DoubleClick DoubleCross

Slav writes "We've known for a while that tracking of Web users was possible and a few companies have been experimenting with it on a small scale. Now DoubleClick, Inc. has confirmed that it's tracking Web surfers [by name and address] with the help of the databases of its newly acquired Abacus Direct." Every site that you visit which has a DoubleClick ad - all 11,500 of them - can be notified of your name, address, phone number, etc., as soon as you visit the site. Or to look at it another way, your consumer profile in the gigantic Abacus database (hundreds of fields of data for essentially every person in the United States) will now include information about what Web sites you visit.

Re:Realy Bad?

If that floats your boat, go for it! In exchange for your customized advertising: Every click is:..FOREVER ..FOREVER ..FOREVER ..FO REVER ..FOREVER ..FOREVER ..FOREVER..FOREVER ..FOREVER ..FOREVER ..FOREVER ..FOREVER ..FOREVER ..FOREVER..FOREVER ..FOREVER ..FOREVER ..FOREVER..FOREVER ..FOREVER ..FOREVER ..FO REVER ..FOREVER ..FOREVER ..FOREVER..FOREVER ..FOREVER ..FOREVER ..FOREVER ..FOREVER ..FOREVER ..FOREVER..FOREVER ..FOREVER ..FOREVER ..FOREVER..FOREVER ..FOREVER ..FOREVER ..FO REVER ..FOREVER ..FOREVER ..FOREVER..FOREVER ..FOREVER ..FOREVER ..FOREVER ..FOREVER ..FOREVER ..FOREVER..FOREVER ..FOREVER ..FOREVER ..FOREVER..FOREVER ..FOREVER ..FOREVER ..FO REVER ..FOREVER ..FOREVER ..FOREVER..FOREVER ..FOREVER ..FOREVER ..FOREVER ..FOREVER ..FOREVER ..FOREVER..FOREVER ..FOREVER ..FOREVER ..FOREVER..FOREVER ..FOREVER ..FOREVER ..FO REVER ..FOREVER ..FOREVER ..FOREVER..FOREVER ..FOREVER ..FOREVER ..FOREVER ..FOREVER ..FOREVER ..FOREVER..FOREVER ..FOREVER ..FOREVER ..FOREVER..FOREVER ..FOREVER ..FOREVER ..FO REVER ..FOREVER ..FOREVER ..FOREVER..FOREVER ..FOREVER ..FOREVER ..FOREVER ..FOREVER ..FOREVER ..FOREVER..FOREVER ..FOREVER ..FOREVER ..FOREVER..FOREVER ..FOREVER ..FOREVER ..FO REVER ..FOREVER ..FOREVER ..FOREVER..FOREVER ..FOREVER ..FOREVER ..FOREVER ..FOREVER ..FOREVER ..FOREVER..FOREVER ..FOREVER ..FOREVER ..FOREVER..FOREVER ..FOREVER ..FOREVER ..FO REVER ..FOREVER

Re:Opt-Out

[earlytime]

well it's fairly simple to argue that banner-ad clearing houses like double click make the cost of individual banner ads cheaper for the advertiser. Hence the advertiser may buy more ad space on more web sites. Even Taco will tell you that without ad revenue, slashdot would have gone bankrupt long ago. Advertising is not an inherently bad thing. At it's most basic level, it allows producers to educate consumers about their product offerings in a relatively non-intrusive way.
Consider commercials versus tele-marketers. I'd prefer that the companies calling about all their crap would do commercials/banner-ads instead of calling me. That way I won't feel so violated when they pitch their products. When you call me day and night about some crap, even something I might want to buy, I can't just say "I don't wanna hear it, so I won't answer the phone." I pay for my phone, and I do expect that friends and family wanting to talk to me will call me from time to time. With commercials/banner-ads, I can choose to watch the ad, switch the channel, scroll the page, etc if I dont't want to hear your pitch. What I find happens often with both commercials and banner ads, is that since I only see them on the channels/sites where I have an interest,(as opposed to just being displayed on my screen from time to time the aol or geocities way) they are far more likely to be an ad for something I'm interested in. So I'm more likely to listen, read, inquire + buy.
In essence what I'm saying is that yes, we do get something back from advertising in the form of:

• information about new products and services
• financial support for sites/channels/shows that otherwise would not exist, or would have to charge for access
• increased competition from content providers to attract and hold our attention (to help bring in the ad revenue of course)
• sometimes entertaining ads

so you see, banner ads, or even cookies, are not the problem. The problem with the double-click thing is that the web surfer is being covertly tracked and logged in their travels around the web. Filtering out _all_ ads/cookies wil not simply subvert doubleclicks attempts at tracking you, but it could stifle the means by which many a web site makes the $$$ to keep serving up that porn^H^H^H^Hcontent, yeah content, that's the ticket.
Of course, you are free to chose whether you, or the network you manage, will participate in the whole banner ad/cookies thing. I would be cautious however in choosing to replace banner-ads with banners of your own making. You could be opening a can of worms in regards to redistributing or modifying the copyrighted content of a particular web site. Several web sites have won lawsuits claiming that by altering their content, or putting it in a frame, you are violating their copyright on the content. It's the notion that ISPs have "common carrier" status that grants them some immunity from this kind of suit. However, if you start selectively modifying the ads that come through, you may be crossing that line from ISP for your students, to being a content provider. I would simply allow or deny all ads to keep that line clear. Otherwise, you could simply sell the (cached) banner ad space to advertisers who want to reach your students. Again, an extremely risky proposition.
-earl

Realy Bad?

I am not sure, if it's really that bad to get targeted banners. If doubleclick knows my interests and preferences, they can only send aadvertisment for services I am interested in. This is much better than being spammed wirh banners I am not interested in.

Sure, I'll set up an internet account tonite!

[reality-bytes]

Seriously, I will, then I'll send you a cookie :)

Re:Sure, I'll set up an internet account tonite!

[spodpit]

Assuming that cookies get modified over time depending on where you go, wouldn't it be slightly better to have a group of x people.

They start by all using the cookie from person 1, then after a set period of time (1 week - 1 month say) they all start using the copy that person 2 has, then person 3 ... and so on. This way, even if the cookie value changes they'll be denied tracking information!

Re:Bad

[Audin]

Netscape will allow you to reject all cookies or it can be set to warn you before accepting cookies. This may not be the most efficient way of stopping them, but it does work.

This isn't terribly safe, though... letting just one doubleclick cookie through will let them track you from that point on. It's quite easy to screw up when you're trying to work your way into some site which tries to set 20 cookies per page. A much better option is either a blocker like Junkbuster, or aliasing.

Information wants to be free

... as another slashdotter says: "that includes your personal information."

Take all your MP3 and DeCSS arguments and apply them here: "information wants to be free", "if I can see it then I can rip it", "you can't stop technology", and the blatant lie of "I only do this for legitimate purposes." (that is only a blatant lie for some people ... but it's only a blatant lie for some companies in the consumer tracking business too).

See, now Doubleclick is using those arguments right back on you. And as you develop cookie filters and ipchain filters and DNS filters, they'll just develop better tracking tools.

Information wants to be free!

How does it feel?

Re:Information wants to be free

So long as we have tcpdump, we will prevail.

Re:Information wants to be free

[Rakarra]

Here's some irony. BIG story about cookies and crushing implications on privacy. What do people do? They gripe about it, using their cookie-required accounts! I just don't understand people. Ok, kiddies, one more time:

COOKIES ARE EVIL!!!

Ummm, no. Cookies are not inherently evil. They are only a problem if they're used to track you over multiple sites, and slashdot doesn't do that. That's blaming stabbing deaths on knifes -- they have good legitimate uses, but are misused in some cases. That doesn't make them evil.

Probably -- misrepresentation & fraud

[KMSelf]

If a company says it's going to do one thing, then does another, then they're open for a whole mess of legal problems -- misrepresentation, fraud, etc. A legal friend of mine is interested in pursuing this idea on the spam front -- include a header which says "this message is not spam", allowing people to filter on it. Including this header (a non-default, BTW) in mail which is spam then becomes legally actionable.

Similar logic applies to Doubleclick. Do I give them the chance. No.

Yes, the law can be your friend.

What part of "Gestalt" don't you understand?

Privacy... did anyone else notice?

[Esjion]

From the article:

"Moreover, he adds, DoubleClick itself would hand over to privacy
advocates the list of participating companies if it could. But as in many
lines of business, partners frown when their relationships are disclosed
without their permission, he says."

Ok, am I the only one that has a problem with this? The companies involved would frown on their information being passed to us, but through this "service" our information gets passed to them, and most people probably don't even realize their information is being sent (let alone knowing that they can opt out).

If they are getting people's personal information, those same people should be able to know who the companies are as well. Why should their privacy be protected while mine is so blatently abused? Oh, wait, they have the money. That's right.

btw, mindstrm, do you have a link to these privacy laws? I can go look for them, but thought I would ask.

Re:Privacy... did anyone else notice?

[Esjion]

Actually, I believe they are not law at all. I was describing how it should be, not how it is.

That's too bad. I liked your description, and I agree that is how it should be. I may have to look into finding a link or additional info on the EU privacy laws - might be interesting to read.

Thanks for the info.

Re:Privacy... did anyone else notice?

[mindstrm]

Actually, I believe they are not law at all. I was describing how it should be, not how it is.

EU e-commerce laws, apparently, are similar to this though, mainly dealing with credit card info and other stuff. Sorry, I have no link, but I recall that the EU has some policies that to do e-commerce with the EU, you must follow their strict privacy rules.
ie: contact/name info can be provided for payment, but it is *forbidden* for the company receiving it to use it for anything else.

And you are right.. it is completely screwed up that these companies can tell DoubleClick who *I* am, as their customer, but DoubleClick cannot tell *me* about their customers ;)

Re:Anybody have a list of Dblclick sites?

[ardinos]

As a former employee of DoubleClick I can help you with some info here. Doubleclick maintains a network of sites that they don't host, but merely provide all advertising for. The network is pretty large and I'll guarantee you've hit thier sites before.

Doubleclick when I was there wasn't matching cookies to names and addresses because they knew people would holler like mad if they thought they could be tracked down like that.

I don't think you really have to worry about getting junk mail or anything as a result of the info they have. Then again that may have changed in the year since I worked for them, who knows.

Re:Couldn't the database be poisoned?

[B1]

Say there's someone at your work you don't like. Say they are happily married. Say they have a deeply religious family...[snip]...Wouldn't doubleclick's 'targeted marketing' then cause this person to receive all sorts of customized pornographic advertisement on their browser and in their mail?

Good thinking! Just be careful that it doesn't backfire somehow...I can see it now...

"Martha, this is the tenth pornographic banner ad I've seen tonight. The internet has way too much pornography on it. We must ban it, or make censorware mandatory...just think of the children!"

Re:Cookie crumbs

[IIH]

Another thing I have noticed recently is an increasing number of browsers that ignore the rules on accepting invalid cookies. There are a number of criteria that a cookie must fulfil, and if it's invalid, it must be rejected. I'm mainly thinking about the domain setting.
From RFC2109:
To prevent possible security or privacy iolations, a user agent rejects a cookie (shall not store its information) if any of the following is true:

1. The value for the Domain attribute contains no embedded dots or does not start with a dot.
   
2. The value for the request-host does not domain-match the Domain attribute.
   
3. The request-host is a FQDN (not IP address) and has the form HD, where D is the value of the Domain attribute, and H is a string that contains one or more dots.

Basically, 1 means you can't set a cookie for .com, 2 means you can't set a cookie for another site, and 3 means you can only set a cookie 'up' on domain (eg www.host.co.uk can't set a cookie for .co.uk)

However, I've seen the last one uses more and more by sites, hotmail being one example. One of Hotmail's servers lc2.law5.hotmail.passport.com sets a cookie for .passport.com, which is an invalid cookie, and by rights should be rejected. Of course, if your user agent is correct about cookies, then Hotmail will not work.

This may not seem a problem if you usually browse sites with .com etc, but a lot of countries have a sub division for commerical under the country name - eg .co.uk. I don't want a site to be able to set a cookie that is valid for the entire uk commerical network, but currently there are no user agents (bar lynx which alerted me to the problem) that will reject invalid cookies like this.

--

Re:Opt-Out

[grumpy_geek]

I'm sure they would be willing to pay for their portion of the bandwidth... Of course you would have to start sending a check back to the website for your bit of the bandwidth....

When was the last time you sent a check to slashdot, paying for the bandwidth you are using? Hmm... I guess someone thought that bandwidth only costs the end user; and that websites are free, as in free beer.

Fight Back!! Re:Time for a new Mozilla module.

[BeBoxer]

Actually, I've thought a little bit about this, and I think I 've got an idea that might be a little more fun.

Of course, you should be able to specify the domains that you always accept cookies from, and the domains that you never accept cookies from. But, what could be an entertaining third option would be to send a fake cookie to the domain. I'm thinking of some simple configuration where you could set a fixed prefix, and have it add the right number of numbers and/or letters onto the end of it. Lot's of sites just use something simple like:
"ID=nnnnnnnnnn". So, you just make up a random number each time you send them a cookie. End result? Their database starts filling up with random junk, and/or their error logs start growing with strange errors. If enough people were doing this, it could become a real headache for the cookie monsters.

Another interesting possibility, which is more involved, is some sort of anonymous cookie exchange. When your browser got a new cookie, it could automatically upload it to the cookie exchange server. The server would then send you a whole list of other matching cookies to use randomly. This would prevent the cookie sites from using large cookies with CRC's or MAC's to detect spoofed cookies. Since they would all be real, legit cookies, they would all be accepted by the tracking site. End result? Lots of random records with little to no marketing value.

I doubt that Netscape or IE would ever decide to pick up such a feature, but that's the great thing about Mozilla. They don't have to.

Junkbuster!

[sbeitzel]

You may want to take a look at setting up a Junkbuster proxy server on your web browsing machine. There are proxies for *nix and Win32. I've set 'em up on my FreeBSD box, my NT box, and my Win98 box, then configured my web browsers to use the appropriate proxy. It's sweet!

Re:Junkbuster!

[muleboy]

Junkbuster allows you to set up a list of "allowed" cookies sites whose cookies can get through. I wish it had an option to pass through when it blocks a link I want, instead of having to edit the configuration or disabling proxy in the browser to see the link.

Re:Junkbuster!

[Rob_u]

Hm... a special passthrough link on the "blocked site" page. Doesn't sound too hard to code up. I think I'll write that, in fact.

Re:An Obvious Solution...

[spodpit]

> This is quite obviously a horrendous invasion of privacy on the part of doubleclick,
> and a boycott (of sorts) should begin immediately.

A possible suggestion for those of us in the UK, which I'd like some input on:

www.freeserve.net (and probably other UK sites as well), get there adverts from ad.uk.doubleclick.net - from it's name and where it traceroutes to (pipex.net) it's based in the UK.

Is there anyway that we can use the data protection act (think that's the right one) and demand a copy of all the information they have on us. If enough of us do this, it's going to be rather time consuming for them ...

Also, if you're a Freeserve subscriber then it might be worth writing an email/letter of complaint to Freeserve suggesting that you're very unhappy about their use of doubleclick and that you're considering switching to another ISP. (Freeserve may not get any money off you directly, but they don't have whine when call minutes are down!)

Re:EVERYONE E-MAIL THESE ADDRESSES

[niagaracyber]

What if the pro-privacy community dug up names and all kinds of personal info on the executives involved in making these decisions at Double-Click, and spread it all over the net? Sort of a taste of one's own medicine.

Corporations don't feel anything, people do, and the people who make these kinds of decisions - and who lie about them - often feel they can act with impunity.

-Dave

ad filtering proxies

[kalaleq]

does anyone have any thoughts on the various ad filtering proxies out there? i've tried adzapper, which was quite nice but seemed to drop requests from my browser or something every so often, so that the browser would just sit there churning its wheels; i've tried cut the crap but it didn't seem to perform too well, and i've tried various others that just didn't quite seem up to snuff in various ways.

to anyone who thinks i'm cheating them out of much-needed revenue, just imagine i'm using lynx. which i do half the time (not now). lynx is nice - no ads, no distracting blinking graphics... all of which have their places, but most of the time they're just annoyances.

the thing i hate most about doubleclick and other ad sites like it is the fact that my browser has to make another connexion to their servers, and quite often they seem to be slower than the site i'm visiting. hm, not to mention all those port scans they do to my echo port, which they've told me is to determine which server will serve the ads to me most quickly.. not that it seems to work...

Re:ad filtering proxies

[palerider]

www.webwasher.com

wonderful little piece of software

Re:ad filtering proxies

[palerider]

www.webwasher.com wonderful little piece of software

Re:Ok. I'm scared now.

[Megane]

Co-incidentally, I installed Netscape 4.7 on my machine that only had IE installed. One of the first sites I went to featured a doubleclick ad for Telus, the phone company where I live. I never gave out any information about myself with the new browser, so they are definately tracking beyond just the cookie files. Either they are doing reverse-DNS lookups, or track the fact that I had just been logged in with the same IP with a different browser and made the transistion themselves.

Did you fill in your e-mail address as requested when you installed Netscape? They can get that information without using cookies. Then when you connect to them, wham bam, they can give you a freshly baked cookie based on a database lookup of your e-mail address.

IMHO, a web browser should be used only for web browsing, and not for reading usenet or email. So I always set my email address to "president@whitehouse.gov" or some similar bogosity.

One other possiblity is that they could have looked up your IP block geographically. Even with ISPs that are located in more than one city, the dialups themselves have fixed IP block ranges, so it is not impossible to determine your city from your IP address. It just takes time to build the database.

Re:Bad

letting just one doubleclick cookie through will let them track you from that point on.

Even if you tell Netscape to not send cookies and delete your cookie file? How is that possible?

Corrupt the data

[Keepiru]

Even better than blocking the ads, would be corrupting the data that they retrieve. A cron job that randomly changes your cookie for them every 5 minutes, or a proxies that randomly changes it should do the trick.

Re:IANALAY?

[lovebyte]

IANAL either, but I doubt tracking people without their knowledge is legal in the European Union. There is a law on privacy that all 15 EU countries have signed (but one. the Netherlands. Shame on you! It has been said that the average Dutch person has got some information stored about him in 400 databases! Scary.). This law implies that no data should be kept about someone without his/her knowledge. Unfortunately, who's going to sue anyone? The poor web surfer? I don't think so. We need a consumer association to do it.

Won't work for some

[Jenova]

Well just a note. That method won't work if you are forced to connect through a non transparent http proxy.

Re:Won't work for some

It should work if you tell your browser not to use the proxy for those domains, or possibly just for the loopback address.

Grep -v on your cookies file...

I help some novices, and they are lothe to turn off cookies. Instead, I just purge doubleclick from thier cookies file each time they start the machine. From memory, the line near the end of rc.local looks something like this;

cat /home/username/.netscape/cookies | grep -v doubleclick | grep -v yadda.yadda.yadda > /home/username/.netscape/cookies

The username is hard coded since the machine isn't used by anyone else. Anyone who knows a better way of doing this, let me know!

are they telling us everything?

[Rainer]

> DoubleClick defends the practice,
> insisting that it allows better targeting
> of online ads -- and thus makes
> consumers' online experiences at
> once more relevant and more profitable
> for advertisers.

If all they want to do is target their ads they could set up a page where we could customize their ads. (lots of checkboxes)

Then they could place a cookie on the users machine that tells them *exactly* which ads to serve to which user.

So we could keep our privacy and they could save the costs for maintaining a large database.

Just guess why they are not choosing the simple way!

--
PGP-Key ID: DSS: 0xB4C11ED9 RSA: 0x682F4f5D

Re:Yes, yes, yes, yes, yes

[cloudmaster]

As a junkbuster alternative, you can use squid and this redirection script to block out web pages, and also do some cool caching proxy stuff that made squid popular (it's great if you have a masq'd dial-up with a few machines that all check similar pages).

My blocklist is available here, and via anonymous rsync at rsync://cloudmaster.com/redir/redir
Assuming you already have squid up and running, you can just

• mkdir /var/squid/blocker
• echo "redirect_program /var/squid/blocker/squid.redir" >> /etc/squid.conf
• rsync -v rsync://cloudmaster.com/redir/* /var/squid/blocker
• cd /var/squid/blocker
• make

At least, I think that will likely work. You get the point... :) It'd prolly be better to just get the distrib from the other link, and then see if anything's in my blocklist that is desirable and isn't in the official distribution.

Re:Opt-Out

[spodpit]

> This is not "your bandwidth".

It sounds like he's in the UK, where he's paying by the second for his bandwidth (assuming it's either analog modem or ISDN), personally I'd say that makes it his - and if he doesn't want traffic from a certain site using it up, then that's his choice.

As for paying with bandwidth - why should *I* pay for the dubious honour of receiving advertising, if you want to send me advertising then I want paying for it. As soon as doubleclick start offering money to offset the money I'd have to spend downloading their adverts, I'll start considering downloading them ...

Re:Bad

[Keepiru]

Alright, I'll admit I replied to this so that I could be near the top, but, instead of just blocking the ads, why not screw up thier database? The database is based off of the number in the cookie, that is how it identifies you, why not change it every 5 minutes, to a new random number, a simple cron job should do the trick, of for the more ambitious, take an active approach and create scripts that actually go out and give them false information.

Re:Dynamic IP?

[sterno]

Double Click does not actually provide any content. All they are is an ad banner company. You've probably run across countless sites that use double click's banners, but you never noticed.

The tracking works regardless of IP address because the information is stored as a cookie. The cookie remains consistent on your browser even if you change IP addresses.

---

Suggestion for a technical solution in Mozilla

I suggest the following feature to be added to Mozilla:

Accept to send cookies to the host where the main page in a HTTP request originates from.

For example, if you load a page from www.slashdot.org, and this site includes graphics from www.doubleclick.net, the no cookie should be sent to www.doubleclick.net. However, if the graphics comes from www.slashdot.org, then a cookie can be sent with the request.

This should stop some of the problem. Of course, sites can simply proxy the connections to www.doubleclick.net, but I still think this is a technically sound restriction to have in any browser.

Router-level blocking

We already do at my company, all routers are configured to block ad sites such as doubleclick. Advert companies (online or not) do really suck anyway.

Ad filtering on Windoze

[HarryTuttle]

Don't think anyone's posted about WebWasher. It's pretty useful and is free for non-commercial use.

Interesting...

[Millennium]

However, in the end you miss the point. There is a difference between DeCSS and DoubleClick.

The difference: DeCSS was made under a non-profit situation. DoubleClick's tracking reeks of commercialism.

Information wants to be free. But DoubleClick wants to sell the information. Information it didn't even let the people know it was gathering. There is your difference for you.

Re:Interesting...

[Rakarra]

DeCSS was made under a non-profit situation. DoubleClick's tracking reeks of commercialism. (and) But DoubleClick wants to sell the information.

So what? A bad action is still a bad action whether or not you're making money on it or not. I think most objections to privacy violations are those: objections to an invasion of privacy, NOT just that privacy was invaded so someone could sell the information rather than give it away. If doubleclick GAVE away all their information to corporations rather than selling it (almost impossible scenario, since it would be a bad business model, but this is a hypothetical situation), I would still be complaining just as loudly, as would most privacy advocates.

Re: Uh.

[Kibbled]

Hmm... and you get moderated... up?

Anybody have a list of Dblclick sites?

[Grabble]

Step 1: find list of Doubleclick advertisers

Step 2: string-compare to browser's history file

Step 3: determine if I've filled out any forms at doubleclick "partner" sites

Step 4: holler at said webmaster

If you know of a list of Doubleclick sites, kindly post it.

Re:Anybody have a list of Dblclick sites?

[Grabble]

Right. Thanks for replying, though. Flycast publishes a list of all the sites in their network. Does Doubleclick do the same? I'm looking to answer this question...

What are all the sites that use to DoubleClick serve any portion of their ad inventory.

Mozilla open source solution

[yuriwho]

The greatest gift that the open source movement can give to consumers will be privacy! A web browser that can protect your privacy. We need a solution that any newbie can use. Just download the browser and you are now anonymous when you want. I noticed many savy posters tell us to set up firewalls and allow/disallow packets from certain IP addresses etc. but we NEED a solution that works for the newbie.

Is it possible to do IP spoofing via a browser? Never mind the cookies, they will track us with IP addresses. What I want is a button on mozilla that toggles whether I reject cookies, adds and spoofs my IP address or recieves cookies, ads and sends my real IP for any given site I am looking at, in real time. Is this possible?

This may become the biggest issue on the net. Most slashdotters can probably figure out how to avoid tracking but we need a solution for idiots.

I would love to hear suggestions.

here

linuxtoday.com/ltbs/*
*.bfast.*
ads*.*.*
ads*.*.*.*
*.flycast.*
*.netscape.com
messenger.netscape.com
209.207.224.220
www.clickXchange.com
email.cnn.com
/blipverts/
static.wired.com
www.hotwired.com
rd.yahoo.com
nsads.hotwired.com
www.tek.com
x25.futurequest.net
usa.nedstat.net
w23.hitbox.com
*.hitbox.com
view.avenuea.com
/*.*ad.info.gif
tracker.clicktrade.com
rd.yahoo.com
as5000.wunderground.com
http://www.gamefan-network.com/
www.about.com
www.123webhost.com
www.hitbox.com
www.amazon.com
www.findcommerce.com
*.valueclick.com
www.pcworld.com
ngserve.pcworld.com
*.flycast.com
www.graverobber.com
#/*.*cgi-bin
images.cnn.com
/shop/
/SHOP/
/*.*ad-bin/
/*.*redirect
www.cnn.com/cgi-bin/redirect?free_email
gc1.freeshop.com
pic.geocities.com
a196.g.akamaitech.net
www.cnn.com/event.ng/
/event.ng/
/jump/
barnesandnoble.bfast.com
# Illustrative Blockfile for the Internet Junkbuster

# The following line illustrates how to block a port (port 23 is telnet)
:23
# for more detail see http://www.junkbusters/com/ht/en/ijbfaq.html#attac k

# To block a particular URL, you can list it in full (omit the http://):
www.junkbusters.com/images/space.gif
ads2.zdnet.com
ad.uk.doubleclick.net
gp2.deja.com
web2.deja.com
gp.deja.com
# Almost all the following examples are commented out. To make them work,
# remove the comment so that this:
# www7.suckerfinder.com/cgi-bin/compost_tumbler/stra yed-in-from=14387
# looks like this:
www7.suckerfinder.com/cgi-bin/compost_tumbler/st rayed-in-from=14387
gp2.dejan.com
gp2.dejan.com
g.deja.com
q.deja.com
*.zdnet.com
# You can chop off parts on the left and right to get a broader block:
suckerfinder.com/cgi-bin/compost_tumbler/

# To block an entire site, simply include its domain name:
# ad.manipumedia.net
# patentlyoffensive.com
gp.*.*
# With no hostname, a pathname blocks regardless of the domain name:
# /images/banners/mindless/
# /bandwidth-hogs/
/adverts/
*.valueclick.*
ad.*.*
# Provided pattern matching option was used in the Makefile (now the default)
# you can use patterns such as
# the /*.* allows matches anywhere in the URL
/*.*banner
#/*.*cgi-bin
/ads/
*free.email*
/*.*click
www.dejanews.com/jump/
web2.dejanews.com
# /*.*/DespisedProductName.*.gif
# you can put * in the domain part only, not the path.

www.himemsys.com/
ad*.*.*
ads*.*.*
ads2.*.*
/*.*ads
# For more details see http://www.junkbusters.com/ht/en/ijbfaq.html#regex

# The ~ character in column one stops blocking if a previous pattern matched.
# The last match wins, so these exceptions are usually placed at the end.
# ~mycompany.com
image.pathfinder.com

All of Doubleclick's Networks!

