Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Privacy Advertising The Internet Your Rights Online

Advertising Network Caught History Stealing 143

jonathanmayer writes "Last week the Stanford Security Lab reported some surprising results on how advertising networks respond to opt outs and Do Not Track. This week we made a new discovery in the online advertising ecosystem: Epic Marketplace, a member of the self-regulatory Network Advertising Initiative, is history stealing with unprecedented scale and sophistication. And Epic is snooping some remarkably sensitive information, including pages from the FTC, IRS, NIH, Mayo Clinic, and more. Epic has written a response defending its practices."
This discussion has been archived. No new comments can be posted.

Advertising Network Caught History Stealing

Comments Filter:
  • Adsense (Score:4, Insightful)

    by zget ( 2395308 ) on Friday July 22, 2011 @10:33AM (#36846538)
    Google currently owns the largest advertising network, and it will only expand (both internet wise and datamining wise) with Google+. If others can't history steal, it will put them out of business. In practice, Googles monopoly demands others to play bad.. I'm not saying it's a good thing, it is bad. Just stating the facts.
    • Re:Adsense (Score:4, Interesting)

      by LWATCDR ( 28044 ) on Friday July 22, 2011 @11:00AM (#36846976) Homepage Journal

      What?
      Google does not have a monopoly. Facebook which is a monster does not use Google ads. Google does not have a monopoly on search. Bing and Yahoo which now uses Bing both serve ads and provide search so we can toss out your monopoly idea right there. Google plus has fewer users than Facebook, Twitter, MySpace and until recently Slashdot, so that isn't a monopoly in social networks.
      So now that we know that the facts you are stating is false we can just toss the rest of the comment out.
      They don't have to cheat to compete. Microsoft, Facebook, and Apple all have ad networks now. Apple is making a big push in the mobile ad space I would hope they are not history harvesting.

  • a self-regulatory network. Just like the wall street bankers want to be self-regulatory or allow the market to be self-regulatory. It's all the same bullshit.
    • "Self-Regulation" is extremely efficacious. It's just that it's a tactic for avoiding actual regulation, not a tactic for providing it...
  • by Lance Dearnis ( 1184983 ) on Friday July 22, 2011 @10:42AM (#36846676)

    Alright, I read the article on this one, and, there's a divergence of evidence here. Mainly..

    "We applied the methodology from last week's study to examine Epic Marketplace's opt-out practices. (Epic Marketplace was one of the eleven NAI members not included in that study.) We found that Epic Marketplace leaves its tracking cookies in place after both opting out with the NAI mechanism and enabling Do Not Track. We also found that history stealing continues after using either choice mechanism." - This one's from the study.

    "Furthermore, when the user opts out, all data collection efforts cease. The student erroneously concludes that users are unable to avoid participating in segment verification because the opt-out mechanism does not delete the cookie that exists on the user’s computer. Like many other networks have pointed out already in their responses, this is misleading and inaccurate. When a user opts-out, all further collection of behavioral data from that user stops and existing profile data is deleted, even though the cookie itself is not deleted. The reason for this is simple: these cookies provide important operational information necessary for the delivery of any ad, not just targeted ads. For example, Epic Marketplace needs this data to determine how many times a particular ad has been shown to a user, and to analyze whether fraudulent activity is taking place. Ironically, in order to give effect to a consumer’s decision to avoid data collection, the cookie has to remain, otherwise advertisers have no way of knowing that that particular consumer has elected to opt-out of that advertiser’s data collection practices." - and here's Epic's counter.

    These two statements seem strictly at-odds to me; the study states that the History Stealing continues to run, not just that a cookie remains as Epic sems to be saying. Epic claims the data collection stops - straight conflict here. Someone either screwed up their study, or Epic is lying, or Epic is unaware that their 'stop stealing' code doesn't actually work. It looks like they're not gathering personally identifiable or geographical location, and so are in the clear there - but now you've got a pure 'He said, she said' in terms of continuing collection after opt-out. Anyone interested in trying to duplicate this study and add some more evidence to if it continues or not?

    • As per the article, web histories count as identifiable information. So collecting them counts as gathering personally identifiable information.
    • I was going to comment on the spin applied to the headline "...caught stealing" that seems to make the debate a foregone conclusion, and mention Epic's rebuttle, but after reading the articles I had the same issue as you - who exactly is correct here? It would still be nice to not see such inflammatory headlines though.
      • by Anonymous Coward

        rebuttle

        Rebuttle is what happens when you watch Brazil twice in a row.

        Rebuttal is the word you are looking for.

