More Web Site User Data Gathering Revealed

Three days ago, a small group called Interhack was featured in an AP wire story about some curious data transmission they'd found. The company receiving the data, Coremetrics, tracks unique visitors through its clients' corporate websites, and promises those clients "seamless performance," because: "data tags load invisibly as small transparent gifs, and information is encrypted to appear invisible to your customer." The customer is you, the user. The GIFs are web bugs. The information can be personally identifying, which most of its clients' privacy policies fail to mention. But -- importantly -- the company promises that "Any data Coremetrics tracks and reports is owned solely by our customers and we are contractually precluded from reselling or using this data." Is that enough? Emmett and I talked both to Coremetrics and to the hackers who put the spotlight on them.

Emmett Interviews Interhack

Slashdot: For those uninitiated, what's interhack all about?

Basically, we're a firm of hackers interested in pushing technology forward through research, making computing apply to people by developing custom products and consulting for folks who want to put the technology to use, and helping people understand exactly what the ramifications of these systems are. That's a pretty broad way of saying that we're all about the Internet and making it work.

Slashdot: When did you start researching this story, and how long did it take to put the pieces together?

Sometime in May, someone sent us a tip about Coremetrics and what it's doing. We took a quick look over their web site to see their advertised services and then started to look at how the service is actually implemented on various client sites. We examined several sites, most of which very clearly stated in their privacy policies that they're using Coremetrics for site monitoring and provided links necessary for people who don't like it to opt out of the system. Most of the sites with clear, full disclosure policies weren't even sending Coremetrics personally-identifiable information like names and addresses.

The more interesting part of our find was in the sites that did send personal information to Coremetrics, particularly those that carried the TRUSTe privacy seal. Over the course of about three weeks, we performed an investigation of these sites, gathering as much information as possible from them. We reverse-engineered the system by reading the sites' code, reading through the obfuscation, and comparing logs of our network's activity with the activity that would be perceived by an end user.

What we found was a clear difference in user expectations and what was actually happening, as well as a clear difference between what Coremetrics says it offers and what its eLuminate service makes technically feasible. After writing drafts of our report and press release, we decided to take a wait-and-see approach to the release. Specifically, we wanted to ensure that sites that just started to use the Coremetrics service had adequate time to update their policies and to have an accurate idea of what was happening with the system after having been in production.

After waiting and watching for more than a month, we decided to release our findings. So, on Monday morning, we sent a pre-release copy of our report to Richard Smith and some folks at Zero Knowledge Systems. In addition, we contacted each of the firms named in our report and Coremetrics so that if the failure to disclose or the ability to profile people across web sites was unintentional, there would be time for some investigation and a decision about how to fix the problem. After the end of business Monday, we released our report.

Slashdot: What needs to change? In a perfect world, how do we deal with this?

This is a very interesting question. In my perfect world, detailed levels of profiling would not take place at all. There would be no such thing as persistent cookies. In general, I'm just not comfortable with the level of privacy that the industry as a whole has given up for the sake of a little convenience.

How big of a deal, really, is it to have to enter your password when you login to a web site? Don't forget that the reason why we have passwords in the first place is so that you'll have to do something at the beginning of the session to prove who you are.

Web browsers also need to be more intelligent. That is, they need to be able to identify things like dependencies on third parties so the user can know whether those images should be fetched or ignored. Right now, browsers -- for the most part at least -- just aren't very defensive. The model of parsing everything you're given worked fine in the Old Days for which some of us long so much but the fact of the matter is that you really can't blindly trust anyone on the Internet.

I'm not suggesting becoming a luddite. I'm suggesting that folks take a sort of "trust, but verify" approach a la Ronald Reagan. Right now, there's a lot of trust and almost no way to verify.

Slashdot: This all comes down to trust. How many policies are just there so people will shut up about personal information so they'll start buying stuff online?

I couldn't say. Policies are almost always written by lawyers. That probably speaks to the covering-one's-posterior-position value of privacy policies.

Slashdot: Since we can't trust written policies, what should people be doing before they start conducting business with these websites?

Verify everything. As I said earlier, though, we're severely lacking in tools that are accessible to most people that can help in that regard. I think Zero Knowledge Systems' Freedom network is a huge step in the right direction. Tools like Muffin (muffin.doit.org) also help, but it would be cooler for that kind of functionality to live right in the browser itself. There are opportunities for eager hackers on this front.

It's also important to stress that tools alone won't do it -- there is no silver bullet. People are going to have to have some understanding of what's happening in order to use these tools effectively.

Finally, where you see discrepancies, point them out. Most of the time, they're oversights. Look at how Lucy.com and Fusion.com dealt with this problem: they updated their sites. So although the problem shouldn't have happened in the first place, they did the right thing. Contrast that with Toys "R" Us, which issued a statement saying that what they're doing isn't a violation. And their privacy policy still doesn't say a word about Coremetrics. They still haven't said anything to address the issue of having information collected on children.

Companies that don't fix their problems don't take your privacy seriously, no matter how much lip service they pay. So don't go to their sites. Don't buy their stuff. Tell them why you're not buying their stuff. Tell their competitors why you shop where you do, lest the new places you shop get the bright idea to try to hide something.

Jamie Talks to Coremetrics

Here's the service Coremetrics provides to corporate websites:

Many companies demand accurate knowledge of how their sites are being used: what sections are popular, what paths visitors take through the site, where people click over from, and so on. It's like web log analysis but more specialized for large shopping sites.

Since these demands are very much the same, and the code to do the analysis is similar, outsourcing happens. From a CEO's viewpoint, Coremetrics fiddles with the website to do better-quality tracking than the company could do on its own, and then makes the resulting statistics available over SSL.

But from your viewpoint and mine, that "fiddling" results in cookie-carrying web bugs all over the sites we visit -- web bugs which usually send back to the Coremetrics servers a unique visitor tag, like any other cookie, but one that sometimes includes your name, email address or other personally identifying information.

Coremetrics promises that this information remains private. When DoubleClick collects data from <img> cookies across multiple websites, they do so with the stated intention of tracking you personally; this is part of their business plan.

According to Coremetrics, they do things very differently. Data is not cross-correlated between their client websites, they say, because their contracts with their clients prohibit this. In fact, their contract forbids them from doing much of anything with that data except statistical analysis.

I gave the Coremetrics PR person I talked to a chance to explain, using the example of their client Toys 'R' Us:

"Coremetrics is merely an agent that collects this data on behalf of an individual customer, for that individual's sole use only. We do not collect data, as was inferred very incorrectly by Interhack, across multiple unrelated websites, with any intention of selling it to third parties -- or even distribution to third parties. That's because we, as the agent, do not own that data, nor do we have any rights to that data. Toys 'R' Us, and Toys 'R' Us only, is the sole owner of that data. So legally, we cannot do any of the possibilities that Interhack had alluded to in their report."

But here's the interesting thing.

If I'm browsing my favorite website, Coremetrics is clearly a third party. They have a special contractual relationship to keep my data private, which we shouldn't ignore. But nevertheless -- a third party.

So why do some of their clients' privacy policies not mention this?

Toys 'R' Us is a good example. As Interhack made clear, they do send personal data to Coremetrics' servers. But their privacy policy reads, "We do not share any personally identifying data about our guests with anyone outside of Toysrus.com, its parent, affiliates, subsidiaries, operating companies and other related entities."

So is Coremetrics one of their affiliates or a related entity? I wouldn't think so, but I'm not a lawyer. One interesting thing is hidden in that privacy policy's HTML; after the closing </html> tag is the hidden message: "<!--CoreMetrics Information if enabled-->." Hmmmmmm.

Coremetrics lists twenty clients; I tried to contact seventeen of them for comment, with marginal success by press time. Three reported that they had not yet activated Coremetrics or had decided not to use the service at all. One (guru.com) reported not sending any personal information -- presumably, only tracking visitors with a non-identifying unique ID.

Two sites (lucy.com and fusion.com) began mentioning Coremetrics in their privacy policies on August 1, the day after the Interhack report. One site (thewest.com) did not even have a privacy policy until yesterday; they'd been working on it, and my email may have made it a priority because it was on their site three hours later.

According to Coremetrics, they encourages all their clients to disclose the use of their service in their privacy policy, and include a link for users to opt out. But some sites reported as using or planning to use Coremetrics' services have privacy policies that could use some clarification.

