Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Privacy Advertising The Internet

Even the Ad Industry Doesn't Know Who's Tracking You 98

jfruh writes "The Internet advertising industry is keen to stave off government privacy rules and opt-in-only browsers by loudly proclaiming its adherence to a self-imposed code of conduct. Yet a little digging shows that even "self-regulated" advertisers link to services that link to other services that nobody's really sure what they do. That's why, for instance, when you visit a page on the Sears website, your web browsing behavior is being collected by a company that sells ringtones and won't return emails asking about their privacy policy."
This discussion has been archived. No new comments can be posted.

Even the Ad Industry Doesn't Know Who's Tracking You

Comments Filter:
  • Oh... (Score:5, Informative)

    by WizardFusion ( 989563 ) on Thursday May 02, 2013 @11:10AM (#43610897)
    And that is why Ghostery and other such tools should be used until all tracking is banned.
    • Re: (Score:3, Insightful)

      by Cinder6 ( 894572 )

      Ghostery itself is a tracker: http://venturebeat.com/2012/07/31/ghostery-a-web-tracking-blocker-that-actually-helps-the-ad-industry/ [venturebeat.com]

      I use a combination of ABP, DNTMe, and Firefox's built-in DNT flag.

      • Add NoScript and the disabling of all third-party cookies and you've pretty much got my browser security setup. I never really used Ghostery (tried it; settled with Do Not Track Plus). After reading that article, I'm glad I didn't... I'd rather not fuel these filthy scumbags.

      • Yeah, I admit I use Ghostery as an intermediate step. I got to like their organized layout, and haven't put in the 20 hours to really nail down a pure replacement. For me it's important not just to block junk, but to know *who was there in the first place* (and then block them!) I have learned a lot about which "magazine sites" etc use more or less trackers from Ghostery. It's taught me a lot. So no, not perfect at all, but not bad for a beginner to the topic.

      • by Anonymous Coward

        If by "tracker" you mean "has clearly labelled 'opt-in to stats collection' checkbox on top of options page".

        Don't want to be tracked by Ghostery? Don't turn on that checkbox! Problem solved.

      • by Burz ( 138833 )

        What about DoNotTrackMe? I haven't seen an indication that they're like ghostery in that respect.

        Their FAQ says: "we don't do advertising or data mining of any sort, ever."

      • Ghostery itself is a tracker: http://venturebeat.com/2012/07/31/ghostery-a-web-tracking-blocker-that-actually-helps-the-ad-industry/ [venturebeat.com]

        I use a combination of ABP, DNTMe, and Firefox's built-in DNT flag.

        No. Ghostery is not "a tracker."

        Ghostery's data collection is opt-in. To share data with them, you have to click a clearly-labeled checkbox. There doesn't appear to be anything fishy about it.

    • by sdnoob ( 917382 )

      until all tracking is banned.

      like we can trust the web sites, ad networks, and (most) search engines to NOT track, even if it was 'banned'.

      browser functionality to block such behaviour, at least client-side, will pretty much always be necessary.

      • The problem is that cross-domain cookie setting, and resource requests are a core functionality in web browsers... Not just for advertising, but simply a working site that loads remote resources.
        • by Raenex ( 947668 )

          The problem is that cross-domain cookie setting, and resource requests are a core functionality in web browsers... Not just for advertising, but simply a working site that loads remote resources.

          So is JavaScript, but I still browse with NoScript on by default and selectively enable when I want JavaScript. Along those lines, I also use RequestPolicy [mozilla.org] to block cross-domain requests by default, and selectively enable pages that need it. This works "fine" for a surprising number of sites (I put "fine" in quotes because the experience is quite different than standard browsing: in many ways better, but in some ways worse).

    • I think all trackers should be removed from the (U.S.) internet immediately, because:

      (A) Tracking of those 13 years of age and younger is illegal, and

      (B) trackers can't possibly know for sure who is 13 and who is not.
      • If that would happen, that would be awesome. But you know, if such a thing was on the verge of happening, the scumbags in the advertising industry would throw so much money and lawyers out there that they would end up distorting everything and making it legal anyway, for reasons only worthless, crooked assholes like them could come up with.

  • Oh, yeah (Score:5, Interesting)

    by Mitreya ( 579078 ) <mitreya.gmail@com> on Thursday May 02, 2013 @11:14AM (#43610933)

    for instance, when you visit a page on the Sears website, your web browsing behavior is being collected by a company that sells ringtones

    The NoScript list of blocked domains on many (even legitimate) websites is scary indeed. One of my favorites is Javascript from ru4.com required to be able login into your banking account on chase.com. Based on the name, it looks like a phishing website to me...