[sterno]

For those of you who want to set up ipchains to block everything vaguely associated with doubleclick, I went over to ARIN and looked up what IP blocks have been assigned to them. This should block everything. On a couple I went a bit overboard and blocked an entire 0-255 subnet when they only had a small chunk. But i figure, better safe than sorry :). Here ya go:

ipchains -A output -d 199.95.206.0/24 -j REJECT
ipchains -A output -d 199.95.207.0/24 -j REJECT
ipchains -A output -d 199.95.208.0/24 -j REJECT
ipchains -A output -d 199.95.207.0/24 -j REJECT
ipchains -A output -d 63.160.54.0/24 -j REJECT
ipchains -A output -d 208.211.225.0/24 -j REJECT
ipchains -A output -d 208.10.202.0/24 -j REJECT
ipchains -A output -d 216.94.59.0/24 -j REJECT
ipchains -A output -d 208.228.78.0/24 -j REJECT
ipchains -A output -d 208.228.86.0/24 -j REJECT
ipchains -A output -d 209.167.73.0/24 -j REJECT
ipchains -A output -d 208.229.75.0/24 -j REJECT
ipchains -A output -d 208.203.243.0/24 -j REJECT
ipchains -A output -d 204.178.112.160/24 -j REJECT
ipchains -A output -d 204.253.104.0/24 -j REJECT
ipchains -A output -d 216.230.65.0/24 -j REJECT
ipchains -A output -d 63.77.79.0/24 -j REJECT
ipchains -A output -d 128.11.60.0/24 -j REJECT
ipchains -A output -d 128.11.92.0/24 -j REJECT
ipchains -A output -d 199.95.210.0/24 -j REJECT
ipchains -A output -d 199.95.206.0/24 -j REJECT

---

Re:All of Doubleclick's Networks!

[coolgeek]

I guess it's just the wirehead in me (and maybe I'm paranoid, too), but I prefer to filter them out at the router, rather than trust an http proxy to block the traffic.

DoubleClick question.

Anyone know why doubleclick.com scans port 7 when you click on an ad?

Re:Bad

[Dimes]

This probably doesn't help much, but on my machines doubleclick.net resolves as 127.0.0.1, Not sure if this screws with the tracking info.....but it sure is nice not to have to wait for the adds to come up ;-)

dimes

FYI, there is an Open Source option

[DragonHawk]

...many of us are willing to pay a few bucks for a good commercial tool when there's no open source alternative.

I don't have any problem with your endorsement (it is useful information, after all), but For Your Information, there is an Open Source product available that blocks banner ads, cookies, and such. Source available, no cost, and protected by the GPL, it is called "The Internet Junkbuster" and is available for free download from www.junkbusters.com. It functions as a proxy server, and guards your privacy.

Just FYI.

Re:Opt-Out

[LetterJ]

In my area, it seems that anyone who is calling from behind a "corporate phone system" comes up "UNAVAILABLE". Unfortunately, that's also what several of my relatives and friend's come up as. The supreme irony came when US West (the provider of my CallerID) called to pitch me additional services and came up as "UNAVAILABLE".

LetterJ

Write your State's Attorney General.

[kilroy666]

If you live in New York, Eliot Spitzer is doing something to protect your privacy.

Drop him a line (if you're in NY) and let him know what is going on. Mention that the Privacy Statement is wrong on DoubleClick's web page, reference the Usa Today article, Agitate.

The AG's in NY have been pretty good about at getting the 'bad guys'.

RobM.

Re:Bad

i am almost sure their system works with cookies. so going into the browser properties and disabling them should do the trick. --AC (too lazy to register)

Boycott doubleclick SPECIFICALLY

[sjames]

Blocking all ads from all ad companies won't do much good, the market will shrink a bit bit the percentages will be about the same. The answer is to specifically block doubleclick (and any others that start tracking name/address etc.). That way, a specific practice is punished, and not doing that is rewarded. It also sends a message to DoubleClick's clients "your ad isn't being seen, but it WILL be if you get rid of DoubleClick and choose another ad company". To advertising supported websites it says "You'll get more clickthrough pay if you switch away from DoubleClick".

That DOUBLES the impact of the boycott.

Now for some notes on blocking DoubleDlick. First, they use round robin DNS and several different address blocks. If you don't firewall every last one of them, you will get their ads. They have some sort of odd DNS system that assigns addresses to ad.doubleclick.net based on network latencies which they measure by sending packets to port 7 (TCP echo service). I know this because they triggered portsentry on a network I am responsable for and they explained that when I emailed root about it.

The easiest option if you are on a Unix system is to use a local DNS server and set up doubleclick.com and doubleclick.net as master zones. That will cause name lookups for doubleclick to fail.

I would like to firewall their address blocks as well for good measure. Does anyone have a list of all of the addresses assigned to them? I did do dns lookup and check the returned address with rs.arin.net, but the IP is a non-portable address owned by above.net.

Re:This Might Sway Some

[Mignon]

Just because they use Linux doesn't mean jack shit.

That's definitely debatable, though someone else already has. My secondary point (aside from tossing out a Linux tidbit) was that lots of us get caught up in our Linux zealotry to the point where we would consider something like this to be a mitigating factor.

For a reverse of this example, consider Slashdot. Most of us think they're a pretty cool site, but some have pointed out that in spite of promoting open source, they are not terribly forthcoming with their source. (Yes, I know they just released v.9 - damn irony!)

Here's my sociological hypothesis about the quote above (are you listening, Jon Katz?): We've gotten so tightly enmeshed with our digital, binary, logical world, that we can't see that qualities like good and bad are on a continuum.

Enough with the complaining...

How can we avoid that tracking? I mean... What can *I* do on *MY* computer to avoid them knowing who I am? Shutting off cookies isn't an option at all, nor is manually filtering all my cookies.

Re:Enough with the complaining...

How about pouring hot grits down your pants... 11th post... Yee-UHh..

Re:Enough with the complaining...

Check out Zero Knowledge's new software at http://www.freedom.net for anon surfing while still using cookies

Re:Enough with the complaining...

[m3000]

Because a lot of cookies are very usefull to me. For example, thanks to cookies, I only have to log in once to Slashdot. Or it saves my preferences at places like zdnet.com and other personalization sites. It also saves some of my login's and passwords to certain sites, which, while I guess would be a security risk to yall, I trust my family. Of course, I could selectivly get cookies, but I tried that once, and spent about half my time clicking "no" to 5 at each website I visted, totally wasting my time. I don't really mind cookies when they're useful, it's just that sometimes they're not.

Re:Enough with the complaining...

[atholbrose]

If you go to www.doubleclick.com, click on "privacy policy" and follow a few more links, tey can send you an opt-out cookie. It sets your doubleclick user ID to "OPT_OUT". Is this good enough? I dunno. I'm going to see, though.

Re:Enough with the complaining...

Browsers need to enable a "cookie zone" feature. This way you can deliberately add the useful sites and make all others not bother you at all with the question.

Re:Enough with the complaining...

Internet Explorer 5 has this feature. In addition to general Internet and Intranet security settings, you can define custom security settings for Trusted Sites and Restricted Sites. All you have to do is add sites you trust to Trusted Sites, then disable cookies for Internet sites generally (and Intranet sites, if you don't trust your local network; they're disabled by default for Restricted Sites, which is a good place for sites you definitely don't trust).

Click THIS

Are you SURE you want to opt out?

Re:Internet == Advertisers? Bullshit.

[jamesl]

Sounds like PBS for the internet. Who is going to write the grant request to get it started?

Dataprotection Act : EU and UK

[tubs]

There is a nice law in the UK (and EU) called the data protection act. Basically it says you are not allowed to keep inaccurate information, pass on information without my prior consent and when asked you must allow me to view this information.

Why doesn't the US do somthing like this? Its not about interfereing with your rights, its to stop business from abusing your information.

Re:Dataprotection Act : EU and UK

There's one tiny problem with the European database laws: they require that companies and individuals report the existance of their databases to their government. The creation of such laws at the end of a century in which governments killed more than 100 million people is breathtakingly obtuse.

Someone mentioned the Neatherlands had refused to go join this system; well, maybe they have better memories. A particular activist once related how he got his start: while in basic training (US Army back in the days of the draft), an aquainance told him of an incident he had witnessed as a young boy in the then Nazi occupied Neatherlands. An entire family was executed on the spot in front of their house when the father couldn't produce a pistol that was listed in a government gun registration database.

And we all know how the US Census supplied the data to allow the US government to round up Japanese-American citizens after our entry into the war (and before you say this was only a necessary wartime measure, ask yourself why their land and other property wasn't returned to them after the war...).

Re:Dataprotection Act : EU and UK

The reason is that american companies do not like the idea of being subjected to such a rule.

Also, what do you know about the enforcement mechanism for the EU Data Protection Directive? If I am not mistaken, enforcement power remains in the hands of government agencies rather than individuals in the EU.

Re:Dataprotection Act : EU and UK

[tubs]

From what I understand it is up to the goverment to enforce the regulations, specifically the "data protection registrar" who is appointed by the goverment, but is supposed to be independant.

The Registrar can then take companies and individuals to court for breaking the Data Protection Act. Yes individuals can be taken to court (for example if someone asked a police friend to "get some details" for them, the Police Officer would be taken to court not the Police Force)

From what I understand (I have only browsed the act) hefty fines and Jail terms (for directors etc) are the order of the day, so the registrar does actually have teeth.

Mac IE 4.5 anticookie

Mac IE 4.5 has nice per-site cookie blocking/allowing.

Spreading the word.

[Amphigory]

Guys,

Its not enough for geeks to opt out. We need to get the whole 'net to opt out. Attached is the email I sent to about 20 people. May I suggest that all of you go and do likewise?

--

Distribution of this memo is unlimited.

Since I am probably the biggest spam-hater alive, you can imagine for me to originate one of these chain things is pretty unusual. (In fact, its more than unusual, its unprecidented). Nevertheless, I think that the danger to our society (and the internet as a whole) represented by the situation I am about to describe is great enough that I will take the flames and pass this on.

There is a company called "doubleclick.com". They provide the little banner ads that you see on most web-sites nowadays. That is, when you pull up a web page with advertising, the company making that web page points your web-browser towards DoubleClick's web servers to get an appropriate ad. DoubleClick then pays the company if you click on the ad (anywhere from 1 to 10 cents for a click-through -- if you just look at it, they often get some small fraction of a penny for showing it to you).

In order to target the ads, DoubleClick sets what is called a "cookie" in your browser. This cookie uniquely identifies your computer on the internet. DoubleClick uses this information to target advertisements towards you based on your previous viewing patterns: if you typically click on ads for computer hardware, DoubleClick will show you lots of ads for computer hardware. However, all of this is still anonymous.

That is, it was thought to be until the following story came out:

http://www.usatoday.com/life/cyber/tech/cth211.htm

To summarize, the above story relates how DoubleClick bought a direct marketing company called Abacus Direct. Abacus Direct maintains a database covering over 90% of all American households. And DoubleClick acknowledges that they have begun linking Abacus Direct's database with theirs.

The net effect of this is that, for a price, a vendor can get your name, address, phone number, /and/ your reading habits. They can find out what newspapers you read (over the web), what web sites you visit, etc. They can find out what products you buy -- it is simple to link information from amazon.com to doubleclick as well. They can then use this information to target advertisements at you.

Many people don't see the problem with this. May I suggest that you consider this: the express purpose of advertising is to get you to buy things which you would not ordinarily buy. That is, the perfect person in their eyes is a profligate spend-thrift. Happiness through possesions is the mantra they push.

The advertising industry has already demonstrated that they will stop at nothing to sell products. For example, consider that the "June Cleaver" perfect housewife of the 1950's is acknowledged to have been created by and for the advertising industry! Or consider some of the tactics used by the baby formula companies to get mothers to not breastfeed, despite the acknowledged medical fact that breast-feeding is far better for the child. (Some of the tactics used in developing countries were exceptionally gruesome.) What about the toilet-training "experts" who are employed by the diaper companies? Ever wonder why we suddenly need Size 5 Pampers?

We have already seen what advertising can do with statistical sampling alone: what will they be able to do with specific data about you? That is, what will happen when, instead of marketing to a mythical (but frighteningly accurate) average household, they are marketing to you personally?

Fortunately, there is a way out. You can visit:

http://www.doubleclick.net/optout/optout.asp

And decline to have your information tracked. I highly recommend it. I could go on for pages about why this is important -- the point is that once we have given Madison Avenue this power, we will never be able to take it back. The time to opt out is now.

Re:Spreading the word.

[miyax]

Good plan. BTW, if anyone out there cares, I wrote an article about Doubleclick/Abacus Direct/internet privacy for my school's paper not to long ago. Hopefully that will spread this around a bit.
Hopefully. The sad thing is, John Q. AOLuser doesn't really give a rat's ass. He doesn't look to see who's providing his banner ads, nor does he care, or would he even know who that company was. "Doubleclick? Who they hell are they? I thought this ad was about toasters."
That was basically the point of my article, that and why John should care. Because this is coming. This is what everybody's going to do in a few years, if we don't stop them at the beginning. Sadly, Mr. AOLuser doesn't care.
Maybe we should have tried to stop AOL before it took over the world. ::shrug::
Anywho, I for one will forward this to everyone I know, and instruct them to do likewise.

miyax

Database sabotage

What do you think if there was a way to just corrupt their database? Then the stuff they were trying to sell would be worthless. I was thinking if there was some way to randomly select from a pool of everyone's Doubleclick cookies then they couldn't really say they had any integrity in the profiles they've created?

Fight the power baby!

Now on the other hand, I don't really give a care about privacy. Eventually nobody's going to be able to hide anything anyway. But in the mean time, in the mean time this is the paradigm I am in favor of: Any available information about anybody accessable to anyone else, that if you are wanting invasion to my privacy you must submit equivilant private information.

Market efficiency thrives on good information, so I understand the reasons for wanting to have this information available. But not forsale, if it's going to be there it needs to be freely available to everyone. That's fair and that's the only option I'm willing to embrace.

Rights?

You have no rights online! Ask any OSU computer user! Taylor 5 represent Napster RIP

CPM goes up for this.

[asianflu]

For geotargetting, where ads are pitched based on your zip code, doubleclick can triple or quadruple the price it charges advertisers. Urban Fetch wants to advertise its NY delivery service? it can spend $20 on a run-of-site banner show to everyone including surfers from singapore, or $80 on doubleclick that can restrict the banners to web site visitors with zips in NY city. Which do you think is more valuable a campaign?
That money magnet is what is dragging doubleclick to tear up its privacy agreements, its just too rich a prize, especially with run-of-site CPMs now down at the $5/1000 level and click throughs at the half percent.

Re:An Obvious Solution...

[kurumi]

Advertising is increasingly unfashionable to defend, but if it weren't for advertising, much of the content on the Internet wouldn't exist. Without advertising, it is essentially impossible to put a useful page up on the web and not lose money. The only real alternative is paying for content... now which would you prefer?

Paying for content. Cable TV, DSS, DMX, BBC, PBS... to varying degrees a similar revenue model and better content. Though PBS is showing more commercials all the time.

In an Internet where content is almost universally supported by advertising, no advertising simply means no content. (And let me also point out that there's a banner at the top of this very page...)

Hmmmm... I'll take your word for that. All I see is a broken image tag. :-) Also, advertising != content. There are tons of great pages for historical, entertainment, news, information, with no ads, because the webmasters have real jobs elsewhere and just want to contribute to the community.

It's a pretty good deal: I give out free info, fun stuff, sw, and get the same from other sites. No adz needed.

Anyway, I really resent these incessant, impudent demands for my attention ("eyeballs.") I don't want ad fsckers like Kevin O'Connor tracking me, and I'll use proxies, unlisted #'s, false demog info, and whatever else to thwart them.

More: http://www.kurumi.com/opinion/adblock.ht ml

cookies...

[JustShootMe]

Isn't it possible to reject any cookies from doubleclick.com?

Not that I think this ia good thing, I think it's abhorrent. But one would think that's one way to combat it...

If you can't figure out how to mail me, don't.

Re:How To Block DoubleClick's Tracking In Two Step

[sallen]

Opting out of doubleclick is fine here, and if that causes a problem for site that use doubleclick for services, then that's too bad.
Ethics you say? Ethical behavoir wouldn't include going through my wastebasket without my premission to put together all my receipts and sell the data with my name and address. How is doubleclick any different. If a RESPONSIBLE advertiser wishes to send me banner ads and that keeps web sites operating and provides them an income, then I'm all for it.

Interestingly, as people mention FTC complaints (which is good), one should also remember that doubleclick is now a public company, listed on the stock exchange with a LOT of stockholders that expect to make money. A little bad publicity about a lot of opt-outs, even if only temporarily, can cause a hefty hit to their share price with the way the market acts these days. They're after a buck, and their shareholders are certainly after an increase in revenues...and unlike celebrities, the market DOESN'T like bad publicity for a company, even if the press does spell their name correctly.

You have to quit Netscape

[mattc]

The cookie file isn't updated until you quit Netscape. Quit Netscape and then look at the cookie file.

Re:You have to quit Netscape

[Nodatadj]

I did.
No change.
So I deleted the cookies I didn't like
and then made the file read-only.

Re:Data Mining

[TheTomcat]

ok, this is WAY off topic, but:
Ever notice that there IS no word for male feminist? Also notice that "sexist" is commonly understood as a male term?

Now, I'm no misogynist, but I'm sure we'd see bra-burners at Wawanesa and State Farm if women were charged more based on stats.

Re:Bad

It's all quite simple really :-

bash-2.03$ cat /etc/hosts
# Entry to stop doubleclick badness
127.0.0.1 ad.doubleclick.net
bash-2.03$

Now, is it just me, or is this so blindingly obvious that you guys really should have thought about it before. :))

And what's more this will actually work on Windoze boxes as well (yes, Win95 and up does have a c:\windows\hosts file if you want one).

Only problem with this technique is if you aren't running a httpd on localhost, you might get some browsers complaining all the time, and even if you are running httpd, your logs will start looking weird, but at least you're not getting ads, doubleclick aren't getting your hit, your privacy isn't being invaded, AND you're not spending 20 bucks on some badly written code that will 'junkbust' - whatever that is. :)

An Obvious Solution...

[Tsian]

This is quite obviously a horrendous invasion of privacy on the part of doubleclick, and a boycott (of sorts) should begin immediately. I would presume that very few users want to be in the doubleclick database, and as such i submit a simple sollution.
Simply put the doubleclick domain (in ie, i presume netscape has a similar feature) into the restricted sites area, and adjust security in that zone as necessary to as not accept cookies.

Re:An Obvious Solution...

Without advertising, it is essentially impossible to put a useful page up on the web and not lose money

False.

Re:An Obvious Solution...

It's all explained at: Here I've I got it right, you could request a copy of the information but they are entitled to ask for a small "admin" fee.

Re:An Obvious Solution...

[dhml]

Question: if flycast are innocent why have
I just found a flycast cookie in
my file? What possible innocent use is it to
anybody?

Another question: anybody used CutTheCrap
(filter proxy)? I have it installed & I thought
it was working (don't know how old the cookies are). Any reason to trade it for junkbuster
which seems to be the favourite here?

Michael

Re:An Obvious Solution...

[Mija+Cat]

Yahoo did just fine as a search engine before ads.

Re:An Obvious Solution...

[Binar1]

Might want to add *.flycast.com to that restricted list, too.

Re:An Obvious Solution...

[Paul+Wright]

Is there anyway that we can use the data protection act (think that's the right one) and demand a copy of all the information they have on us. If enough of us do this, it's going to be rather time consuming for them ...

Yes. I think you can at the moment, but you definitely can when the EU directive beomes law. The changes to European Union law will be propagated into UK law effective on 1st March, according to the Data Protection Registrar's website.

The subject access rights have been extended:

Whereas under the 1984 Act the data subject was only entitled to have a copy of any data processed by reference to him, the new Act states that he is also entitled to a description of the data being processed, a description of the purposes for which it is being processed; a description of any potential recipients of his data and except in limited circumstances, any information as to the source of his data (where available).

The website also says:

In addition Schedule 2 provides that processing may only be carried out where one of the following conditions has been satisfied i.e., where;

• the individual has given his consent to the processing
• the processing is necessary for the performance of a contract with the individual
• the processing is required under a legal obligation
• the processing is necessary to protect the vital interests of the individual
• or to carry out public functions
• the processing is necessary in order to pursue the legitimate interests of the data controller or certain third parties (unless prejudicial to the interests of the individual).

Depends on whether Doubleclick's address tracking is "legitimate" I suppose... AFAIK, the DPA is criminal law: you don't have to sue them yourself.

Re:An Obvious Solution...

[fougasse]

If I remember correctly, that's because it was hosted by a university, and therefore publically funded. This was possible then because the traffic levels that Yahoo received were much, much lower.

Re:An Obvious Solution...

[fougasse]

Because cookies are not evil by definition. Cookies are used to, among other things, track which ads you've seen and which ads you tend to click on. Calling this a privacy violation is going overboard -- what private information is revealed? Is the fact that the user at IP 112.43.82.48 has already seen the ad with the dancing penguin and tends to click on ads about food a serious violation of your self?

Re:An Obvious Solution...

[fougasse]

Your claim that it's fully possible for Internet content to exist without advertising just doesn't ring true. Certainly, small sites will work just fine without ads -- webmasters will happily pay 20 dollars a month to share something they created.

BUT this would rule out both larger sites and sites that need to be worked on full-time. It's essentially impossible to run a search engine without ads, for instance: the bandwidth and hardware requirements are so huge that engines would have to either be publically funded (publically funding the Internet is no longer feasible due to its size), display ads, or use micropayments. (Those search engine which operate without many ads today, i.e. Google, run based mainly on venture capital, which certainly is not permanent).

So the only remaining alternative is micropayments. I certainly wouldn't want to pay for every search, and I don't think most users would either. You need only look at the introduction of flat-fee, unlimited Internet access: users left per-minute-fee ISPs in huge numbers. These days, virtually all home ISPs offer unlimited access, even the broadband ones. In fact, free, ad-based ISPs are becoming more and more popular these days.

Re:An Obvious Solution...

[fougasse]

Thank you, Anonymous Coward, for your in-depth response.

Re:An Obvious Solution...

[fougasse]

Right, but wrong.

Oh no. Not paradox, please. I hate those.

There are many, many useful sites which do not advertise, for example www.gnu.org There are no banners there. And as for content, it's the top. Excellent tools.

I didn't say that there were no good sites without advertising... I said that you usually couldn't put up a good site without advertising and not lose money. And the only reason GNU does not lose large amounts of money is that they receive grants and donations. Grants and donations can't sustain more than a minuscule percentage of the Web... I assume you don't want search engines to have PBS-style pledge breaks. (We'll get back to your search in just a few minutes now, but wouldn't you love this novelty AltaVista heated blanket, available at the $85 level?)

It is sad to see the Internet gradually turn into a mindnumbing TV-like apparatus simply because "there can be no content unless you advertise". That is no free speech. It is free speech for those who have the money, because "you sing the songs of those whose bread you eat."

The cases in which advertising would limit free speech are very rare. But they certainly do exist. This is the case in many other media, though -- newspapers with, for instance, anti-capitalist views cannot be supported by advertising. So these newspapers either charge readers or operate at a loss (and solicit donations). The same is applicable to the Internet; nobody said that you can't put content up without advertising, only that you have to find an alternative revenue source or operate at a loss. And yes, as is the case with other media, this will make it more difficult to make anti-advertiser views heard. Capitalism inherently limits some forms of free speech, and this is one of them.

However, without advertising, speech would be much more limited: those without enough money couldn't operate a web page. A case of "you can only sing if you have bread". That, it seems to me, would damage free speech much more.

Re:An Obvious Solution...

[fougasse]

No, don't add flycast to that restricted list.

This discussion is about the privacy violations of DoubleClick. I agree that what they're doing is a violation of privacy and that they should certainly be boycotted because of it. But you certainly can't extend that argument to "block all advertising". Flycast, for example, has a privacy policy that explicitly forbids associating personal information with your website-viewing profile.

Advertising is increasingly unfashionable to defend, but if it weren't for advertising, much of the content on the Internet wouldn't exist. Without advertising, it is essentially impossible to put a useful page up on the web and not lose money. The only real alternative is paying for content... now which would you prefer?

If users start blocking ads, then sites which advertise will make less money. As it is now, ad-blocking is generally restricted to techies, people who use the Web a lot and know a lot about it too. And so if this demographic (or psychographic, I'm not sure which applies here) blocks ads, sites which appeal to this demographic (to use advertising terms) will receive less revenue per visitor. That is, tech sites will make less money. Or, in other words, there will be fewer tech sites.

In an Internet where content is almost universally supported by advertising, no advertising simply means no content. (And let me also point out that there's a banner at the top of this very page...)

Re:An Obvious Solution...

[dhml]

Clearly the above scenario is not a violation of self: however it is of no possible __benefit__ to me (the point of cookies) and could concievably be used for targetted marketing etc if the the info ever got married up with any of my pid. Bottom line: I do not think I should be sent cookies unless they are for my benefit eg user preferences.

Re:An Obvious Solution...

I've found the most useful web sites by far are university sites (funded largely by the British, American, and other states). Apart from them, I also use the BBC sites quite often (again, funded by the British state). There are exceptions to this: newspapers/news sites, standards organisations, and corporate sites (for documentation, drivers, etc.). Of these, the only ones that rely on advertising are the newspapers/news sites.

I suppose you could say that state-sponsored, corporate and organisational web sites lose money, but it would cost much more to published the same information by traditional means, so from that perspective, they're really saving money.

Re:FIRST

This first post stuff is so lame... and you where not even first.

What the rest of the internet comunity needs.

[HenrysCat]

It is ok for people with IT skills who can edit their cookies etc. I let mine be open because it tends to help and I know I can sort it if need be. But the non tecky peeps need help too. Someone should set up a site the maintains a list of bad cookies. Then people having spam problems can visit it once a month and let the site clean out it's bad cookies but leave the good stuff. Anyone seen such a site?

Re:Dynamic IP?

