Advertising Network Caught History Stealing 143
jonathanmayer writes "Last week the Stanford Security Lab reported some surprising results on how advertising networks respond to opt outs and Do Not Track. This week we made a new discovery in the online advertising ecosystem: Epic Marketplace, a member of the self-regulatory Network Advertising Initiative, is history stealing with unprecedented scale and sophistication. And Epic is snooping some remarkably sensitive information, including pages from the FTC, IRS, NIH, Mayo Clinic, and more. Epic has written a response defending its practices."
...Actually Complying? Maybe, but Probably Not. (Score:4, Interesting)
Alright, I read the article on this one, and, there's a divergence of evidence here. Mainly..
"We applied the methodology from last week's study to examine Epic Marketplace's opt-out practices. (Epic Marketplace was one of the eleven NAI members not included in that study.) We found that Epic Marketplace leaves its tracking cookies in place after both opting out with the NAI mechanism and enabling Do Not Track. We also found that history stealing continues after using either choice mechanism." - This one's from the study.
"Furthermore, when the user opts out, all data collection efforts cease. The student erroneously concludes that users are unable to avoid participating in segment verification because the opt-out mechanism does not delete the cookie that exists on the user’s computer. Like many other networks have pointed out already in their responses, this is misleading and inaccurate. When a user opts-out, all further collection of behavioral data from that user stops and existing profile data is deleted, even though the cookie itself is not deleted. The reason for this is simple: these cookies provide important operational information necessary for the delivery of any ad, not just targeted ads. For example, Epic Marketplace needs this data to determine how many times a particular ad has been shown to a user, and to analyze whether fraudulent activity is taking place. Ironically, in order to give effect to a consumer’s decision to avoid data collection, the cookie has to remain, otherwise advertisers have no way of knowing that that particular consumer has elected to opt-out of that advertiser’s data collection practices." - and here's Epic's counter.
These two statements seem strictly at-odds to me; the study states that the History Stealing continues to run, not just that a cookie remains as Epic sems to be saying. Epic claims the data collection stops - straight conflict here. Someone either screwed up their study, or Epic is lying, or Epic is unaware that their 'stop stealing' code doesn't actually work. It looks like they're not gathering personally identifiable or geographical location, and so are in the clear there - but now you've got a pure 'He said, she said' in terms of continuing collection after opt-out. Anyone interested in trying to duplicate this study and add some more evidence to if it continues or not?
Re:Adsense (Score:4, Interesting)
What?
Google does not have a monopoly. Facebook which is a monster does not use Google ads. Google does not have a monopoly on search. Bing and Yahoo which now uses Bing both serve ads and provide search so we can toss out your monopoly idea right there. Google plus has fewer users than Facebook, Twitter, MySpace and until recently Slashdot, so that isn't a monopoly in social networks.
So now that we know that the facts you are stating is false we can just toss the rest of the comment out.
They don't have to cheat to compete. Microsoft, Facebook, and Apple all have ad networks now. Apple is making a big push in the mobile ad space I would hope they are not history harvesting.
Re:Computer fraud? (Score:4, Interesting)
No. The end user requested information from the web site they were visiting. That a third party is running software on their computer is not an implied or expressed condition of that request.
While it's common for sites to display ads from ad networks, and the simply displaying of an ad could be considered an implied contract of using most web sites, displaying an ad and running software (even javascript) is not an implied contract. In this case, the software goes out of it's way to ensure that it runs without any indication to the user, thus the user is completely unaware that there is even anything to which he should have be asked to consent.
Re:Adsense (Score:4, Interesting)
Some people use quotation marks for paraphrased quotes.
Right. And some people don't know what they're talking about and like to put words in other people's mouths. If you're going to quote someone, quote them.
What was actually said in the oft-misquoted Schmidt interview:
Note that isn't a paraphrase. That's a real, gen-u-ine quote. I don't agree with him that the desire to maintain privacy is any way linked to whether I should or should not be doing something. But what I find even more interesting is that in the same breath, we're being warned about the Patriot Act. We're being told without actually being told (because that would be illegal) that Google is being served with Patriot Act requests. Nobody ever seems to key on that though.
Back on topic - nowhere does Schmidt say that privacy isn't important. I understand and share the concern over how much data and meta-data Google has access to. I'm even more concerned over the possibility of Google changing hands or Government access to data (i.e. Patriot Act). But let's limit criticism and concerns to real issues. The real issues are enough without making crap up.
Unless, of course, making crap up is part of a larger agenda.