How Websites Know Your Email Address the First Time You Visit

An anonymous reader writes "Darren Nix works for 42Floors, a business that uses its website to help people find office space. He recently received a marketing email for a service that offered to identify visitors to his website. After squeezing some information out of the marketer and playing around with a demo account, he now explains exactly how sketchy companies track your presence across multiple websites. The marketer offered to provide Nix with 'tracking code that would sit in your web site' which would 'grab a few key pieces of data from each visitor.' This includes IP addresses and search engine data. The marketer's company would then automatically analyze the data to try to identify the user and send back whatever personal information they've collected on that user from different websites. Thus, it's entirely possible for a site to know your name, email address, and company on your very first visit, and without any interaction on your part. Nix writes, 'A real-world analogue would be this scenario: You drive to Home Depot and walk in. Closed-circuit cameras match your face against a database of every shopper that has used a credit card at Walmart or Target and identifies you by name, address, and phone. If you happen to walk out the front door without buying anything your phone buzzes with a text message from Home Depot offering you a 10% discount good for the next hour. Farfetched? I don't think so. ... All the necessary pieces already exist, they just haven't been combined yet.'"

Tor

[girlintraining]

"[...]All the necessary pieces already exist, they just haven't been combined yet.'"

Not me. I'm behind ten proxies and use Tor for everything. I use throwaway e-mail addresses from places like Mailinator. I even registered my gmail account using a hospital courtesy phone... that was in another country. My friends joke that I'm paranoid of the government. No, I could care less about the government... it's all the corporations!

Re:Tor

[usuallylost]

Not me. I'm behind ten proxies and use Tor for everything. I use throwaway e-mail addresses from places like Mailinator. I even registered my gmail account using a hospital courtesy phone... that was in another country. My friends joke that I'm paranoid of the government. No, I could care less about the government... it's all the corporations!

All of that sounds great for your electronic transactions. Not sure it will help all that much when they start tracking your physical movements through the world and building databases that way. I guess you could wear a variety of disguises, always pay cash, never sleep the same place twice and make your living by pan handling or something. The problem here is that as this stuff becomes more and more pervasive it is going to become harder and harder to avoid. I suspect what we really need is some strict data privacy rules that require people to get opt ins for this stuff. That may be possible in the EU I don't see it happening in the US.

Highly illegal

[Splab]

Well one reason why this hasn't been done is it's downright illegal to do so in many countries.

Try this in EU and find yourself in a world of hurt.

RequestPolicy + NoScript

[magic maverick]

I've mentioned before that I don't use an Ad Blocker, and yet I rarely see ads. The addons I use (among others) are RequestPolicy, NoScript and Cookie Monster. These three allow me to not be tracked across most websites.

As well, I tend to use unique email addresses (either with Mailinator, or with another domain) for each website I sign up on (I record which email address I use where, and this allows me to track who is sharing my info).

And if I did somehow receive an email that said something like Sumit Suman received, I would be very unhappy with both the party I initially shared the email address with, and the other party. And would cease all business with both.

A commentator at Hacker News [ycombinator.com] says at least one company uses the IP address to get the company and then looks up that company via LinkedIn. Another reason to a) support Tor, and b) not use LinkedIn I guess.
------

Ironically, 42Floors is using Disqus for their comments. This allows visitors to be obviously tracked across websites (at least that use Disqus) and I'm amazed that any privacy conscious person or organization would outsource like that. There are many other tools (e.g. Gravatar) that fall into the same category. In fact, with Gravatar, I can be tracked even if I don't use the service (by not having an avatar with them) because my email address is still sent every time I leave a comment. And I'm sure there are some blog maintainers wondering why they get email addresses of the form webmaster@domain from some of their more insightful commentators.

Gmail is easy to snoop

[broothal]

I was logged into a gmail that I only use for receiving, never sending. I visited Netflix in another tab in Chrome. I visited their free trial page, but I decided it wasn't for me, so I closed the tab without entering any data.

A few days later I got an email from netflix - to the gmail account I was signed in to in another tab - asking me if I needed help completing the form.

True, and very scary story.

Minority report

[Reclaimer]

So we've hit minority report: "You drive to Home Depot and walk in. Closed-circuit cameras match your face against a database of every shopper that has used a credit card at Walmart or Target and identifies you by name, address, and phone. If you happen to walk out the front door without buying anything your phone buzzes with a text message from Home Depot offering you a 10% discount good for the next hour."

Wall Street Journal has more details

[jfruh]

The Wall Street Journal [wsj.com] had a big article about this practice, which is not new and is fully mainstream among U.S. companies. The article contains this COMPLETELY AMAZING quote" "Dataium [a company that facilitates this tracking] said that shoppers' Web browsing is still anonymous, even though it can be tied to their names. "

Re:10% ? Great

[Osiris Ani]

I prefer to pay by giving my email address than by real money.

Then you are a fool. Some people know the price of everything and the value of nothing.

I generate a new email address on one of my domains for every new interaction with a new vendor. The process requires approximately ten seconds of my time, and that address could vanish just as easily. The net savings outweighs the net cost by a hefty margin.

been around forever

[Charliemopps]

I've been on here preaching this forever. Any large website you visit is doing this. It's easy to do and a cheap service. TOR doesn't even help you. If you visit a site, they can uniquely identify you, period. They might not know exactly who you are (your name) but they don't care about that. They have your browsing habits, what you're into, and what you're likely to buy. That's all they need. I've seen these systems in action and the level of detail is amazing. You can not escape them.

Re:Gmail is easy to snoop

[V-similitude]

Almost guarantee that they didn't snoop your e-mail through chrome or hidden cookies/3rd party trackers. Not saying it's not possible; it's just that they'd be crazy to do it so flagrantly. Most likely, you entered your e-mail in a field that was snooped by javascript. You may think you didn't "enter" any data if you close the tab before hitting submit, but that's not true. Either that, or you previously had an account with them and had some cookie with them indicating that.

If I'm wrong, it should be replicable. I'd love to hear if that's actually the case.