Altrec.com informs me that "...in the near future ... we plan to add to our privacy statement our use of Coremetrics and the fact that Coremetrics neither owns, distributes, nor has rights to the data it sorts on Altrec.com's behalf." However, their current privacy policy states very simply: "Altrec.com will never sell or give your e-mail address (or any other information about you) to anyone else without your permission. Period."

(Last-minute update -- just before press time, Altrec.com clarified that they are "sending unique ID (unique to Altrec.com) and city, state and zip. No other personally identifiable information is being sent to Coremetrics.")

Bravanta.com bounced me between different people until I got to leave voicemail that wasn't returned by press time. Their policy says they "do not and will not sell, trade or rent the personal information of our customers or gift recipients to any third parties."

(Update two hours later: Bravanta reports that they also have decided not to use Coremetrics' service, and are not currently using it.)

Mall.com didn't get back to me either, and their policy reads "We will NEVER release your name and personal information to a third party..."

Getplugged.com has a rather confusing privacy statement that begins, "Any personally identifiable information GetPlugged.com collects will be used solely for the purposes stated within this Privacy Statement" and wanders around from there. I'm not sure what to make of it, frankly.

All these polices may indeed be correct, if the sites are stingy with personal data. Like guru.com (and altrec.com), they may be using the Coremetrics service only with non-personal IDs. But, as with Toys 'R' Us, that may also not be the case.

(fusion.com, getplugged.com, and altrec.com also happen to be TRUSTe licensees, but TRUSTe wasn't able to comment by press time. In the AP wire story on Monday, they had harsh words but were speaking hypothetically; no comment since then.)

It's hard enough to read privacy policies already. Most of them are designed to protect companies legally, and mostly manage to confuse users. The distinction between Coremetrics as a third party; or affiliate; or agent, is a little too fine for the average consumer, and needs to be spelled out in each policy, as Coremetrics itself recommends.

But is all this a tempest in a teapot? If a signed contract forbids a company from misusing data, is that all we need to know?

I don't think so. In the first place, at the very least, companies like Toys 'R' Us need to disclose such things in their privacy policies. That's just common sense.

In fact, according to Coremetrics privacy advisor Dave Farber, they plan contractually to require such disclosure with future clients. (The company could not confirm or deny this at this time.)

More importantly, we as consumers are being asked to trust a third party whose reputation we know nothing about. In fact, 99% of us will never even have heard of them and might not understand what they do. We're told that a contract protects us, but we're still being asked to trust something we can't see. And when evidence of policy violations is turned up by a group of hackers, that erodes our trust.

After speaking at length with Coremetrics' PR, I get a general feeling of trust from them. (Of course that's a large part of their PR staff's job, earning reporters' trust.) More importantly, Dave Farber is well-respected, and his confidence carries weight -- with me at least.

Still, as Interhack says, our motto should be "trust but verify." That's why I proposed, to Coremetrics, that they publicly post, on their website, the paragraphs from their clients' contracts which assure that our private data remains private. If the actual legal words that protect our data are up there for us to see, we don't have to trust anyone.

When I mentioned this to Coremetrics' PR person, he promised to consider it; Dave Farber thought it was "a very good idea." It's unusual for corporations to make contracts public, even in part, but in this case it would do a great deal to put everyone's fears to rest.

no more privacy

they can do whatever they want ann they will, for most people thats invisible and they dont give a shit, they wont even notice. If you dont want to be tracked the solution is "DO NOT ACCEPT COOKIES! and clear your cache once in a while...

Re:no more privacy

If you run your own dns servers....
Setup empty zones for the webmarketing companies.
We haven't been seeing doubleclick data for about six months or so.

Re:no more privacy

better yet, use junkbuster or some other cookie cutter.

Re:no more privacy

or, still simpler, just set the permissions of ~/.netscape/cookies to read-only. this is still better because you can keep exactly the cookies you want from one session to the next. adding new ones is trivial: enable writes to the file, fire up the browser, go to only the site you want, exit the browser, mark file read-only. this happens very rarely for me. harry truman capote

Re:no more privacy

[Phroggy]

Shift the context maintenance from the cookie to the URL. If you don't want them to understand or mess with the context state, then use obfuscation and hashing liberally.

My Web site uses themes; you can choose how the pages will be displayed. Most of the themes are based on (read: blatently stolen from) various operating systems, so the text shows up as if it were in a window, and that window can look like a Win95 window, a Mac OS window, an X window, etc. Each page is dynamically generated from a Perl script that takes two arguments in the query string (the end of the URL): "page" and "theme". Obviously, "page" indicates the name of the page to be viewed (except on the main home page, which is handled seperately), and "theme" indicates what theme you want to view it in. If "theme" is omitted, it chooses a default theme for you.

The problem with this is that the URL looks somewhat ugly, and if you link to a particular page from somewhere, you'd be linking to the page with a particular theme. I want the theme to be chosen for you automatically the first time you get to the site, since certain themes are not appropriate for certain browsers. That's why I want to use cookies instead - make it a local preference in the browser, and make it persist between sessions (in case you're demented enough to actually go back to my home page someday).

--

Re:no more privacy

[Phroggy]

they can do whatever they want ann they will, for most people thats invisible and they dont give a shit, they wont even notice. If you dont want to be tracked the solution is "DO NOT ACCEPT COOKIES! and clear your cache once in a while...

You're aware, of course, that this breaks a lot of Web sites? Sure, Slashdot still works, although you lose any hope of customization, but most e-commerce sites break. I'm working on figuring out how to use cookies on my home page, just because they're so darned neat, and one of the hardest things to do is gonna be figuring out how to make the site still work if cookies are off. A lot of companies don't bother, and simply require cookies.

--

Re:no more privacy

[plague3106]

If thats all they get, then so what?

Re:no more privacy

[plague3106]

Still, so what? How would they know that? How would they know who had that number? How do they know its not a router for 5 other computers in the house? I have yet to see anyone marketing b/c differnetly b/c they kept seeing the same ip visit the site. Its not equivelent b/c even if they have my ip they don't really know anything abouit me, or even if its the same ip. Besides, i had cable modem, and my ip did change every now and then. So what?

Re:no more privacy

[B'Trey]

If you're with a dial-up ISP and get a dynamic IP address, probably no big deal. If you have a cable modem, DSL or similar and have a static IP, then having that IP address may be equivalent to having all of your private data.

Re:no more privacy

[Roast+Beef]

The problem is that with web bugs and your IP address, it's just as easy to track you. They've got the pages you go to with times and your IP.

Re:no more privacy

You're aware, of course, that this breaks a lot of Web sites?

Simple fix:
ln -sf /dev/null ~/.netscape/cookies
Your cookies will all be accepted and valid while they remain in memory (that is, as long as you keep the web browser open), but will be flushed every time you close netscape -- giving you the best of both worlds.

Matt

Re:Web Bugs

Didn't they have some option to let you not load any image from a different server? It seems like that would accomplish the same thing and still allow for "page counter" gifs

Re:Web Bugs

[Phroggy]

Single pixel spacing doe not have it's own good purposes. Design the logical layout and then apply style. I sure prefer simple sites to sites that are so obfusciated as to need one pixel spacing...

If browsers weren't so buggy and annoying, we (Web designers) wouldn't need to work around them by using single-pixel GIFs for spacing and such. It is possible to create an attractive design that doesn't get in the way of the content, and easily run into a situation where you need a 1x1 spacer (or something even more annoying) to make it work in HTML.

--

Re:How many?

[Phroggy]

Toysrus.com sells information even tho they say in the privacy statement they don't? Welp, add another place not to shop to my list. Does anyone publish a listing of companies that don't sell information to other public/private companies anywhere? I'm sure it would be very useful to some.

I'm thinking the Better Business Bureau might not be a bad place to start.

--

Re:Web Bugs

[KnightStalker]

The day-before-yesterday nightly build of Mozilla will load images from "images.site.tld" but not completely different domains if you turn on the "disable images from different domains" feature -- I assume it works similarly with cookies.

The only problem with this is, if it becomes widespread, places like Doubleclick will quickly get domains like "dc.amazon.com" (or whatever) that all point to the same server.

--

Re:Web Bugs

[KnightStalker]

I thought of that... looking at the yahoo and yimg stuff, www.yahoo.com resolves to 200.71.200.67, 204.71.200.68, 204.71.202.160 whereas us.a1.yimg.com resolves to 206.191.161.51, 206.191.161.50. So that's out, too.

