Currently link clicks trigger HTTP pings: a request to the Discourse instance is made every time a user clicks a link. This enables tracking of who clicks what.
Would be nice to have an option to disable link clicks counters globally to make browsing more private.
This is inappropriate for the following two reasons:
1 - This tracks users who are not logged in to Discourse, who have not done anything to accept being tracked by Discourse, and who probably have an expectation that they are not being tracked by visiting the site.
2 - This tracks user behavior when they leave Discourse for other sites (whatever the link goes to) and not just on Discourse itself.
From a big-picture perspective, almost all tracking can enable some cool feature. I have written about this before . Hence, the existence of some cool feature is not enough of a justification for tracking to exist.
As a general rule, a website should not track users in a way that is not obvious to the user at the time that they will be tracked. For example, tracking who posts a comment and having a list of all the comments you have posted under the user profile is acceptable because a user expects the website to keep track of that when they post a comment, so the website isn’t tracking them in an unexpected way. Tracking which links you click on is not an expected way of tracking, so if a website wanted to do it there should be some obvious warning, that requires an opt-in, before that tracking is implemented.
Another general principal is that users who are not logged in should never be tracked.
Your message made me wonder—have you investigated how Discourse utilizes the information it gleans from such HTTP pings? Does it simply track that a link has been clicked 3 times, or that User X, User Y, and User Z clicked the link (and perhaps along with timing information and other details)?
I personally consider the two scenarios to be fundamentally different—tracking the popularity of assets within a post, vs tracking the behavior of specific users.
This is not to say I wouldn’t like a site setting to control this feature. I think it would be great
As an end user, even if I know what the upstream Discourse source code does, I have no way of knowing what a particular instance of Discourse actually does with the information because I have no way of knowing if they are running modified code. But at a browser level, I can verify whether an HTTP Ping code is included in the HTML that is sent to the browser. Therefore, from an end-user perspective, the only safe answer is for these codes to not be included in the HTML.
I am fundamentally opposed to any version of internet privacy that boils down to “just trust us”. On many topics, I am a trust-but-verify kind of guy, but when it comes to internet privacy I am just a verify kind of guy. And the only way I can verify that a website isn’t trying to do naughty things with HTTP Ping codes is if they never use them in the first place.