Even the Ad Industry Doesn't Know Who's Tracking You
jfruh writes "The Internet advertising industry is keen to stave off government privacy rules and opt-in-only browsers by loudly proclaiming its adherence to a self-imposed code of conduct. Yet a little digging shows that even "self-regulated" advertisers link to services that link to other services that nobody's really sure what they do. That's why, for instance, when you visit a page on the Sears website, your web browsing behavior is being collected by a company that sells ringtones and won't return emails asking about their privacy policy."
Oh, yeah (Score:5, Interesting)
for instance, when you visit a page on the Sears website, your web browsing behavior is being collected by a company that sells ringtones
The NoScript list of blocked domains on many (even legitimate) websites is scary indeed. One of my favorites is JavaScript from ru4.com required to be able to log in to your banking account on chase.com. Based on the name, it looks like a phishing website to me...
Re:Oh, yeah (Score:4, Interesting)
From their whois record, ru4.com claims to be X Plus One, an "enterprise" data-analytics company with a lot of finance-sector clients.
Yeah, and the fact that ru4.com does not seem to resolve or redirect (the WHOIS record points to http://www.aboutus.org/ru4.com [aboutus.org]) makes it sound very legitimate :)
So it seems reasonably plausible to me that Chase is contracting with them.
They can contract who they want, but the fact that a random analytics company has to execute JavaScript on my computer before I can even log in to my Chase account galls me a bit.
I don't get why large companies don't bring these things at least under their own subdomains, though.
Yes! And I have chase.com in the whitelist already -- such a move would solve everyone's problem.
Re:Oh, yeah (Score:4, Interesting)
Chase is a significant offender in this regard, as they change contractors semi-regularly. I often get alerts about new domains wanting access to Chase assets.
But moving under chase.com wouldn't solve everyone's problem; I would no longer know that my data is being leaked, and Chase would suddenly be more accountable for their contractor's actions (as well as having to administer the DNS instead of letting their contractors administer their site).
Really, that's what subdomains are for though; everyone SHOULD be doing this. Of course, the ones you don't know about probably already are.
Use Firefox? Get Self Destructing Cookies add-on (Score:5, Interesting)
It lets the sites set their cookies, waits a few seconds (or until tab is closed), then nukes 'em. There's a whitelist for sites you actually use.
https://addons.mozilla.org/En-us/firefox/addon/self-destructing-cookies/ [mozilla.org]
I like this solution because you don't have to wait for Ghostery to add support for an advertiser, or an updated filter definition for adblock. EVERYTHING gets nuked, except the sites you care enough about to whitelist. It's a better default cookie policy.
Graph of web site third party dependencies (Score:5, Interesting)
I built a script to generate a graph of third-party resources a web page loads [dieweltistgarnichtso.net], which often represent advertising and tracking (sample output for Spiegel Online, a German newspaper [dieweltistgarnichtso.net]).
I also wrote a blog post about how advertising and tracking make sites slow (in German) [dieweltistgarnichtso.net] that contains even more graphs from when I ran the script in January 2013.
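A minimal sketch of the kind of audit described in the post above, as an added example that is not the poster's script: it parses one page's static HTML, groups fetched resources by third-party site, and emits a Graphviz DOT graph with script-carrying edges marked. The hostnames are constructed placeholders, `site()` is a naive last-two-labels approximation, and resources injected at runtime by scripts are not seen.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
FETCH_TAGS = {"script", "img", "iframe"}  # tags whose src the browser fetches

def site(host):
    # Assumption: registrable domain = last two labels. Real audits need the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class ResourceCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []  # (tag, absolute URL) pairs

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in FETCH_TAGS and src:
            self.resources.append((tag, urljoin(self.page_url, src)))

def third_party_graph(page_url, html):
    """Map each third-party site to the set of tags that load from it."""
    first_party = site(urlsplit(page_url).hostname)
    collector = ResourceCollector(page_url)
    collector.feed(html)
    graph = {}
    for tag, url in collector.resources:
        host = urlsplit(url).hostname
        if host and site(host) != first_party:
            graph.setdefault(site(host), set()).add(tag)
    return graph

def to_dot(page_url, graph):
    """Render the graph as Graphviz DOT; edges that carry scripts are red."""
    root = site(urlsplit(page_url).hostname)
    lines = ["digraph deps {"]
    for dep, tags in sorted(graph.items()):
        color = "red" if "script" in tags else "gray"
        label = ",".join(sorted(tags))
        lines.append(f'  "{root}" -> "{dep}" [label="{label}", color={color}];')
    return "\n".join(lines + ["}"])

# Constructed sample page; every hostname is a placeholder.
SAMPLE_URL = "https://www.bank.example/login"
SAMPLE_HTML = """<script src="https://metrics.bank.example/m.js"></script>
<script src="//tags.analytics.example/t.js"></script>
<iframe src="https://tags.analytics.example/frame.html"></iframe>
<img src="https://px.tracker.example/p.gif">"""
if __name__ == "__main__":
    print(to_dot(SAMPLE_URL, third_party_graph(SAMPLE_URL, SAMPLE_HTML)))
```

In the sample, the script served from `metrics.bank.example` does not appear in the graph, which is the visibility loss raised earlier in the thread when a contractor is moved under a first-party subdomain.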