I don't think there's a good way around it, and I'm willing to put up with the odd site like Yahoo where I can't load the images.
--

Re:Spot the webbug

[Evangelion]

Because the image is sent down by a CGI script (presumably perl), which would be less efficient the bigger the image got (relative to the webserver sucking it off the drive).


--

Re:Web bugs on Slashdot?

[Roast+Beef]

It's probably for statistical purposes, but how it copes with cache's I'm not sure (and I don't care enough to look at the HTTP header for a Pragma: no-cache statment).

Actually, cache may be the reason they do it. If a cache caches the main page, there's no way for /. to track hits. The JavaScript generates a unique (time-based) request for the user, so there's no way it can be cached. The cache thinks it's a new URL.

THE ABOVE IS A TROLL

[Roast+Beef]

Comment tags keep browsers from displaying JavaScript code. The code still runs.

Re:THE ABOVE IS A TROLL

[ethereal]

It may be incorrect, but it is not a troll.

Re:What about normal page counters

[nosilA]

First of all, amazon.com would be stupid to have another company take care of their counting.

Second of all, eviladagency.com can't get a cooke for amazon.

Thirdly, why would EVILADAGENCY.com relase said information to the president? If they do, this is an entirely different problem.

I'm all for paranoia about the government, but if we don't look so paranoid about everything, people will take us more seriously about the things that really matter.
-nosilA

What about normal page counters

[nosilA]

I cannot run cgi's from any reasonably stable/fast server, so I use digits.com to perform counting on a particular part of my personal web page. It's really neat to know how many people visit your page. However, because I think those counters are really ugly, I make it 1x1.

Sure, Digits might be gathering more stats about you than I know, but what are they going to do with it? We're not talking about the FBI who is going to track you. We're not talking about someone who has access to your credit card information or home address - it's just your IP address, and browser info. So they link it between multiple sites. They know you look at my web page and the Sarah Michelle Gellar fan page (their #7 most active site) or the Irritable Bowel Syndrome Help Group (#1 site). IT DOESN'T MATTER!

The point is there are lots of things for us to be paranoid about, but whether someone is tracking your usage habits to send you more directed spam is pretty irrelavant in the scheme of things. Besides, use a proxy server hosted by someone you know/trust. Then they get less info on your page. problem solved.

-Alison

Re:What about normal page counters

[nosilA]

This thread is silly and I hate to continue it further, but... i know doubleclick gets all sort of info about you, but your credit card numbr?!? how? This is a big deal if the do....

nosilA

Re:What about normal page counters

[dale@redhat.com]

What about a person has been to amazon.com and bought a book, filling in their credit card number, home address, all of their information, and this was captured by EVILADAGENCY.com. Then suppose that same person goes to your site, with your web counter. The cookie that was left from amazon (with all of their information) now can be correlated. They know exactly who that person is, and that person went to your web site. Still pretty harmless though, huh? But, now let's imagine that person goes to www.ihategeorgebushandwanttoseehimrotanddie.com... And our (maybe) next president asks EVILADAGENCY.com who has been to his least favorite web site? That is the problem with this...

Re:What about normal page counters

[dale@redhat.com]

Ever heard of doubleclick? This is happening every day!

The cookie wouldn't be "from" amazon, it would be from EVILADAGENCY.com, which would then retrieve that cookie...

doubleclick has the ability to do this RIGHT NOW! This is not a scary paranoid conspiracy theory... The ability to do this exists. doubleclick, of course, says they do not do this... But who knows...

Why would EVILADAGENCY release info to the president? Because they are evil of course :-)

Re:Web Bugs

[EMN13]

You shouldn't be using 1x1 gifs for spacing anyway... In a decently designed website there is no need for them. Use CSS, or whatever else, but relying on 1x1 images for spacing isn't the brightest idea. It destroys the way HTML was indtended to function - structurally, with UI separated out. Why blame mozilla for having such difficulty making a browser work if the true culprits are the people abusing rendering implementations on specific browsers.

Apart from that, if anyone were to implement a 1x1 filterer, that obviously shouldn't effect layout, so it would still space things as before (to not break any web sites) but simply not load the images. Would only make your web server faster because of fewer requests.

Re:Web Bugs

[EMN13]

Single pixel spacing doe not have it's own good purposes. Design the logical layout and then apply style. I sure prefer simple sites to sites that are so obfusciated as to need one pixel spacing...

Re: or...give them MORE.

[symbolic]

Who says you can't write a little robot to visit select websites, meandering from page to page at various intervals, all while YOU are nowhere to be found. What they have, then, is purely fictitious data. And it serves them right.

Re:Protect Yourself

[Kyobu]

Admittedly, this isn't as convenient as having such preferences in the browser itself, but you can always use JunkBuster or Muffin. JunkBuster is great; I haven't tried Muffin, but the article mentioned it and it looks cool. Even does a couple things JunkBuster can't, like removing <BLINK> tags.

Re:DNS Entries

[xrayspx]

That would be an inference. It's more logical to say "slashdot used to be hosted at this colo center, images2 is AT this colo center, images2 is probably run by slashdot staff" than it would be to say "images2.slashdot.org used to be hosted at this colo center, therefore doubleclick staff have flown in a tigerteam in a silent black helicopter to run images2.slashdot.org"...

Or maybe I'm just not paranoid enough anymore.

Re:DNS Entries

[xrayspx]

Well, 209.207.224.245 (images2.slashdot.org) *IS* far removed from 64.28.67.48 and 64.28.67.57, www and images.slashdot.org respectively. 209.207.224.245 is owned by DigitalNation while the others are Exodus. Exodus is the current hosting company for slashdot, DigitalNation is the OLD hosting company. So images2.slashdot.org, while not sitting right next to images.slashdot.org, IS under their control, DNS does not point to doubleclick. So there we are.

This is actually the way user tracking SHOULD work, internally, for internal use. Not with crap bounced halfway around the net to some company who may/may not sell it to someone.

xrayspx

Re:Emmett and Interhack

[Xerithane]

I don't find where you work and post things about the quality of your work.
Hm, well lets see here. People get criticized all the time, especially /. posters. If you can't take it - than don't be in the public eye.

I work with Clyde on Time City. ...Matter of fact, I don't even know if Clyde is involved with Interhack.
I'm sure his interhack email address that goes to the time city mailing list *never* meant anything to you. Oops, caught again.
Emmett, it's really sad that I'm a damned programmer and I know more about jouranlistic integrity than yourself.
As for /., it's good for laughs, and links.

nerdfarm.org

Re:Emmett and Interhack

[Xerithane]

Never questioned the integrity of Interhack.
I questioned Emmett's ability to competently research and provide journalism unbiased to the public. You, nor members of Interhack (I'm assuming, very well could be wrong with this) are not journalists (nor pretend to be). Because of this, you merely were posting your findings, because Emmett's involvement both personally and professionaly with you outside of Slashdot he has comprised the whole premise behind journalism.
Which I've seen him do time and time again.


nerdfarm.org

Emmett and Interhack

[Xerithane]

Emmett Plant, "journalist" on slashdot.
Emmett Plant, founder Time City Project.
D. Clyde W., very visible member Time City Project
D. Clyde W., member of interhack
Hm, can we same shameless plug.. considering slashdot uses bugs I can't believe that they are slamming coremetrics.
Slashdot used to get worse on a monthly basis, then weekly, now it's with every post.

nerdfarm.org

Re:Emmett and Interhack

[Xerithane]

a) learn about interhack, find out if they give out email addresses.
b) there are other documents and also I have witnessed conversations with emmett present where clyde has stated his affiliations with interhack.


nerdfarm.org

Re:Emmett and Interhack

[dclydew]

Hi Jay,

Haven't seen you in eons...

BTW- I was in no way involved with this particular project. If you'd care to read the Interhack information, my name is not listed on any of the "cookie" investigations.

Have a Good Day.

D Clyde Williamson

Re:Emmett and Interhack

[dclydew]

Well, other than calling into question the integrity of Interhack, myself and the entire story... I gues you little joke was harmless. Right??

Re:Emmett and Interhack

[cwhicks]

Mom? Don't bother me when I'm looking important.

Re:Emmett and Interhack

[jasondlee]

But unless you've got a problem the facts or the way I present them, chill out.

