More Web Site User Data Gathering Revealed
Emmett Interviews Interhack
Slashdot: For those uninitiated, what's Interhack all about?
Basically, we're a firm of hackers interested in pushing technology forward through research, making computing apply to people by developing custom products and consulting for folks who want to put the technology to use, and helping people understand exactly what the ramifications of these systems are. That's a pretty broad way of saying that we're all about the Internet and making it work.
Slashdot: When did you start researching this story, and how long did it take to put the pieces together?
Sometime in May, someone sent us a tip about Coremetrics and what it's doing. We took a quick look over their web site to see their advertised services and then started to look at how the service is actually implemented on various client sites. We examined several sites, most of which very clearly stated in their privacy policies that they're using Coremetrics for site monitoring and provided links necessary for people who don't like it to opt out of the system. Most of the sites with clear, full disclosure policies weren't even sending Coremetrics personally-identifiable information like names and addresses.
The more interesting part of our find was in the sites that did send personal information to Coremetrics, particularly those that carried the TRUSTe privacy seal. Over the course of about three weeks, we performed an investigation of these sites, gathering as much information as possible from them. We reverse-engineered the system by reading the sites' code, reading through the obfuscation, and comparing logs of our network's activity with the activity that would be perceived by an end user.
What we found was a clear difference in user expectations and what was actually happening, as well as a clear difference between what Coremetrics says it offers and what its eLuminate service makes technically feasible. After writing drafts of our report and press release, we decided to take a wait-and-see approach to the release. Specifically, we wanted to ensure that sites that just started to use the Coremetrics service had adequate time to update their policies and to have an accurate idea of what was happening with the system after having been in production.
After waiting and watching for more than a month, we decided to release our findings. So, on Monday morning, we sent a pre-release copy of our report to Richard Smith and some folks at Zero Knowledge Systems. In addition, we contacted each of the firms named in our report and Coremetrics so that if the failure to disclose or the ability to profile people across web sites was unintentional, there would be time for some investigation and a decision about how to fix the problem. After the end of business Monday, we released our report.
Slashdot: What needs to change? In a perfect world, how do we deal with this?
This is a very interesting question. In my perfect world, detailed levels of profiling would not take place at all. There would be no such thing as persistent cookies. In general, I'm just not comfortable with the level of privacy that the industry as a whole has given up for the sake of a little convenience.
How big of a deal, really, is it to have to enter your password when you login to a web site? Don't forget that the reason why we have passwords in the first place is so that you'll have to do something at the beginning of the session to prove who you are.
Web browsers also need to be more intelligent. That is, they need to be able to identify things like dependencies on third parties so the user can know whether those images should be fetched or ignored. Right now, browsers -- for the most part at least -- just aren't very defensive. The model of parsing everything you're given worked fine in the Old Days for which some of us long so much but the fact of the matter is that you really can't blindly trust anyone on the Internet.
I'm not suggesting becoming a luddite. I'm suggesting that folks take a sort of "trust, but verify" approach a la Ronald Reagan. Right now, there's a lot of trust and almost no way to verify.
Slashdot: This all comes down to trust. How many policies are just there so people will shut up about personal information so they'll start buying stuff online?
I couldn't say. Policies are almost always written by lawyers. That probably speaks to the covering-one's-posterior-position value of privacy policies.
Slashdot: Since we can't trust written policies, what should people be doing before they start conducting business with these websites?
Verify everything. As I said earlier, though, we're severely lacking in tools that are accessible to most people that can help in that regard. I think Zero Knowledge Systems' Freedom network is a huge step in the right direction. Tools like Muffin (muffin.doit.org) also help, but it would be cooler for that kind of functionality to live right in the browser itself. There are opportunities for eager hackers on this front.
It's also important to stress that tools alone won't do it -- there is no silver bullet. People are going to have to have some understanding of what's happening in order to use these tools effectively.
Finally, where you see discrepancies, point them out. Most of the time, they're oversights. Look at how Lucy.com and Fusion.com dealt with this problem: they updated their sites. So although the problem shouldn't have happened in the first place, they did the right thing. Contrast that with Toys "R" Us, which issued a statement saying that what they're doing isn't a violation. And their privacy policy still doesn't say a word about Coremetrics. They still haven't said anything to address the issue of having information collected on children.
Companies that don't fix their problems don't take your privacy seriously, no matter how much lip service they pay. So don't go to their sites. Don't buy their stuff. Tell them why you're not buying their stuff. Tell their competitors why you shop where you do, lest the new places you shop get the bright idea to try to hide something.
Jamie Talks to Coremetrics
Here's the service Coremetrics provides to corporate websites:
Many companies demand accurate knowledge of how their sites are being used: what sections are popular, what paths visitors take through the site, where people click over from, and so on. It's like web log analysis but more specialized for large shopping sites.
Since these demands are very much the same, and the code to do the analysis is similar, outsourcing happens. From a CEO's viewpoint, Coremetrics fiddles with the website to do better-quality tracking than the company could do on its own, and then makes the resulting statistics available over SSL.
But from your viewpoint and mine, that "fiddling" results in cookie-carrying web bugs all over the sites we visit -- web bugs which usually send back to the Coremetrics servers a unique visitor tag, like any other cookie, but one that sometimes includes your name, email address or other personally identifying information.
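The mechanism described above can be checked from the user's side, in the spirit of Interhack's remark that browsers should identify dependencies on third parties. The following is an added example, not code from Slashdot, Interhack or Coremetrics; the hostnames, parameter names and sample page are constructed, and comparing only the last two labels of a hostname is a simplifying assumption.

```python
"""Audit a page for third-party fetches ("web bugs") that carry personal data."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urljoin, urlsplit

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")


def site_of(host):
    """Crude site identity: the last two labels of the hostname (assumption)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class ResourceCollector(HTMLParser):
    """Collect the URLs a browser fetches automatically while rendering."""

    AUTO_FETCHED = {"img": "src", "script": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.resources = []  # (tag, url, is_tiny_image)

    def handle_starttag(self, tag, attrs):
        attr = self.AUTO_FETCHED.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        if a.get(attr):
            tiny = (tag == "img" and a.get("width") in ("0", "1")
                    and a.get("height") in ("0", "1"))
            self.resources.append((tag, a[attr], tiny))


def audit(page_url, html, known_values=()):
    """Return one finding per third-party fetch.

    known_values are strings the user typed into the site (name, address);
    any query parameter containing one of them, or anything shaped like an
    e-mail address, is reported as leaked to the third party.
    """
    page_site = site_of(urlsplit(page_url).hostname)
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, raw_url, tiny in collector.resources:
        url = urlsplit(urljoin(page_url, raw_url))  # resolve relative URLs
        if not url.hostname or site_of(url.hostname) == page_site:
            continue  # first-party resource, e.g. a layout spacer
        leaked = {}
        for name, value in parse_qsl(url.query):  # percent-decoding included
            typed = any(k.lower() in value.lower() for k in known_values)
            if typed or EMAIL_RE.search(value):
                leaked[name] = value
        findings.append({"host": url.hostname, "tag": tag,
                         "web_bug": tiny, "leaked": leaked})
    return findings


# Constructed sample page: a first-party logo and spacer, a third-party
# banner, and a third-party 1x1 image whose query string carries user data.
SAMPLE_PAGE_URL = "http://www.shop.example/checkout"
SAMPLE_HTML = """
<html><body>
<img src="/images/logo.gif" width="120" height="40">
<img src="spacer.gif" width="1" height="1">
<img src="http://ads.banner.example/b.gif?slot=top" width="468" height="60">
<img src="http://data.tracker.example/t.gif?vid=9f3c2a&amp;pg=checkout&amp;em=jane.doe%40mail.example&amp;nm=Jane+Doe" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_PAGE_URL, SAMPLE_HTML, known_values=("Jane Doe",)):
        print(f)
```

A tracker served from a hostname under the visited site's own domain passes the host comparison here, so a clean result is not proof that no third party receives the data.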
Coremetrics promises that this information remains private. When DoubleClick collects data from <img> cookies across multiple websites, they do so with the stated intention of tracking you personally; this is part of their business plan.
According to Coremetrics, they do things very differently. Data is not cross-correlated between their client websites, they say, because their contracts with their clients prohibit this. In fact, their contract forbids them from doing much of anything with that data except statistical analysis.
I gave the Coremetrics PR person I talked to a chance to explain, using the example of their client Toys 'R' Us:
"Coremetrics is merely an agent that collects this data on behalf of an individual customer, for that individual's sole use only. We do not collect data, as was inferred very incorrectly by Interhack, across multiple unrelated websites, with any intention of selling it to third parties -- or even distribution to third parties. That's because we, as the agent, do not own that data, nor do we have any rights to that data. Toys 'R' Us, and Toys 'R' Us only, is the sole owner of that data. So legally, we cannot do any of the possibilities that Interhack had alluded to in their report."
But here's the interesting thing.
If I'm browsing my favorite website, Coremetrics is clearly a third party. They have a special contractual relationship to keep my data private, which we shouldn't ignore. But nevertheless -- a third party.
So why do some of their clients' privacy policies not mention this?
Toys 'R' Us is a good example. As Interhack made clear, they do send personal data to Coremetrics' servers. But their privacy policy reads, "We do not share any personally identifying data about our guests with anyone outside of Toysrus.com, its parent, affiliates, subsidiaries, operating companies and other related entities."
So is Coremetrics one of their affiliates or a related entity? I wouldn't think so, but I'm not a lawyer. One interesting thing is hidden in that privacy policy's HTML; after the closing </html> tag is the hidden message: "<!--CoreMetrics Information if enabled-->." Hmmmmmm.
Coremetrics lists twenty clients; I tried to contact seventeen of them for comment, with marginal success by press time. Three reported that they had not yet activated Coremetrics or had decided not to use the service at all. One (guru.com) reported not sending any personal information -- presumably, only tracking visitors with a non-identifying unique ID.
Two sites (lucy.com and fusion.com) began mentioning Coremetrics in their privacy policies on August 1, the day after the Interhack report. One site (thewest.com) did not even have a privacy policy until yesterday; they'd been working on it, and my email may have made it a priority because it was on their site three hours later.
According to Coremetrics, they encourage all their clients to disclose the use of their service in their privacy policy, and include a link for users to opt out. But some sites reported as using or planning to use Coremetrics' services have privacy policies that could use some clarification.
Altrec.com informs me that "...in the near future ... we plan to add to our privacy statement our use of Coremetrics and the fact that Coremetrics neither owns, distributes, nor has rights to the data it sorts on Altrec.com's behalf." However, their current privacy policy states very simply: "Altrec.com will never sell or give your e-mail address (or any other information about you) to anyone else without your permission. Period."
(Last-minute update -- just before press time, Altrec.com clarified that they are "sending unique ID (unique to Altrec.com) and city, state and zip. No other personally identifiable information is being sent to Coremetrics.")
Bravanta.com bounced me between different people until I got to leave voicemail that wasn't returned by press time. Their policy says they "do not and will not sell, trade or rent the personal information of our customers or gift recipients to any third parties."
(Update two hours later: Bravanta reports that they also have decided not to use Coremetrics' service, and are not currently using it.)
Mall.com didn't get back to me either, and their policy reads "We will NEVER release your name and personal information to a third party..."
Getplugged.com has a rather confusing privacy statement that begins, "Any personally identifiable information GetPlugged.com collects will be used solely for the purposes stated within this Privacy Statement" and wanders around from there. I'm not sure what to make of it, frankly.
All these policies may indeed be correct, if the sites are stingy with personal data. Like guru.com (and altrec.com), they may be using the Coremetrics service only with non-personal IDs. But, as with Toys 'R' Us, that may also not be the case.
(fusion.com, getplugged.com, and altrec.com also happen to be TRUSTe licensees, but TRUSTe wasn't able to comment by press time. In the AP wire story on Monday, they had harsh words but were speaking hypothetically; no comment since then.)
It's hard enough to read privacy policies already. Most of them are designed to protect companies legally, and mostly manage to confuse users. The distinction between Coremetrics as a third party, an affiliate, or an agent is a little too fine for the average consumer, and needs to be spelled out in each policy, as Coremetrics itself recommends.
But is all this a tempest in a teapot? If a signed contract forbids a company from misusing data, is that all we need to know?
I don't think so. In the first place, at the very least, companies like Toys 'R' Us need to disclose such things in their privacy policies. That's just common sense.
In fact, according to Coremetrics privacy advisor Dave Farber, they plan contractually to require such disclosure with future clients. (The company could not confirm or deny this at this time.)
More importantly, we as consumers are being asked to trust a third party whose reputation we know nothing about. In fact, 99% of us will never even have heard of them and might not understand what they do. We're told that a contract protects us, but we're still being asked to trust something we can't see. And when evidence of policy violations is turned up by a group of hackers, that erodes our trust.
After speaking at length with Coremetrics' PR, I get a general feeling of trust from them. (Of course that's a large part of their PR staff's job, earning reporters' trust.) More importantly, Dave Farber is well-respected, and his confidence carries weight -- with me at least.
Still, as Interhack says, our motto should be "trust but verify." That's why I proposed, to Coremetrics, that they publicly post, on their website, the paragraphs from their clients' contracts which assure that our private data remains private. If the actual legal words that protect our data are up there for us to see, we don't have to trust anyone.
When I mentioned this to Coremetrics' PR person, he promised to consider it; Dave Farber thought it was "a very good idea." It's unusual for corporations to make contracts public, even in part, but in this case it would do a great deal to put everyone's fears to rest.
no more privacy (Score:1)
Re:no more privacy (Score:1)
Setup empty zones for the webmarketing companies.
We haven't been seeing doubleclick data for about six months or so.
Re:Web Bugs (Score:1)
Re:no more privacy (Score:1)
Re:no more privacy (Score:1)
Re:no more privacy (Score:1)
My Web site uses themes; you can choose how the pages will be displayed. Most of the themes are based on (read: blatantly stolen from) various operating systems, so the text shows up as if it were in a window, and that window can look like a Win95 window, a Mac OS window, an X window, etc. Each page is dynamically generated from a Perl script that takes two arguments in the query string (the end of the URL): "page" and "theme". Obviously, "page" indicates the name of the page to be viewed (except on the main home page, which is handled separately), and "theme" indicates what theme you want to view it in. If "theme" is omitted, it chooses a default theme for you.
The problem with this is that the URL looks somewhat ugly, and if you link to a particular page from somewhere, you'd be linking to the page with a particular theme. I want the theme to be chosen for you automatically the first time you get to the site, since certain themes are not appropriate for certain browsers. That's why I want to use cookies instead - make it a local preference in the browser, and make it persist between sessions (in case you're demented enough to actually go back to my home page someday).
--
Re:no more privacy (Score:1)
You're aware, of course, that this breaks a lot of Web sites? Sure, Slashdot still works, although you lose any hope of customization, but most e-commerce sites break. I'm working on figuring out how to use cookies on my home page, just because they're so darned neat, and one of the hardest things to do is gonna be figuring out how to make the site still work if cookies are off. A lot of companies don't bother, and simply require cookies.
--
Re:Web Bugs (Score:1)
If browsers weren't so buggy and annoying, we (Web designers) wouldn't need to work around them by using single-pixel GIFs for spacing and such. It is possible to create an attractive design that doesn't get in the way of the content, and easily run into a situation where you need a 1x1 spacer (or something even more annoying) to make it work in HTML.
--
Re:How many? (Score:1)
I'm thinking the Better Business Bureau might not be a bad place to start.
--
Re:Web Bugs (Score:1)
The only problem with this is, if it becomes widespread, places like Doubleclick will quickly get domains like "dc.amazon.com" (or whatever) that all point to the same server.
--
Re:Web Bugs (Score:1)
I don't think there's a good way around it, and I'm willing to put up with the odd site like Yahoo where I can't load the images.
--
Re:Spot the webbug (Score:1)
Because the image is sent down by a CGI script (presumably perl), which would be less efficient the bigger the image got (relative to the webserver sucking it off the drive).
--
Re:Web bugs on Slashdot? (Score:1)
Actually, cache may be the reason they do it. If a cache caches the main page, there's no way for
THE ABOVE IS A TROLL (Score:1)
Re:What about normal page counters (Score:1)
Second of all, eviladagency.com can't get a cookie for amazon.
Thirdly, why would EVILADAGENCY.com release said information to the president? If they do, this is an entirely different problem.
I'm all for paranoia about the government, but if we don't look so paranoid about everything, people will take us more seriously about the things that really matter.
-nosilA
What about normal page counters (Score:1)
Sure, Digits might be gathering more stats about you than I know, but what are they going to do with it? We're not talking about the FBI who is going to track you. We're not talking about someone who has access to your credit card information or home address - it's just your IP address, and browser info. So they link it between multiple sites. They know you look at my web page and the Sarah Michelle Gellar fan page (their #7 most active site) or the Irritable Bowel Syndrome Help Group (#1 site). IT DOESN'T MATTER!
The point is there are lots of things for us to be paranoid about, but whether someone is tracking your usage habits to send you more directed spam is pretty irrelevant in the scheme of things. Besides, use a proxy server hosted by someone you know/trust. Then they get less info on your page. problem solved.
-Alison
Re:What about normal page counters (Score:1)
nosilA
Re:Web Bugs (Score:1)
Apart from that, if anyone were to implement a 1x1 filterer, that obviously shouldn't affect layout, so it would still space things as before (to not break any web sites) but simply not load the images. Would only make your web server faster because of fewer requests.
Re:Web Bugs (Score:1)
Re: or...give them MORE. (Score:1)
Re:Protect Yourself (Score:1)
Re:DNS Entries (Score:1)
Or maybe I'm just not paranoid enough anymore.
Re:DNS Entries (Score:1)
This is actually the way user tracking SHOULD work, internally, for internal use. Not with crap bounced halfway around the net to some company who may/may not sell it to someone.
xrayspx
Re:Emmett and Interhack (Score:1)
Hm, well let's see here. People get criticized all the time, especially
I work with Clyde on Time City. ...Matter of fact, I don't even know if Clyde is involved with Interhack. /., it's good for laughs, and links.
I'm sure his interhack email address that goes to the time city mailing list *never* meant anything to you. Oops, caught again.
Emmett, it's really sad that I'm a damned programmer and I know more about journalistic integrity than yourself.
As for
nerdfarm.org [nerdfarm.org]
Re:Emmett and Interhack (Score:1)
I questioned Emmett's ability to competently research and provide journalism unbiased to the public. You, nor members of Interhack (I'm assuming, very well could be wrong with this) are not journalists (nor pretend to be). Because of this, you merely were posting your findings, because Emmett's involvement both personally and professionally with you outside of Slashdot he has comprised the whole premise behind journalism.
Which I've seen him do time and time again.
nerdfarm.org [nerdfarm.org]
Emmett and Interhack (Score:1)
Emmett Plant, founder Time City Project.
D. Clyde W., very visible member Time City Project
D. Clyde W., member of interhack
Hm, can we say shameless plug.. considering slashdot uses bugs I can't believe that they are slamming coremetrics.
Slashdot used to get worse on a monthly basis, then weekly, now it's with every post.
nerdfarm.org [nerdfarm.org]
Re:Emmett and Interhack (Score:1)
b) there are other documents and also I have witnessed conversations with emmett present where clyde has stated his affiliations with interhack.
nerdfarm.org [nerdfarm.org]
Re:THE ABOVE IS A TROLL (Score:1)
It may be incorrect, but it is not a troll.
Re:Emmett and Interhack (Score:1)
Haven't seen you in eons...
BTW- I was in no way involved with this particular project. If you'd care to read the Interhack information, my name is not listed on any of the "cookie" investigations.
Have a Good Day.
D Clyde Williamson
Re:Emmett and Interhack (Score:1)
add these tidbits to your junkbuster .block file.. (Score:1)
images2.slashdot.org/Slashdot/pc.gif
images.slashdot.org/cgi-bin/adlog.pl
images.slashdot.org/pagecount.gif
anybody want to ante up entries to block this coremetrics bull?
Re:DNS Entries (Score:1)
I'd like to know how one concludes from an IP number who the administrator *really* is.
Re:DoubleClick Ads on Slashdot (Score:1)
OR
Clear your cookie file, click like crazy on slashdot links, and then examine it.
2. Post your results to this forum
3. Get modded up and possibly an answer.
Mozilla??? (Score:1)
Mozilla has already implemented some of these features (at least for rejecting cookies) and being open sourced, Mozilla should be easy enough to change to allow for an exclusion list for images, etc.
My guess is that, once Mozilla arrives at an initial final release (read complete and stable), one of the many anti-spam groups (like JunkBuster) will release a version of Mozilla (or even an add-on) focused toward ad filtering. A few options are ALREADY available, most in the form of proxies that can be installed locally or by an ISP.
But, until then, here's the link to JunkBusters.
JunkBuster Proxy - GPLed Ad Filtering Proxy
Just my $.02 worth, I could be wrong.
Re:Web Bugs (Score:1)
"contractually precluded" is not good enough. (Score:1)
I'm sure that internet advertising agencies will pay big bucks for a list of identities with data. No corporate contract will keep some people from immorally stealing and selling that data.
John Heintz
Re:This "web bug" thing is a dumb approach (Score:1)
Remember kids, always be sure to learn a little something about how modern http browsing environments work before you call someone's web application dumb!
Just a little friendly advice,
-zack
Doesn't the term web bug (Score:1)
Here ya go (Score:1)
In particular, check out 4b and 4c. "Potential conflicts" would presumably include "he's my friend's friend so I don't want to make him look back".
I just noticed the "joeshmoe" in that URL, but I don't feel like looking for a more reputable-seeming link.
--
Re:Web Bugs (Score:1)
I agree with the current high scoring comment, if web sites are merely outsourcing their traffic analysis, there is no problem. You don't demand that sites that use WebTrends to analyse their logs say so in their privacy policy, do you? It only becomes a problem when the 3rd party trackers are allowed to aggregate the information they collect for their clients, and can resell that information. I would say that it is in the best interests of the collectors to NOT do this if they just want to sell a traffic analysis service.
-Red
Third parties are often not known to the users (Score:1)
Correction (Score:1)
---------------------------
"The people. Could you patent the sun?"
It's polite to ask (Score:1)
__________
Re:difference? (Score:1)
Legitimate use of a 1x1 GIF (Score:2)
Yes, caches do screw up the system. To fool the caches, the next index.html page that is written by the CGI program puts in the IMG SRC for the GIF with a PATH_INFO after the name of the program that spits out the GIF. This PATH_INFO consists solely of the process ID number. Cache servers think it's an entirely new link and go out to fetch it, but our http server ignores the extra path info and loads the same program. You also need all the standard NO-CACHE headers in the html page, of course.
You can do all sorts of things in this CGI program. The point is that in order to get a straight html page to also activate a program automatically whenever it is loaded, you have to use something like a IMG SRC. Otherwise you have to resort to Java or something similar, which has a huge amount of overhead associated with it.
Re:Emmett and Interhack (Score:2)
Feeling bitter, Jay?
You've got all the right in the world to question my journalistic integrity. As a matter of fact, I welcome it. But unless you've got a problem with the facts or the way I present them, chill out. If I've said something untrue in my work, you've got a responsibility as a reader to point it out. You haven't done that, though.
Stories are not created in a vacuum. As a reporter, I rely on relationships with people to get my job done. As a writer, I rely on the English language to convey facts to the audience.
The worst part is that you can't see beyond your own personal problems and outright bitterness to understand that Interhack does some very important work, and that this story is important to anyone who does business online.
What do you want me to say, Jay? Clyde clued me in to the Interhack press release. I work with Clyde on Time City. Clyde pointed me to it because he thought it was newsworthy. It was. I did some research, got together with Jamie, and we wrote the piece. I didn't write the piece as a favor to Clyde. Matter of fact, I don't even know if Clyde is involved with Interhack. I think he's related to Matt, though. Actually, I think you'd be amazed how many stories are submitted to me and Slashdot by personal friends that I reject. What do you want from me?
I don't find where you work and post things about the quality of your work. I don't question your professional integrity, because I really don't understand or know what you do for a living. At this point, I don't care. You just seem like someone who was really burned and you're working out your 'angry ex-girlfriend' mojo on me for some unknown reason.
I'm sorry you didn't like the article.
Slashdot used to get worse on a monthly basis, then weekly, now it's with every post.
Then don't read it. Apparently it's causing you undue stress.
--Emmett
Re:DoubleClick Ads on Slashdot (Score:2)
BTW - Several people have answered your question in this SID, please read them and quit thinking that everything is a personal attack against you. People will take you more seriously that way.
- Cliff
Re:Web Bugs (Score:2)
You'd be surprised. One of the reasons I use 1x1 transparent GIFs is, say I've got a table, and one cell has a background, but no foreground text or graphics - just a background color, or repeating background pattern, and I'm using this cell (probably not very big) for layout and design purposes, because there's no other way to do it. Well, if I don't include that 1x1 GIF, then the browser thinks the table cell is empty and won't render it at all (so I don't get my background). This is remarkably annoying. I used to use instead, but then I started doing these with really small areas where a whole wouldn't fit, so I've switched to 1x1 GIFs. For an example of what I'm talking about, check out my home page [phroggy.com].
--
Re:no more privacy (Score:2)
Re:Web Bugs (Score:2)
Re:How many? (Score:2)
First: you are referring to the Slashdot crowd. For example I am sufficiently paranoid to put my old address or my company address on warranty cards and other stuff like this when I buy personal kit so my snail mail address does not get out. But this is me. Joe average random luser puts his personal information. Both in a conventional store and online
Second: correlation analysis is a great thing and statistics is a great science. If there is enough information and the criteria for filtering bogus data are well defined it can be filtered and your real you to show up.
Re: or...give them MORE. (Score:2)
You won't be sending a little robot to the local store anytime soon, and it is a lot easier to track you down that way than it is via the web.
But you are right. Writing your little robot would be the
Legislating it out of existence or banning it
The internet has a way of policing itself. If we keep the government from interfering, then this kind of intrusion will meet its own extinction at the hands of people like you. People who will write software that makes their software obsolete.
Re:Web Bugs (Score:2)
That doesn't make sense. The web uses HTML, and HTML is a logical markup language where the client (not the server) makes formatting decisions. Why would a "web designer" ever need to micromanage such detailed issues as spacing?
---
Re:Spot the webbug (Score:2)
The JavaScript is still executed.
-JF
He has a point (Score:2)
However, I do know that doctors don't operate on their friends (or family of friends) or families (or friends of family). Same goes for journalism. From the facts presented by "Jay" and you, it seems as though you've interviewed a friend of a friend for your article. That's a no-no, regardless of newsworthiness. Why not just have roblimo or someone interview the friend?
--
Who owns the data (Score:2)
I'd have to agree that Coremetrics doesn't have a right to that data, but do the companies they're collecting it for have a right to it?
What rights do I have to it? If it is being sold, that means it has value. Where's my cut of the proceeds? If you and I own a piece of property, and you sell it without my knowledge or consent, and I find out about it, can't I sue for my share?
The corps can't have it both ways can they? If it is intellectual 'property', then aren't I half owner?
Re:Mozilla to the rescue? (Score:2)
1. It's already behind schedule
2. Blacklisting certain companies could get you all sorts of legal harassment from said companies. Look at the whole Cyber Patrol/peacefire thing.
Re:How many? (Score:2)
Can junkbuster filter out useless 1x1 images completely? I mean, I can live without a 1 pixel image or three on a web page.
Re:Web Bugs (Score:2)
Hey moderators: This post, #170 is HIGHLY deserving of being modded right up to +5.
Sorry for abusing my +1.
Re:Web bugs on Slashdot? (Score:2)
I figure it's so that Anonymous Cowards are not so anonymous. If need be, Slashdot can check the page and time, then cross reference it with their logs to determine who from where was doing what when. No?
Anonymous Cowards are not anonymous anymore.
Slashdot's justification is probably that they're using it to track 'trouble makers' on Slashdot.
Oh yeah, and to turn in Anonymous Cowards to mega corporations and government agencies for bounty
What is the real concern? (Score:2)
It would appear from the article that the problem is not what they do, but how their customers inform the public about the arrangement.
And if we are to attack them because they COULD do something bad, isn't that unfair, or at least prior restraint?
Obligatory ad blocking hosts file post (Score:2)
#
#
# This is a ad-blocking hosts file compiled by Mike Skallas (user245@hotmail.com)
# Just add '127.0.0.1 ADSERVER' to the bottom to continue the list.
# The rest are instructions from MS:
#
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost #this is not an ad server, this is your PC
Re:Emmett and Interhack (Score:2)
Email addresses are given out like candy.
Protect Yourself (Score:2)
Granted, this is not the easiest thing to use ever. I'd really like a list of servers I could manually update, whose cookies would always be rejected. *.doubleclick.net, *.adforce.com ... you get the picture.
Point is, though, you do have recourse. You don't have to "blindly trust" all those baddies trying to set cookies on your harddrive. Now I think the priority should be making this easier for newbies to pick up, and educating them about it.
Re:How many? (Score:2)
Yeah really. Someone should Mod this up, and maybe some marketing braindeads will see it. No one I know EVER puts in their real information, real email, or anything, unless they absolutely have to. And I'm not just talking about us l33t hackers, I'm talking about joe average Internet user. In schools around where I live, they actually teach you not to ever give your real information (including email) unless it's someone you absolutely trust.
So what I would like to know is, what good is all this tracking, when you're tracking fake people? It's just a huge waste of time. Not that I really care, I added all banner ads to my hosts file being redirected to 127.0.0.1 a LONG time ago
Re:Web Bugs (Score:2)
Re:Spot the webbug (Score:2)
Or send back corrupted data (Score:2)
This "web bug" thing is a dumb approach (Score:2)
Re:Spot the webbug (Score:2)
I'm going to have to go diving through the ad code (assuming the slashdot guys use the one from sourceforge) to see exactly what the number is used for.
My guess is that the number is used to see how many eyeballs saw that particular ad, but what they do with the number beyond that is unknown.
Example:
<IMG SRC="http://images.slashdot.org/pagecount.gif?/ar
.....
<IMG SRC="http://images.slashdot.org/banner/tkgk0082en
Re:Coremetrics.. (Score:2)
Of course no site would put up a box saying "click here to have your privacy invaded." Instead, they'd set up a system so that the user gained some small benefit from having their privacy invaded- like not having to re-enter their password every time they visited the site or having customized content- and ask customers if that's what they wanted. If they worded it right, you'd be surprised at how many people would opt in.
Actually, the well known grocery card business is a good example of this. People are willing to give supermarkets personally identifying information on an opt-in system in order to get marginal price benefits. They're even willing to swipe their card when they don't have anything in their cart that actually gets a price break based on minute chances of winning a car or something. Don't overestimate people's desire for privacy.
DoubleClick Ads on Slashdot (Score:2)
I sent e-mail to Jaime almost 2 weeks ago asking about the use of doubleclick served ads (from doubleclick servers) on Slashdot. He promised to get back to me. He never did.
Would anyone on the Slashdot Team like to comment on whether or not these ads perform functions similar to DoubleClick ads on other sites? I've seen posts about this in some discussions, but this seems like the good place to post it.
I have noticed a STEADY increase in the number of DoubleClick served ads since I initially contacted Jaime. All the SuSE ads, the Genuity ad, and now some IBM (and I'm sure others) ads are all DoubleClick served. This is true on other Andover sites like freshmeat as well. Many ads are served from Slashdot's ad server, but often DoubleClick ads load.
I can provide links to any and all ads that I've seen if I need to, but I think that it would be overkill.
Just curious
-fp
Re:Legitimate use of a 1x1 GIF (Score:2)
The point is that in order to get a straight html page to also activate a program automatically whenever it is loaded, you have to use something like a IMG SRC.
Wouldn't you be better off in that case just executing your maintenance script via SSI, rather than relying on a separate web request from the client?
Something like
<!--#include virtual="updatemainpage.cgi" -->
would do the same thing, and not rely on the client. Assuming, of course, your server can do SSI. If not, you could use an index.cgi instead of index.html, just have it dump out the page, then do the maintenance as part of that request. It'd save you on network traffic too.
Using a 1x1 IMG to do it is one solution, but it's not by any means, the only solution.
Re:Spot the webbug (Score:2)
For the truly lazy:
Re:What's wrong with user profiling? (Score:2)
So who really gives a damn? I usually buy books that have been recommended through word-of-mouth, anyway, who cares what Amazon's computer cooks up for you? Hell, I really don't care about the cookies on my computer - if someone steals my credit card number then it'll show up on the statement and I can get my money back. So what if Maxim ads always always pop up on yahoo sites for me? So I clicked on one, once.
Spam is pointless - I'm immune to it. I'm sure everyone who's grown up with television is, too. I'd rather go outside and sit in the sun anyway (but I'm stuck here at work).
Hmm, actually now does feel like a good time for a smoke break...
Re:Emmett Rocks! (Score:2)
See, well fucking done! You just achieved something that "your friend", Emmett "hung like Robert" Plant couldn't quite get it up for! You just gave us .... a "disclaimer". So now, we can take with, shall we say, a grain of shit, your comment that "I think that attacking Emmett's journalistic integrity is immature" ("immature"!, ye fucking gods! Why not just say that you think it's "gay" or "spastic" if you don't have any arguments!). We can tell that, whatever your views on journalistic ethics, you're probably prepared to prostitute them in order to help out your friend.
Now, if you'd dropped in and said "Hi, I'm Nitrozac, I have no connection to Emmett or anything, I'm just a stuck-up internet loudmouth and censorship advocate with a wholly unrealistic view of "geek" culture. I just took time off from simultaneously patronising and demeaning women by calling them "Techno-Talking Babes" in my ludicrously unfunny comic to drop over here and tell the world that, in my considered opinion, "freaking out" over a journalist providing free publicity to his cronies without disclosure is "kinda dumb". Now kiss my ass, and tell me how great you think my boots are." --- then that would be kind of dishonest.
And indeed, given that the context is a story about Internet privacy and "Your Rights Online", am I the only one to think that there is something supremely fucking hypocritical about you daring to raise your square head above the parapet, given that you're the proprietor of a bulletin board which is notorious for censoring contrary opinions and logging IP numbers of anyone who sails by? Though, I doubt that either Slashdot or Interhack will be doing an article on that any time soon.
Please feel free to reply here, or contact me by email, or indeed to do anything that will distract you from drawing another episode of that godawful comic, User [goatse.cx] Friendly [aftery2k.com]. Before you make the obvious response, I'll point out that I don't read the fucking thing, I just think that you have far too many preteen dittoheads, and anything that reduces their numbers makes the world a less shit place. Not necessarily better, just less horribly shit.
In conclusion, fuck yourself.
One word.... (Score:2)
Really, it's as simple as that. You don't even have to clutter your copy with parenthetical disclaimers, just a link to the relevant information about the connection for those readers who care.
C'mon guys. Like it or not, you're journalists now, so play the game properly.
Re:Illegal in the UK. (Score:2)
Hey! I resemble that remark!.
Seriously, folks. I think that the above analysis of the DPA is a little pessimistic. The Act does in fact define gross invasions of privacy in a roundabout way: there is a list of items of "Sensitive Personal Data" which are subject to much stronger regulation.
The Act provides for civil and criminal penalties for breach of the provisions as to fair processing; it is not toothless.
As to the "taking of steps" point, that provision is also governed by the requirement that the processing be proportional to the need and transparent to the data subject, and the Data Protection Commissioner has power to rule on what is and is not within that requirement of fairness. For example, she has stated that those "opt out of our spam list" checkboxes are not fair on the data subject: they should be "opt-in" boxes.
As to "presenting a retail site such that it's accessed 'with a view to entering into a contract'", that has to be done with an eye on the remainder of the Act, which limits what you can and cannot do, the various dicta of the Data Protection Commissioner, one's own liability if one colludes in the commission of a criminal offence or advises a client to commit one and, in the UK, the Unfair Contract Terms Act 1977, which is a prize pain in the backside for those in the business of ripping off consumers.
The whole point of the DPA, you see, is to make it easier and more cost-effective for the lawyer to advise the client to comply than to infringe. Being a naturally conservative crowd, that is exactly what we do.
Illegal in the UK. (Score:2)
Anyone thinking of using this service in the UK (or anywhere in the EU for that matter) should think again. It's (potentially) a criminal offence to collect any data on a person without telling them you're doing it (Data Protection Act 1998, generally [hmso.gov.uk] and Schedule 1 part I [hmso.gov.uk] in particular). The fact that you're using a third party based abroad to dig the dirt on your site visitors will avail you nothing with the Data Protection Commissioner [dpr.gov.uk] if she decides to land on you with both hobnailed boots.
Those privacy statements, whose status in the US I cannot comment on (IAAL but NAUSQL) are binding in the UK and breach of them potentially sounds in damages (section 13 of the Act [hmso.gov.uk] isn't in force yet, but soon, soon) as well as criminal liability and all manner of interesting and exciting regulatory action.
For the rights of data subjects generally, see Part II of the Act [hmso.gov.uk] generally and the register of Data Controllers is maintained at the Data Protection Commissioner's site and is fully searchable. Go on, look up your favourite corporation and dob them in if they aren't playing by the rules. (Non-UK readers may be amused to know that an assortment of pranksters make a point of doing this with political party membership lists when they use them for mailshotting purposes.)
How many? (Score:2)
Right now there is probably a lot of junk mail and phone calls going to 1642 Slackware Ave, Retro, CA (111)222-3334...
I can't remember putting in real information in a long time... actually the last time I put in that information was when I bought a DeCSS TShirt.
Toysrus.com sells information even tho they say in the privacy statement they don't? Welp, add another place not to shop to my list. Does anyone publish a listing of companies that don't sell information to other public/private companies anywhere? I'm sure it would be very useful to some.
difference? (Score:2)
Tracking proliferation (Score:2)
Use WebWasher to protect yourself from web bugs. (Score:2)
Re:Similarities (Score:3)
In the end, it comes down to "What information can the advertiser extract from the HTTP request to identify me?" This is why things like Junkbuster obfuscate as much of the request as technically possible, including User-Agent.
When it boils down to it, we don't have to send them anything more than "send me this page". The only other identifiers we must leave behind are the IP address we are receiving at, obfuscatable with a proxy server.
At this point, the only choice the advertisers will have is to either grant us service, or deny us service, despite the inability to tell who we are. If we feed them nothing, they can't pull the information out of the air.
Denying us service is not likely, either; advertising knowledge is nothing compared to actual profit obtained from a purchased item.
We don't have to put up with this. When Mozilla comes out, there's a few patches I want to make (like completely blocking the "onclose" event from firing)... maybe a few other hackers making a few other security patches can nail down that browser well enough for actual use. (Block 3rd party cookies, strip out some useless HTTP header information, and put some sandbox-style warnings into other parts of Javascript (like form submission) and you're a lot of the way there... it'd mostly be a matter of selectively removing features, which is usually not so hard :-) )
Spot the webbug (Score:3)
now = new Date();
tail = now.getTime();
document.write("<IMG SRC='http://images2.slashdot.org/Slashdot/pc.gif?
document.write(tail);
document.write("' WIDTH=1 HEIGHT=1>");
document.write("<IMG SRC='http://images.slashdot.org/pagecount.gif?/co
document.write(tail);
document.write("' WIDTH=1 HEIGHT=1>
");
--
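A defender-side check for the pattern in the post above, as an added example that is not part of the original thread: it scans a page's HTML for 1x1 images and reports whether each is served by the page's own site or a third party, and whether its query string carries a timestamp-style cache buster like the `getTime()` tail. The `.example` hosts and sample page are constructed, and treating the last two DNS labels as "the site" is a simplifying assumption (a real tool would use the Public Suffix List).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page; hosts under .example are placeholders.
PAGE_URL = "http://www.news.example/article.pl"
SAMPLE_HTML = """
<html><body>
<img src="http://images.news.example/pagecount.gif?page=/article.pl&amp;t=963500000123" width=1 height=1>
<IMG SRC="http://tracker.adnet.example/t.gif?id=42" WIDTH="1" HEIGHT="1">
<img src="/img/logo.gif" width="120" height="40">
<img src="http://images.news.example/spacer.gif" width="1" height="20">
<img src="http://stats.adnet.example/px.gif" style="width:1px; height:1px">
</body></html>
"""


def _px(value):
    """Parse '1', ' 1 ' or '1px' into an int; return None if absent or not a pixel count."""
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value or "")
    return int(m.group(1)) if m else None


def _style_px(style, prop):
    """Pull 'width: 1px' style declarations out of an inline style attribute."""
    m = re.search(r"(?:^|;)\s*%s\s*:\s*(\d+)\s*px" % prop, style or "", re.I)
    return int(m.group(1)) if m else None


def _site(host):
    # Assumption: the last two labels approximate the registrable domain.
    return ".".join(host.lower().split(".")[-2:])


class _ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag (names are lowercased by the parser)."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: v or "" for k, v in attrs})


def find_web_bugs(html, page_url):
    """Return one finding per image that renders at 1x1 pixels or smaller."""
    collector = _ImgCollector()
    collector.feed(html)
    collector.close()
    page_site = _site(urlsplit(page_url).hostname or "")
    findings = []
    for attrs in collector.images:
        width = _px(attrs.get("width"))
        height = _px(attrs.get("height"))
        if width is None:
            width = _style_px(attrs.get("style"), "width")
        if height is None:
            height = _style_px(attrs.get("style"), "height")
        # A 1-pixel-wide spacer that is 20 pixels tall is layout, not a bug.
        if width is None or height is None or width > 1 or height > 1:
            continue
        url = urljoin(page_url, attrs.get("src", ""))
        parts = urlsplit(url)
        host = parts.hostname or ""
        findings.append({
            "url": url,
            "host": host,
            "third_party": _site(host) != page_site,
            "has_query": bool(parts.query),
            # A long digit run (e.g. milliseconds since 1970) defeats caching,
            # so every page view reaches the counting server.
            "cache_buster": bool(re.search(r"\d{10,}", parts.query)),
        })
    return findings


if __name__ == "__main__":
    for f in find_web_bugs(SAMPLE_HTML, PAGE_URL):
        kind = "third-party" if f["third_party"] else "first-party"
        print(f"{kind:11}  cache_buster={f['cache_buster']!s:5}  {f['url']}")
```

A first-party hit with a cache buster matches a site's own page counter; a third-party hit is the case where another company's server sees the request, along with whatever the query string and Referer header reveal.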
Web Bugs (Score:3)
(web bugs are EVIL)
Evil never dies -- It just comes back in reruns
Re:Emmett and Interhack (Score:3)
And lastly, I hear she liked him better.;)
Re:Spot the webbug (Score:3)
Is the person saying something inflammatory that they know to be false to get a response? Just because you are satisfied with the explanation, doesn't mean everyone has to be. Or is it that
Personally, I've seen these images at the top and was suspicious, and now from the informative responses, I know what they are.
Automatically pollute their data (Score:3)
It's not surprising this is happening (Score:3)
It is up to us, the geek consumers, to push back at these companies, voice our concerns, refuse to buy products from them or use their web services. Since they understand best off of their pocketbooks, that is what will get their attention. This is also something that my mom and dad can understand. If I tell them 'the following websites are collecting private information about you' they won't use those sites. They are finally convinced it's not the hackers out there that are going to be taking away their privacy, but instead, the government and corporate america.
Just my two... sleepy thursday cents
DoubleClick Ads on Slashdot (Score:3)
However, slashdot has been serving DoubleClick ads with increasing frequency of late. NOW, I am NOT suggesting that Slashdot is corrupt or evil. I'm just curious to know whether or not we can expect these ads to behave similarly to the DoubleClick ads that have been described in previous stories.
If so, doesn't that fall into the "web bug" category? Why hide it in a 1x1 GIF when it's right there in a DoubleClick ad?
Anyway, I'm just curious. I posted this on the root level of the story and have already been modded down to -1. So moderators, do your worst. I'm just looking for an answer, not a flame war.
-fp
Re:no more privacy (Score:4)
Simple fix:
ln -sf /dev/null ~/.netscape/cookies
Your cookies will all be accepted and valid while they remain in memory (that is, as long as you keep the web browser open), but will be flushed every time you close netscape -- giving you the best of both worlds.
Matt
Re:DoubleClick Ads on Slashdot (Score:4)
The basic problem is that a huge percentage of advertisers outsource their advertising operations to DoubleClick. To have them advertise, you grab images off of DoubleClick. That's not anything we have control over, unfortunately, as that's the advertiser's choice to go through DBL. I wish it were otherwise.
class action suit filed against Toys R Us (Score:4)
What's wrong with user profiling? (Score:4)
Amazon, for instance, tracks all of my purchases, and, in return, gives me the only useful product recommendations I've seen on any commercial web site. Other sites could track my reading patterns (within their own site, not across others!) to figure out what types of articles actually interest me so that they can provide better content in the future. They need to plant a cookie on my browser to do that tracking, and they may even benefit from demographic information from me (to see what 20 year-old white males like to read), but they never need to know my real name, address, or phone number.
For me, the biggest privacy concern is spam and telemarketing. I WANT people to get enough data about me to serve banner targeted ads, because those are more likely to be interesting to me (I might buy a boxed copy of Enhydra, but I probably won't buy a copy of Cosmopolitan), as long as they don't invade my Inbox with those ads.
--JRZ
Re:Web Bugs (Score:4)
So Web designers are forced to use HTML for visual presentation of information (no, just putting it in a simple list isn't good enough -- 400 years of learning how to effectively present information says otherwise. See Edward Tufte's works FMI). And the only way to do that is to micromanage detailed issues like spacing.
But all that's moot. The worst part about this whole article is that the companies are lying to their customers about how their information is being used. There is almost no way an educated user, without the benefit of infinite time and tools, could have known to protect him- or herself from this information theft. That's why Truste needs to sue and the FTC needs to get involved. Personally, I think that the companies who did this need to be permanently banned from having a Web presence in order to set an example, but I don't know how that could be done legally.
You can do something: opt out
http://www.coremetrics.com/opt_out_options.html [coremetrics.com]
Re:Spot the webbug (Score:5)
Please note that all these images come from slashdot's own servers. They're pagecounter images. I'll just forward along the email I got from Richard M. Smith, the guy who coined the term "web bug" [tiac.net], when I asked him about it:
Jamie McCarthy
The can is open, and there is no going back. (Score:5)
The best you can do is write a browser plug-in that will reject such data and prevent the corporation from gaining any valuable data from your visit.
No amount of legislation can stop this kind of thing. If you ban companies from collecting data like this in the United States, they will simply move their servers outside the border and continue to do business as usual.
In the information age, it is no longer the job of government to protect our privacy - they can't, it's an insurmountable job. The only way to protect online privacy is to do it yourself.
Forcefeeding and poisoning the cookies (Score:5)
Interesting things to do with entries in the cookies file:
- randomly change some of the ID numbers -- let them think you're somebody else (or nobody)
- if there's a timestamp, change the date to something bogus -- 1956, or 1842, or 2003. Maybe somebody's database will break.
- insert really really long strings of random characters (or numbers if numeric) into the cookie values -- maybe it'll overflow a buffer somewhere.
- add a few hundred or thousand bogus cookie entries for some domains, maybe the cookie eater will choke.
How much of this actually adversely affects the cookie server I don't know -- not my area of expertise -- but it at least screws up their tracking somewhat. You want cookies? Here, I'll give you cookies....
Coremetrics.. (Score:5)
Personally, I don't see the issue of online tracking as being more than 'a tempest in a teapot'. Those that do not wish to be tracked can surely disable it, and the tracking companies and user data mining companies will continue to make money off the mindless drones that populate the net.
It's always been 'buyer beware'. What is so special about the net that it no longer applies? So the tracking is easier to do, and easier to analyze, and there is more of it, and it is more meaningful; Do you honestly think your bank, the telephone company, and the credit agencies aren't selling your spending habits to marketers?