[pen]

are you going to trade your privacy for some convience?

You don't have to. Just use a proxy. Allow only the sites where you want cookies to be enabled, and then deny all others. Try JunkBuster.

--

pcweek's pc proxy rerview

[sevenseven]

interestingly enough, zd-net's pcweek has a review of personal proxy servers for pcs: http://www.zdnet.co m/pcweek/stories/news/0,4153,2423273,00.html

the review evaluates norton internet security 2000 and some other tools. all of them are commercial products however...

Re:Time to start poisoning those pigeons.

BRILLIANT IDEA!!!! Let's take this a step further! Get a list of sites that use Double Click, then feed it into a spidering engine. Then have the spidering engine feed thousanda of the tainted cookies from thousands of sites into Double Click's database!

AHAHAHAHAHA!!! I've been looking for a pet project to do. I'm thinking this would be a good opportunity to mess with Java Threads >:)

Data Mining

[oy]

Information gathering is nothing new, everytime you go grocery shopping and use your "Club Card" your grocery purchases are put into a huge databse. Say you buy some pampers... instantly a red light goes off some where and next week you'll be getting mail about baby products.. Building huge data bases on people is extrmley scary, and at present laws don't really exist to protect peoples privacy, or information.

Should you be allowed to know i have a history of cancer in my family before i buy insurance from you?

Re:Data Mining

[Helge+Hafting]

Building huge data bases on people is extrmley scary, and at present laws don't really exist
to protect peoples privacy, or information.

Laws exists where I live. Anyone wanting to build a database with information about identifiable persons must get a permission from the authorities. The law was made because of computer databases, but applies to other media as well.

Of course there are exceptions for obvious stuff, a company may, for example, keep a payroll without applying for permission.

The law also states that you may demand to see your own record in anybody's database, and you can tell them to delete it. I tell telemarketers to delete me from their lists, as required by law. They really don't call back - until the next edition of the phone directory is scanned. (Or whatever they use.)

Re:Data Mining

[kurumi]

This is exactly why I stopped shopping at Kroger the day they started having a "Club Card" (well, that and the fact that they raised prices 50% overnight so they wouldn't lose any money on the card discount) ... I won't patronize businesses that punish me for wanting to maintain a little privacy.

I like club cards. I can live another life, and change it frequently. Back when Safeway would try to be personal and read your name, I became Ben Feldstein, and I would always correct the cashier on the pronunciation:

"Thank you, Mr. Feldsteen." -- "That's FeldSTINE."

"Good morning, Mr. Feldstine." -- "I'm sorry, that's FeldSTEEN."

But that card is long gone. Right now I'm revered Penn State football coach Joe Paterno.

A good rule of thumb for filling out any form: if their having the correct information does not benefit you personally, and is not required by law (e.g. SSN on your 1040), fake it.

Re:Data Mining

Should you be allowed to know i have a history of cancer in my family before i buy insurance from you?
OR, should you be allowed to see how many pounds of red meat I buy each year before selling me Life Insurance?


If I'm the one selling you life insurance, then, yeah. Why would I want to sell life insurance to your fat fucking heart-attack prone ass? Life insurance is cheaper for non-smokers, you know. So lay off the Whoppers, you fat lazy fuck.

Re:Data Mining

Yeah, if you don't use a credit card and only pay in cash.

Re:Data Mining

[bobv-pillars-net]

I know what you mean.

Spent half an hour at a local bank today, on hold with their legal department (long-distance on THEIR nickel) waiting for a legal explanation of why they required my right thumbprint to cash a payroll check drawn on their bank.

Re:Data Mining

[TheTomcat]

Should you be allowed to know i have a history of cancer in my family before i buy insurance from you?

OR, should you be allowed to see how many pounds of red meat I buy each year before selling me Life Insurance?

Statistic in insurance should be regulated. I got quoted $4967/year for insurance on my new car. I'm male, under the age of 25. No, I've never been in an accident. Stats prove that I am more likely to get into an accident than females 10 years older than me, so I get shafted. What if stats proved that gays got in more accidents than straights (sorry if straight is considered a slur now... ) or if African Americans (insert politically-correct-term-of-the-week for black people here) got in more accidents than whites?

Sorry. I know it's a little OT, but if corporations like double click can gather info on us the same way, who KNOWS what'll happen.

Re:Data Mining

I have a more interesting question. If statistics actually showed the converse, would the rates be adjusted appropriately? What if women actually get in more accidents then men. Would the companies have the guts to charge women more? I wonder what cost these people can bear while holding to outdated notions of responsibility and demographics.

Re:Data Mining

[dsl]

This is exactly why I stopped shopping at Kroger the day they started having a "Club Card" (well, that and the fact that they raised prices 50% overnight so they wouldn't lose any money on the card discount). It's annoying sometimes since all of the all-night groceries around here are Kroger, and I liked buying food at 2 AM, but I won't patronize businesses that punish me for wanting to maintain a little privacy.

Re:Data Mining

[sjames]

That's just paranoia, mostly it's manufacturers and retailers who want to be able to serve you better.

If that's all it is, then DoubleClick and it's business associates would be happy to tell us who is part of the program. No business serves a customer well by sneaking around behind their backs. If they want to listen to what I'm telling them, then they should listen to what I'M TELLING them, not covertly gather information that I'm NOT telling them.

Furthermore, unlike many of those programs, DoubleClick not only does this after explicitly claiming otherwise, but they share it around with many other companies quietly. Even if I had some sort of grocery card (I certainly don't!), the information is not available to other merchants the moment I walk into their store. With DoubleClick, it apparently is. This like many other things is marginally acceptable on a small scale but becomes grossly unacceptable when applied on a larger scale.

The only really postive thing that you can do is to fill out false and misleading information voluntarily...

That's great fun! Von Wilhelm, Hochkis. nationality: German. Occupation: Shepherd. Relation to family: Other.

Re:Data Mining

[mcrandello]

Better than that, I use the temporary card they gave me. The cashier *never* gives me a rough time, I get my discount, and if they ever do ask, I'll let them know I don't want a name attached to my spending habits. Oh, and I pay with cash. No bank cards or cheques.


mcrandello@my-deja.com
rschaar{at}pegasus.cc.ucf.edu if it's important.

Re:Data Mining

[crush]

Building huge data bases on people is extrmley scary, and at present laws don't really exist to protect peoples privacy, or information.

Nah. That's just paranoia, mostly it's manufacturers and retailers who want to be able to serve you better. They want to be able to respond to the free-market and listen to what their customers are telling them. Companies are often perceived as uncaring, deaf monoliths, but really they're just there to do your bidding. So why are you so scared of them?

Like you say, this is nothing new, they're collecting information all the time. What really kills me are things like the grocery cards or airmiles - the bastards are asking us to work for them by providing a false reward. If they can afford to give away the airmiles then they should give them away. The cunning aspect of this tactic is that they've already got enough people doing it so that if you don't then you lose out. I hate it! If I were to sell my shopping data I'd expect a lot more money than that. Save us from the idiots.

The only really postive thing that you can do is to fill out false and misleading information voluntarily on as many survey forms as you can, my father introduced me to this idea when I was quite young and they started collecting this data with grocery cards. Soon we had a pretty wacky family to go down on the unimportant cards: 3 bachelors uncles of ages 13, 53 and 93 lived with us and were employed respectively as: a stockbroker (earnings > $100,000 per annum), unemployed, and a garbage-man (30-50,000). There were also more subtle pieces of disinformation, altering the amount of products of a particular type that one was supposed to be buying up or down, some estimatedly reasonable fraction.

Perhaps it does no good ( I can see our outlier being eliminated from the data set pretty quickly) but at least it did them no good!

Re:Data Mining

[Skim123]

But with the supermarket card, you have the option of using it. With Doubleclick's scheme, you aren't aware that you're being tracked...

Re:Cookie crumbs

[General+Winter]

WWWOFFLE offers the functionality and control you desire, and much more. Try it out, it's worth the effort.
http://www.gedanken.demon.co.uk/wwwoffle/

Re:Should we trust Doubleclick not to track us?

[guran]

Hell, if you've got a firewall, block all packets to and from doubleclick.net

You did not run into problems with page rendering?

I've seen a coupla webpages that did not display at all since a freaking ad server was down.

(Yeah I know "If they can't make proper web pages, why should I bother to visit yada yada" Yes, some strange looking pages is a small price to pay to get rid of doubleclicks tracking, but I still wonder

Anyone looked at DoubleClicks privacy notice?

If no one has looked at DoubleClick's privacy notice, you might find this ironic...this is the first paragraph, first section, first page of the said notice. ##### Starts here ##### Information Collected in Ad Delivery In the course of delivering an ad to you, DoubleClick does not collect any personally-identifiable information about you, such as your name, address, phone number or email address. DoubleClick does, however, collect non-personally identifiable information about you, such as the server your computer is logged onto, your browser type (for example, Netscape or Internet Explorer), and whether you responded to the ad delivered. #### Ends here #### Just thought that is the biggest lawsuit i've ever seen waiting to happen...

Re:Opt-Out

[Helge+Hafting]

Consider commercials versus tele-marketers.
I can't just say "I don't wanna hear it, so I won't answer the phone.

You can - with caller ID. With ISDN you may even set the pc up as a selective answering machine. You can have the pc identify telemarketers by their number and deliver a rude message, while letting the phone ring normally for others. Whenever a new telemarketer get through - add their number to your own datbase. Databases can work for "the little man" too.

Filter Plug-In

[crashdavis]

It would seem pretty simple to me for someone to write a plug-in for IE or Netscape which would parse the HTML and remove doubleclick (or some configurable list of domains) image tags.

What's the problem with doing this?

Another way to do this, although potentially harder, would be to do what was suggested here during the last round of postings and produce a plug-in which would suppress creation of cookies for domains external to the displayed page.

Whatever sophistication Doubleclick has in identifying this info, the fact is that *we*are*giving* this information to them with our stupid browsers.

Crash Davis

Re:Filter Plug-In

[reaper20]

Doesn't junkbuster filter out all of this stuff already? I know it blocks the advertisements, but does anyone know if it blocks the information going the other way??

Re:Filter Plug-In

[ffatTony]

Another way to do this, although potentially harder, would be to do what was suggested here during the last round of postings and produce a plug-in which would suppress creation of cookies for domains external to the displayed page.

Netscape 4.7 already has an option of Only accept cookies from the same server as the page being viewed which is what I think you are refering to.

Re:Filter Plug-In

I was thinking the same thing. How privacy conscious is Mozilla? Mozilla is "open source" can't we write privacy/anonymous features directly into it? make Mozilla the anonymous browser?!? afterall my wife(tobe) would be really pissed to find out how many porn sites a REALLY visit :) STUPID DOUBLECLICK JERKS! Mitch

Re:Filter Plug-In

[Bastian]

Netscape 4.7 already has an option of Only accept cookies from the same server as the page
being viewed which is what I think you are refering to.

I think what you mean is the "Only accept cookies which get sent back to the originating server" option.
My understanding of this option is not that it filters out cookies which didnt come from the server that made the webpage, but that it rejects cookies that dont go back to the server that sent them. In this case, since the cookies are coming from doubleclick.net, that option would not filter them out.

Re:Time for a new Mozilla module. Any volunteers?

[QuantumET]

The feature certainly wouldn't have to come with any preset addresses, or lists.

Just a general feature of being able to block requests to certain addresses would be a very welcome addition, even if it is just a listbox in netscape.

127.0.0.1

[Will_Malverson]

I've got all kinds of advertiser addresses aliased to 127.0.0.1. It protects your privacy and speeds up your Internet browsing. It's even possible if you, for whatever reason, use Microsoft Windows, there's a hosts file in the c:\windows (or whatever) directory, that you can edit. However, you do need the most recent version of IE (I don't know what Netscape would do) to make it not go to a full-screen error message on any site that has an ad.

Sorry 'bout the heavy MS content.

Re:127.0.0.1

[RickHunter]

Well, I've tried this on my system, following the instructions in C:\Windows\hosts.sam. Didn't affect Netscape at all, even though ping and tracert insist that they're being mapped right. Guess Netscape assumes you're too dumb to know how to use a hosts file. Yet another thing that irritates me about Windows and Windows products.

As a note, I am pro-alternative-operating systems. I think Linux and *BSD are all very nice alternatives to Windows. Its just that this machine has a lot of Windows-only software.

-RickHunter
--"We are gray. We stand between the candle and the star."
--Gray council, Babylon 5.

Re:127.0.0.1

[Our+Man+In+Redmond]

Take a look at the Linux Tips page on Portico. They recently posted a list of servers you can alias to 127.0.0.1 in your /etc/hosts file. I haven't tried it yet but I'm going to.

Any chance someone could create a cookie we could all paste into our caches that indicates that every single one of us is the MPAA Executive Offices? Let Doubleclick track them. Somehow I think they might deserve each other.
--

Re:127.0.0.1

Aliasing to 127.0.0.1 doesn't work. I've seen sites that have arranged so that you don't get the site content if you've got their advertiser aliased that way.

Re:127.0.0.1

[Mr.+Slippery]

you know they have these ads for a reason?...

And we block them for a reason. I'm trying to read a page and there's a damn flying monkey zooming all around the top of it, distracting me chewing up my CPU time. No thanks.

Want me to know about your sponsors? I won't feel the need to block a simple, plain text "Supporters of this page include...The Frobozz Corp, makers of fine Frobozz Grue Repellent." It might even give me a warm fuzzy feeling towards The Frobozz Corp, that a dancing grue animation never would.

Ad banners are dying, and I can't wait to piss on their graves.

Re:127.0.0.1

[Cycon]

It's even possible if you, for whatever reason, use Microsoft Windows, there's a hosts file in the c:\windows (or whatever) directory, that you can edit.

Under Windows 2000 (and I would assume NT as well) this file resides in the c:\winnt\system32\drivers\etc directory, to be exact.

Re:127.0.0.1

[Cycon]

However, you do need the most recent version of IE (I don't know what Netscape would do) to make it not go to a full-screen error message on any site that has an ad.

Just checked this out and verified it under Netscape 4.7 (again, under Windows 2000 Professional) and it works just fine, that is where ads used to be you just see the broken image box in it's place.

Re:127.0.0.1

Another solution that unfortunately only works for internet explorer is to list these sites as "Restricted Sites" under the security settings in internet options. That way you don't get the cookies from them. It's really easy to find where/how this is stored in the registry, so you can export a *.reg file and pass it around.

When I have some time I'll probably write a program to clean and ban all the advertisers who've dropped cookies on my system.

Using Microsoft internet features to protect privacy - "embracing and extending" my personal cyberspace.

Re:127.0.0.1

That list has ads.theonion.com... you know they have these ads for a reason?...do you not want The Onion to be around??! Sorry for the English.

Re:127.0.0.1

[jesser]

Sorry 'bout the heavy MS content.

Nothing wrong with that. Considering that most Windows users aren't aware that they're being tracked, much less that they can opt-out by typing a medium-length URL into their browser, user education is important. And user education starts with the geeks, whether they use Linux, Windows, or any other O/S to surf, figuring it out. Link to the opt-out site from your website. Mention it whenever you discuss internet privacy with your friends.

--

Re:creating the hosts file

[Erik+Hensema]

There is nothing special to the private ranges, except they're not on the internet.

Your PC just looks in its routing table to figure out where it should send packets to 192.168.*, and is sees it should send them to the default route, eg. the internet.

Your ISP's router is likely to be configured to drop packets to private ranges, so the trace will stop there.

One way or another, your packets aren't going to make it to any machine on the net, they are going to be dropped somewhere.

If you want to drop them locally on your machine, you should configure a firewall. In Linux 2.2, it should become something like:

ipchains -A input -S 192.168.0.0/24 -J drop

And similar lines for the other private ranges. When you're running a private net, you ofcourse shouldn't block the addresses when originating from your own net ;-)

ipchains -A input -I ! eth0 -S 192.168.0.0/24 -J drop

Or something like that. RTFM.

Re:Look at it another way

[Helge+Hafting]

I mean, seriously... ad companies specialize in one thing, ads. They don't want to blackmail you because you've been buying diamond jewlery online for your mistress, and buying your wife cheap wal-mart stuff.

They don't want to. Some private investigator might. He breaks in or gets a short-lasting job at the ad company. Then he collects info on thousands of people to find good blackmail candidates. Or maybe he finds the proof your wife hired him to find. Or he calls up the ad company claiming to be a online jewellry seller and could he please buy the dataset for people who have bought at least once?

Re:Yes, solution for IE

[kimihia]

For IE, add advert sites to your 'Restricted Sites' zone, and then set that zone not to allow cookies.

How to do it

Re:Lets all use the same cookie!

[cyanoacrylate]

Not with my cookie...

Maybe you'd like to offer yours up instead???

Or maybe we could steal Bill Gates'.

But the best alternative, as mentioned above, is to turf all traffic to and from doubleclick.net at the firewall. (alternative for those without a firewall: set up a http server and set hosts table entry for *doubleclick.* to localhost (requests for doubleclick crap are redirected to your http server, which returns an error)).

Damn nested brackets - I hated Lots of Irritating and Silly Parentheses. It was the silliest language I have ever seen!

And for the rest of the world, they can wait for the consumer advocacy groups to make this practice illegal (if they can).

Happy Surfing!

they forgot

[happyhamster]

... that despite all the hype the Internet in general and web in particular are still based on cooperation between all users. These greedy bastards hear the ecommerce hype and run on the internet and use it as if that's their property. But last time I checked, overwhelming majority of users pay(sometimes a lot) its own money to access it. With all recent abuses of privacy, I'm getting a strong feeling that the abusers must get a hard slap to remind that the internet is about cooperation, not abuse.

You can do better. :-)

[Mechanist]

Here's an alternate idea that's more appealing from a Discordian sort of perspective....

With a little Perl/Python/whatever hackery, you could easily create a script to randomize you cookie files. It's easy, you just open the file, read the cookie values, change a few random digits here and there, and write it back out. Ideally the new cookie should have the same format as the old one, so that it looks like valid data even though it's random junk.

Then set up a cron job to run this script at regular intervals. And set your browser prefs to just accept all cookies, because you know they're going to get scrambled anyway. Voila, every day you are a different person to the likes of doubleclick. But they can't tell that they're getting bogus data, and so they aggressively attempt to target market these random non-persons.

The only thing to keep in mind is to periodically quit/restart your browser, so as to wipe out any memory-resident cookies.

I did this at my last job, but I lost the script in transition and haven't gotten around to re-creating it. But it's easy for anyone with even a little bit of Perl skill.

Re:You can do better. :-)

[Kris_J]

I remember someone claiming to have written a cookie mangler. It would just randomly change a bit here and a bite there, without any regard for what the cookie was supposed to look like. They said you could then surf to the sound of badly written web servers crashing...

Great idea!

[Brian+Knotts]

Another interesting possibility, which is more involved, is some sort of anonymous cookie exchange. When your browser got a new cookie, it could automatically upload it to the cookie exchange server. The server would then send you a whole list of other matching cookies to use randomly. This would prevent the cookie sites from using large cookies with CRC's or MAC's to detect spoofed cookies. Since they would all be real, legit cookies, they would all be accepted by the tracking site. End result? Lots of random records with little to no marketing value.

I really like this idea. This should definitely be added to Mozilla. The way to combat these sort of practices isn't just to block them, but to make them impractical/unprofitable.

New XFMail home page

Privacy invaders can kiss my ass

I for one hope that DoubleClick rots in hell for this blatent invasion of users privacy. Anyone with 0.5g of brain cells knew this would happen - to anyone with less (ahhh, politicians) this will be a complete surprise...But I digress.

I firmly believe that it's MY INFORMATION, I OWN IT, and I get to CONTROL WHO USES IT!

This means that if you want to use my information, you have to apply and PAY for a non-exclusive license to do so - FROM ME or my authorized agent(s).

Things I hate and block:

1) Junk snail mail. I file prohibitory orders against all junk mail I receive. Result: I don't get very much of that crapola anymore. I got this way after saving it all for a month to see how much I got. When I discovered that I had 70 lbs, I became an active mail refuser. US Supreme court decisions and Federal law support your right to declare anything you want to be a pandering and erotic advertisement. You have complete and unfettered discretion in this matter. Go to www.junkbusters.com and get more info. Go to your postoffice and get form 1500 - the one against erotic mail. Fill it out, attach those annoying advertisements from Advo or ValueMailer, or whatever and then mail it yourself to the prohibitory order processing ctr... Volia! Stuff's gone after about 30 days... If not, send it back to the proh. ctr with notes, and they'll sue the fucks for you at no cost to you.

2) Those god damned "Fresh Values" or "Super Saver" cards from the groceries. First off, those fucks raised the prices to cover their costs, then they issued the cards. They sell information on what you buy to people you buy it from, they sell info on what you didn't buy to people you didn't buy it from. They know what time you shopped. When you traditionally shop. What you traditionally spend. Waaaaaaay too much info if you ask me - mainly because it shows when I'm NOT home - so some $5/hr backoffice fuckwad can have his 'homies' rob my house... And if you don't have the card, they try to make you feel like a 2nd class citizen. Since so many people lied on the forms, they've started requesting ID's to verify the info...

3) Internet AD's. Ummm, If I want something, I'll go to a search engine and find it and find the best price. I'm never going to click on some god damned ad. I also despise cookies - there's no good reason for the damn things. I'm happy to log in when I need to use a service - learn to type. One site, www.800.com REQUIRES a cookie be set just to surf the damn site - so guess what? I went elsewhere with my $$$... I block ALL ads (visit www.webwasher.com - Nice free software). Blocks all those assinine popups, ads, flashing crap, etc. And it's easily configurable. Too bad it doesn't deal with cookies (yet - there's plugin ability for it...). I could care less how the web site makes it's $$$, find a better way. I for one didn't mind the occasional small ad at the bottom of the screen when this all started - but now it's totally out of hand - something like 150K worth of ads on some sites... so I said screw it - got rid of that crap and all the litter that it put into my caches...

4) My next vacation is going to be spent writing some software (yeah, I'm a geek) that intercepts a cookie, checks against a list of "OK" cookies (like say from Datek...ok, so I like to trade...), and the rest just takes it and perverts it at random and returns it to the offending assholes... Go ahead, look at that... have fun...

5) Those damn RF readers for Tollway booths - why, oh why, do they have to be keyed to me? Why can't they be anonymous? For years I've been saying they capture an audit trail - what booth, what time, what date, etc. Now some lawyer has subopenead the records on some poor fool to prove that he's in a specific area at a certain time... What's next? Oh you went thru booth A and B in record time - here's your speeding ticket... or the backoffice fool saying "gee, here's a guy with a mercedes...every day he's at booth A...and he's got a bitch with a Ford Excursion who's at booth B by 30 min's later... crossed with the tax records, they have two kids who are in school... not paying any nanny tax, so there's no one at home... and they make $200K/yr... let's hit their shack!" No thanks - I'll stick to coins...

DEFEND IT OR LOSE IT PEOPLE!

Re:Cookie crumbs

[knutsen]

Cookie Pal may be downloaded directly from the vendor, Kookaburra Software.

Re:You have mail!

[SJS]

Anyone know of a site or utility to clear out certain cookies like these, but leave the nice ones in like Slashdot?

1. Get rid of your cookies file.

2. Hit those sites that you want to allow cookies from, like Slashdot. (Alternatively, you can just edit the cookies file...)

3. chmod a-w .netscape/cookies
(Or whatever your cookie file is.)

If you want to add cookies, briefly chmod the cookies file to be writable, hit the site, set the cookies, and then chmod the cookies file again.

Re:Should we trust Doubleclick not to track us?

[Fastolfe]

I really don't have a problem with the *ads* themselves. Advertisements are what pays for sites like Slashdot. Blocking them out decreases revenue for Slashdot, so I'm quite happy to leave them in place, so long as they're benign (which seems to not be the case with DoubleClick).

Hell, I occasionally (like once every few months) even click on one.

Opt-Out? A quicker and better solution.

[Thorgal]

echo "127.0.0.1 doubleclick.net" >> /etc/hosts

Cookie Filtering

[kcarnold]

I set up a firewall (simple ipchains ... -d ad.doubleclick.net -j DENY) and it was a tremendous pain, especially with IE. In my experience, if IE5 has trouble loading an ad, it will cover the entire page with a location unavailable or something like that error. (I have seen IE only cover the image with the same, but that depends on some things that I don't want to spend my time investigating.) My bigger problem, though, was the problem of a heck of a lot of ad servers under doubleclick.net. I block one, the next day they have a different one and I block that, etc. It gets tiring, and I am still not guaranteed that somehow it isn't sneaking a cookie by (like a 1x1 image the same color as the background or something). I want the ability to block cookies from specific sites. This should be implemented in the browser, and is already sort of implemented in IE through the use of "zones". However, I have found this not to be flexible enough. I want to be able to specifically block cookies from specific sites, or even better, block cookies transmitted along with non-html (i.e. banner ads) content. Since we have the code for Mozilla, why not do it there? A simple list in the user preferences file would be enough to accomplish the desired result. Block cookies that come from *.doubleclick.net. Block all cookies that are attached to things not of type text/html. Or act like IE: only allow cookies from Slashdot, etc. Go ahead and tell me it's already been done and make me feel stupid... or make me happy by saying that you're working on it. If no one else wants to work on it, I'll try it. Can't be that hard.

Kenneth (who wishes to remain "anonymous" but is definately not).

PS - I don't like out-of-browser filters because (a) they are usually not cross-platform, while good browsers are, and (b) many rely on proxies, which I don't like, not to mention (c) they take up speed and resources on my computer that I don't really want to give away if I can help it.

Re:Cookie Filtering

[bobv-pillars-net]

Change it from -j DENY to -j REJECT, and you won't get the delays.

REJECT sends an "unreachable" response immediately, whereas DENY just drops the packet, leaving your browser to time-out the connection.

Re:Cookie Filtering

[kcarnold]

Thanks; the docs I had weren't very clear on this.

Re:Cookie Filtering

[Mister+Attack]

Actually, IE4.5 (Mac version) allows cookies to be blocked by site. That would be my method if I didn't already have a firewall in place. And I've had very few rendering problems, BTW.
--

Re:Cookie Filtering

[kcarnold]

IE5/Win lets you do zones, which work all right but it lumps all sorts of other security stuff with it, like Java and ActiveX security. Just because I want cookies to be accepted by all of some subset of sites doesn't mean that for each site I want it to treat my security the same way.

am i missing something

Ok, I understand logically how they can get your name, age, etc etc but how are they going to know it was you that clicked on their ad and how to correlate your click to your info?
Can anybody enlighten me?

http://enmasse.penguinpowered.com/

Re:am i missing something

[Ravensign]

They have web site hosts who "cooperate" with them, and when you say give them your name for a service or product, they bacsially tell doubleclick what your cookie number is then they line that up with their direct marketing big database which in all probability has an entry for you already and viola, DoubleClick now knows what cookie goes with who.