Isn't that what he just did?

If I've said something untrue in my work, you've got a responsibility as a reader to point it out. You haven't done that, though.

How do ya figure? He doesn't work for slashdot. He has no responsibility whatsoever to the site. It is *your* repsonsibility to post true stories accurately, without bias (and I'm making no accusations here. I honestly don't care).

I don't find where you work and post things about the quality of your work. I don't question your professional integrity, because I really don't understand or know what you do for a living. At this point, I don't care. You just seem like someone who was really burned and you're working out your 'angry ex-girlfriend' mojo on me for some unknown reason.

Well, Emmit, you're a published author. Like it or not, that kinda puts you out there for public scrutiny. Politicians, celebrities, and other journalists put up with it all the time. You're gonna have to learn to, or quit. And, while we're focusing on the aspects of your profession, you might want to try to maintain a professional demeanor and not make personal jabs at a probably non-existant dating issue of one of your critics. Thicken that skin.

&gt Slashdot used to get worse on a monthly basis, then weekly, now it's with every post.

Then don't read it. Apparently it's causing you undue stress.

He has a point here, too. I used to read /. all the time for news. I still come here every time I feel like checking the news, but the quality of the site has plumetted, for whatever reason. I can go to linuxtoday.com and see 34 new news posts, and then come to /. and see 2 new posts, one about a little tiny computer, and then another expose from the hallowed /. journalists. I know you guys are trying to make a living and probably doing the best you can. I can't fault you there. But. As a long time reader, I just gotta say that it ain't like the good old days. I mainly come here now to make sure I don't accidentally miss something that some of the other sites fail to post.

While I'm in the (hopefully constructive) criticism mood, I'd just have to say that AC's are pure evil. You have a problem with AC's trolling? Ban AC's. Who needs 'em? If they want to troll anonymously, let them go somewhere else. At one point, this was a really good tech site where we could read about and discuss news in an intelligent manner. Now we have to wade through troll after troll cuz the powers that be don't want to take away someone's "right" to post anonymously on someone else's site. It's not like it used to be, and that is sad.

My $0.02, for what that's worth. I am just a 25 year old idiot from the middle of nowhere, so do with this as you will. :)

Re:Emmett and Interhack

[Machina]

Read the article again. It's not slamming Coremetrics for using web bugs, it's slamming them and their clients for unclear privacy statements.

Just because they are associates, doesn't mean it's a shameless plug. If your trying to trash slashdot's image, your gonna have to try harder than that.

Re:Emmett and Interhack

[Emmett+Plant]

Emmett Plant, "journalist" on slashdot.

Feeling bitter, Jay?

You've got all the right in the world to question my journalistic integrity. As a matter of fact, I welcome it. But unless you've got a problem the facts or the way I present them, chill out. If I've said something untrue in my work, you've got a responsibility as a reader to point it out. You haven't done that, though.

Stories are not created in a vacuum. As a reporter, I rely on relationships with people to get my job done. As a writer, I rely on the English language to convey facts to the audience.

The worst part is that you can't see beyond your own personal problems and outright bitterness to understand that Interhack does some very important work, and that this story is important to anyone who does business online.

What do you want me to say, Jay? Clyde clued me in to the Interhack press release. I work with Clyde on Time City. Clyde pointed me to it because he thought it was newsworthy. It was. I did some research, got together with Jamie, and we wrote the piece. I didn't write the piece as a favor to Clyde. Matter of fact, I don't even know if Clyde is involved with Interhack. I think he's related to Matt, though. Actually, I think you'd be amazed how many stories are submitted to me and Slashdot by personal friends that I reject. What do you want from me?

I don't find where you work and post things about the quality of your work. I don't question your professional integrity, because I really don't understand or know what you do for a living. At this point, I don't care. You just seem like someone who was really burned and you're working out your 'angry ex-girlfriend' mojo on me for some unknown reason.

I'm sorry you didn't like the article.

Slashdot used to get worse on a monthly basis, then weekly, now it's with every post.

Then don't read it. Apparently it's causing you undue stress.

--Emmett

Re:Emmett and Interhack

[technos]

And my crosswinds.net address forced you to believe I am an employee there? They do host on Linux boxes! In the last few years, I've had addresses at a .gov, newcourt.com, citgroup.com, att.com, ibm.com, yahoo.com, dynip.com, and excite.com. You can't tell shit about where I have worked or do work from them, however.

Email addresses are given out like candy.

Re:Emmett and Interhack

[cwhicks]

First, personal shit should be kept off /., especially by it's authors. Really unprofessional. Secondly, at the very least you should have disclosed your relationships with both people (relatives) and companies (Time City). I know that you must have friends all over the industry, but if you state that at the top of the article, then your girlfriends old boyfriend, would have little to say, and you wouldn't have had to respond.
And lastly, I hear she liked him better.;)

add these tidbits to your junkbuster .block file..

[Nickbot]

Add these to your Junkbuster .block file..

images2.slashdot.org/Slashdot/pc.gif
images.slashdot.org/cgi-bin/adlog.pl
images.slashdot.org/pagecount.gif

anybody want to ante up entries to block this coremetrics bull?

Re:DNS Entries

[Royster]

So images2.slashdot.org, while not sitting right next to images.slashdot.org, IS under their control, DNS does not point to doubleclick.

I'd like to know how one concludes from an IP number who the administrator *really* is.

Re:DoubleClick Ads on Slashdot

[ashpool7]

1. Set Netscape to warn on cookie transaction and poke around slashdot until you get a doubleclick cookie.
OR
Clear your cookie file, click like crazy on slashdot links, and then examine it.

2. Post your results to this forum

3. Get modded up and possibly an answer. :)

Mozilla???

[OneFix]

There has been some discussion here about how to fix this problem, and I don't think some of the people here "get it".

Mozilla has already implimented some of these features (at least for rejecting cookies) and being open sourced, Mozilla should be easy enough to change to allow for an exclution list for images, etc.

My guess is that, once Mozilla arrives at an initial final release (read complete and stable), one of the many anti-spam groups (like JunkBuster) will release a version of Mozilla (or even an add-on) focused toward ad filtering. A few options are ALREADY available, most in the form of proxies that can be installed locally or by an ISP.

But, until then, here's the link to JunkBusters.

JunkBuster Proxy - GPLed Ad Filtering Proxy

Just my $.02 worth, I could be wrong.

Re:Web Bugs

[Eimi+Metamorphoumai]

What if it didn't load the image, but instead did the spacing anyway? Use its own hardcoded 1x1 transparent gif instead of yours. Seems it would be a lot faster for the client, and wouldn't break spacing on sites (unless that 1x1 is some color other than transparent, which I would imagine is pretty rare).

"contractually precluded" is not good enough.

[jheintz]

"Contractually precluded" might, perhaps, be good enough for us to trust that the company won't sell the gathered data, but it relies on trusting the individual people who have access to the system not selling out.

I'm sure that internet advertising agencies will pay big bucks for a list of identities with data. No corporate contract will keep some people from immorally stealing and selling that data.

John Heintz

Re:This "web bug" thing is a dumb approach

[zhobson]

It's not so dumb if the user's IP changes with every request (a side effect from the proxies used by numerous ISPs, including AOL) or they refuse cookies (like most of us do). In fact, even my IP info isn't accurate, since I'm behind a firewall and every in my office accesses the web from the same IP address.

Remember kids, always be sure to learn a little something about how modern http browsing environments work before you call someone's web application dumb!

Just a little friendly advice,

-zack

Doesn't the term web bug

[Rombuu]

Seem like a really bad name for these things? I mean, they work exactly the way they are intended to. So why call them a bug?

Re:Doesn't the term web bug

[Tex+Bravado]

A microphone hidden in a table lamp or telephone works the way it's intended to, too. It's that kind of bug.

Here ya go

[FascDot+Killed+My+Pr]

http://world.std.com/~joeshmoe/sj/spj.ethics

In particular, check out 4b and 4c. "Potential conflicts" would presumably include "he's my friend's friend so I don't want to make him look back".

I just noticed the "joeshmoe" in that URL, but I don't feel like looking for a more reputable-seeming link.
--

Re:Web Bugs

[spRed]

Only allowing images from one site won't help. It is trivial to set up a proxy from /. (for example) to doubleclick, or anyone else. Doubleclick would still get the info, and to the browser it would look like /.