    • Re:Oh, yeah (Score:5, Informative)

      by Trepidity ( 597 ) <[delirium-slashdot] [at] [hackish.org]> on Thursday May 02, 2013 @11:19AM (#43610987)

      From their whois record, ru4.com claims to be X Plus One [xplusone.com], an "enterprise" data-analytics company with a lot of finance-sector clients. So it seems reasonably plausible to me that Chase is contracting with them.

      I don't get why large companies don't bring these things at least under their own subdomains, though. Even if you're having something hosted by a third party, it's not hard to set up its DNS at foo.chase.com.

      • Re:Oh, yeah (Score:4, Interesting)

        by Mitreya ( 579078 ) <mitreya.gmail@com> on Thursday May 02, 2013 @11:28AM (#43611089)

        From their whois record, ru4.com claims to be X Plus One, an "enterprise" data-analytics company with a lot of finance-sector clients.

        Yeah, and the fact that ru4.com does not seem to resolve or redirect (the WHOIS record points to http://www.aboutus.org/ru4.com [aboutus.org]) makes it sound very legitimate :)

        So it seems reasonably plausible to me that Chase is contracting with them.

        They can contract who they want, but the fact that a random analytics company has to execute javascript on my computer before I can even login to my Chase account galls me a bit.

        I don't get why large companies don't bring these things at least under their own subdomains, though.

        Yes! And I have chase.com in the whitelist already -- such a move would solve everyone's problem.

        • Re:Oh, yeah (Score:4, Interesting)

          From their whois record, ru4.com claims to be X Plus One, an "enterprise" data-analytics company with a lot of finance-sector clients.

          Yeah, and the fact that ru4.com does not seem to resolve or redirect (the WHOIS record points to http://www.aboutus.org/ru4.com [aboutus.org]) makes it sound very legitimate :)

          So it seems reasonably plausible to me that Chase is contracting with them.

          They can contract who they want, but the fact that a random analytics company has to execute javascript on my computer before I can even login to my Chase account galls me a bit.

          I don't get why large companies don't bring these things at least under their own subdomains, though.

          Yes! And I have chase.com in the whitelist already -- such a move would solve everyone's problem.

          Chase is a significant offender in this regard, as they change contractors semi-regularly. I often get alerts about new domains wanting access to chase assets.

          But moving under chase.com wouldn't solve everyone's problem; I would no longer know that my data is being leaked, and Chase would suddenly be more accountable for their contractor's actions (as well as having to administer the DNS instead of letting their contractors administer their site.

          Really, that's what subdomains are for though; everyone SHOULD be doing this. Of course, the ones you don't know about probably already are.

          • Re:Oh, yeah (Score:5, Insightful)

            by gstoddart ( 321705 ) on Thursday May 02, 2013 @11:48AM (#43611345) Homepage

            and Chase would suddenly be more accountable for their contractor's actions

            Good, because those contractors are doing this on behalf of Chase -- so ideally they couldn't do something like denying any responsibility because it was all done by the evil contractor.

            They did it on your behalf, and you engaged them to do it, you are still responsible for it. You can't then say that what your contractors do isn't your problem.

            Essentially it lets them do an end run around their privacy policy. "We don't collect or share" becomes meaningless when the people who do the work for you do collect and share.

          • Chase could have a CNAME of foo.chase.com that points to chase.foo-provider.com, then foo-provider.com can manage their DNS and infrastructure however they want... this is how most CDNs work.
        • by Rolgar ( 556636 )

          I have a Chase account, and I have ru4.com disabled in NetScript, and I can login just fine.

      • Better yet, why aren't they more transparent about it?

        • Because they like the current state of affairs. In a sense it's "sorta not that hard" of a problem, but they benefit from the current weak environment.

          I bet any couple of guys in these companies know who does what, but they can carefully keep them separate from "corporate knowledge" and play dumb. For example, using the (I know, imperfect) Ghostery, in twelve seconds it gives you the list of all *seventeen* trackers on a typical page of IT World, but I bet 10 out of 12 PR reps couldn't name the complete lis

          • I think I'm equally divided on the agree/disagree factor here, and it's probably a little of both...

            1. The company is too disorganized / doesn't know what they're doing, but they have enough sense to see the value of information, so they grab as much as they can, while valuable, they still don't really know what they have / what they're doing with it, these are prime hacker targets (iOS location tracking fiasco).

            2. The company has bigger aspirations with the data they mine, the data is mined as thoroughly

      • Even if you're having something hosted by a third party, it's not hard to set up its DNS at foo.chase.com.

        It's not hard to set up DNS, but it is hard to get third-party programs to use it. The browser requests the script from foo.chase.com, and that's hosted at ru4.com... but the script requests another script, likely without knowing it's supposed to be at Chase... so it'll request from ru4.com, The uncertainty is still there, but now it's hidden under another layer of obscurity.