It's creepy and I don't think it's gonna stand.

Re:am i missing something

[ffatTony]

hey bacsially tell doubleclick what your cookie number is then they line that up with their direct marketing big database which in all probability has an entry for you already and viola, DoubleClick now knows what cookie goes with who

Perhaps I am wrong, but as I understood the cookie rfc, a cookie will only be returned to a site if the address is the same as the site that issued it, thus if xyz.com gives you a cookie, a script at doubleclick.com cannot access it.

What I forsee is that when xyz.com gets some info about you, they'll pop it into a shared database and all connected sites will know.

As for identifying you when you visit the page, ip-address is the only thing I forsee, unless you give them more info in which to identify you.

Re:am i missing something

[Aaron+Denney]

Perhaps I am wrong, but as I understood the cookie rfc, a cookie will only be returned to a site if the address is the same as the site that issued it, thus if xyz.com gives you a cookie, a script at doubleclick.com cannot access it

Yes, but they can give out cookies for image requests, and since all of the banner ads come from doubleclick, they can get the cookies.

Can you say DatAmerica?

[Jomolungma]

After I read this article on CNet I immediately thought of William Gibson's DatAmerica, which shows up in Virtual Light, Idoru, and I believe his latest incarnation. Anyone else seeing this connection?

We have no privacy (Not that it isn't obvious)

Just wait until AOL-Time Warner buys DoubleClick and controls your personal information, your content, and your method of accessing it. Every day our privacy and freedom is dimished, but what can we do?

Thanks!

[Jake_Man]

I just wanted to drop a note of thanks for the blockfile you whipped up. I've been meaning to play with Junkbuster for some time now, and you just removed my last excuse not to do so.

Simplest solution.

Set doubleclick.net to point to 127.0.0.1 Doing this is easy just stick the following entry into c:\windows\hosts :- doubleclick.net 127.0.0.1 In most linux distros i think the file is /etc/hosts I did this ages ago as i pay for my bandwidth and dont like recieving banner ads.

Privacy Statement Lies

[waldoj]

Their privacy statement says:

In the course of delivering an ad to you, DoubleClick does not collect any personally-identifiable information about you, such as your name, address, phone number or email address.

This, as we now know, is untrue. Granted, they collect it from another server, and not from you, but they still collect it when they send you an ad.

Liars.

-Waldo

Doubleclicked opted me back in again!

[type2]

I opted out of doubleclick a couple of months ago. Today I went back to their opt-out page to find that I'm opted back in. So I opted out again, but who knows for how long? I will have to take other measures.

Of course, I can't provide independently verifiable proof that I did indeed opt out before, or that I was opted in as of this morning. But I know I did.

This pisses me off no end.

-type2

PS: No, my ip address hasn't changed, and anyway that shouldn't be a problem since they are using cookies, right?

Re:Doubleclicked opted me back in again!

Were you using Netscape? I use NS 4.7, and I notice that Netscape loses my entire cookie file at least once a month. This is a huge pain in the ass (anyone know why this happens?).

In any case, if Double click is setting a cookie that identifies you as someone who has opted out, obviously that cookie will be lost if your entire coookie file gets cleared.

Opt-Out

[hernick]

This is the opt-out link. It will place a cookie on your computer that'll let you opt out of doubleclick's tracking.

I am the administrator of a few web caches (I use squid) and I've started blocking web ads a while ago, replacing them by one-pixel blank gifs. It probably fixes the problem...

Re:Opt-Out

[sarchasm]

Even without caller-ID, you can filter out most phone spam. Most of the time the caller uses an automatic dialer which introduces a noticable delay into the conversation. Answer the phone, say hello... if there's no answer within 1-2 seconds, hang up. High accuracy, and if it was a real call and they really want to talk to you, they'll call back and pay attention this time!

Re:Opt-Out

[alecto]

Except for the regrettable fact that telemarketers have a talent for placing calls from outbound call centers in areas that show up as "out of area." (This avoids the stigma of having blocked caller ID.)

I regret that I can't find a citation, but I've heard of at least one instance of RBOCs marketing caller-ID proof outbound lines to telemarketers. Anecdotally, this certainly seems true here.

There are countermeasures against telemarketers, just as there are for banner ad tracking: Telemarketing Scum Page technical data. That link contains references to patents on call progress detection and tips on foiling predictive dialers.

Re:Opt-Out

[mitheral]

Hmm, The opt out page is /.'ed to hell and back. Wonder why that is. Maybe people actually do care about this.

Re:Opt-Out

[TeddyR]

The thing is... Your way would make it harder for sites that DO depend on ads for revenue. And what if your users wanted to see the page as designed... ads and all...

Personally I prefer to have squid "do its thing" normally, but use the Internet Junkbuster chained to a squid proxy. This way your users can select to have an ad-free proxy or a normal proxy.

Re:Opt-Out

Another problem with some banner advertisment servers is that they do not give up. I have found that if I close my browser while a site with a banner is showing then frequently I see the banner site trying to send packets to (the now non-existent) browser for quite some time. This can cause the idle timeout not to trigger and thus cause the telephone charges (I am in the UK) to be higher than they should.

Re:Opt-Out

[the+way]

I've started blocking web ads a while ago, replacing them by one-pixel blank gifs

One problem with this is that it makes some sights' design look wrong, since it assumes the ad exists. You might consider replacing the ads with a blank gif the same size as the original.

Also, consider offering two proxies, one which doesn't block ads, so that users can exercise choice.

Re:Opt-Out

[hernick]

Actually, there is a problem with ads. We pay for bandwith.

The stats for the proxies, when merged together, give exactly this:

62.46% Global Hit-Rate
29.63% Doubleclick.net Hit-Rate
03.72% Doubleclick.net KB Transferred

By making a simple calculation doubleclick alone is using 7.84% of my bandwith, therefore increasing my monthly costs by more or less that amount. The connections we use have a base cost that's pretty low plus 12$ a gigabyte. So doubleclick (and other ad sites, but mostly doubleclick) is costing us a non-insignificant amount of money !

Now, I'm sure the stats are different than they would in another environement - this is an educational establishement so the sites visited tend to be more often the same, and a normal proxy would probably devote less bandwith to doubleclick.net, and a normal site would probably not pay for bandwith by the gig like we do.

The problem is, they're making money without us getting anything in return. I don't feel it's immoral to deprive them of their revenue as long as they won't compensate us at all. I think that if more proxy administrators start doing the same, or perhaps even replacing the doubleclick banners (that's pretty easy to do, and I am considering doing it), doubleclick will have to react and do something.

What I'd consider fair is for them to offer us a share of the revenue. It wouldn't have to be big.. And perhaps offer a solution to cache their ads more efficiently rather to get such a low hit-rate.

Please reply with any constructive input, I appreciate it :)

Re:Opt-Out

[Kris_J]

The "Opt-Out" option does not stop the ads from appearing on your screen, it stops the advertising company from tracking your details. The website still gets the revenue...

If you want to actually block the ads (on a windows PC), I recommend Proxomitron. Otherwise, Junkbusters. (or adding the appropriate domain blocking to Squid, if used.)

I'm the IT guy for a 50+ company. I use Proxomitron personally and I've blocked a number of advertising domains using the company proxy. I also have GIF animation turned off. All in all, I see few ads and even less advertising content. (You'd be surprised the effect just turning off GIF animation has....)

Re:Opt-Out

[Kris_J]

Better yet - replace the ads with company custom ads!

That is too cool. Sounds like a good reason to try Junkbusters on one of our servers... Staff would probably much prefer "local advertising" than the totally useless US crap (I'm down under).

Re:Opt-Out

This is not "your bandwidth".

YOU chose to visit the site... in return they would like to MAKE SOME MONEY!

Many sites DEPEND on the small amount of income they get from these banners.

If you don't want to pay with your bandwidth, then do not visit the site. Please don't op this down, I forgot my nick/passwd

Re:Opt-Out

[plunge]

but that's exactly what I'm talking about- if you aren't getting the full "ad view" the advert company wants, then at some point they'll find out and either not pay the website owner anymore, or find some other way to force you to see it. Ad companies aren't going to always be fooled by simple hits.

Re:Opt-Out

[Kris_J]

Fine, but that's not "Opt-Out", not in the context of this article.

Ad companies are welcome to try whatever tricks they want to expose me to ads, so long as it's legal and above board. Similarly, I use any tricks I can to avoid seeing them. It's a competition and ultimately the result is less important than how you play the game... (In fact, how you are perceived to have played the game is part of the game. DoubleClick took a major risk with the unannounced tracking of personal details, and may have lost this round)

Re:Opt-Out

[jesser]

Doubleclick pays site to site admin can make money (or at least not lose too much money) while providing a free service. User pays internet provider in order to access free web-based service. What exactly is the problem here?

--

255.255.255.255

[Tom7]

255.255.255.255 works better for me, particularly if you're running a web server on your local machine. All real routers drop these packets immediately (god forbid).

Here's my blacklist:

ad.doubleclick.net vbn.adbureau.net www.adclub.net imageserv1.imgis.com adforce.imgis.com ads15.focalink.com geo.yahoo.com adproxy.whowhere.com ad.lycos.com adex3.flycast.com imageserv2.imgis.com www76.valueclick.com ads.msn.com oz.valueclick.com ads23.focalink.com adimages.gamespy.com adcontent.gamespy.com

If you use linux, set up your own caching name server (faster anyway) and use it. You can probably do something similar (anybody know how easy this is, or do you need to hack the source?)

Mac users are out of luck, as far as I know.


I'm sure we'd all love to write a Mozilla plugin to keep ads away a little more cleanly -- I'm sure many of us will.

Comparison

[KMSelf]

I haven't downloaded Stefan's junkbuster, but reviewing his page:

• The current implementation of the main Junkbuster includes an option to replace banners with a 1x1 clear gif, which also sizes to fit. The other options are to substitute a "Junkbuster" image, or the broken icon.
• My complaint against long blockfiles is that you start crossing the diminishing returns threshhold, and long lists become difficult to proof. My short list gives ~90%+ effectiveness, and is relatively easy to tune and test. All inclusive lists are interesting, but can be more bug-prone. I've seen a couple of samples posted here which block domains I'd choose not to (netcom.com?!).

What part of "Gestalt" don't you understand?

Re:Bad

[m3000]

Alias their site to 127.0.0.1. If you're running Windows, edit the 'hosts' file.

And for all you Linux guys, do the same thing, except to the /etc/hosts file. It's very nice to surf with a lot less ads.

Opt Out

To opt-out of this, just visit:
http://www.doubleclick.net/privacy_policy/privac y.htm

Click thru the several links, and the computer and browser your are using will be opted out. You will have to repeat this for each computer and
browser you use.

Another solution (and a rant)

[B.D.Mills]

Doubleclick.net and other unscrupulous online businesses rely on one simple principle for their online profiling to work: that the ID cookie that they send you will always be associated with you. This lends itself to some interesting possibilities if you want to really screw around with their online profiling.

The simplest method would be to either block all traffic from doubleclick.net, or frequently go on search-and-destroy missions through your cookie files, looking for doubleclick.net cookies and systematically removing them all from your system. Profiling cannot work if the ID code is no longer valid.

Another method that would take more effort to set up but can potentially cause irreparable damage to the usefulness of the cookie as a profiling tool follows. Set up a central web site for doubleclick.net cookies. Users of the site would download special software that swaps cookies. Then the software would upload your doubleclick.net cookie, and you would receive another random cookie back. Swapping cookies like this destroys them as a tracking resource.

This isn't illegal, but doubleclick.net may decide to sue the site to force them to stop trading cookies in this way anyway. If this happens, all the users on the site can then launch a class action countersuit against doubleclick.net with the goal of forcing them to stop profiling. For example, does it constitute illegal wiretapping? And does doubleclick.net have a valid end-user licence for the use of the personal information in this way?

Everyone, please remember the horrendous Orwellian scenario that already exists when profiling is combined with Web Bugs (also more euphemistically known as clear gifs). Web Bugs are small (typically 1x1 pixel) clear gifs that are found on the bottom of web pages that inform the owners that the page has been loaded. Doubleclick.net already know what pages you visit, a lot more than you think. And it's happening now.

Doubleclick.net are not the only net terrorists that are acting this way. They are merely the most prominent, and the first that have actually admitted to the practice. Where I refer to doubleclick.net here, substitute many other ad banner companies freely.

If you want to boycott companies, the following need to be boycotted, in order of importance:

1. doubleclick.net and other ad banner companies that send you persistent cookies.
2. All companies that have web bugs leading back to any of these companies, particularly if they do not disclose their use of web bugs in their "Privacy" page.
3. All other companies that deal with ad banner companies mentioned in #1.
4. 
   
   
   --

Re:Another solution (and a rant)

Random perturbation is most likely ineffective, becuase cookies are probably encoded with an error-correcting scheme --- where given a change of a few bits, the original word can be reconstructed in cubic time. e.g., Hamming codes, BCH codes (which are used in audio CDs)

Re:Another solution (and a rant)

[gorilla]

Changing the entire number makes it impossible to reconstruct any number, and it certainly makes it impossible to track me.

Re:Another solution (and a rant)

[beagle]

I use a different solution, which I've found to be quite successful thus far. I'm surprised I haven't seen it mentioned here yet.

Delete all entries that you don't want in your cookie file, then make it read-only. This works for both UNIX and Windows versions of Netscape. Anyone know how to do something similar in IE? I then accept all cookies. Voila - no more bother with "do I want this cookie?"

Sure, I get tracked around for the short while that I'm running my browser, but since I shut it down every night after work, I don't ever end up with any "junk cookies" - and no tracking worth mentioning! (What good is a profile of 8 hours?)

Time for a little Cyberwarfare, anyone?

[Sir_Winston]

How much continued cookie-shuffling would it take to start making their databases choke and sputter? I'm sure many of the dedicated scripters out there could cobble together something that would cycle through pulling down a lot of banner ad/cookie traffic and deleting it. Now, if just half the readership of Slashdot who have high-speed connections would participate--that'll add up to billions o' cookies for the database, and a lot of server time dedicated to serving up banners a la mode to little old us.

Ideas, folks? It is, however, time to take a stand against the AOLified and doubleclicked idea of the Net which corporate America wants to feed us. We pay for this bandwidth, not DoubleClick, so why don't we start showing them how we can use that bandwidth to screw 'em in the arse?

doubleclick

[vectro]

You can use a junkbuster proxy to filter out ads. Alternatively, I believe that internet explorer allows you to set the 'doubleclick' domain to be in its own security zone, and then set that zone to not accept cookies.

Note also that you will only be associated w/ the database if they have some way to associate you w/ your entry in their database. Once your cookie is there, though, they will know.

Re:doubleclick

[the+way]

I believe that internet explorer allows you to set the 'doubleclick' domain to be in its own security zone, and then set that zone to not accept cookies

That's not necessary. Just click here, which places a special cookie on your computer telling Doubleclick not to give you a personalised cookie.

Re:Bad

In the M$ Windows world, there is a utility called CookiePal from Kookaburra Software http://www.kburra.com that allows you to selectively accept and reject cookies.

It also allows to always or never accept a particular cookie. I have found this to be very useful, because there are some sites that I need to go to that require cookies.

*I am in no way associated with Kookaburra Software, except that I use their software.

Re:Bad

[pen]

If you're a Windows or *nix user, you could try the Internet Junkbuster proxy. If you're willing to pay ($19.95) and use Windows, try interMute. The latter will auto-configure your browsers, including Netscape, IExplode, Opera, and AOL.

--

Additional Information & Links

[nlvp]

I did a couple of searches in the discussion and couldn't find any of these links, so I thought I'd supply them.

DoubleClick's Privacy Policy.

Information Collected in the Process of Delivering an ad by DoubleClick

Doub leClick "Opt-Out" Option (how-to)

info@doubleclick.net email address

Use the Junkbuster Proxy

[Ethan+Butterfield]

http://www.junkbuster.com

You can run the proxy server on either a UNIX box or a Win32 one, and it has the ability not only to filter out ad banners, but also to block cookies and to change the browser-type header you send. I've been using it for several months, and it's just peachy.

Re:Time to Act on Privacy Issues

[NecrosisLabs]

Did anyone else find this comment to be a bit rich: "Moreover, he adds, DoubleClick itself would hand over to privacy advocates the list of participating companies if it could. But as in many lines of business, partners frown when their relationships are disclosed without their permission, he says." Did it cross their minds that other people might feel that way too?

Block ads and cookies (and tracking)

[zlexiss]

Use internet junkbuster.. makes everything better, and now helps protect privacy too :-)

http://www.junkbuster.com

Good example of quality GPL'd software, even has win32 versions. I've been using it for a while even with a cable link to speed up web page loading and get rid of the ads..

rm -rf cookies.txt

[kevlar]

End of story.

What is with this?!

[browser_war_pow]

I think Congress needs to outlaw this stuff altogether. It is one thing for an ecommerce stuff to track me on their site so that they can help me find cool stuff, but this is nothing close to something positive like that. Why do these people think that they have a right to get rich off of selling, using and abusing my personal information?!

Re:Here's the middle ground I'd like to see

[tietokone-olmi]

Umm.... couldn't everyone just lie about their name to the browser that they're using? Although some systems might take the name information from somewhere else, at least GNU and BSD users should be pretty safe.

Protocol

[kcarnold]

Missed one important option: selective cookie acceptance. Almost all browsers allow this.

Idea for the protocol for such an exchange:

• The servers would be distributed, like the DNS system. One per ad server or whatever.

• When a browser receives a cookie:

  1. It checks the cookie against the "allow" list.
  2. It checks the cookie against the "ask" list.
  3. It checks the cookie against the "deny" list.
  4. It sends the cookie to the cookie exchange server.

• The packet to the exchange server would contain at least the following information:

  • Protocol version (for extensibility)
  • Cookie given
  • Site visiting when cookie received (you must be able to opt out of sending this information, for privacy purposes.)
  • The src= for the img tag
  • (possibly a user tag - like/not like)

Cookie sending would involve a similar exchange (since the mere presence of a cookie on a computer can be used for tracking without sending another cookie). If a cookie is sent more than once to a site that the user has specifically not said "allow" or "ask" to, it would also be exchanged. On the same subject, if the cookie was originally on the "ask" list when it was received, also ask before sending it back (option to exchange it also).

The entire system must be structured to minimize the bandwidth necessary and the time delay in loading the page. This is why exchanging would be done on the receiving side always, and on the sending side sometimes; you can display the page without knowning whether or not to store a cookie, but you may need a cookie to load a page properly.

The server would contain information by server as to whether or not scrambling the ID would work, and if it did work, the server would send back a scrambled cookie instead of a "recycled" cookie. The server would also keep track of how many times each cookie was sent so it could even out the averages.

It would be necessary to keep users from accidently exchanging a cookie with a username/password in it. Maybe the browser could check whether a form submission included the text from an item whose input type was "password", then either "ask" or "allow" all cookies from that site by user preference.

The worst-case scenario would be that the user was not tracked at all. The more likely case is that Internet cookie-based advertising dies. Be careful not to let up your guard if that happens, though.

Suggestions for improvements?

Ken, eating his cookies

Blocking Doubleclick

[supz]

Is there any possible way to block out all connections from doubleclick.net in Windows? I know in linux you can do it, but my family primarily uses windows, and I would like to protect them from the prying eyes of the pervasive eyes of the people at doubleclick.

Re:Here's the middle ground I'd like to see

[MattMann]

yes, tricks like that work some of the time. The danger is: if you ever buy anything online, anywhere, using a credit card, and you have a static ip address, forget about cookies and lying in your registrations, you are at risk of being identified everywhere, all the time, very accurately, and tied into your full credit, purchasing, and healthcare histories.

I think it would be nice to be able to use e-commerce without this kind of a problem.

E-Mail Response From DoubleClick

[waldoj]

Libby, Alycia
Wednesday, January 26, 2000 3:22 PM
"Waldo L. Jaquith"
RE: Privacy Statement

Thank you for contacting DoubleClick with your concerns. Protecting the
privacy of consumers is of paramount importance to DoubleClick. We are
founding members of several organizations (NetCoalition.com and Network
Advertising Initiative) that are currently creating standards that protect
online consumer privacy, and belong to the Online Privacy Alliance. First
and foremost, we want to make sure that you understand exactly what we do,
and to clear up any misperceptions that exist in the media or marketplace.

First, it is important to understand that Web advertising is critical to
ensuring that consumers like yourself can continue to access Web sites at no
cost. . Effective Web advertising assures that the Web's information,
content, and resources remain free for everyone.

Second, we would like to clear up a huge misconception in the marketplace
that companies such as DoubleClick have the ability to "track" what an
Internet user is doing throughout the Web without their knowledge or
consent. The fact is that the only time DoubleClick knows when a user
visits a Web site is if DoubleClick is serving an ad to that particular Web
site. Even then, the information that is collected by DoubleClick is used
only for advertising and reporting purposes, so that our customers can gauge
the effectiveness of their advertising campaigns.

DoubleClick does not know the identity of any user to whom DoubleClick
delivers an ad until and unless that user has been provided notice about and
consented to having his or her identity used in connection with serving
advertising and other online marketing services.

You should also know that DoubleClick does not sell any information
collected from cookies to third parties. DoubleClick has an explanation of
what a "cookie" is and how it is used on its Web site that we invite you to
read at http://www.doubleclick.net/privacy_policy/.

Simply put, cookies are small text files that are sent to a user's hard
drive in order to facilitate surfing on the Internet. They are commonly
used by Web sites to maintain a customized environment for each user and to
make it easier for customers to purchase goods and services. DoubleClick
also uses cookies to limit the number of times a customer sees an ad, which
our customers have told us is important to them. We also use them to
measure ad effectiveness on behalf of advertisers and Web sites with which
DoubleClick does business.

However, please be assured that until, and unless, a person chooses to
provide personally identifiable information to a Web site, DoubleClick has
no way to know their identity. All DoubleClick knows is that a computer's
browser is visiting the site.

Finally, we want you to know that DoubleClick does create profiles about
consumers solely in an attempt to deliver ads that the user may be
interested in viewing. Again, DoubleClick does not create a profile about
any user unless that consumer has received notice and the opportunity to opt
out from such profiling. Moreover, DoubleClick does not create profiles that
contain sensitive information such as a consumer's medical information.
Consumers can absolutely choose not to accept DoubleClick cookies or to
receive ads tailored to their personal information by opting out at
DoubleClick's Web site at
http://www.doubleclick.net/privacy_policy/privac y.htm.

We hope that you will take a minute to read the complete discussion of what
information DoubleClick does collect and how it's used. Please visit our
privacy policy on our Web site at
http://www.doubleclick.net/privacy_policy/. The page also provides you
with the opportunity to opt out from DoubleClick's cookies.

If you need more information about DoubleClick please feel free to contact
us at 212-683-0001.

Again, thank you for contacting us with your concerns. We hope that this
letter has helped to clear them up and that you will contact us if you need
more information.

Sincerely,
DoubleClick, Inc. (NASDAQ: DCLK)
http://www.doubleclick.net

Re:Bad

[MattJ]

(Actually, by the *security* issue I mean that the browser will accept cookies from the ad image's server, even if it's in a different domain than the web page.

So you think you're only viewing xyz.com, but quietly your browser is accepting cookies from doubleclick.com via the ad image retrieval.)

Re:Bad

[orabidoo]

who needs a proxy! just 1) delete your entire cookie file once a day or so, and 2) stick the 50 or so biggest ad servers in your /etc/hosts (that's \windows\hosts for you windows users), assigned to a bogus IP like 127.0.0.2. start with ad.doubleclick.net, and add hosts as you see ads (under netscape, right-click to "copy image location")

in general, cookies are OK, and quite useful, for short-lived browser/server interaction state keeping. There is no real need for long-term cookies; at worst you'll have to enter a password a few times more. And clearing your cookie file very effectively dissociates any further browsing from any profile doubleclick may have of you.

Re:Bad

[Will_Malverson]

Alias their site to 127.0.0.1. If you're running Windows, edit the 'hosts' file. Here's mine, just to get you started:

127.0.0.1 localhost

127.0.0.1 ads.doubleclick.net

127.0.0.1 ad.doubleclick.net

127.0.0.1 adforce.imgis.com

127.0.0.1 ads.enliven.com

127.0.0.1 Ogilvy.ngadcenter.net

127.0.0.1 oz.valueclick.com

All it takes is an annoying ad to get your site added to this list.

Re:Cookie crumbs

[pen]

I would be willing to wager that Opera will reject the cookies, since it adheres to all the specs in other areas, including HTML, CSS, and similar things about cookies.

However, I have also had some sites not work because of this.

But that doesn't matter, since I block all cookies anyway, except for the ones I need. If you don't do this already, you really should get JunkBuster. Available for Win32 and *nix.

--

How to avoid the scam

[Rasha]

If you are running Linux you can compile your kernel with ipchains. This is essentially a firewall package that among other things can filter packets. That is it can block packets coming from or going to a specific url or ip address read the HOWTOS on ipchainsand if needed the kernel HOWTO. Does anyone know all the ip addresses that Double Click uses so that I can set up my firewall to block them?

Re:creating the hosts file

[jesser]

Try getting a newer version of IE.. I think IE 5.01 handles it correctly, but if not get IE 5.5 beta (which unfortunately introduces lots of new bugs in areas where features weren't even changed as it fixes some old bugs).

--

Re:creating the hosts file

[Jomolungma]

I've tried this host file thing and everytime I come to a page with a doubleclick banner, my IE gives me a "couldn't find page" page, instead of just ignoring the ad. Does this method not work on IE? Or is it possible my office network that is doing the messin?

Ad blockers

I use the JunkBuster and Proxomitron proxy servers together to block ad banners and cookies. Here are some others too. http://www.junkbusters.com/ http://www.junkbusters.com/ht/en/ijb20.zip http://www.webwasher.com/ http://www.webwasher.com/en/software/wwash/downloa 1.htm?submit=I+agree http://www.naviscope.com/ http://www.naviscope.com/nscope.exe http://www.clasohm.com/leanweb/ http://lide.punknet.cz/miri/adbuster.html http://www.ispec.net/adext/ http://members.tripod.com/Proxomitron/download.htm l http://www.meta.demon.co.uk/webmask/download.html http://home.comset.net/povarov/proxy.html http://www.geocities.com/SiliconValley/Heights/528 7/ http://ourworld.compuserve.com/homepages/gtschech/ ijb95_en.htm http://waldherr.org/junkbuster/ I recommend WebWasher or Naviscope to less experienced users and JunkBuster or Proxomitron to experts. The hosts file and Netscape's proxy.pac are other methods of blocking.

Re:Time to Act on Privacy Issues

> In The Art of War Sun Tsu says that if you know
> your enemy, and you know yourself, you have
> already won half the battle.

Wait, didn't G.I. Joe say that?

Nevermind...

Database access

[BOredAtWork]

So, how can I see what information is available about me in this database? Or can't I?

--

Re:Should we trust Doubleclick not to track us?