I agree with the current high scoring comment, if web sites are merely outsourcing their traffic analysis, there is no problem. You don't demand that sites that use WebTrends to analyse their logs say so in their privacy policy, do you? It only becomes a problem when the 3rd party trackers are allowed to aggregate the information they collect for their clients, and can resell that information. I would say that it is in the best interests of the collectors to NOT do this if they just want to sell a traffic analysis service.

-Red

Third parties are often not known to the users

[rshah]

Not mentioning third parties who have access to data in privacy policies is old hat. As this CNET Article notes, this is not uncommon. According to the article of August 1999, privacy policies of major sites often fail to mention third party cookies and that this data is available to third parties.

Correction

[msaavedra]

dude, try this:
ipchains -A output -D doubleclick.net -j REJECT

Actually, the -d is supposed to be lowercase. Uppercase -D means delete and can't be used in conjunction with -A.

---------------------------
"The people. Could you patent the sun?"

It's polite to ask

[leftorium]

If a company has such a tracking system on their web site, they should at least have a welcome page that informs the visitor of what's happening. And give the option of going or staying. The info mentioned in this welcome page should include every piece of info that the page is collecting about the visitor. At the very least there should be some place to see what was sent about you.
__________

Re:difference?

[generic-man]

Webcache notwithstanding, just about ANY user of a dial-up network is immune to tracking by IP address just as soon as they disconnect and reconnect. Similarly, some cable modems use DHCP and do not assign static IP addresses. I feel more secure on a dial-up than I do when my computer is left on a high-speed network connection with a static IP. However, the huge speed boost I get from my Ethernet hook-up makes it easy to install things like portsentry and sshd, not to mention ad-blocking software that some Slashdot readers' love so very much.

Outsourcing != third party...

[heech]

First of all, I don't believe for a second this issue can be broken down into a simple analysis of right-wrong. There are definitely fuzzy boundaries here, and quite likely everyone will form their own opinions on whether Coremetrics or their clients are behaving in a moral and proper manner. That said, from the rough description given here, Coremetrics is providing an out-sourced service that seems completely legitimate. I'd also argue that Toysrus and others are completely within their rights to keep this out of their privacy policies, as long as they were not negligent in protecting the privacy they promised their users (and the contractual agreement on data-ownership would seem to suggest that they are not being negligent). If I call up customer service, there is a very high probability that the person answering the phone is provided by an out-sourced phone support agency. Do they need to explain to me that they aren't actually employeed by Foobar.com before taking my credit card order? As long as they're acting as agents of Foobar.com, and as long as Foobar.com has taken reasonable measures to protect my privacy (again, legal restrictions are the best you can ask for), I have no issues with this. Back in the online world... what if your pages are actually being served by Akamai? Are they also a 'third-party' that gets access to your private data? Most likely. What if the web-site is hosted by an ASP (like Loudcloud or Jamcracker)? Clearly they have complete access to your private information at all times as well. What if the databases your data were stored on are backed up using out-sourced storage servers? The privacy policy should clearly indicate all distribution of your personal data to other external parties. Firms that act as agents of a third company in handling your data should be aware that the privacy policy of the parent company (and any other promises made by the parent company) should be considered binding over their behavior as well, but it makes little sense that they must be disclosed to the user as well.

Re:Coremetrics..

[Tower]

FromTheSig: When they said that information wants to be free, they meant free as in speech, not free as in beer.

I just wish somebody would let everybody else know how they calculate credit ratings... the most mysterious system to date. Heck, just ordering a credit report on yourself lowers your rating somehow... Bah!

--

Re:Web Bugs

[Tower]

>No, filter out completely transparent images!

How do you know, until you download them...

>Disable cookies attached to graphic files

This should be an option everywhere... how many images are custom tailored to you, when the html is not?

>Cookies are evil, don't use them

A popular concept on /. - even if it means you have to post AC...

>I only read Slashdot, so what's this gotta do with me?

This one should win hands down...

--

Re:Web Bugs

[Tower]

And here I was just waiting for SSL to work...

Haven't had any stability problems since M12 on NT or Linux (Mandrake through 7.1 - replaced with stock kernel and XFree 4.0)

--

Re:How many?

[Tower]

I especially like it every time they redo my.weather.com... require e-mail, name and address again... I usually just fill in all of those fields from the following sentence:
I filled these out before
(or something similar)

and I place MAILER-DAEMON@weather.com in the e-mail slot, and click all of the 'send me...' buttons...

--

Re:How many?

[Tower]

>Can junkbuster filter out useless 1x1 images completely?

Your browser would have to do that... junkbuster doesn't get the sizing information...

Formatting would be screwed up on a *lot* of pages, if you happened to turn all 1x1s off.

--

Re:Spot the webbug

[dgl]

There is an option in my version of netscape 4.6 and mozilla: Advanced|Cookies and Accept only cookies that get sent back to the orginating server.
This provides a little protection but I think if the sites use JavaScript they can get around it (probally why slashdot use it on their "counter")
It is much better as many people have said to run junkbuster with a good block file or if you use squid there's a brilliant piece of software called squid_redirect that blocks most adverts and web-bugs.

Re:Spot the webbug

[Kronos.]

I've recently been trying out Opera 4, I don't know if it's in other versions but one thing it does do is tell me if a site tries to set a cookie that is not for the same domain as the site and already i have come across countless numbers of these. It's really probably quite simple to implement it to handle other content too although you can already filter out stuff with proxies like muffin which in my view is really where this should be done. My opinion is a browser is a browser.. it implements the w3c standards and dealing with stuff from other sites(banner and such) belongs at the proxy level and not in the browser.

Re:Web bugs on Slashdot?

[Wedman]

But it's the whole "Ah HA! A conspiracy! Just like on the X-FILES! I knew it. I knew it!" appeal that makes that comment interesting

Re:Web bugs on Slashdot?

[Wedman]

If it's for AC tracking, they could just use the logs of the _page_ request

Yeah, you're right, but the Web Bug theory makes everything more interesting and 'l337. My theory appeals to the lowest common denominator, while your theory makes sense. :P

Re:difference?

[CountZer0]

Isn't most of the same kind of information about users kept in such mundane tracking systems as the apache access logs?

Yes, but there is an issue of convenience. We use 1x1 gifs for tracking here for several reasons.

One log entry per pageview. This is the same thing any "hit counter" does, But without wasting bandwidth/annoying the user by displaying the count itself. It is much easier to parse a log file where ALL the data is relevent, instead of parsing an Apache log that lists every file transfered (images, html, etc) With the Apache logs for a single pageview you get many log entries (hundreds if you have a lot of images) Large log, hard to parse, easy to loose the signal due to noise. With the 1x1 gif method, you get one entry per pageview. Easier to parse and generate meaningful statistics.

Seperate logging server than web server. When you get hundreds of thousands of hits a day, it is nice to have a machine dedicated to tracking. So you serve the 1x1 images from that machine. It handles the tracking logs, and you can use it to generate stats, etc and don't have to transfer those huge Apache log files all over the network.

This said, we own all the servers used to serve the images/web-pages and so no data is going anywhere outside our company. Second, we don't add any personal data (or even collect any, we're not an e-commerce site) so all we are tracking is pageviews and click-streams. This way we know what portions of voila.com are getting used and what portions are losing our visitor's attention. This allows us to develop our weak areas with more interesting content, as well as put bigger servers into play to host more popular content, etc...

Coremetrics

[Ennslaver]

I think that web tracking is the next best thing in internet marketing, It is a great idea. How else are these big e-commerce based companys going to know who visits their sites and what their shopping patterns are? These so called 'web bugs' are used by slashdot even today, Interhack doesnt understand the technogoly and they are scared away from it. They call themselfs hackers yet do not understand the basic concept of what privacy really means, Coremetrics does not own the data, they just receive it and proccess it. They clearly state that they cannot sell the information to anyone. I dont see how I would even be effected by this, i know im not going to have marketers call me because of them. I hope that these .com companys will realize what great advantage using coremetrics has in the marketing world to be able to know your customers better.

Re:Coremetrics

[Ennslaver]

Your a moron if you think coremetrics sells your information or gives your information to anyone.

Re:Coremetrics

[ackthpt]

Oh, please... I'm being target left and right because I spend money online (too much, actually!) and that sets me up for all sorts of harassment.

