Real privacy risks are presented by all of the Web's solutions for embedded video — from user-generated-content sites like YouTube to proprietary sites like MSNBC and Comedy Central. When you visit a site with embedded video, you're not only sending your information to your destination site, but also to the website which hosts that video. In addition, you're allowing the video-host to place cookies and other tracking devices onto your computer. This means that loading an embedded video from within a blog could enable the video hosting site (and, in some cases, its advertising partners) to compile a history of which blog entries you were reading and when — even if you didn't try to play the video.
In February 2008, as a way to free EFF.org from this risk, we developed MyTube. It's a plugin for Drupal, the open-source content management system that powers EFF.org. It makes sure that no user information is sent to YouTube.com or any other third-party video host until the user has been informed of the risks and explicitly consents to the sharing.
A year later, President Obama's web team ran into exactly the kind of privacy problems MyTube was designed to prevent, when the newly-redesigned Whitehouse.gov accidentally exposed its visitors' data to YouTube. In response, YouTube launched a new feature for "privacy-enhanced embeds", which was modeled in part after MyTube. YouTube's "privacy enhancement" remains available to all Web users — although it does have some shortcomings, and the White House has since stopped using it.
Now, after months of work, Brian Swaney and other students at the Ohio State University Open Source Club have launched a new version of MyTube. Site administrators will find that protecting their users with this new version is far easier, more versatile, and less buggy than before. We've been using it on EFF.org for a few weeks now and it's already saved us time and made our jobs easier. You can see it in action on our "Fair Use Examples" page. New support for Vimeo embeds can be seen here.
The privacy risks posed by embedded third-party Web content are receiving fresh scrutiny this month, after it was revealed that many popular Facebook apps had been sharing private user information with advertisers. We'd like to see web developers everywhere consider solutions similar to MyTube to allow their users full control over how and with whom their data is shared.