      • by Anonymous Coward

        I've read the articles too, and it does seem rather difficult to disentangle. Epic says the data collection stops once the user opts-out. What they claim may be true, but I notice that they admit that the cookie established for tracking purposes remains after the user opts-out. Why? Why not delete the cookie too? They offer some seemingly-legitimate reasons, but if *anything* is left from the data collection/tracking process they aren't being thorough about implementing the "opt-out". There's a big fa

    • I also find a couple other things curious:

      1) Epic starts by attacking the person not the argument

      2) Epic goes on a random rant about there being no definition of "tracking"

      • Well, to summarize responses to all there of these:

        Epic was certainly caught 'history stealing' - the contention is if they continue this practice even if you opt out, not that the practice occurs in the first place.

        While it goes through your web history, it separates out into 'interest segments' rather than directly pulling URLs; in other words, while directly collecting them WOULD count as personally identifiable information, Epic isn't doing that. They don't read 'You went to groupon!', they read 'You we

  • by Anonymous Coward

    to pay each advertiser one bitcoin EACH just to not target my IP address with advertisements.

  • I don't think anyone but the most naive users were surprised at last weeks results, or at this. Even "Average Joe Internet User" knows that, in general, Internet advertisers and their practices are shady.
  • by TheGratefulNet ( 143330 ) on Friday July 22, 2011 @10:55AM (#36846872)

    TFA:

    When a user opts-out, all further collection of behavioral data from that user stops and existing profile data is deleted, even though the cookie itself is not deleted. The reason for this is simple: these cookies provide important operational information necessary for the delivery of any ad, not just targeted ads. For example, Epic Marketplace needs this data to determine how many times a particular ad has been shown to a user, and to analyze whether fraudulent activity is taking place. Ironically, in order to give effect to a consumer’s decision to avoid data collection, the cookie has to remain, otherwise advertisers have no way of knowing that that particular consumer has elected to opt-out of that advertiser’s data collection practices.

    its been a while since I did web programming, but isn't an opt-out better implemented as data stored on THEIR systems and not mine? am I missing something here?

    "we can't be sure you dont' want our shit, so we send you a cookie so we can know you don't want our shit."

    WHAT???

    do they expect technical people to say 'oh, ok, you are right' ?

    so, unless I'm missing something, they should look at their LOCAL database of do-not-track ip addrs and users and not even TRY to write data to their disks (cookies). and if the user denies cookies (as I do on all sites that are not already whitelisted)? their 'design' doesn't allow for THAT case, does it?

    these guys should be sued into negative oblivion. bottom feeding fuckwads.

    • by Skapare ( 16644 )

      If any of their tracking actually works in the case of user cookies being denied or not kept, then yes. If they choose to still do tracking for such users, they also need to honor do-not-track for those users.

    • by aitan ( 948581 )

      So you have a permanent IP assigned to you, and you want that the advertisers always know and keep track (no matter if you clear cookies, or if you enter Private browsing) that it's you the one visiting some pages?

      Well, that might work for you, but the rest of the world doesn't have such luxuries and the IP is temporary so in order for them to keep such preferences, they must store the preferences in your computer.

    • by Sloppy ( 14984 )

      they should look at their LOCAL database of do-not-track ip addrs

      IP addresses don't opt out of things; people do. There has to be some way of associating a request that they want to track, with an earlier opt-out request. Cookies are the implementation that people have come up with so far, at least until you start sending some kind of global user id in all http headers (an idea that people would hate even more).

      • Cookies are the implementation that people have come up with so far, at least until you start sending some kind of global user id in all http headers (an idea that people would hate even more).

        Not to mention that a do-not-track cookie and a do-not-track HTTP header member essentially have the same effect from a practical perspective (in that they both modify the HTTP header). However, an HTTP header would work across all domains, not just the domain that set it which might be a disadvantage to those who want to pick and choose who can and cannot track them.

      • by FSWKU ( 551325 )

        they should look at their LOCAL database of do-not-track ip addrs

        IP addresses don't opt out of things; people do. There has to be some way of associating a request that they want to track, with an earlier opt-out request. Cookies are the implementation that people have come up with so far, at least until you start sending some kind of global user id in all http headers (an idea that people would hate even more).

        All fine and good, but why should I HAVE to opt out of something like this just to protect my privacy? What makes these marketing troglodytes think they have a right to track my browsing habits by default?

        • by Sloppy ( 14984 )

          All fine and good, but why should I HAVE to opt out of something like this just to protect my privacy? What makes these marketing troglodytes think they have a right to track my browsing habits by default?

          Lots of reasons:

          1. We speak of "do not track" instead of "ok to track." The debate is already framed to their advantage.

          2. You're ok with it. Almost everyone is ok with it. Otherwise, they wouldn't send the requests (complete with the cookies they asked you to send, the last time you communicated with t

    • The right solution is probably the browser ignoring actions based on domain. Another solution is to ignore sending cookies based on domain and also ensuring JS from that domain can't read certain data. It would require a black list, but if they aren't going to play ball, then we can play hard ball.