Consider for a moment what is required to send a solicitor to my door or have one phone me. Paying someone for time to pester me, plus the unproductive time between pestering the next victim. Not very efficient. Now, run your data through a few filters and just send your spiffy spam to 20,000 people within one city in the blink of an eye.

It's not so much where it is, but where it's going. I'm already cleaning out 30+ spams a day, and the number from actual businesses is growing.

I'm not about to stop shopping online, but I'd like to not be tracked when I buy plane tickets, theater tickets, Dust Puppy T-shirts, etc. via the net.

It's also a drag to sift through spam when I get home from a trip.

Firewall

[BorgDrone]

What are the IP('s) of the machine('s) used for tracking so I can block them in my firewall ?
Is there a website with lists of servers/IP's hosting webbugs ?
---

Re:Spot the webbug

[belphegore]

Doesn't come from a different domain. Clearly is a web bug though. If a company wants to use web bugs, and is prepared to have someone be inserting them into their HTML, they'll add a DNS entry or two if necessary too.

Emmett Rocks!

[Nitrozac]

Hey, the slashdot and surrounding community are a pretty close-knit bunch. Emmett has been involved in that community longer than he's been at Slashdot.Freaking out over this minor Interhack association is kinda dumb. I think attacking Emmett's journalistic integrity is immature. I, personally really enjoy Emmett's *original* work here on slashdot. I think he brings a lot to slashdot and it's been a much better place since he's been on board.

Rock on, Emmett! Keep up the great work! :)
Your friend,

Re:Emmett Rocks!

[streetlawyer]

Your friend,

See, well fucking done! You just achieved something that "your friend", Emmett "hung like Robert" Plant couldn't quite get it up for! You just gave us .... a "disclaimer". So now, we can take with, shall we say, a grain of shit, your comment that "I think that attacking Emmett's journalistic integrity is immature" ("immature"!, ye fucking gods! Why not just say that you think it's "gay" or "spastic" if you don't have any arguments!). We can tell that, whatever your views on journalistic ethics, you're probably prepared to prostitute them in order to help out your friend.

Now, if you'd dropped in and said "Hi, I'm Nitrozac, I have no connection to Emmett or anything, I'm just a stuck-up internet loudmouth and censorship advocate with a wholly unrealistic view of "geek" culture. I just took time off from simultaneously patronising and demeaning women by calling them "Techno-Talking Babes in my ludicrously unfunny comic to drop over here and tell the world that, in my considered opinion, "freaking out" over a journalist providing free publicity to his cronies without disclosure is "kinda dumb. Now kiss my ass, and tell me how great you think my boots are." --- then that would be kind of dishonest.

And indeed, given that the context is a story about Internet privacy and "Your Rights Online", am I the only one to think that there is something supremely fucking hypocritical about you daring to raise your square head above the parapet, given that you're the proprietor of a bulletin board which is notorious for censoring contrary opinions and logging IP numbers of anyone who sails by? Though, I doubt that either Slashdot or Interhack will be doing an article on that any time soon.

Please feel free to reply here, or contact me by email, or indeed to do anything that will distract you from drawing another episode of that godawful comic, User Friendly. Before you make the obvious response, I'll point out that I don't read the fucking thing, I just think that you have far to many preteen dittoheads, and anything that reduces their numbers makes the world a less shit place. Not necessarily better, just less horribly shit.

In conclusion, fuck yourself.

Re:Coremetrics..

[James_G]

Those that do not wish to be tracked can surely disable it

So you're saying that for every commercial website I go to, I have to work out how they're collecting information about me, who they're sending it to, and work out how to disable it?

Why is that up to me to work out? It's not like they make it easy to opt-out.

Of course, what should really happen is that the default is opt-out, not opt-in. This will never happen though. How many people are going to look at a box that says "Click here to have your privacy invaded" and think "Oooh, I'd better do that, sounds like a greate idea"? That's right, none.

As has been mentioned before, a good start would be more defensive measures on the part of the browser. Wait a while.. I'm sure it will happen..

Re:Spot the webbug

[rkent]

Sure, to "track hits." Towards what end? To say that

1. It's not technically a web bug, and
2. it tracks hits

is not to say it's harmless. I mean, I'm not accusing anyone of any wrongdoing. I was just saying that that particular answer didn't really address the concern that slashdot might be tracking users, too.

Re:Spot the webbug

[rkent]

Well, rather than splitting semantic hairs, I think the point of bringing this up is to ask: what does Slashdot do with those invisible images? This has really nothing to do with whether or not they come from a foreign server. Let's not squabble about whether they're "technically" web bugs or not.

That said, it looks to me like it keeps track of which comments you've read, or what your comment preferences are, or something. If you don't want this tracked, don't accept cookies from slashdot! The site can be viewed perfectly without them, you just have to post as AC. Or, you can accept one lousy cookie when you log in and never ever accept another one.

Slashdot is not out to get you. Or if it, is, it's not trying very hard :)

Self-important web bugs that talk to themselves

[Rares+Marian]

Are you talking to you?
Am I talking to me?

Size...

[WolfTheWerewolf]

Web bugs, per-se, do not have to be 1X1 transparent GIF images. They could very well be some other company's logo, they could be a button, anything. Blocking image grabbing from remote sites would be a good start, though many pages are written to fetch images from afar. I honestly see no useful reason to do so other than to pass some form of information to another site/domain. Browsers or blockers need to have a way to say "No images/pages to be loaded outside of the domain I'm currently viewing."

Yah yah.

Mozilla to the rescue?

[101010]

Wouldn't this be a good nitch opportunity for Mozilla? They could focus on privacy and security in the browser, maybe watching for traffic going off to third party websites. What about a blacklist of websites that could be listed right in the browser settings?

Re:Mozilla to the rescue?

[British]

Good idea but..

1. It's already behind schedule

2. Blacklisting certain companies could get you all sorts of legal harassment from said companies. Look at the whole Cyber Patrol/peacefire thing.

Re:Web Bugs

[passion]

So - who's to stop the use of 1x2 or 2x1, or 2x2 images...?

Re:Protect Yourself

[Hangman+Jim+99]

dude, try this:
ipchains -A output -D doubleclick.net -j REJECT

works a charm.

Re:Who owns the data

[Hangman+Jim+99]

.... but do the companies they're collecting it for have a right to it? What rights do I have to it? It it is being sold, that means it has value.

There have been angencies collection credit information about you since you were born. And I'm sure sure whether you "allowed" to view that either.

My university lecturer turned his computer screen away from me, because it containing my personal information. Perhaps they didn't want me to see comments made about me.

If you and I own a peice of property, and you sell it without my knowledge or consent, and I find out about it, can't I sue for my share?

Well, do you own that property? Really? The "property" here is data. It wasn;t created by you, in fact you might not even know it existed. Perhaps the fact that its data "about" means nothing.

Re:(OT) HTML as design tool

[Aerolith_alpha]

would you REALLY want the entire web to be flash? *SHUDDER*

Re:Web Bugs

[Aerolith_alpha]

i had major and inexplicable problems with layers in netscape 4.7 to the point where i had to abandon the layer approach entirely in order to make it netscape compliant. These days I just say screw netscape and design for IE on my personal sites... I still use netscape on my linux box, but my winblows machine and my mac both have IE on them...

Re:difference?

[Aerolith_alpha]

I agree... we use webtrends on the apache logs here... Its scary but one of the best forms of anonyimity a user has is to be an AOL user. New IP each time?, plus having the webcache keeping some of your http requests from showing up on the server.

Re:Its not surprising this is happening

[Aerolith_alpha]

I would be more worried about corporate america at this point, just because we can actually stop them... I don't know if that is true for all of the recent news about carnivore... I just HOPE we can stop it.

Re:(OT) Use of 1x1 invisi-images

[Aerolith_alpha]

i was thinking that as well with the 1x1 streched, but i have used them at 1x1 before, and as a designer it pisses me off when my pages don't display right... its generally my fault when they dont, but I don't really want/need the extra hassel of another constraint placed on the way i design

Re:difference?

[Aerolith_alpha]

immune from SITE tracking, yes, but not demographic tracking, just because I don't have a consistent IP to track you by, doesn't mean that I can't gather a decent idea of where you are based out of via your IP. Granted with national ISP's this is virtually impossible, but I already stated that when I mentioned AOL.

