About the recent scripting rule

Although the recent discussion about scripting has been closed for discussion, the post leaves room for a couple of questions.

One thing that users are concerned about is what counts as using scripts to cheat. The post singles out the use of scripts to automatically run (/complete?) sessions. Other scripts seem to be allowed, but the option is left open for other things to be banned as well.

That is due to another question that is raised by the discussion. Why is this use of scripts is not allowed? It is possible to deduce that these scripts might interfere with Duolingo's tools for measuring user performance. However, that could mean that other scripts will also become illegal. For example, when the XP-bar was removed, some users found ways of countering that change. As this could potentially affect results for A/B-tests, would scripts like these be deemed illegal?

Maybe in the future Duolingo will be able to develop ways to detect scripting and to adjust their test pool based on that. But for now, it is still somewhat unclear what is and isn't allowed and why certain things aren't allowed.

Finally a comment about the last line in the post. It says "Thank you for helping to keep Duolingo a safe and welcoming community.". This line seems out of place. If there is a good motivation why certain forms of scripting are not allowed, then there is no reason for people not to comply.

Yet, it is hard to imagine that these scripts have anything to do with keeping the community safe and friendly. If there is a reason for not stating the motivation behind the new ruling, then that's somewhat understandable. Just be careful with the things you do say. Unless you can prove these scripts will affect the forums, there is no need to make comments about the community. All it does right now is give the impression you are trying to sell these changes by appealing to users' goodwill to support each other. That might not be your intention, but it is something to be aware of to make sure users' trust is not misused.

February 13, 2016


I'm just a user, but I know it's normal that automatic usage of websites like this is forbidden. For example, Google also forbids automatic search queries. The reason is that this type of automatic usage is not intended by the supplier of a web service. It takes away system resources like bandwidth and computing power from other users, while not fulfilling the goal of the website, i.e. helping an individual person learn a language. Other user scripts, which are only an addition to the duolingo user interface, don't fall into this category and are therefore tolerated (the post is pretty clear that only this special case of full automation is concerned).

February 13, 2016

I don't understand what this quote (from the locked discussion) means

scripting to automatically run sessions/lessons

and therefore, I have to disagree with this

the post is pretty clear that only this special case of full automation is concerned

I'm not at all doubting your interpretation of the post, I'm just explaining that it is not at all clear to all users. Many of us don't know how these scripts (that some of us use and others don't) work and how to decide which ones are OK and which aren't. And even a knowledgeable explanation from a fellow user does not replace clear communication from staff. (I already asked on the staff member's stream whether this could be explained better in the post itself, just as Lenkvist is doing here.)

February 13, 2016

Yes, people posting on the staff member's stream for clarification was my reason to start this discussion. It is possible other users have ideas about what the answers might be, but there was no place to discuss that.

February 13, 2016

This is quite simply the end result of users abusing certain bugs in the software, along with certain limitations of web sites.

Yet, it is hard to imagine that these scripts have anything to do with keeping the community safe and friendly.

Perhaps if one doesn't understand the nature of scripts, and how they can be used to harm. One simple example are those posts that exploited styling to add colors or tables. Several users including myself indicated that was a clear security risk.

For scripts running a full automated sessions there are many security issues:

  • One can create several bots, to overwhelm Duolingo / amazon servers and bring down the servers.
  • One can create tools with exploits that claim to simply complete the whole tree for a person, while keeping track of their private information (trojans).
  • Adding code with scripts that complete sessions and add spam to each discussion is possible, e.g. when android discussion was launched it had to quickly be removed due to extreme amount of spam.

Just be careful with the things you do say. Unless you can prove these scripts will affect the forums, there is no need to make comments about the community.

They have already affected forums, with all those nonsense posts full of nonsensical colors, and styling that appeared outside of the post. It wasn't too hard to use similar code to hide the whole thread. Scripts can make that worse if a motivated cracker really wants to do so.

February 13, 2016

I've noticed over the last month or two that there are a lot times when Duo runs very slowly- actually always slow to load (compared with other sites I've opened, and with Duo as was before). But what is most frustrating is getting near to the end of a lesson and have Duo hang up with no way to complete the lesson. Very frustrating. It certainly seemed that the servers were overwhelmed. I just thought "too much traffic" (due to the popularity of Duo), but now I know there are other possibilities. At one point it was so bad I was almost ready to abandon Duo.

February 13, 2016

By the way, the scripts is one thing, but there are severe bugs in Duo allowing, for example, to ultimately block any post (the post then return 404, i.e. I could block this whole thread if I were of vicious kind) or to get thousand lingots in several clicks without using any scripts or meddling with the code. Developers were informed about the bugs quite a long time ago, but there were no any reaction except for automatic response with the ticket ids. The exploits are still there. I'm curious, if such things are considered of low importance or they actually do not read these reports.

February 14, 2016

Another example, there is a minor exploit allowing to keep your post always on top (resembling the posts pinned by moderators). Moderators remove messages explaining this bug from forums, hence my thought that it is actually a bug, not feature. :)

February 14, 2016

Thank you for your answer Dessamator. Your explanation about the security risks of scripts offers strong arguments that it can indeed affect larger groups of users.