[Mister+Attack]

You did not run into problems with page rendering?

Well, yes, on some extremely ad-heavy and poorly-designed sites that assumed the ads were there. Small price to pay...
--

ADFU

[Uart]

People, stop using this offensive Double-click! Use Adfu instead, from the people who brought you Slashdot!

Re:Lets all use the same cookie!

Someone pull the doubleclick cookie out of your cookie file and post it. Then we can all paste it into our cookie file and re-chmod the cookie file to be read only. Then it'll end up just being one person hitting every web page on the planet thousands of times a day (It would actually be interesting to see what kind of junk mail that guy gets after a year.)

It would be nice if that cookie is associated with the e-mail address of someone at DoubleClick.

prOn habit

Guess that would be a good reason to stop surfing for prOn huh?

Suggested new open source browser feature

I would love to see open source browsers configurable to lie about cookies to a list of domains that you choose. The lies could come from the configuration as well. That would allow the browser to come with a set of pre-configured generic cookies for a variety of sites. Obviously, they should end up in the databases next to the name J. Random Hacker, with an e-mail address of jrandom@invalid.domain.con.

Re:Opt-Out - useful

[paled]

thanks. I'm opted out.

Re:America and Corporations

What the hell is wrong with the moderators!? That is an excellent post which deserves at least a 2 for relevance. Jesus Christ, Slashdot is moderated by brain-dead tech-flunkies.

Softly,
As in a morning sunrise
The light that gave you glory
Will take it all away.

Cookie -> Name mapping.

[larva]

The first time you see a doubleclick banner you get a nice little cookie. from that point on all the banners that you see comming from doubleclick will get the cookie, save the info on your COOKIES surfing habit and then maybe update the cookie.

couple this with an database filled with names and addresses. now, unless you somehow reveal your name to doubleclick it is impossible for them to make a mapping between these two databases.

they dont have name->cookie pairs. so how are they going to make use of the name database?

(l)

Re:Cookie -> Name mapping.

[A.Gideon]

It is less of an "infrastructure challenge" then you might thing. Actually, I can think of a couple of easy technological solutions just off the top of my head. Likely these aren't even the best.

However, the "alliance" comment is right on the mark. I've no idea how likely or unlikely such a thing is. But it is worth noting that it doesn't require this alliance with all sites displaying DoubleClick ads; only a few.

Let's consider one interesting case: Yahoo. Let's also assume that they display DoubleClick ads (I believe so, but I've not checked this). Yahoo has various means of inducing people to "sign up". That's a pool of identities that can be matched to DoubleClick's database. One the names from Yahoo are matched to DoubleClick cookies, your identity is tracked on *every* site displaying DoubleClick ads.

Does Yahoo provide this information to DoubleClick? I've no idea, but they're only one example.

Another point to consider is whether there is a way to get this information w/o the cooperation of the site displaying the ads. I'm thinking, for example, of email addresses being embedded in query strings.

Given the problems that, for example, Hotmail has had with security, such a thing would not amaze me.

A final point: mail messages with embedded HTML that accesses banner ads. This is a perfect way to match email addresses (and therefore people) to cookies.

The worst aspect to this, from my perspective, is that it will only take a small abuse of this sort to generate a potentially nasty backlash against Internet commerce. Whatever form this takes, I'd not look forward to it.

Re:Cookie -> Name mapping.

[A.Gideon]

>they dont have name->cookie pairs. so how
>are they going to make use of the name database?

First, recall that most browsers send - as a part of every HTTP request - a field called HTTP_REFERER. In the case of an image, this tells the web server the URL of the page on which the image has been displayed.

Therefore, DoubleClick's servers get not just the cookie, but also the URL of the page on which the ad is displayed. This includes the query string of that URL. More, many uses of banner ads include query strings in the URLs to those banners, passing even more information.

What DoubleClick has, based upon the above, is an easy way to map between a DoubleClick cookie and a visitor to all those many web sites which display DoubleClick ads. This means that they know a great deal about a person's browsing history.

But you're correct that this isn't enough to get a name. However, once you pass your name (ie. as a part of a purchase, or even just a request for information via a form) to one of those sites which uses DoubleClick ads, that site's information can be combined with DoubleClick's to determine precisely who you are.

Note that it only takes one "leak" of this information. Because your name is now associated with a DoubleClick cookie, all activity associated with that cookie - past, future, and all web sites - is now associated with you.

Re:Cookie -> Name mapping.

[larva]

>However, once you pass your name (ie. as a part of a purchase, or even just a request for information via a form) to one of those sites which uses DoubleClick ads, that site's information can be combined with DoubleClick's to determine precisely who you are.

that would require doubleclick to strike an alliance with all sites they have banners on, quite the infrastructure challenge there.

(l)


yes it is possible. but as long as you dont give away your name (or other identifiers )to doubleclick (or sites where they have banners to be even more secure) they will never be able to map your name to your cookie.

You have mail!

[seandunn]

What really worries me about this profiling is that sites might get information back from DoubleClick. I can just see it, my Grandmother types in www.whitehouse.com, and since she accidentally checked a box off on Yahoo stating "Please send me spam from anyone who gave us money" she is automatically signed up for the Big Bone of the Day.

Well, I'm sure that going a little far, she probably will only be getting free samples of KY jelly in the mail and a free issue of Jonny Leatherpants and his Magic Nipple Clamps.

But in all seriousness, I thought the FTC was tring to cut down or make on this kind of thing illegal, *and* with the whole Pentium 3 serial code fiasco, it is painfully clear that people value their privacy on the web.

Anyone know of a site or utility to clear out certain cookies like these, but leave the nice ones in like Slashdot?

Re:You have mail!

[DeadSea]

I recomend Cookie Pal for windows. It intercepts the cookie alert window and then accepts or rejects the cookie for you based on filters.

I don't know what is available for linux. You can get the program at Tucows. They also have several other cookie management tools available.

This Might Sway Some

[Mignon]

I have it on good authority that DoubleClick uses Linux. Seriously - no trollin'. They may be evil, but they're not all bad...

Re:This Might Sway Some

[DrEldarion]

What's with this...
Just because they use Linux doesn't mean jack shit.

That's saying something like "Well, Hitler once saved a kitten from the cold.. see? he's not all bad!"

-- Dr E. --

Re:Bad

[Valheru]

Not sure if this is the case or not, but does just blocking the AD (and not displaying it) prevent DoubleClick from tracking you? When you load the web page I would assume that the cgi script is still processed and that doubleclick servers are hit to send the ad to your computer (which you then ignore). Thus, they already have your IP and know which web page you were on.

Once again, I do not know if this is the case, and I hope that it isn't because it then you can just configure ipchains to block doubleclick.com (I think)

No need for hysteria

[.uuo]

DoubleClick tracks people using a unique identifier in a cookie. DoubleClick has no way of matching that cookie with any peronally identifiable information unless *you* provide them with the information, either directly or indirectly. "Indirectly" means you register with a site and it passes your name,etc., to DCLK using redirection.

If you don't want DCLK to match your name to your cookie, don't give them your name. Check the privacy policies of any website before giving out your name. Sue the websites who violate their privacy policies.

Better yet, opt out of tracking.

If you are paranoid about having your behavior tracked, then never buy anything using a credit card. And never fill out product registration cards or enter contests which require your name. All of that information finds its way into databases such as those maintained by Abacus and Experian.

Big Brother

[dogbyte12]

I can see a presidential election, 20 years from now, where these ad companies, sell to candidates, the url's their opponents went to when they were in college. But in a way, big brother will be a playing field leveler. If 20 years from now, somebody was running for President, and the only web sites they looked at were /., weather.com, and yahoo, I might be a little weirded out by them. It will ruin the idea of anonymous dialogues, which help in fostering honesty, but also bring along flame wars, but perhaps big brother will be a beacon of freedom in a perverse way. If we all act normally, i.e., not holier than thou, the notion of being watched will be like being ourselves in front of our families. I suggest we all order beer on line, go to playboy.com,(or playgirl for that matter for those so inclined;) order sex toys, join an online cult, and engage in flame wars on a star trek newsgroup by posting doctored naked pictures of our love affair with Spock. Hell, if Bill Clinton has shown us anything, it's that we have at least grown up enough to allow a human being to be president. The internet can allow us to grow as a society. If we act like ourselves, the truth will be less shocking. Isn't that a good thing?

George W. Bush-- Not a crackhead since 1974!

Re:America and Corporations

Excellent post, dude.

Ad and cookie blocking for Windows

[Paul+Johnson]

I am, for various reasons, constrained to using Windows.

To stop this stuff, and also save on bandwidth, I use AtGuard. It filters cookies on a per-site basis, and also blocks access to URLs containing certain sub-strings (which can also be configured on a per-site basis). Overall a really cool and useful program which deserves to be far better known.

Unfortunately I've just discovered that WRQ (the creators of AtGuard) have sold the rights to Symantec, and its now part of Norton Internet Security 2000 for almost twice the price of just AtGuard. But you get a virus scanner as well. Ho hum.

Paul.

DoubleClick's Opt-Out program

[LonEagle]

I was considering pasting parts of DoubleClick's "privacy" policy and critiquing them, but it's much easier just to opt out of their little cookie system. They replace their userid string in your cookie with a string: OPT_OUT. If enough people do this, their little database scheme will be worthless... muahahah!

http://www.doubleclick.net/optout/defau lt.asp

Re:DoubleClick's Opt-Out program

[Gregg+M]

Junkbuster allows you to edit the cookies you send back to certain domains. I like to put the "EICAR-STANDARD-ANTIVIRUS-TEST-FILE". You can put a well worded letter about what they can do with there database.

Re:IANALAY?

[ajs]

If there truely is a law against this kind of tracking in the EU, then the authorities should be the ones pressing charges.

Offtopic: domain sorter script

[Speare]

#!/local/bin/perl5
#
# usage: domain.sort.pl < listofdomainnames > sortedlistofdomainnames
#
# Sorts by each domain, so all *.com's are sorted together, and
# all *.abc.com's are sorted together near the top of all *.coms, etc.
# Doesn't sort dotted IP4 addresses well, but doesn't mangle them either.

sub reversehost
{
my @terms = split(/\./, shift);
@terms = reverse @terms;
join('.', @terms);
}

sub main
{
my @lines = <>;

foreach my $line (@lines)
{ chomp $line; $line = reversehost($line); }

@lines = sort { $a cmp $b } @lines;

foreach my $line (@lines)
{ print reversehost($line) . "\n"; }
}

main();
1;

"This is not spam"

[Robin+Lionheart]

> ...include a header which says "this message is not spam", allowing people to filter on it.

I already filter on messages that say "This is NOT SPAM". They go straight to my spam folder. Haven't had a false positive yet.

Re:"getting nothing in return????"

[acomj]

How do you think web pages and those who create them pay for them..?

I can't you believe all the pages you view were put on the web at a cost of nothing. Ads help pay for them in the same way they keep the prices of magazines and newspapers low. So in a way they are paying you to view them because you want to view the content (unlike unsolisited email). Yeah adds are annoying, but they're necessary.

They'res also the question as "click through" rates fall as they are, whos is going to pay for serving all this content.

As for thinking those add are immoral?? Its an advertisment. Do you stop wathcing TV because of ads (which actually waste your time..)

On the otherside, doubleclick is a devious company trying to match real address to web cookiew.

surf anonymously

[dexter_goodfeather]

check out spaceproxy.com they allow you to surf the internet anonymously, and you can even use their proxy server. free of charge of course.

Better Yetter

Sign those addresses up with XOOM. They (XOOM) will sell the addresses to every company on earth.

Re:Here's the middle ground I'd like to see

[mftuchman]

I know how you feel...When I first got my yahoo mail account for the purpose of receiving primarily commercial email, I was excited about the idea of targeted specific advertisements. I figured - hey - if they want to sell stuff without killing trees, I'd give them the benefit of the doubt.

But now my trust has eroded considerably. I question the viability of the middle ground simply because there is nothing to keep these merchants honest. True, they can lose business if word gets back, but it's a big if. Meanwhile they're making money selling your name behind your back and despite lip service to "trust" and "privacy"

I'd like to see aggressive enforcement of these trust agreements. Every company must be required to disclose the source of data collected for each person, upon request.

Consumers should be allowed to track back and verify who sold their name without permission. Then the heavy fines can begin - it's no different from the no-call lists for telemarketers. If they call you back against your will, you can collect penalties.

Re:utility that will accept, then delete a cookie

[um...+Lucas]

I wish that in netscapes prefs, you could list all the sites you go to and specify whether or not to accept cookies from them, so you could always accept cookies from Slash or Amazon but never from AdFu or Doubleclick...

Maybe it could happen in Mozilla?

Web logs still leak info; opt out *completely*

[Tau+Zero]

I have adopted a policy: if an ad site tries to serve me with a cookie, I block that ad site entirely. I never see ads from flycast.com, for example. I'm doing this by hand, mostly for fun, but also as a bit of consciousness-raising on my own part.

I'm doing this under IE4.0 at work. The HOSTS file is useless since all HTTP traffic goes through a proxy, but going into the advanced-proxy configuration allows one to specify sites which should not be accessed through the proxy. Routing these to the local network gets them blocked at the firewall, and they time out. This is better than blocking cookies, because the ad site never gets to see an IP address, let alone the http:referrer field.

Something to be aware of: Even if you use the write-protected cookie file trick under Netscape, if you accept a cookie it will still be active until the end of your session. This means you will be letting Doubleclick/Abacus connect your hits to your name and home address, at least for the rest of your surfing that day. Blocking all access to Doubleclick costs them a lot more.

Slashdot serves a lot of its own ads, which I still see (of course). I will happily patronize Slashdot, because I doubt it is going to sell my private information to anyone or track me between sites. Doubleclick, flycast, bfast, hitbox and the rest are not so friendly, and I think that sites which use their services should not be given the benefit of the doubt (or the revenue).

Here's my current blocklist (pardon the formatting):
a32.g.a.yimg.com;valueclick.com; mojofarm.sjc.mediaplex.com;www.burstnet.com ad-adex3.flycast.com;ads17.focalink.com; ad.doubleclick.net;ad.uk.doubleclick.net; a1.g.a.yimg.com;ad.preferences.com; barnesandnoble.bfast.com;ads.enliven.com; ads09.focalink.com; view.avenuea.com;ads.i33.com;ads.bfast.com; adserver.track-star.com;ads.admaximize.com; ads24.focalink.com;banners.orbitcycle.com; adforce.imgis.com;service.bfast.com; ph-ad04.focalink.com;leader.linkexchange.com; adex3.flycast.com;Ogilvy.ngadcenter.net; ads18.focalink.com;ads06.focalink.com; van.ads.link4ads.com;view.accendo.com; ads19.focalink.com;ads21.focalink.com; thinknyc.eu-adcenter.net;ph-ad05.focalink.com; ad.doubleclick.net;barnesandnoble.bfast.com; gm.preferences.com;newads.cmpnet.com; ads25.focalink.com;ads22.focalink.com; app-05.www.ibm.com;cookies.cmpnet.com; ads20.focalink.com;idealab-ad.flycast.com; ph-ad07.focalink.com;ads15.focalink.com; ads10.focalink.com;ad.ca.doubleclick.net; static.admaximize.com;ads.dallasnews.com; realmedia.com;www.rbiproduction.co.uk; w131.hitbox.com;ln.doubleclick.net; c1.thecounter.com;ads23.focalink.com; maximumpcads.imaginemedia.com; maximumpcads.snv.futurenet.com; www56.valueclick.com;ads05.focalink.com; kansas.valueclick.com;oz.valueclick.com; ads07.focalink.com;ads12.focalink.com ;ads16.focalink.com;redherring.ngadcenter.net; ads.guardianunlimited.co.uk; media.preferences.com;excite.com; stats.superstats.com;mojofarm.mediaplex.com
--

I own my cookies

[dgonz]

How can it be illegal to manipulate cookies on your own machine? I can set up anything I'd like on my computer and if they want to read it and shove it in a db, fine. Good luck trying to get anything useful from it though.

Re:Already done...

[Krimsen]

See this comment.

Re:Cookie crumbs

[Paolo]

What Mozilla needs is what a little 3rd party MacOS browser upstart iCab has: the ability to ask before accepting cookies, and refuse all cookies from that domain from that point on. It is a lot more useful, because if some horrible site uses 5 cookies, or the admin has put on multiple-retry Apache cookieing it doesn't matter if you keep on hitting cancel, cancel, cancel, because it will take lots of time for them to go away.

Any status reports on Mozilla as to whether this is possible with the latest?

well, there's always ipchains

From the ipchains howto:

• I don't want any local process (ie. Netscape, lynx etc.) to connect to doubleclick.net:
  
  # ipchains -A output -d 199.95.207.0/24 -j REJECT
  # ipchains -A output -d 199.95.208.0/24 -j REJECT

http://www.rustcorp.com/linux/ipchains/HOWTO-4.h tml#ss4.2

Need cookie control in browsers

[skelter]

We need to demand selective cookie control in our browsers!

Shareware tools for windows users

[Merk]

If you're a windows user like I'm forced to be, I strongly recommend AtGuard. It was recently bought out by Symantec, but I think you can still get trial versions and stuff.

The way this thing works is that it scans TCP/IP requests and never transmits the ones matching a certain pattern. I end up seeing less than 0.1% of the banner ads on the 'net, and when I do see one, I just add the relevant pattern to my block list and never see ads from that site again.

AtGuard also does one more amazing thing -- it stops animated GIFs from looping. About time!!

Along with AtGuard I use Cookie Pal. It basically intercepts the Netscape or IE cookie request dialog, and handles it. What makes it better than Netscape or IE is:

1. It keeps a list of sites to accept / reject with wildcards. I reject anything from *.doubleclick.net for example. Once that site is in your list, you never get asked about cookies from that site again.
2. On sites not found in your lists it asks: "Accept a cookie from www.spamsite.net?" with the options "Yes, No, Always, Never" and a checkbox allowing you to apply the always/never rules to *.spamsite.net. This flexibility far exceeds what browsers can do with their one-time Yes / No capability.

Eventually (once it's more stable and I have more time) I plan to get Mozilla and, if someone hasn't done it first, add all these features to the source. At one point I had read enough of the Mozilla source to know how to stop the animated GIFs but I never got around to adding the changes. Until then these tools are amazing and I can't recommend them enough.

Moderators: I know this is endorsement of commercial Windows products by a Windows user. I know it's not accompanied by the requisite amount of Slashdot Windows trashing or anti-commercial ranting, but let's face it, many of us have to use Windows, and many of us are willing to pay a few bucks for a good commercial tool when there's no open source alternative. Please help me get the word out and help people regain their privacy and freedom from advertising by bumping this up a couple of points. (And no, I'm not associated with either product, just a happy user).

Here's A List of Dblclick sites!

[blipvert]

here is what I found!

http://www.doubleclick.com/advertisers/network/n et_sites/all_sites/default.htm

I'm still a little confused...

I can see how the bastards are tracking your surfing trail. I can't see how they're getting your name and address though. Anyone know how they are getting that info?

If it weren't for the DMCA, someone out there could reverse engineer their system and create a way to send it bogus data. More proof the DMCA isn't just unconstitutional; it's just plain evil.

Re:Should we trust Doubleclick not to track us?

[Nodatadj]

No change here....
So I just deleted the .doubleclick line, and all the other ad ones.

Filter doubleclick at your proxy...

I have been filtering doubleclick.net from my proxy for months now and am still amazed at how much less bandwidth I use use while surfing. torch@ripco.com

Re:It's my computer, not yours

Haha.. with your business model, there will be no sites left.. look you hypocrite.. all the good sites have banner ads.. slashdot, freshmeat, sourceforge ALL OF THEM do you not understand??? why go to these sites if you are just going to rip them off??? Get off slashdot, you don't need it.. don't worry.. according to you someone will make one just as good without banners.

Re:Cookie crumbs

[DeadSea]

I would recomend getting a program that works with your browser to filter cookies. If you are a windows user, Cookie Pal is by far my favorite choice. You tell you web browser to tell you about cookies and cookie pal finds that window, intercepts it and handles it according to the filter options you set.

I don't know what options are out there for linux but I will probably check them out now since I'm using linux more.

Tucows has a nice list of cookie programs. I'd check it out if I were you.

I don't think this is always possible

How do they determine the user ? Most large ISPs (like AOL, etc.) go thru proxy gateways and the user has no unique IP address. Since cookies by themselves don't convey much about the user, how is it that they can get any info that could possibly tie the session to a user's personal information ? I'm a little sceptical about this. Please explain how its done if you actually know.

Re:I don't think this is always possible

[billybob+jr]

When you accept a cookie from a site it is analogous to someone coming up to you and writing on your forehead 19876523. Does 19876523 mean anything in itself? No. But now lets say that the you go to the store and they see 19876523 on your forehead and write it down. Now you go to another store, and they write it down. These stores also write down everything you buy.

Now let's say you go to another store and order something they are going to ship to you. They write down 19876523 as well as what you bought as well as your home address and name. Now a company knows what you ate at tacobell, bought at the supermarket, and what you bought at wal mart.

Cookies in theory are limited in scope moreso than my example was, because only the company that wrote on your forehead could read the number. Only slashdot can read the cookies it sends to your browser. But, what ends up happening is that web pages use a 3rd party to serve up the banner ads. This 3rd party is the one that sends you the cookie. When you go to another site that this 3rd party is also serving up ads to, they instantly identify you from the old web site. If one of the websites you go to gets your shipping information and they have an agreement with the banner ad company, it's all over.

Re:Couldn't the database be poisoned?

[orabidoo]

well, getting their banners and tracking cookies, but removing the cookie every day or more often, is a way of poisoning the db with lots of useless entries; however, these entries will eventually expire (no more hits in a long time => cookie must be lost; not associated to a real name profile => useless, expire it). a stronger way to poison the db would be to have a proxy that randomizes the content of the doubleclick cookie, within its usual syntax. depending on how their system is setup, you could either get ignored in most cases, or manage to assign your hits to other random people's profiles. but you'd need a lot of people doing that to have a significant impact, and most people just don't care enough. hell, *I* don't care enough either; I'm just happy to block them at /etc/hosts.

Look at it another way

[blazer1024]

I mean, sure, it's not so great they can track everything we do, but also look at it this way. If they start calling my house trying to sell me something, they're basically wasting my time. Same if they start cluttering my mailbox(both e- and snail) I delete it/throw it away--I already do that. However, if they're doing something like trying to find out what sorts of things I am personally interested in, let them. Wouldn't you much rather receive adds that you might possibly be interested in, rather than aluminum siding adds when you live in a dorm, or coupons for an oil change when you ride a bike to work/school, or internet web server tools when you don't have or want your own web site? (Okay, now I sound like an IBM/Lotus commercial)

I mean, seriously... ad companies specialize in one thing, ads. They don't want to blackmail you because you've been buying diamond jewlery online for your mistress, and buying your wife cheap wal-mart stuff. They want more effective advertising. Plus, by showing them what we like, then the businesses trying to make goods we'll buy will concentrate on what people want, rather than what everyone things people want. It's not really anything to be paranoid about. I'm sure half the companies in the world already have my name and address because I've bought something, but I don't care. Let them. Then they can see what I buy, and what I like. Who cares if Doubleclick has access to them now? It's all the better for us, if you ask me.

Re:Look at it another way

[znu]

They'd need to make strict laws regulating what information can be collected, who can see it, what it can be used for, and how long it can be kept. Until that's done, there's just no way I'll be comfortable with information about me being collected, even though I know there's only a very small chance an actual human will ever see it.

--

Re:Serious, Re:Lets all use the same cookie!

[Tau+Zero]

One could create a special cookie (and mail-address) for this purpose and send all the Mail back to all the senders or such stuff. I would have real impact, when some ten thousands have the same identity.

Many Slashdotters are already doing something like this to news sites like nytimes.com (slashdoted/slashdot or cypherpunk/cypherpunk). However, I don't know how many of them delete their cookies after every session (I do). Failing to delete the cookie allows tracking them upon their return, which I refuse to do. As far as these sites are concerned, I'm a new guy every time.

Exchanging cookies (like wearing and swapping masks) is a great twist on this concept. I like it.
--

Um

I have never used my real name anywhere on the internet, or have had it stored anywhere on my computer. Even in the case of software I have paid for, i enter the name 'Buck Futter'. Switch some of the letters around, I'm sure the DoubleClick motherfuckers would like that one. Eat my shit.

Automated "Cookie Cutter"

I put this

0,5,10,15,20,25,30,35,40,45,50,55 * * * * $HOME/bin/auto-cookie-cutter >/dev/null

in my personal crontab. And wrote this...

#!/bin/sh
# auto-cookie-cutter: get rid of unwanted cookies
netscapeHome="$HOME/.netscape"
cookieFile="$netscapeHome/cookies"
noCookieList='^\.?linkexchange\.com|^\.?doublecl ick\.net'

egrep "$noCookieList" $cookieFile >/dev/null || exit 0

cp -p $cookieFile $cookieFile.bak || exit
egrep -v "$noCookieList" $cookieFile >$cookieFile.new || exit
mv $cookieFile.new $cookieFile

So even if doubleclick or linkexchange does try to leave me
cookies, they won't be very long-lived!

Heh heh heh.

Re:Time to Act on Privacy Issues

[warpeightbot]

Now, what I thought I just read was "Government is ineffectual" followed by "Call your congresscritter." Ummmm, huh?

Government is not the answer to individual privacy, just as government is not the answer to individual security. Government can make it easier or more difficult to do these things, but ultimately it comes down to individual responsibility. Frankly, the best way for government to make anything easier is to get the hell out the way and let us do our thing. (Actually, the Europeans' various privacy legislation isn't such a bad attempt, but if you think the American Congress is going to pass any such thing, I have a steak dinner that says you're sadly mistaken.)

Folks, our privacy is being taken away with technology. We can use technology (or the lack of it) to fight this. Junkbuster is an excellent example. Refusing supermarket club cards, and choosing who you shop with by how they respect your privacy, is another. Joining EFF, and contributing to other worthy organizations like EPIC, is yet another.

We might be able, over time, to bludgeon the rotters in the District O'Crime into respecting us... which is why EPIC and such are worthy causes. But for the nonce, we are far more effective at protecting our privacy as individuals than as subjects of the Imperial Federal Government. IF your congresscritter will listen, talk to him. My last one would not (in fact, she was a Communist... but I digress). But in the short term, protecting privacy is simply a matter of using your head and the word "no"... and voting with your feet.

Oh, one way to keep track of issues that I haven't seen posted here before: The Privacy mailing list, which IIRC is a digest of comp.society.privacy (not posting to Usenet is a good way to keep one's email private!), which is available from privacy-request@vortex.com. Simply being aware of what's out there is one of the best ways to run a clean operation.

In The Art of War Sun Tsu says that if you know your enemy, and you know yourself, you have already won half the battle. You can use the Net, one of the very things being used to take your privacy, to learn about the enemy. You can learn what it knows about you. And once you do that, you can then figure out how to control it, make it work *for* you. I leave the rest to the reader.