Re:Web Bugs

[Aerolith_alpha]

instead of just domain checking they could check the IP as well, so that it its not close, they can block it... Maybe take a bit longer to figure a way around that... donno if that would work though, because I don't really know if all servers have close IP's for their domains... the ones that i have dealt with are only 1 number off, like C class stuff, but I dont know if that is the case everywhere.

Re:Web Design Bugs

[Aerolith_alpha]

you said it... Although I am a programmer as well, don't get me wrong on that score... But the client provides all of the content in 99% of the cases that I have worked on. I just make it look perty. And the client has to 'approve' that too...

Re:Coremetrics..

[Aerolith_alpha]

Its actually more detremental to give them fake information than to turn it off... For example, with double click across site tracking, if you enable cookies, then go to a bunch of completely unrelated sites that you would normally never go to, THEN disable cookies, you have built a user profile that is nothing like what you actually do. This is one very small anomaly in a large pool of statistics, but if enough people do it, it could really mess up their data...

Re:I have a real problem with this

[Aerolith_alpha]

It bothers me the most when they have a 'Privacy Policy' that they don't actually follow. If the privacy policy actually states what they do, then there isn't a big issue in my opinion. I recently had to add a privacy policy to a site that I do updates for, and it was complete crap in terms of keeping your stuff private. But they blatantly said that on the site: unless you tell us otherwise, we will call you, send you crap in the mail, and otherwise market the heck out of you... Ya gotta respect honesty

Re:Web Bugs

[Aerolith_alpha]

its not a matter of them using webtrends, its about what the do with the data afterwards, no?

Re:Web Bugs

[Aerolith_alpha]

esp. if it is something like yahoo--most of the images on there are adds anyway besides the main title graphic...

Re:(OT) HTML as design tool

[Aerolith_alpha]

hear hear... I do everything as a mockup in photoshop first to present to the client. Then it takes me anywhere from 4 hours to 2 days to build the pages in HTML/Java/DHTML, etc until i can get it to look and work like my model did. I would almost be tempted to do EVERYTHING in flash, just because its so easy, and it looks JUST LIKE you design it, even scaled, however as a linux user I don't feel the need to force people to use win/mac with flash viewer to see the site. For corporate sites i end up doing a lot of the infamous INTO FLASH, but I dont have much say in that...

Re:Web Bugs

[Aerolith_alpha]

i can tell you dont work in web design at all, nor do you have to deal with clients that have LOGOs. When I am given an image of a client logo that is not alterable because of the whole 'corporate idenity' business, I have to design around it, which sometimes necessitates doing things like small gifs to push the logo over to where it needs to go. Further, sometimes I must make a web page that looks exactly like a Print piece, which is very hard to do consistently between platforms/browsers. As a result I again have to use pixel spacers that wont change in size like an & nbsp ; would to make it happen the way the client wants it.

Re:Web Bugs

[Aerolith_alpha]

As a web designer I am totally against this idea, because I use 1x1 gifs all the time for spacing purposes. I think a better option would be to limit all images on a page to a single server. That way stuff from other server's wouldn't load. This would be a problem when you have images.yourserver.com as well to load balance, but the solution to this would be having all of the images come from a consistent server, so if all the images came from images.yourserver.com, they would be allowed, but the little bug from statmarket would show up as broken... :)

Re:Web Bugs (OT)

[Aerolith_alpha]

better than I could have said it... :)

Re:(OT) Use of 1x1 invisi-images

[Aerolith_alpha]

part of my personal style is to make a table that has an extra cell around the right edge that is only 1 pixel wide to add a border effect. I use a 1px image as a spacer to keep this open. If you don't have anything there, it will show up as blank in netscape, IE handles it okay, but netscape gets all wierd about tables. Yes 'gets all wierd' is a technical industry term... or something. I was a hobbyist myself until I decided to put my resume out there... I am doing compE in school right now though, so this is more or less a temporary thing.

Re:Web Bugs

[Aerolith_alpha]

rooooiiiiight. So when a netscape user comes to the site, it looks like it got mauled by a script kiddie... Once they fix the way netscape handles CSS i will start using it. I already use it on my personal site, but the industry is another matter.

Re:Web Bugs

[Aerolith_alpha]

because its horizontal only... at least in all references i have seen... if not, please let me know.

Re:He has a point

[graniteMonkey]

Take the disclaimers from the previous post, and add this to have mine: I also, not having done any journalism, don't know anything about journalistic integrity, except that it exists.

Could someone add a little commentary about FascDot's suggestion that someone else do the interview? It does sound good to me intuitively, but I don't have the background to say anything more about it.

Re:He has a point

[graniteMonkey]

Oh yeah, another disclaimer: I have no idea who any of the people in this thread are. So no offense to anyone, I just want to know what the issues are.

Re:DoubleClick Ads on Slashdot

[graniteMonkey]

Gonna have to add another amen to that. You definitely haven't accused anyone of anything, and I might sound like I am, but I also just really want to know the answer to this question.

Ethics

[graniteMonkey]

Wow, dude. Thanks for the info.

Again, I've got to say that I don't know anyone involved with this, and I've got to say in the nicest possible way, Emmett(whom I don't know personally), that it sounds like you might want to take a look at that link.

I'm not saying that I think the article is somehow invalidated by the fact that you may know some of the other people involved, but FascDot's suggestion seems like a pretty valid one to me.

Absolutely nothing ... but ...

[rebill]

I want to be able to choose whether or not I am profiled by a company. If you choose to be profiled by the companies you deal with, great! I have philosophical problems with targetted advertising, as it seems to me that potential sales are lost that way - you cannot target someone who has not purchased X, and they can't know that X is for sale until you advertise to them.

The real problem here is that companies like Toys'R'Us are legally bound by the terms and conditions specified on their web site from the instant that someone agrees to their terms by making a purchase.

U.S. contract law requires both parties to act in a manner to minimize the damages once a contract has been broken - the companies that corrected their privacy policies upon notification of a problem are acting within this rule. Mistakes do happen, after all.

The companies who chose to whine that they are not in violation of the terms and conditions are exposiong themselves to sanctions, which is just plain DUMB.

Remove foot from mouth, mr. clueless.

[rakslice]

I assume that, since you appear to have left a valid e-mail address, that post wasn't a troll, so:

It's javascript, not HTML. See the script tags? Next time, get a clue before posting.

Re:What's wrong with user profiling?

[bakreule]

Who who really gives a damn? I usually buy books that have been recommended through word-of-mouth, anyway, who cares what Amazon's computer cooks up for you? Hell, I really don't care about the cookies on my computer - if someone steals my credit card number then it'll show up on the statement and I can get my money back. So what if Maxim ads always always pop up on yahoo sites for me? So I clicked on one, once.

What if they get your social security number?? Do you realize the damage they could do to your credit if they get that #?? And you don't just get your money back if someone uses your credit card. You are still liable under the law for up to $50. And you have to fill out a crap load of paperwork and deal with the CC companies. That's a pain in the ass.

The whole point of people arguing about this stuff is that it has to stop somewhere. If we let the corporations continue with no one to check them, they'll have a complete database filled with your life. Do you really want that? I'm willing to give up some convenience to keep my name off of people's lists.

Of course, a lot of people will say it's already too late.....

Re:Illegal in the UK.

[dingbat_hp]

It's potentially a criminal offence to collect user's CC numbers, post them to alt.warez and bill a bunch of Albanian badger-porn to them. This is unlikely to stop sites collecting CC numbers though.

The DPA is pretty toothless for protecting against privacy issues in today's automated data-capturing environment. It requires some degree of "consent", some requirements on careful storage, and some requirement for the subject's ability to review what is stored. As for defining what's a legitimate business purpose for collecting the data, and what's a gross invasion of privacy, then it's silent. IMHO, we'll never see a general bill of this nature that ever tries to define this issue, unless there's a mechanism (like P3P) that allows the user to negotiate the specifics of privacy with the site, on a per-access basis (and the extent of disclosure permitted thus becomes the subject of a contract).

The DPA 1998 Schedule 2, 2 (b) states one of the conditions for processing to be "necessary"

(b) for the taking of steps at the request of the data subject with a view to entering into a contract.

Any contract-drafting bottom-feeding lawshark can present a retail site such that it's accessed "with a view to entering into a contract".