        Alternatively, the third-party script gets a custom-branded version for each major contractor, which increases development cost, or th

    • Re:Oh, yeah (Score:4, Insightful)

      by Nyder ( 754090 ) on Thursday May 02, 2013 @11:25AM (#43611039) Journal

      for instance, when you visit a page on the Sears website, your web browsing behavior is being collected by a company that sells ringtones

      The NoScript list of blocked domains on many (even legitimate) websites is scary indeed. One of my favorites is Javascript from ru4.com required to be able login into your banking account on chase.com. Based on the name, it looks like a phishing website to me...

      What I like is when you allow a website and then suddenly you have 30 new addresses on the noscript list. Mainly when trying to read articles or see the videos attached, it becomes a guessing game (based on domain names) on who you should allow so you can see the text, or vid.

    • The number of websites with ten or more scripts running seems to be increasing, and they seem to be increasing the number of scripts required to run as well. And then there's the helpful automatic redirecting AFTER the content of the page has loaded, taking you to a webpage saying "You need to turn off noscript to view this page properly!"

      Has anyone seen any pages that do this with ghostery or REQUIRE facebook or google scripts to run in order to load?
    • by DogDude ( 805747 )
      You're surprised that Chase may not be on the up-and-up? Really? Have you read any news in the past decade or so...?
    • by Anonymous Coward

      ru4.com ... , it looks like a phishing website to me...

      Thats a 3 letter domain name in the .com TLD, now that is a sign of a successfull phishing sham.

    • by erlehmann ( 1045500 ) on Thursday May 02, 2013 @01:36PM (#43612485)

      I built a script to generate a graph of third-party resources a web page loads [dieweltistgarnichtso.net], which often represent advertising and tracking (sample output for Spiegel Online, a German newspaper [dieweltistgarnichtso.net]).

      I also wrote a blog post about how advertising and tracking make sites slow (in German) [dieweltistgarnichtso.net] that contains even more graphs from when I ran the script in January 2013.

    • Then you're using noscript the wrong way. Instead, use a whitelist of those places you need scripting active and block everyone else by default. Far easier on the system then the other way. Another issue is that firefox gets slower and slower to start/shutdown along with unstable the more you add to the blocked sites. The solution I found that works the best is a combination. I use the Noscript list to build a host file and block at that level. It's more effective and actually protects more of the system si

  • All we need is a form with a couple of checkboxes.

    1. Are you Evil? [ ] Yes [ ] No

    Then we just need a few people to define Evil
    for several contexts, add a followup question for kicks,
    and we're done.

  • by X0563511 ( 793323 ) on Thursday May 02, 2013 @11:25AM (#43611053) Homepage Journal

    ... and yet they whine and moan about people using adblockers and such.

    Shut up, bitches. You made your bed, now you get to sleep in it.

  • LOL ... (Score:5, Insightful)

    by gstoddart ( 321705 ) on Thursday May 02, 2013 @11:28AM (#43611103) Homepage

    And according to DoNotTrackMe, TFA has beacons for 5 tracking companies, plus two social media sites. So ITWorld are just as guilty of this shit as everyone else.

    I swear, between NoScript, AdBlockPlus, DoNotTrackMe, and blocking/deleting cookies -- I'm *still* not sure how much crap is out there I'm missing.

    I don't feel the slightest bit of guilt for blocking these sites so some marketing asshole can collect data.

    • And according to DoNotTrackMe, TFA has beacons for 5 tracking companies, plus two social media sites. So ITWorld are just as guilty of this shit as everyone else.

      I swear, between NoScript, AdBlockPlus, DoNotTrackMe, and blocking/deleting cookies -- I'm *still* not sure how much crap is out there I'm missing.

      I don't feel the slightest bit of guilt for blocking these sites so some marketing asshole can collect data.

      I run those exact same addons you do in firefox along with Social fixer plus to actually straighten out the mess facebook is, Cookies Manager+ to see all my cookies and block cookies, and finally Element hiding helper for adblock plus which comes in handy. My wife insists on me playing that "oh so popular game" on facebook called Songpop.

      With element hiding helper I ended up having to block five or six items that even adblock plus missed so they won't show. And now lately i've came across the RARE sites tha

      • And now lately i've came across the RARE sites that demand you to disable adblock plus and or noscript?

        I haven't seen that, but any site which makes that suggestion will simply get a back button and then ignored.

        They all say they need ads to run, and that they have a privacy policy, but then they don't even know who all is getting to see your browsing habits.

        No thanks.

        • by IANAAC ( 692242 )

          And now lately i've came across the RARE sites that demand you to disable adblock plus and or noscript?

          I haven't seen that, but any site which makes that suggestion will simply get a back button and then ignored.

          Really? You've never been to hulu.com? I get at least a couple of them every show I watch through them. I just wait it out, though. The clock just ticks the seconds down until the black-screened warning goes away and programming resumes.