--
There is no spoon.

What doubleclick?

[slashdot-me]

[ryan@leia: serial]$ nslookup www.doubleclick.net
Server: line.ryans.dhs.org
Address: 199.201.131.225
*** line.ryans.dhs.org can't find www.doubleclick.net: Non-existent host/domain

Golly, my dns server must be misconfigured :)

Ryan

Re:What doubleclick?

[interiot]

Care to briefly share how you did that? Yours is a nice solution that I could share with my friends localy who don't have a linux box and don't want to install a proxy.

Re:What doubleclick?

[slashdot-me]

If your friends don't have a unix box to run a dns server they're out of luck. I run a name server (BIND) for my domain ryans.dhs.org. The server is set so it thinks it's authoritative for the doubleclick domain too. Any name lookup on my network gets routed to my dns server for resolution. Since my server thinks it's authoritative for doubleclick it won't attempt to resolve the name and just returns error "no such domain."

You might try setting the address for ad.doubleclick.net to 127.0.0.1 in you hosts file. I think windows stores it in c:\windows\drivers\etc\hosts
Something like that.

Ryan Salsbury

Re:Bad

[znu]

For Macs there's WebFree, which can block ads in IE and Communicator, or the rather nice but also rather beta iCab browser, which has ad filtering abilities built in.

--

Re:Bad ... You could always enter the lion's den

[Buskaatt]

Go to http://www.doubleclick.net/optout/default.as and set your cookie to OPT_OUT. You lose your PID and its relationship to the Abacus database.

Re:One possible way?

I edit my cookie.txt file using wordpad. It seems to preserve the weirdness of the file so that it still works with netscape.

I've been editing my cookies.txt file for years, making random changes. Changeing true to false, and vice versa, modifying serial numbers, etc.

Hypocrits to the highest degree.

[oddRaisin]

'Moreover, he adds, DoubleClick itself would hand over to privacy advocates the list of articipating companies if it could. But as in many lines of business, partners frown when their relationships are disclosed without their permission, he says.'

... From the article on USA today.

Hmmm. Dare I ask why it's ok to disclose my relationship to a site I'm browsing without my permission? They seem to be more than just a little hypocritical and arogant (obvious, Joe Blow isn't worth applying ethics to).

Re:Netscape Configuration

To Stop Doubleclick I simply deleted all my cookies. Then I went to the two places That I wanted to recognize me. I verified that I only had cookies from where I wanted, then changed the file attribute on my cookie file to read only... A low Tech solution... BTW Who uses Doubleclick? I was surprised to find it on my favorite web site cnet.net, www.nydailnews.com, anybody think of keeping a list of sites that use it, then complaining to the sites ?

Ironic: slashdot postings on evils of web ads

[timboy61]

I am as down on DoubleClick as the next guy (I have already sent them a complaint, and got their helpful boilerplate response saying that they are misunderstood and it will all be clearer to me once they explain to me what a cookie is).

But it's ironic to see /. posters seriously arguing that Web banner ads are evil and should be abolished. Um, ads pay Cmdr T. and Hemos to do this full-time, and presumably pay for some of the hardware and connectivity making it possible for those very anti-ad rants to be posted. No, I don't think that people are obligated to download ads as "payment" for the privilege of seeing a content site, unless they signed a contract. But in aggregate, that's the money model that supports content sites, and if everybody blocked ads by default, free content sites would largely go away.

Re:Netscape Configuration

Great idea, but I think you meant cnet.com. How about a simple program called Doubleclick catcher, that blocks and makes one aware of a doubleclick attempt.

Re: Yet Another solution (and a rant)

For IE, I use a shareware called Cookie Pal (http://www.kburra.com/cpal.html). This program can always accept/reject cookies from domains that you specify.

Just turn 'Prompt before accepting cookies' options on and let Cookie Pal take over. In fact, Cookie Pal can monitor any process that could put a cookie, like a HTML enabled email program.

The best $15 I have spent :)

More privacy tips...

[guardian-ct]

Also, never post to slashdot using your real name.

Build a real firewall around the inside walls of your apartment. Design carefully, so that a few pyrotechnics can start a fire that will burn all
the evidence, even if the feds get in. Lock all
food items in the refrigerator.

(sorry, too much conspiracy theory)

Re:Netscape Configuration

[Mr.+Slippery]

In netscape, you can disable cookies from other hosts than the page being viewing. This effectively blocks Internet-wide tracking like doubleclick.net.

NO. IT DOES NOT.

Sorry to shout, but I fear many people share the same misapprehension. Cookies can be attached to images as well as to web pages. By attaching cookies to banner ads or invisible GIFs served from a common source, servers can pass information about you between themselves. Since the cookie comes from the same source as the image, the "Only accept cookies originating from the same server" option will gladly accept them. You must block or delete cookies if you wish to prevent this tracking. (Also note that even the mighty, mighty Junkbuster won't protect you fully - cookies can still get thru in Javascript and SSL.)

For a detailed explanation see Chapter 9 of Phillip and Alex's Guide to Web Publishing (scroll down about halfway for the relevant section).

An attempt to understand how this works

[Spittoon]

John: http://www.usatoday.com/life/cyber/tech/cth211.htm
Steve: oh, that
Steve: that's just personalization
John: oh
John: ok
John: i won't worry about it then
Steve: nothing to worry about here
Steve: move along
John: i feel soothed
Steve: darn it, now I hate cookies again
John: i know!
John: i was like "what's wrong with cookies?" until this
Steve: I'm not sure I follow how it works, though
Steve: double click makes a cookie
Steve: they give the unique id to a company
Steve: the company gives it to you, and you send them info.
Steve: that seems circular to me
Steve: I think I'm misunderstanding
John: yeah
John: Doubleclick sends an ID number to your browser and at the same time sends the same number to the site you're visiting.
John: the site you're visiting sends DoubleClick some sort of information that lets DoubleClick look you up in their Abacus database.
John: so the site you're visiting has to be a collaborator
Steve: I thought you could only access cookies for the domain you've served the webpage from
Steve: oh, ok now I understand
Steve: duhh
John: i have no idea how the site you're visiting correlates the ID number it receives with your identity
Steve: wait, I still don't understand
Steve: that's what I don't understand
Steve: in order to make a corellation, it seems like they'd have to know who you are
Steve: how about this:
Steve: doubleclick creates a # with no other info., just a pool of numbers
Steve: they give a batch to a collaborator
Steve: you visit the collaborator, and they give you a cookie (with a # pulled from the pool)
Steve: you give the damn quisling your name address, soc. sec. #, and underwear fabric preference
Steve: the collaborator forwards the cookie# and your info to double click, who stores your info.
Steve: I'm still missing how the next collaborator gets the same cookie identifier
Steve: otherwise, it's not tracking
John: yeah, doesn't quite make sense
John: but I do believe them when they say they can do it
Steve: so do I
Steve: I believe they can do it, I'd just like to understand how
John: yeah, i'm sure there are lots of people who would like to know that
Steve: heh
Steve: it wouldn't do them too much good without the abacus db
Steve: I'm thinkin' that's how the match is made
Steve: double click has that db with 90% of the U.S. in it
Steve: they already know our names and addresses
John: right
Steve: so, the collaborator sends a name and address to double click
Steve: double click looks you up by name and address, and then records that you've been to the collaborator's website and bought x y or z
Steve: in that case, they wouldn't need cookies though
John: right
John: unless
John: the site doesn't know the identity of the person with the cookie until you purchase something or give information somehow
Steve: right
John: once they know who has what ID #, they've identified you
John: and then they can identify you by the cookie number, even if you don't buy anything
Steve: so, in order for it to work, the site would need to be able to pull the cookie from Double Click
John: i guess
Steve: oh, so once they've id'ed you, you never need to buy anything else...they'll still know each time you visit
John: right. they just keep the same ID
John: and if the same person is identified from multiple sites, their tracking gets more accurate.
John: but i don't think i understand how doubleclick's cookies work
John: if you embed an image in a page, and the image is stored on another site, can they give you a cookie from that site?
John: like, do all doubleclick cookies come from the same site?
John: if so, then once they've got your identity matched up with an ID, they know where you are and who you are everytime you load a doubleclick banner ad
John: because obviously each banner ad URL is coded somehow so they know where it's being shown...
John: god, this is complex and evil.

junkbuster is "free" code.

[guardian-ct]

No payment of 20 bucks necessary. Just download, compile, and install (well, maybe not That easy...)

Someone else out there has modified the junkbuster code to return 1x1 blank GIFs in place of banner ads.

www.junkbuster.com (basic junkbuster code nearby)
www.waldherr.org (blank GIFifier)

Junkbuster does have a logging function, but you can turn most of it off if you like. If you turn off all the debugging log functions, the only things left are "program started" sorts of log entries. If you turn them all on, everything that passes through the proxy gets logged, including all the data from the http connection. You can be your own paranoid delusion, and try to track yourself down.

enjoy...

You're going about this all wrong

[dijit]

The correct way to block ads is to blackhole their entire zone on your DNS server. For example:

in /etc/named.conf add:

zone "doubleclick.net" {
type master;
file "db.blackhole";
};

and in db.blackhole it could just contain:
@ IN SOA nowhere. hostmaster.nowhere. (
1999083000 ;
10800 ;
3600 ;
86400 ;
43200 ) ;

That's it. This will stop any packets looking for that image from ever being transmitted. If you want to only block one host or subdomain, just add that instead of the "doubleclick.net" in /etc/named.conf. If you can't do it, email your admins and ask them to. (Note: dilbert.com comes up a lot faster this way.)

// dijit
dijit at half-truth.com

Re:Bad

Where exactly do the banner sites get the info from? I've entered bogus info in most places, i.e. netscape's identity section and windows' user registration during installation. The only place where I entered real info was when I created my user under Linux. Would it be possible for them to get the info from there?

Re:How to get rid of doubleclick

[Sternn]

I have been blocking doublclick for months now. If you use a firewall on your network, you can not only block themm, you can find out everywhere they are. FW1 does a nice job of hiding real IP's behind a fake Ip, which I use to catch all attempts from doubleclick (and other sites attempting to send/scan a users information). The scary thing is, they are not the only large company out there that is doing this...

How To Block DoubleClick's Tracking In Two Steps

[@Man]

1. Put all DoubleClick's servers in your /etc/hosts file as 127.0.0.1

2. Put all of DoubleClick's servers in your "bypass proxy for" setting in your browser.

This will kill both their ads and their cookies.

I maintain a web page with a list of their servers and more detailed instructions for unix, windows, and BeOS (with experimental Mac instructions available tonight) using either Netscape or IE at http://www.ecst.csuchico.edu/ ~atman/spam/adblock.html. It is easy and it works great.

Re:utility that will accept, then delete a cookie

Lynx does.

Question

[xdroop]

I presume that adopting another user's cookie ID without their consent would be illegal. But what if everyone here decided to use the same cookie? I mean, what if someone says "this is my cookie, you have my permission to use it"? A cookie equivilent to the 'cypherpunks' accounts that are here and there.

Everyone wins: doubleclick sells the eyeballs, sites get advertising money, and we get access to the content without a 'profile' being developed!
--

Comment removed

[account_deleted]

Comment removed based on user account deletion

Big Brother is watching you surf...

[hypergeek]

If I'm not mistaken, the Supreme Court recently ruled on a similar issue, saying that States' selling of DMV information to 3rd parties was an unconstitutional invasion of people's privacy.

If that is the case, then these guys will come toppling down when the courts rule that they're infringing on people's rights... (At least, I hope that the courts will see the glaringly obvious similarities here!)

If anybody has the specifics on the aforementioned Supreme Court ruling, please let me know...

-Hypr Geeque

Direct all flames to the above address... (especially if you're on a large campus/corporate network!)

Re:Big Brother is watching you surf...

[billybob+jr]

The DMV selling information is a world of difference from some company doing it. We have to do business with the DMV. We have to give them our address. If you want to drive it is as simple as that. It is indeed wrong for the DMV to be able to sell off personal information for a few bucks, when the "customers" (everyone who wants to drive) have no say over the matter.

It should not be illegal for a company to sell information about it's clients. You may not like it, I don't. Let's not do business with them. Let's find another company that is sensitive to our privacy needs. There is no need to get the government involved to force the "one true way" that we believe is right.

What would be useful is legislation that would force disclosure of whether or not companies sold the information. We could make a little privacy ribbon .jpg that could be on sites that swore to not release privacy information. Maybe some sort of overseeing body that would revoke the "privacy friendly" status of a company if they acted stupid.

My point is that we are not totally helpless here. We can solve the problem. No need to legislate.

Re:Big Brother is watching you surf...

We can solve the problem. No need to legislate.

(To the tune of "Celebrate":)

Le-gis-late good times; come on!

Re:Should we trust Doubleclick not to track us?

[Ateran]

Neither do I. I do, in fact feel a little guilty about using junkbuster, because, as you say, they pay for a lot of sites. In fact, every so often I turn it off out of the "kindness of my heart =P". The problem is, and the reason I always turn it back on, that far too many ad servers are really slow, and when you use netscape, they makes you have to wait that much longer just to view the page. I've come across ad servers that take up to a minute just to contact. End result: I turn junkbuster back on, and I *do* find that it speeds up my web access.

-Ateran

Re:Bad

[the+phantom]

Netscape will allow you to reject all cookies or it can be set to warn you before accepting cookies. This may not be the most efficient way of stopping them, but it does work.

To refuse cookies, go to the preferences menu and highlight "Advanced." You can mess with cookies from there.

Re:Bad

[Ozwald]

No, Junkbuster (JB) does a lot of things really well. This is how it works: First: the browser sends the headers. This includes a server and file name, and the location of current url. JB reads this. If the server or file name look like an ad, the real web server (for example DoubleClick) never gets contacted and a dummy file is sent from JB to your browser; a couple byte html page or 1x1 transparent gif. Second: if the server and file name are cool, the headers are sent MINUS (this is important) the referrer tag. This prevents the web server from knowing what url you came from. Third: if the server requests cookie information, JB can decide whether or not to allow it. Depending on JB's settings, you can make that decision based on server. For example, cookies are good for Slashdot so you don't have to log in each time. Others are not allowed by default. In another words, DoubleClick doesn't even know you exist if JB is set up. As a side note, Altavista's and the Simpsons Free Internet ads are blocked by JB because they use the Internet Exploder ActiveX control to show the ads on the screen. Just an ironic side note is all. Ozwald

*Ads* aren't necessarily bad...

[Colm@TCD]

As I'm sure has been posted elsewhere in this thread, it's important to draw a distinction between the mere presence of advertising on the Net, and the privacy issues which arise from tracking users in the manner described.

Like it or not, advertising revenue pays for a substantial part of "The Internet" as we know it today. Yes, it probably would be nice if the whole thing was funded by magic, but it isn't, and banner advertising does provide a relatively straightforward way of funding lots of useful sites. There's nothing intrinsically wrong with provision of advertising space, and DoubleClick does do a pretty good job of selecting and targeting ad banners based on your cookie trail - no worse than anyone else, anyway.

However, the business of associating this cookie trail with your "real-life" name and address takes us into serious privacy issues - I'm not totally clear what the legal situation in the USA is, but in the EU they must provide an opt-out from such a system, and they must abide by it. Any evidence that they are failing to abide by the opt-out will be taken very seriously indeed by the data protection people. I'm sure a similar régime must prevail in the USA and elsewhere.

Let's not get carried away, folks. Don't confuse the "necessary evil" (web ads) with the serious privacy issue. Ads aren't necessarily bad, but DC and others have to abide by the rules of privacy, and these are legally enforceable.

Slight disclaimer : My fiancée works for DoubleClick, but the views expressed above are mine alone.

Avoid it or destroy it?

Better than figuring out how to avoid it why not figure out how to destroy it and make it illegal? Why not make an example of these bastards so that no one will ever want to do this shit again? THIS IS BIG BROTHER. They are tracking everything you do, what you look at, THEY KNOW. This is so fundementally wrong. We need to organize ourselves and stop them. Immediatly.

OK...everyone use this cookie

[Brian+Knotts]

This one is as good as any, I figure. I just created it by hand:

.doubleclick.net TRUE / FALSE 1920499166 id bc2ff937

New XFMail home page

Edit your cookies

[Wabbit]

I flush out all of the advertisers cookies on
a regular basis. I'm assuming that this
will cause them to build up zillions of one off database entries. I'm making some
assumptions here about how they do their database.

I keep thinking there must be a way to filter what
gets exchanged when I go to a web site. I don't
want to shut off cookies, too many user id's and passwords.
Someone with a little more knowledge about
how all of this works may want to comment

Re:Edit your cookies

[Mister+Attack]

Depending on your OS, you have a couple of options(listed in order from my most favorite to least favorite):

1. Use a program that replaces the contents of cookies to sites not specifically allowed with random data. This screws with their tracking and is fun, fun, fun! I am writing such a program for the Macintosh platform first, since that's what I primarily use; Linux support will follow RSN.
2. set up a firewall that drops all packets to and from *.doubleclick.net (firewalls are nice to have anyway, and there's firewall software for every OS on the market) This, BTW, is what I currently do.
3. Use Junkbusters or a similar proxy service. (Win, *nix only) There is also proxy software available for the Macintosh; basically, it sits between your Internet connection and your web browser and filters all the content you don't want (like ads). You can also use proxy software to block Javascript and anything else you don't want.
4. Get all the cookies from the sites you need cookies for (like your Slashdot login), then set the permissions on your cookies file to read-only.
5. Block all cookies. This will stop the tracking, but it will also break some sites.
6. Don't autoload images. Just load the images you want to see manually. Since the cookie is attached to the banner, you don't get the cookie unless you look at the banner.

I hope that gave you some nice ideas...
--

Let's sue them!!! ;)

[Munky_v2]

This is such crap. I always thought that the whole "you are losing your freedom" stuff was BS, but now with the MPAA and doubleclick pulling this thing, I am going to have to start IP spoofing all the time.

I say we need to activley fight this kind of invasion of privacy. IMHO boycotting will not work - stupid people greatly outnumber geeks, and stupid people, 1. don't care about this (because they are too stupid to understand) and 2. don't want to chage there habbits at all (again, because they are stupid and set in their ways). Any ideas on what we can do???


Munky_v2
"Warning: you are logged into reality as root..."

Re:creating the hosts file

Hi, I followed these steps, and then went to http://www.altavista.com to try it out... The page took a *long* time to load; it was paused for a long time on the ad. Is there a way to speed this up? Thanks in advance, Thomas

This looks like a job.. for Junkbuster

[urashima]

http://www.junkbusters.com/ht/en/ijb.html

Configurable site, ad, cookie, and browser query blocking.. Now all I need is an up-to-date blocklist. :)

Relationships?

Something I haven't seen addressed, and am interested in, is: How is the relationship between doubleclick cookie ID and real name and phone number first established?

Do they wait for you to purchase something at a participating site & receive that information back?

Windows Users should note...

Windows users should note that win98 and "up" can store cookies in a central location, making them available to all browsers. Im not sure where (whether?) you can turn this off.

AdSuppression proxy.pac

[mindesign]

i've tried to be comprehensive as possible but brief. anything outside of these is likely to be a rare occurence. AdSuppression by Stephen Dowdy.

use in all versions of Netscrap as proxy file:

var adsuppress_proxy_notify=0;

// Nullify common advertiser's banners
function FindProxyForURL(url, host) {

if (adsuppress_proxy_notify == 0) {
alert("NOTE:\nYou are using the AdSuppression Proxy.\nThis proxy nullifies many common banner/advertiser URL references");
adsuppress_proxy_notify=1;
}
if (
shExpMatch(url,"*.linkexchange.com/*")
|| shExpMatch(url,"*.doubleclick.*/*")
|| shExpMatch(url,"*.*/ad/*")
|| shExpMatch(url,"*.*/ads/*")
|| shExpMatch(url,"*.*/advert/*")
|| shExpMatch(url,"*.*/adverts/*")
|| shExpMatch(url,"*.*/advertising/*")
|| shExpMatch(url,"*.*/banners/*")
|| shExpMatch(url,"*.*/sponsors/*")
|| shExpMatch(url,"*.*/home/ads/*")
|| shExpMatch(url,"*.*/image/ads/*")
|| shExpMatch(url,"*.*/images/ads/*")
|| shExpMatch(url,"*.*/img/ads/*")
|| shExpMatch(url,"*.g.a.yimg.com/*")
|| shExpMatch(url,"ad.*.*/*")
|| shExpMatch(url,"ads*.*.*/*")
|| shExpMatch(url,"adremote.*.*/*")
|| shExpMatch(url,"adforce.imgis.com/*")
|| shExpMatch(url,"*.imgis.com/images/*")
|| shExpMatch(url,"banner*.*.*/*")
|| shExpMatch(url,"image.pathfinder.com/sponsors*")
|| shExpMatch(url,"*.imaginemedia.com/cgi-bin/*")
|| shExpMatch(url,"*.focalink.*/*")
|| shExpMatch(url,"*.clicktrade.*/*")
|| shExpMatch(url,"*.valueclick.*/*")
|| shExpMatch(url,"*.flycast.*/*")
|| shExpMatch(url,"*.adbureau.*/*")
|| shExpMatch(url,"*.eads.*/*")
|| shExpMatch(url,"*.riddler.*/*")
|| shExpMatch(url,"*.bfast.*/*")
|| shExpMatch(url,"*.accendo.*/*")
|| shExpMatch(url,"*.mediaplex.*/*")
|| shExpMatch(url,"*.superstats.*/*")
|| shExpMatch(url,"*.thecounter.*/*")
|| shExpMatch(url,"*.preferences.com/*")
|| shExpMatch(url,"*.avenuea.com/view/*")
|| shExpMatch(url,"*.wired.com/advertising/*")
|| shExpMatch(url,"*.ngadcenter.net/event.ng/*")
|| shExpMatch(url,"*/RealMedia/ads/*")
|| shExpMatch(url,"*.teknosurf.*/*")
|| shExpMatch(url,"*.advertising.*/*")
|| shExpMatch(url,"*.hitbox.com/*")
|| shExpMatch(url,"*.sextracker.com/*")
// ... (fill in your favorite entries here...
) {
return "SOCKS localhost:12"; // bogon fails
}
else {
return "DIRECT; "; // or DIRECT or whatever
}
}

COOKIES ARE EVIL!

[Gregg+M]

OK Rob, I don't want to say I told ya so, but...
Cookies are they way people track you regardless of the morals behind it. When Mozilla happens we will have individual cookie control. Until then turn your cookies on and set your cookie file to read only. Then I'll need a button (on Mozilla) to set all security funtions for each web site I hit.

What's going on with these page colors?

[tomcrooze]

What happened to the colors on this page? I'm getting brown and yellow and funkywunky stuff. I mean, it's not a holiday or anything, so....

your fiancee' is lame, dude

she should, like, do something about that.

Re:Bad

Junkbuster. You can specify certain sites that are allowed to set cookies, and any site connected to you over port 443 to set them. You can even allow cookies to go out but no new cookies to be set. Junkbuster is a network server, and netscape or some other browser is the client which can be running on any host with access to your network. Thus on my little LAN, where my Linux system is the gateway to the Internet, my Mac surfs through the Junkbuster server (netscape setting use proxy 192.168.1.1 port 8000) on the PC just like when I use netscape on the PC where Junkbuster is running. It's transparent.
Really many thanks are due Jason Catlett the Junkbuster author.

iCab browser is solution for Mac users

[Topia]

The iCab web browser iCab web browser allows filtering of page images by source (server, path, filename, and URL) and by dimension (eg 1 pixel x 1 pixel). It comes preconfigured to filter out images from double-click and friends. Check it out. This browser is free and surprisingly smart and configurable.

Dynamic IP?

[ffatTony]

Do they just log IP addresses? What about us with dynamic IPs? Will each site try to palce a cookie and then store that info in the database for the other sites to share?

I've never heard of this company, can anyone name some of the sites they provide?

Re:Dynamic IP?

[plague3106]

A cookie is a small text file that the browser (if set to accept them) will place on YOUR computer. So it doesn't matter if your IP changes the file is still on your computer. If you're running IE5, look in c:\windows\temporary internet files and look for files with the text icon. some will be called cookie:whaterver.com...delete them. (NOTE: that is how amazon remembers your credit card, so if you delete the cookie for amazon, the website will ask for your info again). Now the question is, are you going to trade your privacy for some convience?

Re:Dynamic IP?

[MattMann]

they provide the ads for many many many sites. do a view-image on an Altavista ad, for example.

Re:Dynamic IP?

[jesser]

Doubleclick abuses a "misfeature" in http (or is it in the browser implimentations?) that allows sites to attach cookies to images. Since you request the banner from a hostname like ads.doubleclick.net, doubleclick gets to look at your cookie each time you go to a site with a doubleclick ad.

--

One possible way?

[Petethelate]

What's the best way to block them from knowing who you are without going through an anonymizing site?

I'm trying something right now that should/might help. First, I edited the *DO_NOT_EDIT* cookies file that Netscape puts in my directory. Then, I set permissions to read-only.

I tried a couple of sites with cookie warning enabled. Even let doubleclick try to set a cookie. It (IIRC) lets cookies run during a Netscape session, but it cannot write the file.

This wasn't my idea--read it somewhere else, but never got around to trying it. We'll see if any complications arise. At least, I got back into Slashdot....

Re:One possible way?

[Bad-Tech]

If all you want is not to have cookies be set, you could sybolic link your cookie file to /dev/null.

Re:One possible way?

[Petethelate]

If all you want is not to have cookies be set, you could sybolic link your cookie file to /dev/null.

Well, if I were on a linux box, yep, but this thing is on Windoze. BTW, I tried re-logging and couldn't get back into Slashdot. Evidently, there is some odd reformatting in a cookie file that really does prevent you from effectively editing it.

So, for the MK II attempt, I let Slashdot set a cookie, then reset permissions to read only. It looks like a cookie will be set (if you let it), but it's only active for the length of the session.

As is my habit, I'll keep manually refusing cookies for the while. I've found very few sites where a long term cookie really needed to be set. I stopped doing business with Amazon, so that's another cookie not needed.....

Oh. My. God.

[cancrman]

Wow.

I mean sure, this was something that was sorta expected when I first heard about this (some old slashdot story). But after realizine the implications of this I just have to say...Wow. Welcome to a new era of junk mail people. Ultimately that is what this will result in. Okay it might be a little more severe than that, but what I really think will come of this is that a few more of us might be getting doubles of the edmund scientific cataloge.

Okay, bad joke. This is serious. And I really wonder how the opt out link that they provide is used. Do you have to opt out for every IP address that you have? I opted out from my work IP but now I'm at home. Does that mean that evey thing I do from here they can track? What about people with dial-up connections? They don't have a static IP. Does this mean that they can't opt out at all? I'm kinda scared of the implications of this. For me I hope that it just means that I'll get more spam on my hotmail account. But still......

