Pinterest is placing promotional ads for itself onto web pages, via its Chrome plugin. The people at Postlight spent a day figuring out what Pinterest was doing, then wrote some code that anyone who manages a website can use to hide the ad. That code is at the bottom of this article.
Update, December 10th, 2015: Pinterest reached out. They’ve fixed their regexp bug and are also keeping their promotional ad from displaying on Readability.com, which fully resolves our issues. Thanks, Pinterest!
Who did what now?
On Friday, December 4, Philip Forget, the lead developer on Readability, posted the following screenshot of Readability.com into our group chat. “This seems like a sleazy move to me,” he wrote. “But maybe I’m biased.”
To understand why it seemed like a sleazy move, you need to know who’s involved.
First, Pinterest is a gigantic, well-funded image-bookmarking service with 100 million users and 500+ employees. A few months ago it began to offer a feature that lets you save not just pictures, but whole articles.
Second, Postlight is a digital agency in New York City that builds mobile and web apps. As a business we’re just a few months old, but as a team many of us have been working together for years. The company was founded by me, Paul Ford, and my partner, Rich Ziade.
Third, Readability is a digital service that Postlight manages. It competes with Pinterest’s “read later” product by saving web articles in a simple, readable view. It has tens of millions of users, and two or three employees on a busy week (zero employees on a quiet one). It has been around since 2010.
It wasn’t hard to figure out what was making this happen: The Pinterest Chrome plugin, which is supposed to make it easy to “pin” images you find on the web, had exceeded its mandate and started to drop ads into other people’s web pages. This is not illegal! But it’s bad form and also confusing to users. We had no idea Pinterest was inserting ads for a competing product on our own pages. Plus it doesn’t look like an ad — more like a friendly reminder. We use red, they use red. People might think we were promoting Pinterest’s product over our own.
We weren’t outraged, just curious. Why, we asked ourselves, was Pinterest putting ads for its reading service on top of the pages of our reading service? We’re little. They’re huge. It made us paranoid. We tried and tried to make the ad appear on other websites, like that of the New York Times and the New Yorker, but no dice. Could they be targeting us specifically? Then we looked around online and found that other people had noticed the ad on other sites:
The three of us, Richard, Paul, and Philip, spent time downloading the Pinterest plugin source code and poking around. Philip’s by far the best programmer of the three, so before long he’d unpacked the situation and explained what was up—a nice Saturday activity.
In the source
The Pinterest Chrome plugin source code is not the best-documented, but we did our best to understand it. So far as we can tell, every time you visit any web page, Pinterest’s code looks at the page’s address, “hashes” it into a 12-letter code, and checks that code against a list of about 8,000 other codes.
Our guess is that this is an obscured list of the sites that don’t want you to pin their images — an “opt-out” list. And if a site isn’t on that list, Pinterest’s code will add “Pin it” buttons to all of the pictures that are 300 pixels wide or bigger on the current web page.
Reading the code, it seems like the ad “experience” is supposed to show up more often than it actually does—something like 30% of plugin users are supposed to see it once every two weeks. But Pinterest has a bug in their code: When they look at all the images on your page, they look for ones that match secure, “https” URLs and also, um, “htts” URLs. There is no such thing as “htts”; they meant “http” and made a mistake. As a result of that bug, their ad injection only works on sites that host images securely—and most sites don’t do this, so most sites can’t actually haz the experience. Readability, lucky us, can, because we are one of the few sites that host images over a secure connection.
When we made a copy of their plugin and ran it with the bug fixed, we were able to reliably see their ad on any website with large-enough images. So we learned that our company was not being targeted specifically, which was a relief. Rather, Pinterest expects to inject itself everywhere.
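The misplaced quantifier behind the “htts” behavior can be reproduced in a few lines. This is an added sketch, not code from Pinterest’s plugin or from the original post: both patterns, the sample URLs, and the function names are assumptions reconstructed from the description above, and it assumes the promo check uses the same 300-pixel floor as the pin buttons.

```javascript
// Added illustration. Both patterns are reconstructed from the article's
// description of the bug; neither is copied from Pinterest's cr_139.js.
const BUGGY_SCHEME = /^http?s:\/\//i; // "?" applies to "p": accepts https:// and htts://
const FIXED_SCHEME = /^https?:\/\//i; // "?" applies to "s": accepts http:// and https://

// Assumption: the promo check uses the 300px floor the article gives for pin buttons.
const MIN_WIDTH = 300;

// Constructed sample images (hypothetical hosts) standing in for a page's <img> elements.
const SAMPLE_IMAGES = [
  { src: "https://cdn.example.com/hero.jpg", width: 640 },
  { src: "http://static.example.org/photo.png", width: 800 },
  { src: "https://cdn.example.com/icon.png", width: 32 },
  { src: "htts://typo.example.net/banner.gif", width: 500 },
  { src: "data:image/png;base64,AAAA", width: 400 },
];

// Images that pass both the width floor and the scheme pattern.
function eligibleImages(images, schemePattern) {
  return images
    .filter((img) => img.width >= MIN_WIDTH && schemePattern.test(img.src))
    .map((img) => img.src);
}

// The observed behavior: the injection only fires when at least one image qualifies.
function promoCanShow(images, schemePattern) {
  return eligibleImages(images, schemePattern).length > 0;
}

// Regression check for a fix: the URLs on which the two patterns disagree.
function schemeDisagreements(images) {
  return images
    .map((img) => img.src)
    .filter((src) => BUGGY_SCHEME.test(src) !== FIXED_SCHEME.test(src));
}

// A page that serves every image over plain http, like most sites at the time.
const httpOnlyPage = SAMPLE_IMAGES.filter((img) => img.src.startsWith("http://"));
console.log("buggy pattern:", eligibleImages(SAMPLE_IMAGES, BUGGY_SCHEME));
console.log("fixed pattern:", eligibleImages(SAMPLE_IMAGES, FIXED_SCHEME));
console.log("http-only page, buggy:", promoCanShow(httpOnlyPage, BUGGY_SCHEME));
console.log("http-only page, fixed:", promoCanShow(httpOnlyPage, FIXED_SCHEME));
console.log("patterns disagree on:", schemeDisagreements(SAMPLE_IMAGES));
```

A disagreement list like the last one makes a useful regression test for any URL-scheme pattern: it should be empty once the pattern under review matches the intended one.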
It’s worth noting that if you installed the Pinterest plugin in Chrome, you consented to all this. Your own browser asked if it was okay for Pinterest to look at everything you browsed, and you said yes. You implicitly granted Pinterest permission to watch what you are browsing, report back whatever it wants to report, and to jam ads on top of any page you visit. That’s how web plugin permissions work.
Pinterest is hardly the worst offender—it’s not trying to grab your credit card number or anything. It’s just doing what you told it it could do.
And this is just one piece of code that we took some time to understand, based on a paranoid hunch that turned out to be wrong. (Well, not wrong, just not specific to Readability.) Browser plugins are like Rumpelstiltskin — they promise to spin the web into gold, then demand your firstborn child.
We thought a little bit about what to do next. The smart thing for us to do would be to shut up and shrug it off. (We have, uh, acquaintances in common.) Smart—but boring. Plus now we’d spent a lot of time figuring out how their code works. Then we thought: If Pinterest can insert ads into our pages without permission, well, we can counter-insert some text into their ads. It only took a few minutes to figure out how. Here was one we tested:
Other ideas from Postlight’s staff (legally actionable/obscene ideas removed) included:
— and finally—
Of course Pinterest could change their code to route around our blocker, but we doubt they will notice or care. At their scale, our lack of compliance with their forced ad injection will just show up in their logs as statistical noise.
We could probably figure out how to opt out, like those 8,000 secret-hash websites — but then our users wouldn’t be able to pin their pictures. And who are we to come between people and their pins?
Does any of this matter?
Pinterest is a global company with 500-plus employees. Readability is also a big service — it serves hundreds of millions of requests every month—but with a skeleton crew. We tried to make money for writers (and for ourselves!) once, but our attempt pissed everyone off really bad—so we paid every penny we made to as many writers as we could track down and gave the $100,000 remaining to literacy not-for-profits. Summary: We’ve only ever lost money on the product, and annoyed tons of people (although we did help encourage literacy and pioneered a whole category of Internet service).
So why do we keep it going? Folly, stubbornness, and massive global demand. Readability has, on its merits, become a core utility for millions of people on the web. We serve users who live under oppressive regimes where the Internet is heavily censored, and help disabled people gain access to articles on the web. And we secretly power a lot of reading apps and third-party software. So we focus on those things. Some companies are unicorns worth billions, and we are not. But it’s a privilege, and an education, to quietly shepherd this weird tool that is today part of the web’s hidden infrastructure.
Up until Friday, we’ve been in awe of Pinterest. They have built an enormous platform, shipped some amazing products, and stay focused on their users rather than on getting headlines. This injection style seems like a weird step for them to take to promote their new bookmarking service, but they have commercial pressures we can only imagine.
On the vanishingly small chance that someone from Pinterest’s leadership reads this, we suggest that Pinterest stop inserting vaguely-defined promotions on other people’s sites, “experiment” or not. If not that, Pinterest should at least make clear to their users where the ads are coming from. Just adding some text to the injected ad, such as, “You’re seeing this message because you installed the Pin It Button for Chrome,” would do the trick. Clarity is a sign of respect. Or do a colored stripe+notification across the top of the page, which is a better-known pattern for promotional ad injection.
And all that aside, please fix the regular expression on line 1031 in cr_139.js. If Pinterest is going to do the wrong thing, they should at least do it well.
Paul Ford & Rich Ziade
Postlight & Readability
P.S. If you manage a website, you can hide Pinterest’s ads with this code (while letting the “pin this” icons work as normal — we wouldn’t want to mess up your social media engagement strategy).