We've recently started embedding video from YouTube and elsewhere into Deeplinks and other areas of EFF.org. This posed a challenge: On one hand, embedded video is an important tool that we want to be able to use. But, on the other hand, embedded video has worrisome privacy implications that we thought we should do something about.
All embedded, in-line, or off-site content on the World Wide Web implies some privacy risk because of the way most web browsers work. Whenever you follow a link, or download an embedded or off-site resource, your browser sends a referer header (sic) that tells the web site what web page you came from. And whenever you load any document, your browser may send cookies that show whether you've visited the same site before, and that may even identify you directly. For instance, if you're logged into YouTube and you watch an embedded YouTube video on some other site, YouTube can still recognize you because your browser will still send a personalized YouTube cookie.
This means that loading an embedded video from within a blog could enable the video hosting site (and, in some cases, its advertising partners) to compile a history of which blog entries you were reading and when — even if you didn't try to play the video. When the video hosting site uses an <IFRAME> tag (an increasingly common technique), your browser will automatically load an entire web page from the hosting site; in the course of displaying that page, your browser might send several dozen cookies to several different entities including portal sites or advertising networks. (Even using software like a Flash blocker won't stop this from happening.)
So, that's the challenge we faced: We want to embed video here in the Deeplinks blog because it's an important way of communicating with our readers. But we've also gone to great lengths to protect our visitors' privacy; we believe that when you visit EFF.org, nobody but you should know about it.
As a compromise, we've developed a script called MyTube to protect your privacy. When we embed a video using MyTube, Deeplinks readers will see only a thumbnail from the embedded video — hosted on EFF's own servers — in their web browsers. MyTube prevents the third-party-hosted video from being loaded until and unless the user clicks to play it.
This prevents YouTube.com (and other third-party video-hosts) from knowing you've been to EFF.org or reading Deeplinks unless you specifically click to watch the video.
As the web gets smarter and more powerful, a broad range of exciting new tools for enabling collaboration and communication are emerging, of which embedded video is just one. As these capabilities grow, it's important to keep an eye on the unexpected privacy implications. Increasingly often, loading a website or even using a desktop application can send information to multiple third-parties without the user's knowledge or consent. EFF encourages the web community to help us find ways to make these information leaks transparent and controllable for the average user.
Updated Jan 23 2008: We removed a line about EFF's site search which was no longer accurate, and added a link to the new MyTube Homepage.