Pete

Re:Oh. My. God.

[jesser]

Do you have to opt out for every IP address that you have?

No, but you need to opt out for every browser you use. I think the opt-out site explains it fairly well - it gets rid of the unique doubleclick cookie in your browser by replacing it with OPT_OUT, and then leaves it there. Hopefully, they won't find other ways to track you once you no longer have a unique cookie.

--

Re:Oh. My. God.

[joe52]

it gets rid of the unique doubleclick cookie in your browser by replacing it with OPT_OUT, and then leaves it there. Hopefully, they won't find other ways to track you once you no longer have a unique cookie.

You can also delete the cookie(s) yourself. When I first heard about this story I went through my cookies and deleted a lot of them (including all of them from doubleclick). I also configured my browser to reject cookies from a number of ad networks.
I tried doubleclick's opt-out and I am happy to say that it didn't work because they couldn't place another cookie on my system, which seems a lot better that trusting them to keep the opt-out cookie in place.

joe

Re:Bad cookie, bad bad bad

I empty my cookies every day or so any way (well, I don't exactly empty it, I keep /.'s, Hulka's, and a few other important ones.

You know what, though? I fell like Bill Gates complaining about someone stealing his nickle, but I HATE it when some lame site I'll never visit again drops a cookie. A byte is a byte. It's MY hard drive, dammit, and I hate the fact that everybody from micro$hit to Joe Momma's Quake with 10 visitors and 11 ads puts crap on it I don't want.

How about somebody publish a list of sites that carry doubleclick ads so we can boycott THEM?

Also, does anybody have a freeware utility that will accept, then delete a cookie? I'll trade a copy (I hold the copyright) of Artificial Insanity for it. mailto:mcgrew@famvid.com -A.C. (password in the cookie at home)

Re:FIRST

#rit getupkid @Dread tupper @Ancient @Dreadnaut @Maganoo0 Chromium @abbstract @KrON brood Nooloo Endo1 rm125 tarmac @parker @positive clambang derF KennyK3n @thief XdreadX +ODI +trek_dss UPbeat @godlike @xtopher @apheks @CiSCo @pos +TGator @SpermyMan @cormega @sigma lady3jane catmother cocolapin FusionNet cocteau @XposX pele gangloot ninsei bmw-m3 @KennyKen k +[geo] +tangwyn +EtherMan @AncCore @KrON^ @theef Myth0s @ka0s^ Xodarap rowjimmy _Esoteric +_geck0_ - #rit Alkivar MrZ_ D0lby _PrOxY_ RiDE` BlackDeth +trekka +Crakor @Spudnuts

not viewing ads != stealing

[xdc]

Viewing the ads is part of the "price" you pay to view the site itself. The fact that you (and i) are able to easily opt out is merely a demonstration of how easy it is for us to "steal"- and probably means we'll see more draconian measures in the future by webmasters to ensure that they get the number of banner-views they think they need.

"Stealing" is a harsh way to put it. What about people who browse the web with auto-load images turned off? I see nothing wrong with processing downloaded code and data as the user or administrator sees fit. People should in no way be obligated to endure ads or any other objectionable content.

The Internet is a public network. By putting up websites and serving requested information to users, site owners are freely offering and releasing information. Users may then store, process, act upon, or discard that information as they see fit. The fact that many sites are sustained by revenue from ads should not deprive users of those basic, reasonable rights.

In any case, I think that it is less ethical to covertly track and profile people than for people to set up their software to not request ads or accept cookies. People don't exist for the sole purpose of generating revenue.

Re:not viewing ads != stealing

[plunge]

I wasn't completely serious about "stealing" but you see my point- if we aren't actually seeing the ad content that companies pay webmasters to display, at some point they'll find out and try to work around it. The alternative may suck much more than what we have now. People aren't obligated to watch commercials on tv either, but companies will go to great lengths to see that their product gets the "views" it wants. This has included paying shows themselves to shill product. It is starting to really effect content of entertainment that relies upon ad dollars to fund itself. I don't know the solution here, but I do think just opting out (as both you and i obviously have a right to do) isn't going to be a stable situation.

Aren't you just being a little paranoid?

I think a lot of people are being slightly paranoid here.

First, some words on banners in general:
Banner advertisements are normally the single revenue stream for web sites. Sometimes they irritate the hell out of me, like when there are about 6 on the same page, but I really don't see how someone can object to one or two banners on a page when they don't really get in their way. The argument about the slowing down a site carries little merit. What slows down a site is massive pages, whimsical graphics and icons that each involve a new HTTP connection. Using programs such as Web Washer means that in the future, you'll see less sites around.

And naturally, most don't object to banner advertising on Slashdot and other open-source type sites. Hmmm, so I suppose Yahoo, Excite and co. don't have the right to display banners (and go out of business)? Yeah guys, that makes real sense (!)

Now, the DoubleClick thing:
As for the whole DoubleClick thing: only DoubleClick have access to the database. No one gets this paranoid about 'normal' direct marketing. Why all the hype. You can easily opt out if you want to.

Face it - having your details record in many places and being tracked is just a part of everyday modern life: web site logs, supermarket loyalty cards, credit card bills, CCTV, credit rating databases. Short of going to Mongolia and living by subsistence farming (Very hard given Mongolia's climate!), there's nothing you can do.

Mailbombing or sending mails to all the DoubleClick staff is unlikely to have any effect either. (Except your ISP closing down your account for violating their TOS).

Be a bit more sensible.
If you really object to it yourself, then by all means opt-out.

netscape solution.

[radar+bunny]

All the more reason to use netscape. In netscape, all your cookies are stored in a single text file. Simply open the file and delete everything with a reference to double-click or any other site whose cookie you dont want. Then save the file and change the permisions to read-only. The result is that no more cookes can be placed on your computer. Under Micro$oft I.E. the only option is to find the double click cookie (also a text file) and emtpy its contents and then do the same, but then they wll just give you a new one so its kinda hopeless.
On a side note, I wonder how many John Does living at Nil street with a zip code of 12345 they have in their database?
it's stange that the internet used to be a place of openess and free exchange of information. Now, these guys give us a reason to lie about everything. The REALY strange thing is that i dont think our privacy is being threatened as much by our government. but big business is sre trying to make it a thing of the past.

Re:netscape solution.

[nylon66]

Yep -- I've done a different version of this on my Linux box: a Perl wrapper named 'safe-netscape' which runs through the cookies file and ditches all unwanted (i.e. non-Slashdot) lines. Writes the file, starts Navigator.

Time for a new Mozilla module. Any volunteers?

[Apuleius]

It should be a domain/IP-address based module to remember never to send requests to domains like doubleclick.

It should make its way to the preferences section, preferably together with a cookie filter. By making it a standard part of Mozilla, it will pressure Netscape and M$ to copy the feature.

This way the user has some control of how much info he gives away by browsing. Anonimizing proxies are also a solution, but it's best to make a .22 pea shooter available to those who don't want to pack a shotgun.

Re:Time for a new Mozilla module. Any volunteers?

[jesser]

Would it be legal for a company like Netscape to release a browser that blocks a specific company's website, even if it's just an option? I doubt they would block all the ad sites, because www.netscape.com uses a mixture of imgis and aol banner advertisements.

Oh, wait, MS does things to break specific other products all the time, and they haven't gotten in any big trouble yet, so it must be ok. Never mind. Add to mozilla. Moderate down.

--

Re:Bad

[MattJ]

Good question, but its a separate cookie. There's a security design issue (bug) in the browsers where they'll allow a cookie in the headers sent with an image. When your browser retrieves the URL for the ad image, it's in that request-response that the doubleclick cookie gets sent.

Makes me very edgy.

[Neuromancer]

In a way it makes me queasy and a slight bit paranoid. In another way it annoys me that I've just become more spammable.

This wouldn't be such a discomfort if we had more (or any) intelligent user agents to act as go betweens for us. Digital Liasons if you will.

Sure, you can block this sort of abuse by using JunkBuster, or even IP chaining rulesets, but for the average user this can be too much work.

Anyone have the 411 on browser add-ons that could automagically block this kind of thing? Are there even any such projects in the works?

I'd have use of a "stealth" browser. :)

Re:Bad -- use Muffin

[boyns]

Muffin can filter out doubleclick and much more.
It's very powerful, allows users to write their
own filters in Java, runs on linux/win32/mac, and it's freely distributed under the GPL.

http://muffin.doit.org/

Privacy!

I think it's a good trade, less privacy for more money, money for me that is. :) DCLK stock holder.

MOD PARENT UP - Re:web ad blocking that works!

[Northern+Hunter]

(And mod me down :)

Diclosure Practices and Avoidance

Net sites that are ostensibly free make money by employing increasing levels of hidden "costs": 1) Really Free=No Ads, no cookies, no registration, no fees; 2) Less Free=ads but no cookies, no registration, no fees; 3) Not Free=ads and cookies but no registration or fees; etc., etc. In most cases the user can avoid cookies, registration and fees, but if access is really needed, such as for online brokerages, then a price must be paid. However, selective rejection of cookies is possible and guess what?

Financial sites such as American Express and WaterhousE, to name a couple, use their own cookies for navigation and session control plus they throw in some DoubleClick cookies! I was very surprised when I began selectively reviewing their cookies. The good news is that the Doubleclick cookies can be rejected and site access is still viable.

Where they may have broken the faith is disclosing those cookies from customers who have specifically requested total privacy. Dunno about that.

TANSTAAFL

Re:Bad cookie, bad bad bad

[Ominous+Coward]

If you don't want cookies loaded into your computer, change your prefs so that you're asked before a cookie's loaded. Simple, easy, elegant.

I've secured the patent!!

[Travoltus]

I was awarded the patent today on open source petrified telemarketers and advertising executives. My IPO is April 1st. :)

url for opt-out

[Rebirth]

http://www.doubleclick.net/cgibin3/optout/check2.p l

Yikes!

I'm not usually one to jump up at privacy concerns - but I think this is pretty serious.

Basically what it says, if you shop at a web store that uses DoubleClick's new tracking ads, then DoubleClick can associate the info that you typed in about yourself (name, real&email address, age, purchases, home/work/fax numbers, etc) And whenever you go to another site using DoubleClicks ads, they can read a cookie that was set and append to your profile that you visited the site.

In other words, Marketting types would just LOVE this information. Shows all sorts of comparison shopping behavior and opens doors to all sorts of consumer analysis.

What we need is a cookie filter to automatically reject DoubleClick cookies (without having to pop up a window for EACH cookie - thats gets rather annoying). I believe that should effectively foil this scheme.

Maybe a plugin/patch like that already exists and I just need to find it. (But its sometimes just easier to write a quick perl script! ;)

Tom

utility that will accept, then delete a cookie

"Also, does anybody have a freeware utility that will accept, then delete a cookie?"

If you're using Netscape, you can just lock the cookies file ("magiccookie" or something like that on a Macintosh, "cookies.txt" on Win32, "cookies" on Unix) This will allow a site to write a cookie that persists throughout the 'browser session', but disappears when you close the browser.

You may be able to accomplish the same thing by locking the 'cookies directory' with MSIE, I haven't tried.

Data mining = Big Brother

Data mining is so fundementally wrong, I can not believe that it is a legal practice. It disgusts me to know that some corporation has a computer which contains a profile of me which I did not consent to them creating. Big Brother is coming, and unless we do something to stop him now we will not be able to stop him when he gets here. The Corporations are transforming the world into a fascist empire of braindead consumers.

Surf within VMware

[LunarOne]

Surf within VMware with no personal info on file...then it doesn't matter (see VMware for Linux).

Re:creating the hosts file

[Trombone8vb]

I've been fiddling with this for a while now. Every time I save it, notepad will only allow me to save it as a .txt file. If I put the period after it, it still comes out as .txt. Is there any extension at all for it?

Opt-out and tech fixes not enough

[timboy61]

Lots of DoubleClick defeating schemes have been posted here (editing cookie files, editing host files, anonymizing browsers, etc.), and also people are encouraging others to opt out.

I think this is almost a negative thing, and practically helps DoubleClick. Does DC care if everyone on Slashdot solves the problem for themselves? Not. The result will be that the very people who are knowledgeable enough to get irritated (a trivial slice of Doubleclick's market) aren't that irritated anymore. DoubleClick will still know who your grandmother is, and you'll be the only person who your grandmother knows that DoubleClick isn't tracking.

If they get away with making it tricky not to be tracked, they just won. So let's write them, write the media, write legislators, etc. (I would of course never endorse tactics like DoS or other attacks ... but they do have the virtue that your Grandma might benefit from them too.) -t

Arm Yourself Against Spam

[x+mani+x]

The software package that I prefer using is junkbuster. It is an easy to set up web proxy server that runs on port 8000 ... it is extremely effective at blocking out banner ads, and it also has options for blocking out suspicious cookies, and preventing $HTTP_USER-type variables from being initialized.

It is unfortunate that we have to go to the trouble of installing these things, but the only cost of running it is the time it takes you to install the software. on the other hand, you'll be protecting your privacy as well as your bandwidth.

Cookies with Images?

[ffatTony]

Can you tell me more? How does someone do this? (I'm on my way to read the rfc right now)

Re:Serious, Re:Lets all use the same cookie!

[A.Gideon]

At least at the moment, the real cookies being used are 8 hex digits representing an increasing value, with the name of 'id'. There's also what appears to be a temporary of A=id that is replaced at the second ad view.

I've used a few, but the latest appears to be around d81af???, where the final three digits are missing because...well, guess.

So a perfectly valid value would likely be id=d81af000.

Re:Bad

[plague3106]

Or you could just tell your broswer to refuse all cookies...that may break some sites, but so will blocking software...blocking software will give you better control, you can accept cookies only from certain sites and only specific ones from those sites

Cookie crumbs

[scotch]

I use Netscape version 4.5-7-ish, and I have my settings configured to prompt me before accepting any cookies. This is probably not uncommon among slashdot readers; what is interesting is that when you do this, you really get an appreciation for how much cookies are abused or mis-used out on the web. Here are some of my humble observations on the matter:

• Most sites that I am personally interested in use very few or no cookies at all
• Many sites out there use an obscene number of cookies. 10-15 for 1 page is not uncommon. Regardless of whether you object to the privacy issues, this is bad design. I suspect that there are Web Authoring systems out there that enable cookies for every single page, image, and sound clip by default, and many of those cookies are not used for anything useful.
• Some sites have what I believe is a legitimate purpose for cookies. If I am not mistaken, /. sets only 1 cookie on my machine and from this 1 cookie is able to do all kinds of user specific configuration
• Other than for legitimate uses (user customation, on-line ordering, etc.,) (in which case I support accepting cookies) rejecting all other cookies on the web will not affect you web-surfing experience 99.44 percent of the time
• Fortunately, I usually find that sites that use lots of cookies are really not that interesting too me, anyway. Strange coincidence?

Of course, regarding the last point, there are some exceptions. I find Netscapes's cookie-handling policy, while better than giving no choice at all, does not offer enough flexibility for my tastes. I would prefer to be able to accept/reject cookies based on a set of filters and rules for domains, transaction types, etc. I believe lynx has some better capabilites than Netscape in this department.

Further, I think it would be useful to have a set of switches that are easily accessible on the toolbar that would allow you to toggle cookie policy on the fly. This would be much more useful than the latest Netscape feature, the "Shop" button. What a waste of real-estate. It would be nice to get something like that into Mozilla. I'll start tinkering with the Mozilla source just as soon as it takes less than two hours to download via cable modem ;) Ramble, ramble, ramble.

Takeover

Just wait until AOL-Time Warner buys DoubleClick...

How about Microsoft and their tons of cash sitting around? They could buy DoubleClick and incorporate it into Windows. Then forget about the workarounds to avoid cookies and so forth.

Doubleclick/Real-Birds of a Feather...

Here's what this benevolent company known as Doubleclick.net has to say about privacy: Information Collected in Ad Delivery

In the course of delivering an ad to you, DoubleClick does not collect any personally-identifiable information about you, such as your name, address, phone number or email address. DoubleClick does, however, collect non-personally identifiable information about you, such as the server your computer is logged onto, your browser type (for example, Netscape or Internet Explorer), and whether you responded to the ad delivered.

Now we find out that this is not only a bold-faced lie, but that they are proud and excited about this new opportunity to invade our lives. I for one am sick and tired of these incursions into my web-surfing habits. Sure, bills need to be paid so we can use web sites for free, I understand this. But there is a fine line between that and having some jack ass call me up at dinner time asking me if I'd like to enter in the Getaway 2000 Florida Vacation after his computer auto-dialed me from some massive database somewhere in the country. Why aren't the hackers going after these databases? Come on, do us proud boys! The marketing gurus have overstepped their bounds, and mark my words, it's just beginning. I wouldn't be surprised if some unsuspecting person clicks on a Gore2000 or Bush2000 banner ad and gets a phone call the next day asking for donations to the cause. Or how about you find a nice little banner ad for some church, like the Latter Day Saints, or any religious organization or group- the next week, two smart young missionaries show up at your door. This is ridiculous.

Spoofing

[KMSelf]

Most club cards require zero authentication of ID. For years, my local grocery club card was listed as belonging to the CEO of a large IT organization (no, not that one, or that one).

If you're familiar with IT operations, Fred Flintstone (etc.), Test User, Test Account, Admin Account, and similar interesting first/last name combinations can be fun to try.

What part of "Gestalt" don't you understand?

A Practical Solution (one of em, anyway) for this.

[Threemoons]

Hey...for Win** users at least anyway...go to http://www.thelimitsoft.com and download Cookie Crusher...tastes great, less filling, and it KILLS DOUBLECLICK CRAP DEAD! Works on IE, NS, and Opera! For even more fun use AdsOff (site under renovation; get a copy from someone who has it)

Both of these utils are simple to use and stable! If enough people use em it may just force these idiots to be honest...

Should we trust Doubleclick not to track us?

[Mister+Attack]

It will place a cookie on your computer that'll let you opt out of doubleclick's tracking.

The thing is, do we want to trust Doubleclick not to track us personally, even after we opt out? I think it's less than prudent to put that kind of faith in a company that's been decieving us since last year.

A simpler (and more thorough) solution: block cookies from doubleclick.net. Hell, if you've got a firewall, block all packets to and from doubleclick.net. I, personally, can't see any reason to connect to a doubleclick server. Who wants the ads anyway? Same thing goes for preferences.com, flycast.com, and any other advertising company. I've been dropping all packets to and from the domains mentioned above, with no significant problems. Of course, I don't get to see those specially targeted banner ads, but I don't really think I'm missing out :)
--

Re:Should we trust Doubleclick not to track us?

[god_of_the_machine]

They could still be tracking us. I just opted out and looked at my cookie files (Netscape 4.7 for Win98) and it didn't set the cookie to a string starting with "OPT_OUT". Here is my cookie strings in Netscape Before:
www.doubleclick.com FALSE / FALSE 951372615 q4_popup 1
.doubleclick.net TRUE / FALSE 1920499068 id d7ee54a9

And after...

www.doubleclick.com FALSE / FALSE 951372615 q4_popup 1
.doubleclick.net TRUE / FALSE 1920499068 id d7ee54a9

Check this out on other systems/platforms I know on my IE5.5 install, it does set it to "id~OPT_OUT~doubleclick.net/~0~1468938752~31583413 ~866453120~29321155~*" which doubleclick may still be able to track based on the complex numbers following the OPT_OUT.

Time to Act on Privacy Issues

[Eric_Grimm]

The government is too busy (and ineffectual) to protect individuals' privacy. The alternative most often mentioned in Inside-the-Beltway debates is "industry self-regulation." What this REALLY means is that there are no rules for Commerce to play by and government will just look the other way so long as consumers don't get too upset. It is a recipe for abuse of individual rights on an industrial scale.

Is there any alternative to these two options? You bet there is. The alternative is to empower individuals to police their own privacy. People shouldn't have to rely on the Federal Trade Commission or any bureaucratic agency to make sure their privacy is safe. This means making sure that every man, woman, and child has an ENFORCEABLE right to make sure their personal information is not used in a way they have not authorized. It also means making sure that all individuals have swift and certain REMEDIES against any business that (by negligence or deliberately) misuses personal data or fails to protect it.

This proposal would not be bad for business. To the contrary, it s essential to the viability of the new economy. Protection for individual privacy just provides a better incentive for business to be truly responsive to customer wants and needs.

Pipe dream? Not if enough people demand the rights they should already be able to enjoy. But the deal is ALREADY being cut in Washington next month to prevent YOU from exercisng the rights you should have.

Look at the list of panelists on what the Federal Trade Commission calls a "balanced" committee to examine how to protect consumer information. See http://www.ftc.gov/opa/2000/01/asrev.htm -- aside from one or two "token" privacy advocates, the whole panel is dominated by comercial internests -- such as representatives of the Direct Marketing Association AND the law firm that represented it (Piper & Marbury) AND several of its member companies.

So what can you do? Call your Member of Congress and both of your Senators. If you're really ambitious, call your state government representatives, too. For each office, get the name of the staffer who handles "Internet Privacy and Medical Privacy" issues. Tell that person that you are a constitutent, that you vote, and that it is important to you for Congress to empower individuals to protect their own privacy on the Internet. Ask if your Congressperson or Senator has a position on this issue, and if so, what that position is.

Then point out how you are upset by how the FTC has composed its Advisory Panel principally of industry representatives. Tell your elected officials that you do not feel safe when government agencies puts representatives of the Wolves in charge of writing the rules for protection of the Sheep.

If you learn anything particularly interesting on the subject, post it here on /.

Other contacts (who may have good ideas on how to get involved in making sure lawmakers make good rules) are Diedre Mulligan at the Center for Democracy and Technology, and Mark Rotenberg at the Electronic Privacy Information Center.

Re:Bad

[whatever3]

Don't forget "doubleclick" (without the space).
Here's my preliminary list...if anyone can improve
on it, please do so:

199.95.206.0/23
199.95.210.0/24
208.211.225.0/24
208.203.243.0/24
204.178.112.160/27
216.230.65.64/28
63.77.79.192/26
128.11.60.64/26
63.160.54.0/24
208.210.202.0/24
216.94.59.64/27
208.228.78.0/24
208.228.86.0/24
209.167.73.128/27
208.229.75.0/24
208.32.211.0/24


btw, I'll lay $10 on them not actually using
more than 10% of these addresses. Bunch of pigs,
really.

my experience with all this

[Klash2]

this is my first post i've made under a name: anyway, i am no hacker but I like neat jacker tricks and i read BB at places like this to pick them up. i have windows '95 and i decided to go on my own anti-ad binge... so i editted /windows/host and aliased doubleclick.net to 127.0.0.1 for starters. under netscape, a page with a banner/etc from doubleclick keeps trying to load the banner and doesn't stop, making it a lot slower. it never finds it, but you have to cancel the page loading and that is a pain in the ass. it did this for other banners, like adclub.net, etc. under ie5, it worked, except for doubleclick.net and adforce.imgis.com, where i would get a full-page error. so i instead aliased those to 192.168.0.1, the internal network IP... i have an internal network. i don't know what would happen if i didn't, but since i do and i run winproxy, those banners would show up on the page (in ie5) saying "you do not have access to this page", an ie5 error. and that is fine with me. but in netscape, all banner locations that were aliased to 127.0.0.1 would screw up like i descibed earlier. so i instead aliased all of those (except doubleclick and adforce) to 255.255.255.255. This did not effect the end result in ie5, but it fixed the problem in netscape (4.5). For doubleclick and adforce, the banners appear as broken links. my question is: why did i have to link to my internal network for doubleclick and adforce and not the others? (remember, my technical understanding of all this is very limited)

Re:my experience with all this

[Klash2]

Sorry about the jumbled text, i wasn't aware that this was an HTML form

test test

test

There's Government and there's Government

[Eric_Grimm]

Perhaps you did not read my post carefully enough. As you know, EPIC and EFF are both (to a greater or lesser degree) engaged in discussions about HOW the government should help solve this problem. Your problem is that you make the mistake of thinking of the "government" in monolithic terms.

The argument I made is a little more subtle. There are two different approaches to the issue. The one I criticize involves an administrative agency serving as policeman. In other words, if you want a remedy from a merchant, then you have to ask the FTC and the FTC gets to decide whether you get any remedy (in other words, they can tell you they are too busy).

The reason I suggest calling Congress is that there is a *second* Governmet solution that works better (especially when COUPLED with technology). The *second* approach involves tha passage of a law that empowers *every single consumer* to act as his or her own "mini-FTC" and to go directly after a merchant. If the merchant doesn't satisfy the customer, then the customer has a right to go to court -- no need to ask the FTC for *permission* first.

Get it? There is a difference if you think about it. Now, please re-read the earlier post.

thanks north

[Scudsucker]

too bad I didn't get the message in the first 50 comments instead of 200+. :)

Re:Bad

[Vandermar]

Apparently, the way the system works it requires another site as a sort of referrer. That site is supposed to give you the option of not participating in the privacy section of their terms. Whether this will happen or not we'll just have to wait and see. The only other options that I can think of would be to not accept cookies or possibly pick through your cookies frequently.

I'm not going to sack him straight away. I'm going to kill him straight away. Chef!

Re:Serious, Re:Lets all use the same cookie!

[Kris_J]

One could create a special cookie (and mail-address)

The mail address should be postmaster@localhost.com - if someone does a set of cookies for doubleclick et al with this e-mail address, I'd be most interested in using it...

Re:Serious, Re:Lets all use the same cookie!

[Kris_J]

Oops. No ".com" (*sheepish*)

Big Brother 1984

[nael]

Can anyone say BIG BROTHER IS WATCHING YOU!

Orwell warned us about this! Did we listen no! We just stood there and let this merger go through without even saying a word. Yet, today we're here arguing it as if we weren't aware of it. Even if we choose to use netscape or I.E., the damage is already done. All they need is the information that they collected of you on each web site. For example, all you need todo is click on one of those banner ads, they can track whom you are , which web site you visited, where you visited, how long you were there for, what ip address you used, even your user name and email.

Its not the goverment we fear regualting the net, its these mega corparations that get bigger and bigger every day. We need regulation to prevent anyone company from dominating this industry and I for one would not mind goverment intervention so long as it protects my rights as a consumer, and as user of the web. Even better lets bring the ACLU involoved in this. Isn't a violation of our civil liberty. (I'm just fumed at this right now). For example, I would not mind seeing is a community on the web thats elected by internet users, since we are the citzens of the net. We can vote for them online and no other form of media or voting method allowed. Lets create our own internet goverment body, that can appeal to both corprate america and protect our rights at the same time.

Remeber today its just collecting names and emails, tommorow its collecting your personal profile, whom you chatted with, what messages you posted, what you purchased, what did you use to purchase, and even sell your information to other online retailes. They tel us they want to offer us special discount by authorizing to sell our names to their partners. But, are they doing more harm than good?

How many id's can thay give out?