It is also interesting you list some non-automated ways of scripting as potential dangers as it opens the possibility for other forms of scripting to become illegal.

February 13, 2016

[deactivated user]

    I agree mostly with what you are saying, however there are some scripts that moderators themselves use and actually recommend usage of, like the X-P bar. Some scripts have been made innocently, just for the usage of Duo users to make their time of using the site more fun and enjoyable. I personally do not use any scripts... because I couldn't get them to work on my laptop. If I could use any, I would try the dark side of Duolingo (made by BLAZERUNNER), which makes the color contrast larger, and more interesting to see. I would also bring back the xp bar.

    However, I think that scripts that allow you to level up faster, or to skip lessons, should not be permitted. Those could interfere with the codes that Duo uses to run the site, potentially causing the site to crash.

    February 13, 2016

    Don't some browsers have features of their own which can change how they display web pages (such as changing the color contrast, showing or not showing images, which fonts to use, etc.) which have no effect on the sites themselves and other users of the site? :)

    February 13, 2016

    [sarcasm on]
    It was necessary to write so: "Do not send queries to the server one after another! Add pauses in scripts of your bots!"
    [sarcasm off]

    February 13, 2016

    Why would someone want to write scripts to auto complete the courses? What benefit could this possibly serve? I assume a script us like a mini programme that is hacked into the DL system?

    February 14, 2016

    Scripts are just pieces of code. They usually aren't "hacked into the system" but are more like an add-on that's run on the client side but might interact with the server. If it were to be executed on the server, every user would experience the effects of the script.

    In the case of Duolingo, they mostly just take the data that is provided by them system and present it in a different way. A very mild form would be that they only change the background of the site (e.g. to the flag of your learning language instead of light grey) or modify the font. Or make changing the base language easier by adding ALL your learning languages to the drop-down menu! A more drastic form would be to add games or modify the reverse trees to include TTS for the "base language". Still - those scripts are beneficial! They don't cheat but try to make using the site more enjoyable.

    But of course there are also scripts that aren't so beneficial. Why? Probably mostly because of curiosity. Does it work? How does it work? Why? To which extent? And can I get away with it? To many programmers, finding security gaps is like a puzzle. They aren't malevolent people (most at least) but often recklessly curious. I know MANY people that just have a habit of trying to find security gaps in any software they use

    And since there are also students using Duolingo in class, it would be possible that some of them cheat for the same reason they cheat on their regular homework. Laziness and a lack of interest but pressure to get it done.

    February 15, 2016

    Thank you so much for taking the time to explain that to me! Thanks to you I have a much better understanding of this :) Here's a lingot for you, spend it wisely ;)

    February 15, 2016

    Huh, this conversation was a year ago and yet on the forums the other day there was a guy with a forest of 25s to his name, including japanese and korean, with a pretty poor looking streak to go with it. Curious i looked at his profile, it showed 110000 plus points in Japanese alone. At say two and a bit minutes a lesson that's 14 full time working weeks just on Japanese . Added to the 75000 he had in most of his other languages I thought - Yeah right. I just don't get the point but I am sure it is going on still.

    November 14, 2017

    Hey Lenky! Thank you so much for making a post to respond to and clarify this recent locked and stickied post made by KaiLoh. I too have been wondering what the big issue is with cheating, and I agree that the last line in Kai's post did seem out of place. But after reading Portofan's post above, I understand much better why staff has chosen to get involved here.

    I still don't think it is much of a problem if only a couple people are running these automated lesson scripts, but if this catches on and becomes a trend then I see how it could slow down the website. Might as well nip the problem in the bud before it gets out of hand.

    As for using smaller user scripts to enhance site functionality, I don't think I could live without the Duolingo Course Changer one. Most of the others are more for aesthetics, but that one has just made my life so much easier over time.

    February 13, 2016

    At the risk of speaking in absolutes: while it is certainly possible that someone could write a Greasemonkey script which abused Duolingo's backend in the way they are worried about, i don't think people who use existing Greasemonkey scripts like Duolingo Course Switcher or Duolingo Course Progress need to be very worried.

    Here's why: what Duolingo is worried about is people who use scripts to access their API/backend and either (1) make changes to the site's state much faster than a human using a web browser could, or (2) make changes to the site's state using undocumented/unsupported features that a human using a web browser would never see.

    By contrast, what the popular Greasemonkey scripts do is take information which the API/backend is already giving you (e.g. details about which skills you've completed), and display them a different way in your web browser. From the point of view of getting Duolingo's backend into a bad state, this is entirely harmless, because these scripts don't call APIs which should make any backend changes. (And from the point of view of calling the site too fast, by and large these scripts use information you already have and don't have to call the site at all, but, regardless, if a script runs once per time you load a DL page in your browser, it's still running at the same speed as a human using a browser, which should not be a problem.)

    February 14, 2016

    Aha! That is an important difference. Thank you for clearing that up!

    February 14, 2016
    Learn a language in just 5 minutes a day. For free.