    • by Aladrin ( 926209 )

      They can't be sure it's you without a cookie to verify it. IP addresses change, and so do browser agents.

      If they stored they data on their side, you'd have to re-opt-in every time your ISP gave you a new IP, or you upgraded your browser.

      It sounds like they're storing additional data on it, however, and that's not acceptable.

    • Yes, you're missing something. Imagine you opt out of tracking and the company erases all information about you (including their cookies). What happens the next time you hit their system? You look like somebody they've never seen before. In most systems, that means they give you a cookie and start tracking you. But you just asked them not to track you...

      The only way they can comply is to know that you fall into the group of people who don't want to be tracked. In general, they can do this with a gener

      • Or maybe they need to go to an "opt-in" system, to make it easier for them to be honest. I suppose there could be a reason they wouldn't want that, though...
    • good point. my work pc has firefox set to clear cookies and history at shutdown. so, my do not track request can't be respected after a reboot?

    • You're over thinking things. What if you were allowed to tick a checkbox in your browser, and thereafter it would state clearly in every HTTP request header DO NOT TRACK ME. This enables notification that we do not want any tracking to be performed, and is delivered in the same set of headers that they are already parsing to read the "Cookies" they set. [donottrack.us]

      It looks like this:
      DNT: 1
      Firefox4 and IE9 Support this, last I heard Chrome didn't (I hear there is a 3rd party plugin now). All those advertising bastards need do is not track people with those settings. Additionally, use a plugin like CookieMonster [mozilla.org] to manage your cookie settings.

      Them: "Without cookies how will we know if you want to opt out?!"
      Us: "Problem Solved. Read the DNT header fool."
      Them: "We need cookies to makes sure people aren't fraudulently clicking ads, and to count clicks"
      Us: "Not our problem; Besides, Cookies can be cleared -- Store your clicks & hits in YOUR OWN damn database!"
      Them: "... [under breath] But we don't have to, and we won't comply sanely without mandatory regulation."

      They'll cry us a river when it comes down to strict regulations -- The only bad thing is that the law writers don't understand technology enough to just say: "Advertisers must honor the 'DNT: 1' (do not track header) as if the user had followed the advertiser's opt-out procedure, and [insert other shit they should do like delete user records and not set cookies -- though I can manage my own damn cookies, but thanks]."

      • by Tom ( 822 )

        You're spot on.

        They claim that a click on an "I accept" button constitutes a binding contract. But a checkbox in the configuration that I don't want to be tracked doesn't?

        Frankly, stop treating corporations like responsible citizens. They aren't. They are cheaters, liars and frauds. Their only purpose is profit. If they were humans, they would qualify as psychopaths.

        Treat them like that.

    • by tokul ( 682258 )

      am I missing something here?

      Web users are anonymous. You can't identify them, if you don't store something unique on their machine.

      • I think that is the idea. They don't want to be identified, yet storing something unique on their machine makes it pretty easy to identify them.
    • by jvkjvk ( 102057 )

      Yes, of course they have to track you to know that you have opted out of tracking.

      How else do think it would work?

      This pattern is depressingly similar to how the whole legal system is going.

      • by 0123456 ( 636235 )

        Yes, of course they have to track you to know that you have opted out of tracking.

        Here's an idea. Maybe they could, you know, have people opt-in to tracking, and then the only people being tracked would be the ones who had asked the company to track them.

        Of course as we all know, almost no-one would volunteer to be tracked unless there are financial benefits (e.g. supermarket store card discounts) and only inertia prevents most people from 'opting out' of online ad tracking.

    • they should look at their LOCAL database of do-not-track ip addrs

      So I need to opt out of tracking at home. And at work (blocking other people sharing the same outbound NAT who want to be tracked for some odd reason, possibly involving incentive programs). And at the coffee shop. And in motels. And in libraries. And every time my DHCP lease changes. Basically, every IP I'll ever occupy - however temporarily - I'll need to re-opt-out from.

      so, unless I'm missing something

      Yes, I think you're missing something.

  • by Anonymous Coward

    I don't care if that hits a site renevue stream enough that they will require paid registration (I will just register and pay). You either do something to block all ad network-supplied crap, or you are at a much increased risk of damage.

    ad networks have, in the past:

    1. distributed viruses and trojans (PNG exploits, for example)
    2. distributed criminal matter (hate speech, k1dd13 p0rn, etc)
    3. distributed content to mislead the user into visiting damaging sites
    4. attacked the user browser to mine information

    E

    • if only there was a loosely associated group of computer hackers sometimes following the activist mindset and settling on particular targets of interest...