    • And according to DoNotTrackMe, TFA has beacons for 5 tracking companies, plus two social media sites.

      You missed quite a few.

      Ghostery reports 17 (!) beacons:
      Adhere, Adobe Digital Marketing, BlueKai, Demandbase, Digg Widget, Disqus, Dynamic Logic, Eloqua, Facebook Connect, Google +1, Google Analytics, Krux Digital, LinkedIn Widgets, New Relic, Quantcast, Scorecard Research Beacon, ShareThis

      Nice collection!

  • Install Collusion (Score:3, Informative)

    by vettemph ( 540399 ) on Thursday May 02, 2013 @11:53AM (#43611393)

    Install Collusion add-on into your Firefox browser and monitor it while surfing. After visiting a few web sites you will see links forming to ten other sites. etc...
    It becomes apparent that everyone is telling everyone else about you.

    looks like this...
    http://static.guim.co.uk/sys-images/Guardian/Pix/pictures/2012/4/13/1334309538603/Collusion1.jpg [guim.co.uk]

  • by noobermin ( 1950642 ) on Thursday May 02, 2013 @11:53AM (#43611399) Journal

    "Self Regulated"

    Good! They don't need government intervention, soon the free market will offer a privacy-friendly service and the free market will eventually choose that over these other services that don't respect my privacy.

    But, don't regulate! Keep your government off my information-tracking ad service!
    The only thing that can stop a bad guy with a spying/tracking ad service is a good guy with a spying/tracking ad service.

  • by DdJ ( 10790 ) on Thursday May 02, 2013 @12:05PM (#43611571) Homepage Journal

    There's extensions for just about every browser. Good stuff.

    http://www.ghostery.com/ [ghostery.com]

  • by codepigeon ( 1202896 ) on Thursday May 02, 2013 @12:18PM (#43611719)
    Maybe that company that sells ringtones is really a front for the CIA/NSA? That's what I would do if I were them. Pretend to be an advertiser whilst collecting/building profiles.
    • Why would the CIA/NSA want to bother with pretending to be an advertiser? They can just buy up the information from a real advertiser for less effort. Private enterprise for the win (and humankind for the loss)!

      • It's not unusual for a national intel org to participate in, even form, any number of small legitimate businesses. It helps them in several ways. If it shows a profit, that's a source, however small, of off-the-books funds which can be used in a great variety of ways - whether helping sort out an unofficial defector or source, buy vehicles, rent apartments in different places around the world - again unofficial safe houses, one-off meeting places, etc.

        The companies can also provide a bit of legitimate cov

  • You wouldn't believe how much tracking is going on within a typical website. Even /. has some strange tracking service scorecardresearch.com. I'm not saying they are marketing scums of the earth, but their privacy policy doesn't say much. More 'mainstream' sites, e.g. huffingtonpost.com has no less than 11 3rd party tracking/login cookies.

    (Hmm... scorecardresearch.com seems to be everywhere, btw)

  • Oh come on! Major web sites have vetted these advertisers to ensure their accounts have sufficient funds to pay for the advertising.

  • by neiras ( 723124 ) on Thursday May 02, 2013 @01:16PM (#43612279)

    It lets the sites set their cookies, waits a few seconds (or until tab is closed), then nukes 'em. There's a whitelist for sites you actually use.

    https://addons.mozilla.org/En-us/firefox/addon/self-destructing-cookies/ [mozilla.org]

    I like this solution because you don't have to wait for Ghostery to add support for an advertiser, or an updated filter definition for adblock. EVERYTHING gets nuked, except the sites you care enough about to whitelist. It's a better default cookie policy.

    • Wow, a post about cookies from a privacy nut which I actually agree with!

      Expiring at the end of a browser session is indeed a good default cookie policy, and I see nothing wrong with a pop-up at the top of the browser window, similar to the "Do you want to save your password?", ActiveX warnings, etc, which states "The website at xnd.garbledgunk.adserver.goo[NOT VERIFIED] would like us to send data [view data] whenever this site is accessed, until September 1st, 2013. It gives the reason "Enhanced Browsing E

  • by Anonymous Coward

    If I visit a vendor's site and can't browse unless I enable the spy sites, I don't buy.

    I caught one of the cable companies (and state offices) doing this on the wrong side of an HTTPS connection
    and let them know that allowing those companies visibility on a secure connection was a bad idea.
    At best, (in the U.S.) it could be considered a HIPPA violation. It changed after I mentioned that.

  • This firefox addon blocks anything from 3rd party domains on any site you visit, but with a configurable whitelist for any sites you actually care about.

    https://www.requestpolicy.com/ [requestpolicy.com]

A committee takes root and grows, it flowers, wilts and dies, scattering the seed from which other committees will bloom. -- Parkinson

Working...