Even the Ad Industry Doesn't Know Who's Tracking You
jfruh writes "The Internet advertising industry is keen to stave off government privacy rules and opt-in-only browsers by loudly proclaiming its adherence to a self-imposed code of conduct. Yet a little digging shows that even "self-regulated" advertisers link to services that link to other services that nobody's really sure what they do. That's why, for instance, when you visit a page on the Sears website, your web browsing behavior is being collected by a company that sells ringtones and won't return emails asking about their privacy policy."
Oh... (Score:5, Informative)
Re: (Score:2)
You're right - the trackers are leeches, and we need to throw those blood suckers in a bucket of lye! I told you not to wade in the shallow end of the gene pool!
Re: (Score:3, Insightful)
Ghostery itself is a tracker: http://venturebeat.com/2012/07/31/ghostery-a-web-tracking-blocker-that-actually-helps-the-ad-industry/ [venturebeat.com]
I use a combination of ABP, DNTMe, and Firefox's built-in DNT flag.
Re: (Score:2)
Add NoScript and the disabling of all third-party cookies and you've pretty much got my browser security setup. I never really used Ghostery (tried it; settled with Do Not Track Plus). After reading that article, I'm glad I didn't... I'd rather not fuel these filthy scumbags.
Re:Ghostery itself is a tracker (Score:3)
Yeah, I admit I use Ghostery as an intermediate step. I got to like their organized layout, and haven't put in the 20 hours to really nail down a pure replacement. For me it's important not just to block junk, but to know *who was there in the first place* (and then block them!) I have learned a lot about which "magazine sites" etc use more or less trackers from Ghostery. It's taught me a lot. So no, not perfect at all, but not bad for a beginner to the topic.
Re: (Score:1)
If by "tracker" you mean "has clearly labelled 'opt-in to stats collection' checkbox on top of options page".
Don't want to be tracked by Ghostery? Don't turn on that checkbox! Problem solved.
Re: (Score:2)
What about DoNotTrackMe? I haven't seen an indication that they're like ghostery in that respect.
Their FAQ says: "we don't do advertising or data mining of any sort, ever."
Re: (Score:2)
Ghostery itself is a tracker: http://venturebeat.com/2012/07/31/ghostery-a-web-tracking-blocker-that-actually-helps-the-ad-industry/ [venturebeat.com]
I use a combination of ABP, DNTMe, and Firefox's built-in DNT flag.
No. Ghostery is not "a tracker."
Ghostery's data collection is opt-in. To share data with them, you have to click a clearly-labeled checkbox. There doesn't appear to be anything fishy about it.
Re: (Score:3)
like we can trust the web sites, ad networks, and (most) search engines to NOT track, even if it was 'banned'.
browser functionality to block such behaviour, at least client-side, will pretty much always be necessary.
Re: (Score:2)
Re: (Score:2)
The problem is that cross-domain cookie setting, and resource requests are a core functionality in web browsers... Not just for advertising, but simply a working site that loads remote resources.
So is JavaScript, but I still browse with NoScript on by default and selectively enable when I want JavaScript. Along those lines, I also use RequestPolicy [mozilla.org] to block cross-domain requests by default, and selectively enable pages that need it. This works "fine" for a surprising number of sites (I put "fine" in quotes because the experience is quite different than standard browsing: in many ways better, but in some ways worse).
Tracking Illegal in the U.S.? (Score:3)
(A) Tracking of those 13 years of age and younger is illegal, and
(B) trackers can't possibly know for sure who is 13 and who is not.
Re: (Score:2)
If that would happen, that would be awesome. But you know, if such a thing was on the verge of happening, the scumbags in the advertising industry would throw so much money and lawyers out there that they would end up distorting everything and making it legal anyway, for reasons only worthless, crooked assholes like them could come up with.
Oh, yeah (Score:5, Interesting)
for instance, when you visit a page on the Sears website, your web browsing behavior is being collected by a company that sells ringtones
The NoScript list of blocked domains on many (even legitimate) websites is scary indeed. One of my favorites is JavaScript from ru4.com required to be able to log in to your banking account on chase.com. Based on the name, it looks like a phishing website to me...
Re:Oh, yeah (Score:5, Informative)
From their whois record, ru4.com claims to be X Plus One [xplusone.com], an "enterprise" data-analytics company with a lot of finance-sector clients. So it seems reasonably plausible to me that Chase is contracting with them.
I don't get why large companies don't bring these things at least under their own subdomains, though. Even if you're having something hosted by a third party, it's not hard to set up its DNS at foo.chase.com.
Re:Oh, yeah (Score:4, Interesting)
From their whois record, ru4.com claims to be X Plus One, an "enterprise" data-analytics company with a lot of finance-sector clients.
Yeah, and the fact that ru4.com does not seem to resolve or redirect (the WHOIS record points to http://www.aboutus.org/ru4.com [aboutus.org]) makes it sound very legitimate :)
So it seems reasonably plausible to me that Chase is contracting with them.
They can contract who they want, but the fact that a random analytics company has to execute javascript on my computer before I can even login to my Chase account galls me a bit.
I don't get why large companies don't bring these things at least under their own subdomains, though.
Yes! And I have chase.com in the whitelist already -- such a move would solve everyone's problem.
Re:Oh, yeah (Score:4, Interesting)
From their whois record, ru4.com claims to be X Plus One, an "enterprise" data-analytics company with a lot of finance-sector clients.
Yeah, and the fact that ru4.com does not seem to resolve or redirect (the WHOIS record points to http://www.aboutus.org/ru4.com [aboutus.org]) makes it sound very legitimate :)
So it seems reasonably plausible to me that Chase is contracting with them.
They can contract who they want, but the fact that a random analytics company has to execute javascript on my computer before I can even login to my Chase account galls me a bit.
I don't get why large companies don't bring these things at least under their own subdomains, though.
Yes! And I have chase.com in the whitelist already -- such a move would solve everyone's problem.
Chase is a significant offender in this regard, as they change contractors semi-regularly. I often get alerts about new domains wanting access to chase assets.
But moving under chase.com wouldn't solve everyone's problem; I would no longer know that my data is being leaked, and Chase would suddenly be more accountable for their contractor's actions (as well as having to administer the DNS instead of letting their contractors administer their site).
Really, that's what subdomains are for though; everyone SHOULD be doing this. Of course, the ones you don't know about probably already are.
Re:Oh, yeah (Score:5, Insightful)
Good, because those contractors are doing this on behalf of Chase -- so ideally they couldn't do something like denying any responsibility because it was all done by the evil contractor.
They did it on your behalf, and you engaged them to do it, you are still responsible for it. You can't then say that what your contractors do isn't your problem.
Essentially it lets them do an end run around their privacy policy. "We don't collect or share" becomes meaningless when the people who do the work for you do collect and share.
Re: (Score:2)
Re: (Score:3)
I have a Chase account, and I have ru4.com disabled in NoScript, and I can log in just fine.
Re: (Score:2)
Better yet, why aren't they more transparent about it?
Re:why aren't they more transparent about it? (Score:2)
Because they like the current state of affairs. In a sense it's "sorta not that hard" of a problem, but they benefit from the current weak environment.
I bet any couple of guys in these companies know who does what, but they can carefully keep them separate from "corporate knowledge" and play dumb. For example, using the (I know, imperfect) Ghostery, in twelve seconds it gives you the list of all *seventeen* trackers on a typical page of IT World, but I bet 10 out of 12 PR reps couldn't name the complete lis
Re: (Score:2)
I think I'm equally divided on the agree/disagree factor here, and it's probably a little of both...
1. The company is too disorganized / doesn't know what they're doing, but they have enough sense to see the value of information, so they grab as much as they can, while valuable, they still don't really know what they have / what they're doing with it, these are prime hacker targets (iOS location tracking fiasco).
2. The company has bigger aspirations with the data they mine, the data is mined as thoroughly
Re: (Score:3)
Even if you're having something hosted by a third party, it's not hard to set up its DNS at foo.chase.com.
It's not hard to set up DNS, but it is hard to get third-party programs to use it. The browser requests the script from foo.chase.com, and that's hosted at ru4.com... but the script requests another script, likely without knowing it's supposed to be at Chase... so it'll request from ru4.com. The uncertainty is still there, but now it's hidden under another layer of obscurity.
Alternatively, the third-party script gets a custom-branded version for each major contractor, which increases development cost, or th
Re: (Score:2)
And which relative path do you suggest they might use in their master page / global header so that it works in all cases:
from http://chase.com/ [chase.com]
from https://chase.com/mortgages [chase.com]
from https://chase.com/banking [chase.com]
from https://chase.com/creditcards [chase.com]
from http://sub.chase.com/ [chase.com]
from http://www.chase.com/external/something/yourpagehere.aspx [chase.com]
Yes, it is easier to anonymously give out random useless answers than to actually think about the question.
Re:Oh, yeah (Score:4, Insightful)
for instance, when you visit a page on the Sears website, your web browsing behavior is being collected by a company that sells ringtones
The NoScript list of blocked domains on many (even legitimate) websites is scary indeed. One of my favorites is JavaScript from ru4.com required to be able to log in to your banking account on chase.com. Based on the name, it looks like a phishing website to me...
What I like is when you allow a website and then suddenly you have 30 new addresses on the noscript list. Mainly when trying to read articles or see the videos attached, it becomes a guessing game (based on domain names) on who you should allow so you can see the text, or vid.
Re: (Score:2)
Has anyone seen any pages that do this with ghostery or REQUIRE facebook or google scripts to run in order to load?
Re: (Score:2)
Re: (Score:1)
ru4.com ... , it looks like a phishing website to me...
That's a 3 letter domain name in the .com TLD, now that is a sign of a successful phishing sham.
Graph of web site third party dependencies (Score:5, Interesting)
I built a script to generate a graph of third-party resources a web page loads [dieweltistgarnichtso.net], which often represent advertising and tracking (sample output for Spiegel Online, a German newspaper [dieweltistgarnichtso.net]).
I also wrote a blog post about how advertising and tracking make sites slow (in German) [dieweltistgarnichtso.net] that contains even more graphs from when I ran the script in January 2013.
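Added example (not the commenter's script, which is not reproduced on this page): a small Python sketch of the same idea, listing the third-party hosts that a page's static HTML makes the browser fetch and emitting them as Graphviz DOT edges. The sample page, its host names, and the two-label "site" heuristic are assumptions made for illustration.

```python
# Added example: list third-party hosts referenced by a page and emit DOT edges.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a resource (simplified set).
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


def site_of(host):
    """Naive 'site' key: the last two DNS labels (assumption; a real tool
    should use the Public Suffix List so that e.g. example.co.uk works)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class ResourceCollector(HTMLParser):
    """Collects the host of every resource URL found in fetching attributes."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                # Resolve relative and protocol-relative URLs against the page.
                host = urlsplit(urljoin(self.page_url, value)).hostname
                if host:
                    self.hosts.add(host.lower())


def third_party_hosts(page_url, html):
    """Return the sorted hosts whose site differs from the page's own site."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    first_party = site_of(urlsplit(page_url).hostname)
    return sorted(h for h in collector.hosts if site_of(h) != first_party)


def to_dot(page_url, html):
    """Render page -> third-party host edges as a Graphviz digraph."""
    page_host = urlsplit(page_url).hostname
    edges = [f'  "{page_host}" -> "{h}";' for h in third_party_hosts(page_url, html)]
    return "digraph deps {\n" + "\n".join(edges) + "\n}"


# Constructed sample page (hosts are placeholders, not captured from a real site).
SAMPLE_URL = "https://www.bank.example/login"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="//cdn.bank.example/app.js"></script>
<script src="https://tags.analytics.example/t.js"></script>
</head><body>
<img src="https://pixel.tracker.example/b.gif?id=1" width="1" height="1">
<iframe src="https://widgets.social.example/like"></iframe>
<a href="https://partner.example/">not fetched automatically</a>
</body></html>
"""

if __name__ == "__main__":
    print(to_dot(SAMPLE_URL, SAMPLE_HTML))
```

This only sees what the static HTML references: scripts that load further scripts at run time are invisible to it, and a vendor served from a subdomain of the site itself is counted as first-party.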
Re: (Score:3)
Then you're using noscript the wrong way. Instead, use a whitelist of those places you need scripting active and block everyone else by default. Far easier on the system than the other way. Another issue is that firefox gets slower and slower to start/shutdown along with unstable the more you add to the blocked sites. The solution I found that works the best is a combination. I use the Noscript list to build a host file and block at that level. It's more effective and actually protects more of the system si
Re:This article is an apk summoning ritual. (Score:4, Insightful)
You realize you just did the equivalent of saying "Beetlejuice" three times, right?
Are you Evil? (Score:2)
All we need is a form with a couple of checkboxes.
1. Are you Evil? [ ] Yes [ ] No
Then we just need a few people to define Evil
for several contexts, add a followup question for kicks,
and we're done.
Re: (Score:3)
1b. If you answered No to the above, you will be marked as Evil.
Re: (Score:2)
RFC 3514 [ietf.org]. Why re-invent the wheel with new standards?
Re: (Score:1)
and yet... (Score:4)
... and yet they whine and moan about people using adblockers and such.
Shut up, bitches. You made your bed, now you get to sleep in it.
LOL ... (Score:5, Insightful)
And according to DoNotTrackMe, TFA has beacons for 5 tracking companies, plus two social media sites. So ITWorld are just as guilty of this shit as everyone else.
I swear, between NoScript, AdBlockPlus, DoNotTrackMe, and blocking/deleting cookies -- I'm *still* not sure how much crap is out there I'm missing.
I don't feel the slightest bit of guilt for blocking these sites so some marketing asshole can collect data.
Re: (Score:2)
And according to DoNotTrackMe, TFA has beacons for 5 tracking companies, plus two social media sites. So ITWorld are just as guilty of this shit as everyone else.
I swear, between NoScript, AdBlockPlus, DoNotTrackMe, and blocking/deleting cookies -- I'm *still* not sure how much crap is out there I'm missing.
I don't feel the slightest bit of guilt for blocking these sites so some marketing asshole can collect data.
I run those exact same addons you do in firefox along with Social fixer plus to actually straighten out the mess facebook is, Cookies Manager+ to see all my cookies and block cookies, and finally Element hiding helper for adblock plus which comes in handy. My wife insists on me playing that "oh so popular game" on facebook called Songpop.
With element hiding helper I ended up having to block five or six items that even adblock plus missed so they won't show. And now lately I've come across the RARE sites tha
Re: (Score:2)
I haven't seen that, but any site which makes that suggestion will simply get a back button and then ignored.
They all say they need ads to run, and that they have a privacy policy, but then they don't even know who all is getting to see your browsing habits.
No thanks.
Re: (Score:2)
I haven't seen that, but any site which makes that suggestion will simply get a back button and then ignored.
Really? You've never been to hulu.com? I get at least a couple of them every show I watch through them. I just wait it out, though. The clock just ticks the seconds down until the black-screened warning goes away and programming resumes.
Re: (Score:2)
Nope ... because I just don't care.
Re: (Score:1)
And according to DoNotTrackMe, TFA has beacons for 5 tracking companies, plus two social media sites.
You missed quite a few.
Ghostery reports 17 (!) beacons:
Adhere, Adobe Digital Marketing, BlueKai, Demandbase, Digg Widget, Disqus, Dynamic Logic, Eloqua, Facebook Connect, Google +1, Google Analytics, Krux Digital, LinkedIn Widgets, New Relic, Quantcast, Scorecard Research Beacon, ShareThis
Nice collection!
Re: (Score:2, Insightful)
Great idea! You could even raise additional funds by collecting and reselling info about what your users are browsing. Maybe even insert some relevant product-based sponsored informational links into the proxied pages?
Re:I'll tell you what I'm thinking (Score:4)
Sorry for the cynicism. I agree that stripping out all the junk is a great idea. The question is where to do this. Working through a third-party proxy as described above is great if the proxy is trustworthy. Unfortunately, it just adds another link in the chain that, if the idea takes off, would be attractive to scumsucking privacy invaders to exploit with their own deceptive variants. Working towards privacy-by-default on the browser side seems to me a better approach. Wouldn't it be cool if a default Firefox install would require the user to add a bunch of plugins if they wanted to unblock ads and tracking? Better browser privacy design to prevent "data leaks" (like what the EFF is trying to study with Panopticlick [eff.org]) can provide much of the benefit of proxies without requiring extra layers of trust (and costs for proxy operation).
Install Collusion (Score:3, Informative)
Install Collusion add-on into your Firefox browser and monitor it while surfing. After visiting a few web sites you will see links forming to ten other sites. etc...
It becomes apparent that everyone is telling everyone else about you.
looks like this...
http://static.guim.co.uk/sys-images/Guardian/Pix/pictures/2012/4/13/1334309538603/Collusion1.jpg [guim.co.uk]
No need for government. (Score:4, Funny)
"Self Regulated"
Good! They don't need government intervention, soon the free market will offer a privacy-friendly service and the free market will eventually choose that over these other services that don't respect my privacy.
But, don't regulate! Keep your government off my information-tracking ad service!
The only thing that can stop a bad guy with a spying/tracking ad service is a good guy with a spying/tracking ad service.
Re:No need for government. (Score:5, Insightful)
Apparently you missed the part where they're stunningly incapable of self regulating.
Self regulation is corporate speak for "let us do whatever the hell we want and leave us alone".
Re: (Score:3)
Poe's Law bro, Poe's law ...
Yay Ghostery. (Score:3)
There's extensions for just about every browser. Good stuff.
http://www.ghostery.com/ [ghostery.com]
Re: (Score:1)
There's extensions for just about every browser. Good stuff.
http://www.ghostery.com/ [ghostery.com]
There's also https://www.abine.com/dntdetail.php [abine.com] which is what I decided to use after being a longtime Ghostery user especially since it would appear that Ghostery has had some memory hogging issues lately.
not responding to emails (Score:3)
Re: (Score:2)
Why would the CIA/NSA want to bother with pretending to be an advertiser? They can just buy up the information from a real advertiser for less effort. Private enterprise for the win (and humankind for the loss)!
Re: (Score:2)
It's not unusual for a national intel org to participate in, even form, any number of small legitimate businesses. It helps them in several ways. If it shows a profit, that's a source, however small, of off-the-books funds which can be used in a great variety of ways - whether helping sort out an unofficial defector or source, buy vehicles, rent apartments in different places around the world - again unofficial safe houses, one-off meeting places, etc.
The companies can also provide a bit of legitimate cov
That's why I block 3rd party cookies by default (Score:2)
You wouldn't believe how much tracking is going on within a typical website. Even /. has some strange tracking service scorecardresearch.com. I'm not saying they are marketing scums of the earth, but their privacy policy doesn't say much. More 'mainstream' sites, e.g. huffingtonpost.com has no less than 11 3rd party tracking/login cookies.
(Hmm... scorecardresearch.com seems to be everywhere, btw)
We verified it. (Score:1)
Oh come on! Major web sites have vetted these advertisers to ensure their accounts have sufficient funds to pay for the advertising.
Use Firefox? Get Self Destructing Cookies add-on (Score:5, Interesting)
It lets the sites set their cookies, waits a few seconds (or until tab is closed), then nukes 'em. There's a whitelist for sites you actually use.
https://addons.mozilla.org/En-us/firefox/addon/self-destructing-cookies/ [mozilla.org]
I like this solution because you don't have to wait for Ghostery to add support for an advertiser, or an updated filter definition for adblock. EVERYTHING gets nuked, except the sites you care enough about to whitelist. It's a better default cookie policy.
Re: (Score:2)
Wow, a post about cookies from a privacy nut which I actually agree with!
Expiring at the end of a browser session is indeed a good default cookie policy, and I see nothing wrong with a pop-up at the top of the browser window, similar to the "Do you want to save your password?", ActiveX warnings, etc, which states "The website at xnd.garbledgunk.adserver.goo[NOT VERIFIED] would like us to send data [view data] whenever this site is accessed, until September 1st, 2013. It gives the reason "Enhanced Browsing E
NOSCRIPT (Score:1)
If I visit a vendor's site and can't browse unless I enable the spy sites, I don't buy.
I caught one of the cable companies (and state offices) doing this on the wrong side of an HTTPS connection
and let them know that allowing those companies visibility on a secure connection was a bad idea.
At best, (in the U.S.) it could be considered a HIPAA violation. It changed after I mentioned that.
Requestpolicy (Score:2)
This firefox addon blocks anything from 3rd party domains on any site you visit, but with a configurable whitelist for any sites you actually care about.
https://www.requestpolicy.com/ [requestpolicy.com]
It's not just the ad industry and other companies (Score:1)