  • by LWATCDR ( 28044 )

    Well they claim that what they are doing is not an issue. So I simply want to know what sites use them and what advertisers use them along with the name of the script.
    That way I can have the freedom to choose if I want to go to those sites or not and let the site owners and advertisers that I don't like it. Not that it is ilegal or not but I don't like and don't want it to happen to me. That is all they have to do.

  • From Epic Marketing's Fine Rebuttal:

    The Stanford studentâ(TM)s blog purports to examine a practice described as âoehistory stealingâ. The use of such a pejorative term obviously reveals a bias ..

    followed by

    .. Epic Marketplace needs this data .. to analyze whether fraudulent activity is taking place.

    Hmmmm ...

    • by hubie ( 108345 )

      What I like is that in their response they not once referred to him by his name (Jonathan Mayer), but only by "the student." I would say that was a pretty pejorative use of that word.

      To me, their response comes off sounding like (I'll let you read it with your favorite exaggerated accent): "Stealing? That is such an ugly word. We prefer to call it 'segment verification'."

  • Computer fraud? (Score:5, Insightful)

    by gstrickler ( 920733 ) on Friday July 22, 2011 @11:08AM (#36847090)
    Epic has no contract, expressed or implied, with the end user to run software on their computer. They have only an agreement with the website operator, who has no authority to grant Epic the right to execute any software on the end user's computer. That said software actually examines the users browsing history to determine if they have visited specific pages, should be considered illegal, even if they only send back a de-identified list of segments represented by those links. Until Epic has received user consent, their actions should be considered computer fraud [wikipedia.org].
    • Huh? The user's browser has, on behalf of the user, explicitly contacted Epic's webserver, requested a copy of the javascript from their site, and run it. It's not like Epic's servers attempted to connect to the user's computer, hacked a firewall, cracked a password or anything. The user (via their browser) has initiated the entire thing here.

      If the user does not want their browser to retrieve and run javascript from every third-party server mentioned by websites they choose to visit, maybe they should get

      • Re:Computer fraud? (Score:4, Interesting)

        by gstrickler ( 920733 ) on Friday July 22, 2011 @12:08PM (#36847966)

        No. The end user requested information from the web site they were visiting. That a third party is running software on their computer is not an implied or expressed condition of that request.

        While it's common for sites to display ads from ad networks, and the simply displaying of an ad could be considered an implied contract of using most web sites, displaying an ad and running software (even javascript) is not an implied contract. In this case, the software goes out of it's way to ensure that it runs without any indication to the user, thus the user is completely unaware that there is even anything to which he should have be asked to consent.

    • by Trepidity ( 597 )

      Wouldn't that theory criminalize any Javascript that: 1) the user did not explicitly consent to execute; and 2) did anything the user found objectionable? I don't like this practice, but that cure seems worse than the disease.

      • See my reply to the above commenter.
      • Isn't that how it should be? If I didn't ask for it, you shouldn't be putting it on my computer.
        • by Trepidity ( 597 )

          But you did ask for it! It's not like they came to your house and installed on your computer software that would: 1) request Javascript from their servers; and 2) execute it. You installed software on your own computer that did that!

          If anyone's at fault, perhaps it's Firefox for having JS retrieval and execution enabled by default.

    • I went to the two websites listed as examples in TFA and I couldn't find the iframe or javascript that they claim is checking on your browsing history.

      Can anyone pastebin the relevant snippets of html or javascript links from http://www.flixster.com/ [flixster.com] or http://charter.net/ [charter.net]?

  • Read a response from a professional advertisement and marketing agency? Why don't we just throw the idea of objective assessment out the window altogether.

  • they do anything they can to get you to buy some shit you dont want including lying and stealing, then get all offended when you call them on it

  • Did you read the response? What a classic case of corporate misdirection. They redefine history stealing as "segment verification", which presumably means that they are using this technique to verify that a visitor is part of a particular segment of people that advertisers are trying to reach.

    Clue: It doesn't matter what you do with the information, if your process involves checking to see whether a user has visited any of a list of sites in the past, that technique is known as history stealing and it is wr

  • At first I thought that somehow history was caught stealing something by an advertising network. It took me a minute to realize the title actually meant "stealing history". If the used word order is really that important, the submitter could've at least thrown a hyphen in there to make it a bit clearer.
  • "self-regulatory"

    Well there's your problem.

  • by Tom ( 822 )

    Epic has written a response defending its practices."

    If you still don't see what's wrong with these people, that sentence is all you need. Get caught with the hands in the cookie jar and then go about explaining why it was an ok thing to do.

    How long until we as a society finally realize that corporations do not have ethics ? They are, almost by definition, psychopaths. We need to start treating them like the dangerous criminals they are.

    No, I'm not a communist. I do, however, strongly advocate seing things the way they are, and not fool yourself with delusion

There are never any bugs you haven't found yet.

Working...