Disqus, the dark commenting system

Disqus is a free commenting system and a great example of "if you're not paying for it, you become the product". Unfortunately, in Disqus' case, your website visitors become the product too.

Today, I'm going to analyze what happens when you embed Disqus on your website.

Disqus makes 76 HTTP Requests per load

I signed up at Disqus and added the installation code to a blank page (So, I'm sure every HTTP request that the browser makes is from Disqus).

Disqus makes 76 HTTP requests and fetches 2MB of data! (even with 0 comments). And, it took 7 seconds to load.

Disqus HTTP Requests

Disqus Injects 11 Third-party Trackers To Your Website

Disqus was acquired by an advertising company called Zeta Global in 2017. Obviously, advertising companies do everything to increase their revenue (Ex: the Big G).

I analyzed the network requests log. Disqus makes HTTP requests to 11 different third-party domains through the browser. All of these websites are trackers/pixels (Even some were detected as malware by my security guard).

Here are the external domains:

viglink.com* - One of Disqus's major partners. Disqus use Viglink to personalize ads.
io.narrative.io - "The data streaming platform that makes it easy to buy, sell, and win."
live.rezync.com - a pixel website
idsync.rlcdn.com - another pixel (website returns 404)
netc.sfr.fr - another pixel (website returns 404)
p.rfihub.com - another pixel, malware reports on Google (website returns 404)
pixel.tapad.com - pixel, main site titled "WE PROVIDE THE WORLD’S LEADING DIGITAL CROSS-DEVICE GRAPH"
pippio.com - redirects to liveramp.com, titled "Build better data-driven customer experiences."
ei.rlcdn.com, idsync.rlcdn.com - website returns 404, GIF pixel used
tag.clrstm.com
ib.adnxs.com - Malware site, "Adnxs appeared as the eighth-biggest name in our Tracking the Trackers data."

If you are not familiar with Pixels/Trackers, take Facebook as an example. You can place a pixel on your website to share your website traffic data with Facebook. Facebook uses this data for better personalized targeting. According to GDPR, you cannot place the code without your users' consent in the EU region. But, Disqus places all of these pixels on your website (inside their iframe) without any consent.

*In 2014, Disqus inserted Viglink affiliate links to their client sites intrusively (Source)

Nothing Changes in the Disqus Paid Plans

When you provide a free product, money should come from somewhere. Disqus uses advertising for that. Now, I subscribed to a paid plan trial of Disqus to see if things change or not. No! Even in the paid plans, the same pixels are loaded on the client-side. Looks like there's no way to opt-out from tracking.

Disqus, the Data Machine

Even I title the article "the dark commenting system", I'm not sure if Disqus is a commenting system. Journalist Martin Gundersen once called Disqus a "data machine".

Uncovering the Disqus data machine: @disqus shared the personal data of tens of millions of users without them or the websites knowing about it. thread - 1/13 pic.twitter.com/bLW4Gl2Rhf
— Martin Gundersen (@martingund) December 18, 2019

As I stated earlier, Disqus is owned by data/ad company ("Data-driven marketing powered by AI"). This is a large company with more than $400 million in annual revenue. They own the "The Web's Largest First-Party Data Set". While Disqus allows third parties like Viglink to directly access your website, they also collect information by themselves and shares them with more third-parties. Twitter has also been one of their old customers. (see data.disqus.com)

How does Disqus sell your visitors' data with thirdparties without your consent?

Actually, you give them the consent when you agree to their privacy policy.

"Advertising is the predominant way Disqus makes money. Advertising revenue allows Disqus to support and improve the Service. Disqus uses, and also engages third party ad partners and affiliates who use cookie IDs, device IDs (including mobile), hashed email addresses, IP address, ISP and browser information, demographic or interest data, content viewed and actions taken on the Service or Partner Sites, including information about the websites you’ve viewed and advertisements you’ve interacted within order to provide you with more relevant advertising targeted to your preferences and interests derived from your interaction with the Service, Partner Sites or other third party websites."

"We partner with third parties that collect information across various channels, including offline and online, for purposes of delivering more relevant advertising to you or your business. Our partners use this information to recognize you across different channels and platforms, including but not limited to, computers, mobile devices, over time for advertising (including addressable TV), analytics, attribution, and reporting purposes." - Disqus Privacy Policy

Consider Privacy-First Alternatives

If you are currently using Disqus on your website and value your user's privacy, consider migrating from Disqus to a privacy-first commenting system. One such service is Hyvor Talk, which I founded as a hobby project and now has grown into a profitable SaaS business in less than one year (with 3 employees and growing). At the time of writing this article, we serve 30 million page views per month and provide our privacy-first service for 2000 customers. You can also import your old Disqus comments to Hyvor Talk.

I got so fed up with @disqus's obnoxious ads and disregard for privacy that I finally migrated the comments of my main blog (https://t.co/2gUgV3yVEM) to @HyvorTalk, a comment system that actual values your privacy. I highly recommend you to do the same!
— Bozhidar Batsov (Bug) (@bbatsov) December 7, 2020

Feel free to leave a comment below if you have any questions.

Tagged: Privacy

You can connect with me on Twitter or Linkedin.

Written On

Jan 30, 2021

Last Updated On

Jan 30, 2021