It might be for some sort of UI testing. I know google likes to do a lot of a/b testing, hence their 41 shades of blue test a while back. Perhaps they're trying to track how the user moves through the page, in order to provide a better UI.Rubicon
What is the tool that you are using?Athens
L
122

It appears to be seeding a random number generator with your mouse movements.

The mouse move handler itself does something along the lines of the following:

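// Pack the coordinates, scale by the clock, and fold the result into c.
var b = ((event.X << 16) + event.Y) * (new Date().getTime() % 1000000);
c = c * b % d;
// Chain to whatever handler was installed before this one.
if (previousMouseMoveHandler) previousMouseMoveHandler.apply(this, arguments);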

d is (screen.width * screen.width + screen.height) * 1000000, and c is a variable that starts out as 1.

All of this is wrapped in the scope of an anonymous function, which itself is immediately evaluated to return a function that is assigned to a property named "random". That returned function looks something like this:

var b = c;
b += parseInt(hash.substr(0,20), 16);
hash = MD5(hash);
return b / (d + Math.pow(16, 20));

hash, BTW, is a variable that starts out as the MD5 hash of the page's cookies, location, the new Date().getTime(), and Math.random().

(Note, of course, that Google may change the script returned at any time and hence invalidate this analysis)

Leatriceleave answered 18/7, 2011 at 17:1 Comment(14)
Great answer thanks, any idea why it would need a random number? I understand mouse movements are a pretty good way of generating a random number, but wouldn't this fail with mobile devices (they don't have a mouse)Ciliary
@TomGullen: I have no idea why Math.random isn't good enough for them. Even without mouse movement data, the phone would still have a bit of randomness just from the initial seeding (cookies, page location, timestamp, and one output from Math.random).Leatriceleave
Isn't Math.random() seeded from the current timestamp? If so, with a widely deployed button like this, you'd expect a lot of collisions. Might explain the extra efforts.Dipole
@yahelc: This may help. In short, in 2008 most browsers seeded with the time just once, either at process start or the first time Math.random() is called (in the process or in the window/tab). Things may have changed since then, of course.Leatriceleave
This seems weird though – if this was the purpose, wouldn't they just use window.crypto.getRandomValues: (function(){var buf = new Uint8Array(1); window.crypto.getRandomValues(buf); alert(buf[0]) } )()Platelayer
Is this to prevent hacking the system via scripts that do auto-clicking?Paradise
@RichBradshaw: Is that available on anything besides Firefox?Leatriceleave
@sym3tri: Doubtful, as the initial seed involves enough randomness that they'd be pressed to tell if the mouse has been moved or not. And it would be trivial enough for the attacker to get around, as events can be synthesized.Leatriceleave
@ltamake: CSRF protection requires the server to know ahead of time what value the client is going to send. It could be being used to create a nonce of some sort, although more randomness than Math.random shouldn't really be necessary either since Google tends to use https anyway which should itself be using even better randomness.Leatriceleave
Heh looks like you cleaned up on rep on this one :) Thanks for your answer!Ciliary
@TomGullen: Sure did. Upvotes on this maxed me out for the day today before I could even do anything else. Thanks for an interesting question.Leatriceleave
@Anomie, yes, I'm in Safari and it works. I suspect all newer webkits + Firefox 4+? I perhaps should have embellished my last comment to state that I'd expect that to be used in browsers that support it, rather than the mouse thing.Platelayer
Supposing it was to give a better random generator seed, a seed provided by Google would be enough, no? Or at least just one or two mouse moves. The current way seems a bit suspicious indeed. It would be nice to have Google show some transparency here where others have failed giving it.Mcglothlin
YIKES 700 reputation yesterday @anomie, only jon can do better than thatRanket
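A runnable model of the generator as the answer above describes it, added here as an illustration (not Google's or Shindig's code). It shows how far the mouse pool `c` can move one output for a fixed hash prefix, and that a single event with `b = 0` leaves the pool at 0; the screen size, coordinates, timestamps and hash prefix are constructed sample values.

```javascript
// Added example: model of the generator as the answer describes it.
// Screen size, coordinates, timestamps and the hash prefix are constructed.
function makePool(screenWidth, screenHeight) {
  const d = (screenWidth * screenWidth + screenHeight) * 1000000;
  let c = 1; // the pool starts at 1
  return {
    d,
    state: () => c,
    // The handler's mixing step: pack x/y, scale by the clock, fold into c.
    // Products above 2^53 are rounded, since these are double-precision values.
    mouseMove(x, y, timeMs) {
      const b = ((x << 16) + y) * (timeMs % 1000000);
      c = (c * b) % d;
      return c;
    },
  };
}

// Output step; hashPrefixHex stands in for hash.substr(0, 20) of the MD5 chain.
function output(c, d, hashPrefixHex) {
  return (c + parseInt(hashPrefixHex, 16)) / (d + Math.pow(16, 20));
}

// Largest change the pool can make to one output for a fixed hash prefix.
function maxPoolInfluence(d) {
  return d / (d + Math.pow(16, 20));
}

function demo() {
  const pool = makePool(1920, 1080);
  const prefix = "8f3a1c5d7e9b0a2c4d6e"; // constructed 20 hex digits
  const idle = output(pool.state(), pool.d, prefix);
  pool.mouseMove(100, 200, 1310488711647);
  const moved = output(pool.state(), pool.d, prefix);
  pool.mouseMove(0, 0, 1310488711700); // b = 0 at the top-left corner
  pool.mouseMove(640, 480, 1310488711800); // the pool stays at 0 afterwards
  return {
    idle,
    moved,
    shift: Math.abs(moved - idle),
    bound: maxPoolInfluence(pool.d),
    afterZero: pool.state(),
  };
}
```

In this model the leading digits of every output come from the hash chain; the pool only perturbs the low-order part.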
P
47

The actual code that is being executed is derived from the Shindig code found here:

http://svn.apache.org/repos/asf/shindig/trunk/features/src/main/javascript/features/shindig.random/random.js

A secure random number is needed to ensure that the secure postMessage channel created here cannot be compromised by scripts on the page to execute arbitrary actions.

Here's an article that explains why using Math.random() is bad:

http://baagoe.com/en/RandomMusings/javascript/

Philippians answered 24/7, 2011 at 5:46 Comment(0)
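One way to build the kind of token-protected postMessage channel this answer refers to, added here as an illustration and not taken from Shindig or Google. It draws the token from the platform CSPRNG (`crypto.getRandomValues`, mentioned in a comment above) instead of `Math.random()`; the message shape, the origin and the function names are assumptions.

```javascript
// Added example: channel token for a parent <-> iframe postMessage link.
// Message shape, origin and function names are assumptions, not Shindig's API.
// Browsers and recent Node expose globalThis.crypto; older Node needs require.
const webCrypto = globalThis.crypto || require("crypto").webcrypto;

function newChannelToken() {
  // 128 bits from the platform CSPRNG, hex-encoded.
  const bytes = new Uint8Array(16);
  webCrypto.getRandomValues(bytes);
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

function sameToken(a, b) {
  // Compare without an early exit so timing does not reveal a matching prefix.
  if (typeof a !== "string" || typeof b !== "string") return false;
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  }
  return diff === 0;
}

function makeReceiver(expectedOrigin, token, onAction) {
  // Returns a handler suitable for window.addEventListener("message", ...).
  return function (event) {
    // Reject anything that does not come from the expected frame origin.
    if (event.origin !== expectedOrigin) return false;
    const msg = event.data;
    // Reject messages that do not carry the per-channel token.
    if (!msg || !sameToken(msg.token, token)) return false;
    onAction(msg.action);
    return true;
  };
}
```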
J
32

If you can get your script loaded first, you could hook addEventListener and log everyone who is setting addEventListener and see who's doing it and then, by looking at the relevant code, see what they're doing.

Put this in place before the Google code loads:

var oldListener = document.addEventListener;
document.addEventListener = function(type, listener, capture) {
    if (type == "mousedown" || type == "mouseup" || type == "mousemove") {
        console.log("type=" + type + " listener=" + listener.toString().slice(0, 80));
    }
    return (oldListener.apply(this, arguments));
}

To see what was listening to window.onmousemove, you'd have to do it afterwards because it's just a variable assignment, not a function that you can intercept. So sometime after the initialization code of the page runs, you would do this to log what was hooked up to it:

if (window.onmousemove) {
    console.log(window.onmousemove.toString().slice(0,80));
}
Jensen answered 12/7, 2011 at 16:59 Comment(4)
Good idea, but this won't work if the script sets the old-style window.onmousemove instead (as Google's script does).Leatriceleave
If that was the case, one can hook that too in the same way.Jensen
@Ben Alpert - I added some code for window.onmousemove to my answer above.Jensen
The function code itself could be arbitrarily long. We don't want to dump multiple kb into the console so I just picked some shorter limit that won't overwhelm the log window. If that isn't enough code to be able to identify where it is, the number can be increased, but it may not be practical to view things in the log window if there was no upper bound to the length.Jensen
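An audit helper covering both registration paths discussed in this answer and its comments, added here as an illustration and not part of the original post. It wraps `addEventListener` and also places an accessor on the `on*` properties so that old-style assignments are recorded; `auditMouseListeners`, `describe` and `findDescriptor` are hypothetical names, and `target` stands in for `window` or `document`.

```javascript
// Added example: audit who registers mouse handlers on a target.
// In a page this must run before any third-party script is loaded.
const MOUSE_EVENTS = ["mousedown", "mouseup", "mousemove"];

function describe(via, type, fn) {
  // Short source preview (as in the answer) plus the registering call site.
  const stack = String(new Error().stack).split("\n").slice(3, 5)
    .map((line) => line.trim());
  return { via, type, preview: String(fn).slice(0, 80), stack };
}

function findDescriptor(obj, prop) {
  // Walk the prototype chain; modern browsers expose on* as accessors.
  for (let o = obj; o; o = Object.getPrototypeOf(o)) {
    const desc = Object.getOwnPropertyDescriptor(o, prop);
    if (desc) return desc;
  }
  return null;
}

function auditMouseListeners(target) {
  const records = [];
  const originalAdd = target.addEventListener;
  target.addEventListener = function (type, listener) {
    if (MOUSE_EVENTS.includes(type)) {
      records.push(describe("addEventListener", type, listener));
    }
    return originalAdd.apply(this, arguments);
  };
  for (const type of MOUSE_EVENTS) {
    const prop = "on" + type;
    const native = findDescriptor(target, prop);
    let stored = native && "value" in native ? native.value : null;
    Object.defineProperty(target, prop, {
      configurable: true,
      get() { return native && native.get ? native.get.call(this) : stored; },
      set(fn) {
        records.push(describe(prop + " assignment", type, fn));
        if (native && native.set) native.set.call(this, fn); // keep it working
        else stored = fn; // no native accessor: record and remember only
      },
    });
  }
  return records;
}
```

In a page, call it on `window` and `document` from the first script and inspect the returned arrays once the third-party code has loaded.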
H
17

In the uncluttered code as of Jul 22, you'll notice the onmousemove is part of the Gb.random class:

Gb.random = function () {
    function a(a) {
        var b = Jb();
        b.update(a);
        return b.ib()
    }
    var b = la.random(),
        c = 1,
        d = (screen[za] * screen[za] + screen[J]) * 1E6,
        e = i.onmousemove || Db();
    i.onmousemove = function (a) {
        if (i.event) a = i.event;
        var b = a.screenX + a.clientX << 16;
        b += a.screenY + a.clientY;
        b *= (new Date)[Ta]() % 1E6;
        c = c * b % d;
        return e[G](i, ka[x][Aa][G](arguments))
    };
    var f = a(k.cookie + "|" + k[B] + "|" + (new Date)[Ta]() + "|" + b);
    return function () {
        var b = c;
        b += ia(f[cb](0, 20), 16);
        f = a(f);
        return b / (d + la.pow(16, 20))
    }
}();

It's multiplying sum of x and y by 2^16 using bitshift, then adding some other dimensions and multiplying all this by time in milliseconds mod 1000000. This definitely looks like a randomizing algorithm.

I'm not sure why the page would need something like this, perhaps it's using a cookie, preventing automated +1 clicking? When you click the "+1" the login screen that pops up appears to have a random number appended as the hash, the url ends with "&hl=en-US#RANDOMNUMBER"

Hirohito answered 23/7, 2011 at 2:18 Comment(0)
D
4

I bet you it's "In-Page Analytics" Beta. Making a cursor and click heat-map.

Danadanae answered 21/7, 2011 at 6:38 Comment(3)
There are also some good projects that do exactly the same; this node.js app, for examplePolston
+1 (sic). It's good to know where people click to know what is useful and what place is best for advertisements.Philippa
Nice idea, but nothing to do with the subject ;)Indus
V
2

I think that the paper by Guo and Agichtein from CHI 2010 http://www.mathcs.emory.edu/~qguo3/wip287-guo11.pdf can provide further ideas on why Google is doing that.

Apparently mouse movement is a rough proxy for eye movement and allows people to approximate eye tracking results.

Vivisection answered 24/7, 2011 at 3:4 Comment(0)
F
1

They probably use it to measure how quickly users move from one UI item to another, how often clicks miss etc.

I normally have a deeply cynical view of invasive features but I don't think this is a privacy risk. It's shocking because it's so unusually fine-grained, but it's not very revealing. Does your mouse movement encode bank details? Porn?

Google and the like have plenty of high-quality data to track you with. Mouse coordinates have very limited application.

To go off-topic a bit:

To an extent, the more data you collect about people the more problems you have. I hear (from Schneier and the like) that intelligence agencies are suffering from the huge numbers of false positives triggered by their ever-accelerating data acquisition -- the signal-to-noise ratio is abysmal. I find this somewhat amusing.

Freeliving answered 12/7, 2011 at 16:25 Comment(1)
With google +1 scripts, appearing on mini games, which uses the mouse for controls... There will really really be lots of noise. XDMeunier
H
1

It's impossible to tell for certain, what Google does with this mouse movement data. As you can see yourself, it's not returning loads and loads of information back to the server, therefore, nothing to worry about.

The first is probably a generic event handler. Reason why I think that is if you read the source, you can see that on the line before there is throw Error("Invalid listener argument"); and next or one after the next there's throw Error("Invalid event type"). Since the fired line is in between these two (event related) exceptions, I'm pretty sure that it's some kind of an event handler. Using debugger, it doesn't do anything really (doesn't jump to some other function) so it seems that it's there for future implementation.

The second function is identical to the first one. Since it's gTalk's I suppose it updates your status (away, online etc).

The third seems to be content updater or something similar, since you can see strings like cacheTimeout etc scattered around it.

My 2 cents.

Headsman answered 18/7, 2011 at 15:54 Comment(0)
V
1

This is really beyond far-fetched, but here it goes anyway ...

It revolves around the type of trajectory & curvature a mouse movement takes from a start point towards different attractors, i.e. 2 items/links on a page.

http://sciencestage.com/v/26698/dynamics-and-embodiment-in-language-comprehension.html

in short, if you put two competing links/buttons and analyze the trajectory towards one of those links, you can deduce a pattern or how you reached the decision to click only 1 of those links (see vid around 13:00)

Vivica answered 24/7, 2011 at 22:35 Comment(0)