[moore]

when I opted out thay toled me my ID it wasent a
very long number. Now I am sure that thay have
more then enough id's for every one in the world,
probly way more then enough, but what if there
were houdreds or thousands of people continusaly
making requests for cookies and then deleteing
them. How long untill we could exaust there ID
space?

Re:Bad

[jburroug]

Since I run an IPMASQ/Firewall, at home, I just use ipchains rules to block out all traffic TO their servers:
/sbin/ipchains -A output -j REJECT -d 199.95.207.0/24
/sbin/ipchains -A output -j REJECT -d 204.253.104.0/24
/sbin/ipchains -A output -j REJECT -d 199.95.208.0/24
/sbin/ipchains -A output -j REJECT -d 208.211.225.0/24

I only started doing this a few days ago (kinda profetic eh?) so I know i'm missing a few of the subnets their servers use (my rough guess is about 1 in 8 gets through ;-( ) since i block traffic to their sites, their servers don't even get my IP address ;->. If your machine isn't behind a firewall you control you can still run firewall rules locally to keep out unwanted crap and/or visitors ;->

creating the hosts file

[jesser]

If you don't already have a hosts file, the easiest way to create one is to type the following into start, run:

notepad C:\windows\hosts.

Note that there's a period at the end - that tells notepad not to try to add a .txt extension. Replace c:\windows\ with your windows directory if necessary.

Windows allows you to include comments in the hosts file by beginning the line with a # symbol.

(For the clueless, when you connect to a web server, it's usually a two-step process: first, look up the IP address for a hostname like "www.slashdot.org" and get an IP address like 209.207.224.42; then, connect to the computer with the IP address 209.207.224.42 and request the webpage. Adding entries to the windows hosts file short-circuits the IP address lookup, so your browser and other programs on your computer think that the IP address for "ads.doubleclick.net" is 127.0.0.1. But 127.0.0.1 is a special address called the loopback address, meaning that it always refers to the computer you're using. Since you probably don't have a web server on your computer, your browser fails in connecting to "ads.doubleclick.net" and displays an empty banner. This attempted connection to your own computer happens without wasting any of your bandwidth, by the way.)

--

Re:creating the hosts file

All IP addresses are routable, even 127.0.0.1. By convention the IP 127.0.0.1 gets assigned to a loopback interface and called localhost.

The other "Private Address Range" IP numbers *must* be blocked at the border router.
The RFC states that "Because private addresses have no global meaning, routing information about private networks shall not be propagated on inter-enterprise links, and packets with private source or destination addresses should not be forwarded across such links. Routers in networks not using private address space, especially those of Internet service providers, are expected to be configured to reject (filter out) routing information about private networks. If such a router receives such information the rejection shall not be treated as a routing protocol error.

Your machine is trying to access those IP adrresses because it is supposed to. If you get host unreachable or timeouts, then you ISP has done their job properly. If not, find another isp.

Re:creating the hosts file

[jesser]

yeah, that works, but 127.0.0.1 had the advantage that it didn't send any packets over your modem (and therefore didn't cost you any bandwidth). also, some isps (like mine, cox@home) actually do use 192.168.* internally.

--

Re:creating the hosts file

[Skim123]

You can look at C:\Windows\hosts.sam to see a sample hosts file.

Discoverable records

There are three problems with your argument:

1. Data which are collected becomes data which are discoverable. Law enforcement or investigative reporters snooping through my grocery, drugstore, video store, book store,.... receipts is not something I particularly relish.

2. Even if the company doesn't have an interest in the data, individuals there may. Suppose you are a contractor working at a large financial services company and you realize that you have access to information on some jerk who's been annoying the hell out of you online for some time. Name, address, SSN, various account numbers and balances....

3. Companies are bought and sold. The current management might have one interest, but if an advertising agency is sold to a firm with a different business bent -- for the data held by the advertising firm (stranger things have happened), you now have an entity whose only interest is the data and what it can draw from it.

   No thanks.

Re:Bad

[Seth+Morabito]

I got a full list of their subnets through ARIN, conveniently listed below. Some of these guys may not actually be Double Click, but since they all have "Double Click" somewhere in their names, they all get blocked at my router level:

[root@foo /root]# whois "double click"@arin.net
[arin.net]
Double Click (NETBLK-UU-208-211-225) UU-208-211-225
208.211.225.0 - 208.211.225.255
Double Click (NETBLK-UU-208-203-243) UU-208-203-243
208.203.243.0 - 208.203.243.255
Double Click (NETBLK-UU-204-178-112-160) UU-204-178-112-160
204.178.112.160 - 204.178.112.191
Double Click (NETBLK-UU-204-253-104) UU-204-253-104
204.253.104.0 - 204.253.105.255
Double Click (NETBLK-CYPC-2162306564) CYPC-2162306564
216.230.65.64 - 216.230.65.79
Double Click (NETBLK-UU-63-77-79-192) UU-63-77-79-192
63.77.79.192 - 63.77.79.255
Double Click Computers (NETBLK-DCLICK-T1-BLK) DCLICK-T1-BLK
204.186.74.0 - 204.186.74.255
Double Click Imaging, Inc. (ICO-HST) NS1.ICONETWORKS.NET 204.94.129.65
Double Click Imaging, Inc. (NET-DOUBLECLICK2) DOUBLECLICK2 192.65.80.0
Double Click, Inc. (NETBLK-DOUBLECLICK31-60-18) DOUBLECLICK31-60-18
128.11.60.64 - 128.11.60.127
Double Click, Inc. (NETBLK-DOUBLECLICK-92-19) DOUBLECLICK-92-19
128.11.92.0 - 128.11.92.255
Double Click, Inc. (NETBLK-DOUBLECLICK-210-08) DOUBLECLICK-210-08
199.95.210.0 - 199.95.210.255
Double Click, Inc. (NETBLK-DOUBLECLICK3) DOUBLECLICK3
199.95.206.0 - 199.95.209.255

Re:Proxomitron Filter

[seoman70]

I've gotta put in a plug for a filter that I'm fond of: The Proxomitron. It is Win32 only (unfortunately; if you use a different platform, Junkbusters is probably the way to go), is much more user-friendly than JunkBusters, and probably just about as configurable. Since it is a proxying filter, it works with all browsers. Hey, it's even skinnable. :)

Only for Slashdot

[solar]

I only except cookies from a VERY select group of websites, /. being one of them. Cookies are bad, very bad (except the chocolate chip kind, yum!).

pick one

[Len-Brabant]

holy cow batman ... big brother internet is stealing our anominity !!! quick robin ... to the batcave! where ya all been ... none a ya listed in the fonebook ... been admitted to or treated @ a hospital ... bought batteries at radio shack, yada yada yada? chrissake lookit all the cameras gawking @ ya, why the hill aren't ya all up in arms about that one? remember ... those who do not learn from their errors are doomed to repeat them! twit filters, hosts.allow, hosts.deny, >/dev/nul (ya, 1 l alias) .*.conf, blah, blah, blah ... been around a long time. use um. or go live in a cave.

Re:Bad

[Audin]

Even if you tell Netscape to not send cookies and delete your cookie file? How is that possible?

It isn't. The original suggestion was to set netscape to "ask befor accepting cookie".

Turing cookies completely off and deleting the cookie file should do the trick.

Re:rm -rf cookies.txt -- Not good enough

[nlvp]

As i understand it, this will no longer do the trick for most people. All of us have one or two sites we're members of that we enjoy using. For example, Freeserve are my ISP and their front page has a doubleclick ad on it.

Now if I delete my cookies, then log back into Freeserve or another "doubleclick associate", even if they're not displaying doubleclick ads to me, the next time I do see a doubleclick ad, the doubleclick server will recognise an associates cookie in my cookies.txt file and go and ask that associate who I am. At that point, they can link up everything they learn about me now to all the knowledge they have accumulated in the past. This is why connecting that database has removed the privacy from internet surfing.

For privacy, you have to shun all cookies forever, and sites like Yahoo, the Motley Fool and Slashdot require cookies in order for their system to remember you're a member.

Re:Bad

Sites that try the sort of crap that doubleclick does deserve an immediate blocking to bring them to their financial knees. If you're running linux then setup your computer with ipchains and bind-utils. try nslookup ad.doubleclick.net to find their various subnets. So far:

ipchains -A input -j REJECT -s 199.95.207.0/24
ipchains -A input -j REJECT -s 204.253.104.0/24
ipchains -A input -j REJECT -s 199.95.207.0/24
ipchains -A input -j REJECT -s 199.95.208.0/24
ipchains -A input -j REJECT -s 208.211.225.0/24
ipchains -A input -j REJECT -s 209.67.38.0/24
ipchains -A input -j REJECT -s 208.184.29.0/24
ipchains -A input -j REJECT -s 204.253.104.0/24

If you're running windows, then change the security level for doubleclick.net and doubleclick.com to refuse any cookies. If possible install software to refuse any sort of connection to or from doubleclick. Pretty soon these sorts of companies will need to realize when they've over-stepped their bounds, if not then they'll stay blocked from any computer under my control until they do.

Matt.

--
Every morning is a Smirnoff morning.

Re:How To Block DoubleClick's Tracking In Two Step

Do you want to shut down all professional sites such as Slashdot.org or my site??? Many small timers depend on the advirtisements to justify spending vast amounts of time maintaining them. That's terrible.. I mean really.. do you have any morals?? Howabout ethics?? Any of those??

Re:Here's the middle ground I'd like to see

[Chalst]

I don't think that your proposal would preserve anonymity. It is quite
possible to infer who someone is from apparently anonymous
information.

For example, a point made a while back on the PRIVACY mailing list is
that date of birth and ZIP code uniquely identifies a high proportion of US residents.

Privacy invasion period.

If I need something, they'll hear from me. Otherwise fuck off.

If I ever came into personal contact with these people who would trample my rights and the constitution to make a buck off me I would permanently remove their genetic material from the gene pool.

Re:FIRST

[lilgorgor]

wow, this makes me so proud to attend RIT. let me guess, you're an IT major.

Yes, yes, yes, yes, yes

[KMSelf]

...that's full agreement with all points above. For Linux users, deploying Junkbuster is as easy as downloading the RPM or DEB file and installing it. For Windows users, either NT or Win9x, you can also use the proxy.

Both the banner and cookie action are way cool. The following blockfile eliminates pretty darned near all the banner ads (and the sites associated with them if a full site or domain is listed). Note that I've allowed banners at a number of Linux-friendly sites, on principle, though you could change this if you wanted.

/*.*/ad/
/*.*/ads/
/*.*/advert/
/*.*/adverts/
a32.g.a.yimg.com/
ad.*.*
adforce.imgis.com/
adremote.*.*
ads*.*.*
doubleclick.net
image.pathfinder.com/sponsors*
preferences.com
sfgate.com/place-ads

Those few lines block virtually all the ad traffic I see.

For cookies, I block all, then selectively allow a limited number of sites with which I do business. Mostly message boards.

There was a really good program Online Profiling on NPR's Talk of the Nation a couple of months back. Other useful resources are Center for Democracy and Technology, and for a look at the other side, NetworkAdvertising.Org and Direct Marketing Association

If setting up a proxy is too much for you, the following tricks will prevent a permanent cookie file from being generated:

• Linux, Netscape: ln -sf /dev/null ~/.netscape/cookies
• Windows, Netscape: set read-only permissions to your cookies file, or replace it with a directory.

I'm not sure what the corresponding IE trix are. For Linux, lynx and other browsers can use the link to /dev/null trick.

What part of "Gestalt" don't you understand?

Boycott doubleclick.net

[erichschubert]

Boycott all doubleclick servers by blocking nameserver request (i.e. resolving them to 127.0.0.1) What doubleclick is doing is at least in Germany illegal; ISPs should consider protecting their clients from doubleclick...

Someone's going to jail!

Some advice for the DoubleClick suits:

When you go to jail, kick someones ass the first day or become someones bitch.

On a lighter note, these guys suck a really big, REALLY BIG COCK. This must be stopped, this must be illegal right now! or maybe a class action law suit... mmmm class action law suits *homer drool*

Did you read 1984?

Remember the ending? If not then go read the book and think long and hard about the ending. You should never love Big Brother.

Re:Bad

[lizrd]

The best way I've found to block them (and also speed download times) is to add a line to your hosts file (/etc/hosts c:\windows\hosts) to direct that domain to the null IP address 0.0.0.0 . Then they won't be able to track you and you won't have to look at the adds.

Opt out

[rjamestaylor]

Please forgive me for not reading each post to see if this information is already given, but I'm tired tonight and my wife has had a sick baby all day (and it's my turn...see? I'm rambling).

Here's the DoubleClick answer: Opt Out. Follow this link and get an untraceable cookie.

At least, that's what they say... They assign you a cookie with the unique id "OPT_OUT" and they leave you alone.

Of course, my conspiratorial side says that this will only draw their attention to you for closer surveillance....

:-only kona in my cup-:
:-robert taylor-:

Yet more proof that COOKIES AND JAVA ARE EVIL!!!!!

Keep cookies and java(script) disabled and keep yourself safe. Always be anonymous. When it's necessary to create accounts (like with New York Times web site), always supply bogus data, bogus names, and bogus email. For truly evil sites that require a valid email address to mail your real password back to, which you must receive before access is granted, get an anonymous throw away account (yahoo, hotmail, etc.) to receive this password. Never give out any real information. For regular email, use anonymizers (replay.com). Use SSL proxy servers to mask yourself behind. They are all against you. If some site needs geographical data (like to get TV listings), give zipcodes near you, but not your actual one. Within 50 miles is good enough for TV. And for better security use combinations of the above to anonymize yourself better. Chain through many proxies, remailers, anonymizers, preferable located in many different nations to make tracking you a logistical and bureaucratic nightmare. Go through nations that don't like your nation to deliberately hamper trace attempts. Would Cuba or Serbia help the US attorney general track down some h4x0r? Or Libya? Take advantage of political strife to hide yourself. As for your ISP, dynamic IP is your enemy (though static IP assigned only to you is worse). Dynamic IP can be linked to specific phone calls. Go for multi-user shell ISPs that have many users all logging on and off of the same machine (IP). Prepay service with money orders (use false name on them). Get the address off of a (distant) streetlight controller box and give that to the ISP as your home address. Surf from a laptop via telephones in motel rooms. Pay cash for your stay. And move around a lot. If you need to make LD calls, get one of those phone cards from the vending machine at 7-11. Using crypto wherever possile goes without saying. Use "n/a" and your name and company name for all software you install on your laptop, and bogus addresses. You never know what MS is sending back to the black helicopters. Do all of this and keep the information goons in check for another day.

B1t Thr45h3r,
s0UTH3rn h4X0rz

Me Too! ;) Re:Bad

I've done the same thing. Input and output from all my know doubleclick addresses is blocked. I also ban flycast.com in the same fasion. I don't remember where I first saw them, but they seemed to be behaving similar to doubleclick. (Note that some of the masks are /23, or some other odd number. When I looked these up on arin.net, there were holes in their assignments as seen.)

I hope this is useful to som people. Please post bug reports, too. :)

One more thing, don't forget to use junkbuster as well. (My firewall/router redirects port 80 through squid which then goes through junkbuster. Quite nice. :)

Here are the addresses I have so far:

# undesirable sites, init here for uniformity elsewhere
BANNED_SITES=""

# doubleclick.net
BANNED_SITES="$BANNED_SITES"\
"208.10.202.0/24 216.94.59.64/27 208.228.78.0/24 208.228.86.0/24 "\
"209.167.73.128/27 208.229.75.0/24 208.32.211.0/24 208.211.225.0/24 "\
"199.95.206.0/23 199.95.208.0/23 209.67.38.99 "

# flycast.com
BANNED_SITES="$BANNED_SITES"\
"216.32.96.0/21 207.240.119.0/24 192.216.105.0/24 216.52.4.0/22 "\
"209.191.72.0/26 207.251.152.224/31 "

for BANNED in $BANNED_SITES ; do
ipchains -A input -d $BANNED -j REJECT -l
ipchains -A output -d $BANNED -j REJECT
done

Re:Bad

[jsm]

Yes! If I had points I'd moderate you up.

If installing a CGI script somewhere is easier than installing the Junkbuster, then see my CGIProxy. Along with proxying pages, it can filter ads with either your own blocklist or a default one.

Here's the middle ground I'd like to see

[MattMann]

Now, if we could lay some ground rules for trust, I wouldn't mind having ads personalized for me and my tastes. I mean, I like drinking beer, and I don't like cola, so I'd rather see beer ads than cola ads. However, I'd want it to be "relatively" anonymous. That is (random list off the top of my head),

• I don't care if a computer knows that I have hemorroids, but I don't want a person to be able to look it up
• I don't mind if a person knows aggregate things like "a beer drinker just saw your ad on Slashdot"
• but I want to know what they'll know about me if I click on the ad, then I can decide whether to click. A promise of "aggregate" statistics is not good enough: what if the aggregate is "wine drinkers with hemorroids"
• Promising me "We won't sell your info" is not good enough. "We won't look at it with your name attached" is what I want.
• If info is shared between different domain names, I want to know.
• I'd like the "no sharing" promise enforced through merger and acquisition. What if Slashdot goes public and Microsoft acquires it, and the backup tapes? Yipes! I never agreed to that!

I would accept promises from companies. I think most are trustworthy enough. But, promising alone is not enough, I want recourse and/or punishment. IRS employees keep getting caught sneaking peeks: the death penalty is what I'd like to see (don't like it? don't peek and even if you are the President (hi Echelon) something they've been known to do) But assuming others aren't that etreme, how about firing, pension loss... something serious. At least tell me what the punishment is. A simpler case to illustrate: I haven't forgiven Real Networks for its spying transgressions, but they could have repaired a lot of trust if they said, "we screwed up, and we are going to delete all the info we grabbed, plus one month worth of all our server logs, and we fired that guy."

A more global pet proposal of mine is this: as a compromise between the privacy nuts and data gulpers: if information about me is stored in a database and includes any sort of address/contact information, then the database owner must tell me once a year what they have on me. It would cost only a small amount per person, and if it does not have that much economic value, don't keep it. Then at least the average person would develop an awareness of what's out there.

Re: Intermute

>If you're willing to pay ($19.95) and use Windows, try interMute.

interMute is terrific & does more than block ads and cookies.
Their web site says they plan Linux & Mac support this Spring...

However...

[Millennium]

So what? A bad action is still a bad action whether or not you're making money on it or not.

Point for your side. But there's one thing: consider motives again.

Let's look at DeCSS. Why was it made? It was made so Linux (and other alternative OS users) could play legitimately-purchased DVD's. Yes, you can copy disks, but that was not the intent of the project, nor its primary use. In short, the intent of the act is benign.

DoubleClick's info-harvesting exists for one purpose only: to sell the information. Furthermore, to sell it to people who will use it in ways that DoubleClick knows will use it for the sole purpose of doing a primitive psychoanalysis on people and pushing ads based on the results. This is something that no one wants. So the intent is, albeit mildly, malicious.

Information wants to be free, yes. But it does not want to be misused. That is the difference between DeCSS and DoubleClick's data-harvesting.

browsers

I think it is about this point that our browsers should really be held responsible. Both Netscape and M$ have given companies this ability to track us, and they also have the ability to stop it. Perhaps a simple solution would be to require more than just an id to access a cookie. For example, if the IP address of the site requesting the IP were also checked, would this doubleclick scheme still work?

Re:Bad

[PooF]

Everyones forgeting a bunch of servers.
127.0.0.1 ad2.doubleclick.net
127.0.0.1 ad3.doubleclick.net
127.0.0.1 ad4.doubleclick.net
127.0.0.1 ad5.doubleclick.net
127.0.0.1 ad6.doubleclick.net
127.0.0.1 ad7.doubleclick.net
127.0.0.1 ad8.doubleclick.net
127.0.0.1 ad9.doubleclick.net
you might want to add in these for when they grow...
127.0.0.1 ad10.doubleclick.net
127.0.0.1 ad11.doubleclick.net
127.0.0.1 ad12.doubleclick.net
127.0.0.1 ad13.doubleclick.net
127.0.0.1 ad14.doubleclick.net
127.0.0.1 ad15.doubleclick.net
127.0.0.1 ad16.doubleclick.net
127.0.0.1 ad17.doubleclick.net
127.0.0.1 ad18.doubleclick.net
127.0.0.1 ad19.doubleclick.net
127.0.0.1 ad20.doubleclick.net

There ;-)

Aaron "PooF" Matthews
E-mail: aaron@fish.pathcom.com
To mail me remove "fish."
ICQ: 11391152
Quote: "Success is the greatest revenge"

Shop button

[Joe+Rumsey]

This would be much more useful than the latest Netscape feature, the "Shop" button. What a waste of real-estate.

Have you noticed that "Shop" and "Stop" are very similar in appearance, and placed right next to each other on the toolbar? I guess it's only because I turn the images on that bar off, but I think it's kind of funny that they're trying to trick me into clicking "Shop" by mistake when I meant to click "Stop".

Do most people turn the images off, or do you like wasting all that space too?

advertisers will find a way

[xdc]

Yes, I agree that there is a very real possibility that advertisers will find a way of getting their messages to us even if we filter or opt out of banner ads.

I stopped using GeoCities when their pop-ups became unbearable. If a lot more websites resort to doing things more insidious and annoying than banner ads, we'll probably yearn for the good old days of waiting for banners to load so we can see a page.

As the web gets XMLified, I expect to see more nifty agent programs that can go out and distill content from the web. The thought has occurred to me, though, that sites may block these agents/bots in the same way that we can block their ads, just to try to force us to view their sites with approved programs that will show us ads. Two can play at this game.

Another interesting fact.

[pen]

AFAIK, many of the pay-you-to-watch-banners people use DoubleClick's banners. However, many of them use Microsoft's IE controls for grabbing ads, and the controls use the same settings as IE itself, which includes the proxy settings.

With AllAdvantage, I have successfully routed their banners through my proxy and I now have two blank boxes where the banners would be.

--

Re:Opt-Out (yeah... right..)

Does anyone actually trust them on their 'Opt-Out' option? A while ago they said they weren't tracking users. They lied. Now we should trust them on this?

It's equally likely that hitting the 'Opt-Out' link will just get you tagged to receive all sorts of specifically targeted direct marketing 'protect your privacy' junk mail.

The real solution requires actually recognizing that our privacy rights apply to databases too. Unfortunately, that might adversely affect the corporations. And whatever the corporations want, they get. After all, that's what they spend all that campaign donation money for. This is why corporations can have secrets "protected" from individuals by the gun wielding state-run police, but individuals have no such right to have their own secrets protected from the corporations (or their databases).

If this doesn't make you furious, you aren't paying attention.

What we really need is a way to completely "opt-out" of the Abacus Database (and any other database we don't want to be on). And there will need to be some realistic means of enforcement. But so long as we keep electing politicians without principles who will suck up to anything for enough campaign money, nothing short of bloody revolution is going to prevent this trend.

Simple. No more cookies.

[mindstrm]

I've always been the one to say people are too paranoid about cookies.. but I suppose that's mainly because of the way the media misrepresents them.

All legalities aside.. HTTP cookies were designed the way they were for several reasons, one being anonymity; granted, this wasn't a huge focus, and it's by no means a true security model.. but the spirit was there. IF used appropriately, cookies were very useful.

Now.. by tying sites together in this manner.. doubleclick has basically violated that spirit. So.. screw 'em.

You know... it would be nice if we had appropriate privacy laws in north america.

Something along the lines of:

1) A business may only require information from you that is directly necessary in order to complete the business in a fair manner.
2) This information can *ONLY* be used for the plain and obvious reasons it was given. It cannot be sold or transferred to another party, unless for continuing business reasons (ie: Collection agency so they can collect, lawyers, so they can file suits, but even then, it must remain the business at hand) The video store has your name & number *ONLY* so they know who has their property, so they can come get it when you don't bring it back.
3) The penalties for this information leaking must be *HARSH*
4) You cannot take information from someone to track their behavior/actions unless you state *explicitly and clearly* that this is what you will be doing with said information. (ie: 'points' cards, 'Air Miles', 'Club cards' at grocery store.)

5) Generation of demographics from customer information is fine, so long as those demographics are anonymous. (so it's fair to say that 300 college-age white kids from a 2 mile radius rented horror movies this week, or ate kraft dinner, or whatever.)

Folks.. it's not about cramping the freedom of people to keep records.. but those records have to have *some* kind of purpose. Your name and phone number should never be just a *commodity*, to be bought, sold, and traded.

In other words.. forming a business to 'track' things in this manner (consumer profiles) is basically like spying! Were you aware this company has a file on you, Mrs. Smith, a foot thick? they know everything about your shopping habits? This is spying, and the citizen deserves to be protected from it.

In the end.. don't give your name to people who don't need it. Don't give it just because some clerk *asked*. Don't feel awkward.. make *them* feel awkward.
Those grocery store 'discount' or 'club' cards? Do they ID you? no.. *lie* on them. They aren't credit, they aren't monetary.. they just want to track you.
web sites..
Guess it's time to remove the cookies permanently.

Lets all use the same cookie!

[Greyfox]

Someone pull the doubleclick cookie out of your cookie file and post it. Then we can all paste it into our cookie file and re-chmod the cookie file to be read only. Then it'll end up just being one person hitting every web page on the planet thousands of times a day (It would actually be interesting to see what kind of junk mail that guy gets after a year.)

Webwasher is a free proxy for windows boxes

There is also a Webwasher from Siemens, which is for Windows and it's free. You can find it here, http://www.webwasher.de.

Privacy Laws

[mindstrm]

Folks.. this is where the need for good privacy protection laws need to be. And it's not hard to do, either.

These laws are fairly straightforward, and simply say that, if you give personal information (name, phone number, address, etc) in the due course of business to a business, they are obliged to *ONLY* use that information in the due course of business. It does not become *their* information to give/sell to someone else. They can keep it on file, but only for themselves, only for the obvious purpose you knew of when you gave it to them.
For instance.. radio shack. I buy something.. and the dude asks 'Can I have your name?' I say 'Why do you want it?' he says 'In order to cover the 3 year on-site guarantee on the laptop you just bought, we must record your name and date of purchase and contact info'. Okay.. fine. so I give it to him.
Now.. does this not sound like an agreement? A verbal contract? He said what he was going to use this information for. If he uses it for *anything* else, I should be able to sue his ass.

Hey... if we make it a high crime to leak this customer information... perhaps they won't even keep it around, as it increases their liability!

Here is a simple solution...

In netscape go to Edit:Preferences:Advanced and under "Cookies" select "only accept cookies originating from the same server as the page being viewed".

This way you effectively have a different identity on every site. For example, double-click can only give a cookie if you visit their site.

We Await silent Tristero's Empire

[Guy+Harris]

Don't Ever Antagonize The Horn.

Re:We Await silent Tristero's Empire

[Guy+Harris]

Sorry about that; not intended to be posted to this thread. Please moderate it and this reply to -1, Offtopic.