Re:Protect Yourself

[Cowboy]

I'd really like a list of servers I could manually update, whose cookies would always be rejected. *.doubleclick.net, *.adforce.com ... you get the picture.

iCab 2.1 (get it now at versiontracker.com!), a browser for the Mac OS, does exactly that.

Webfree

[Draoi]

Mac users can selectively block image requests from specific domains using WebFree. It'll also suppress all cookies and crappy <BLINK> tags. Not sure what the Linux equivalent is, but I believe there *is* one ....

Re:Coremetrics.. opting out

[fishie]

"Why is that up to me to work out? It's not like they make it easy to opt-out. "


I couldn't agree more. And to save everyone time, here's the path to opt-out that I found:
Click here to get to their site.
Click on GET THE FACTS on their main page.
Read page and get a little irritated over it.
Find "Please click here to read our complete privacy policy." at the bottom of the page and click it.
Read more about how your privacy is not being invaded. Find "Visit our Opt-out page for more information." at the bottom of the page and click it.
Decide if you really want to get all pissed off or not, thus determining if you should read all of this page. Otherwise, click on "Opt-Out Now," which is this time conveniently located near the top of the page.
Finally make your choice to opt-out on this page. And they do ask you again to confirm this decision. AND they offer you the grand opportunity to opt-in, just in case you accidentally opted-out. How you'd accidentally do that is beyond me, given how many steps it takes to get to the opt-out option!!

Re:Spot the webbug

[cybercuzco]

Youll note however, that that little snippet of code is commented out, and therefore is not run when you load a page.
Heres what it really looks like:
<!--
now = new Date();
tail = now.getTime();
document.write("<IMG SRC='http://images2.slashdot.org/Slashdot/pc.gif?/ comments.pl,");
document.write(tail);
document.write("' WIDTH=1 HEIGHT=1>");
document.write("<IMG SRC='http://images.slashdot.org/pagecount.gif?/com ments.pl,");
document.write(tail);
document.write("' WIDTH=1 HEIGHT=1><BR>");
//-->

I don't think this is a bad thing

[vapour]

So what. Someone knows that you might be interested in their page. Does any one really care about this kind of stuff ? I mean, big deal.

I think sometimes that people care more about the theory of online privacy than the practice.
Okay, we need secure transactions for ob line banking that kind of thing, but as for if someone knows that I like to look at news site, what do they have. An IP. big deal.

Re:What's wrong with user profiling?

[ignorant_newbie]

Amazon, for instance, tracks all of my purchases, and, in return, gives me the only useful product recommendations I've seen on any commercial web site. Other sites could track my reading patterns (within their own site, not across others!) to figure out what types of articles actually interest me so that they can provide better content in the future. They need to plant a cookie on my browser to do that tracking, and they may even benefit from demographic information from me (to see what 20 year-old white males like to read), but they never need to know my real name, address, or phone number. i hate to do this, but i'm gonna have to whip out a Lars quote on this one.

That ultimately is what the biggest beef about this whole thing [is], is that Napster could have so easily avoided this whole thing. It's like, OK, 'It's January, my name is Napster, or I'm Sean, or whoever the CEO was at the time, we have this ervice, we would like to know if you are interested in being part of it.'

-- Lars Amazon does this with your knoweldge, to provide you a service. Toys R Us does this with out the knowledge of little suzy, to provide mattel with a service.

More powerful regexes for junkbuster

[guardian-ct]

# Look for gifs with tracking info tacked on the
# back
/.*\.(gif|jpe?g)\?.*
# Block some adloggers
/.*adlog.pl\?.*

An example of a coremetrics eluminate link is at the end of this comment (taken from www.coremetrics.com). Interesting how it keeps track of everywhere I looked on the site before I looked in the page source... Yes, it really was this long... Perhaps looking for CGIs with 'http' in the middle of the link will do it.

/.*http.*

This may break some other sites, but does seem to work on coremetrics.com.
http://data.coremetrics.com/cgi-bin/eluminate.cg i?pt%3DC%26vn1%3De2.2.8%26vn2%3De2.2.8%26c i%3D22222224%26rf%3Dhttp%253A//www.coremetrics.com /home2.html%26ul%3Dhttp%253A//www.coreme trics.com/asp_model.html%26se%3D%26pn%3DThe%2520AS P%2520Model%26pi%3DThe%2520ASP%2520Model %26cn%3DThe%2520ASP%2520Model%26sc%3DSolution%26ps 1%3D%26ps2%3D%26pn1%3D%26pn2%3D%26a1%3D% 26a2%3D%26a3%3D%26pa%3D%26pc%3DYes%26ts%3Dnull%26t p%3Dnull%26rnd%3D2387440

Radio Shack and Profiling.

[guardian-ct]

Every once in a while, I go in to Radio Shack, having forgotten how annoying they can be.

Went in a few days ago, looked around a bit, grabbed a headphone/microphone combination, and a CD cleaning kit. Total price around $30. Went to the counter.
I said "None of these need batteries" (first clue to the salesman 'I KNOW your pitch')
"What's your last name?"
"I'd rather not say." (Second clue)
"OK... Would you like to get $20 off your purchase today?"
"Err.. What do I have to do to get this?"
"Sign up for sprint long distance service at your house"
"No thanks" (third clue.. you don't stop marketting at me, you're out.)
"Do you have an ISP?"
"Yes"
"Which one is it?"
"Netplex"
"How much do they charge per month?"
clue-by-four:
At that point I stormed out the door, leaving the merchandise (unbought) on the counter.

I tried to opt out of Radio Shack, but the only way to do that is not to go into the store.

Toys'R'Us already stopped using coremetrics.

[guardian-ct]

Check out the graphic nav. on their home page, near the top, right side: "Important information about coremetrics"

According to T'r'us. April 20 through August 2 was how long they used the service, and they don't anymore.

Heh... oops... too powerful

[guardian-ct]

/.*http.*
Breaks much of www.fool.com...
so, add
~fool.com
~bigcharts.com
just after /.*http.*
so that any other blocks further down still
take effect.

Re:Spot the webbug

[mat+catastrophe]

I've seen that, as well. I've always wondered just how innocent those things are....

Re:Coremetrics..

[Lucretius]

I don't see a big deal; These companies decided to outsource their traffic analysis. While the capability surely exists for Coremetrics to track users across websites, a'la Doubleclick, their customers would be terribly pissed.

First of all, I must say that I agree that this has been blown a bit out of proportion, a couple of companies (in their infinite wisdom) forgot to document what was actually going on. The problem here is not the fact that they outsourced their traffic analysis, its the manner in which they did it. Instead of gathering the data themselves and sending to someone to be analyzed (something which I don't think anyone would have a problem with), they had the information sent directly to the 3rd party. This in itself is not a bad thing, however they did not inform the customer of this, thus they have breached the trust between the customer and themselves.

It's always been 'buyer beware'. What is so special about the net that it no longer applies? So the tracking is easier to do, and easier to analyze, and there is more of it, and it is more meaningful; Do you honestly think your bank, the telephone company, and the credit agencies aren't selling your spending habits to marketers?

Again, there is a difference here. Most likely, if you look at the statements that you signed to get your credit card (or the small print on the back of the credit card) you will see something that says the company reserves the right to collect data about your use of the card and it also reserves the right to sell that data to other companies. In this instance it is explicitly stated that this information is being gathered.

However, in this case, customers were not being informed that information was being gathered about them and their spending/surfing habits. While this seems to have just been a mess up in documentation (though there are many conspiracy theories of ToysRus trying to take over the world.... I personally find that very hard to beleive). If the companies had stated somewhere that they were using this company to collect the data, there would have been no uproar.

Re:What's wrong with user profiling?

[great+throwdini]

Amazon, for instance, tracks all of my purchases, and, in return, gives me the only useful product recommendations I've seen on any commercial web site.

I find it funny that the recommendations I receive from the Amazon are nearly useless, if only because they don't seem to keep in mind what I've already purchased *from them* (recommending past purchases time and again) ... then again, I do buy quite a bit from them. :P

One might take the stance that useful services (like the one you point to) might actually demonstrate the benefit of detailed profiling in certain cases. However, I would probably counter that such services should be "opt-in" rather than "opt-out" and openly disclosed, either way.

Yet, the case with Coremetrics is not the same as with the Amazon example offered above (exactly) -- the immediate advantage or interest in Coremetrics tracking appears to rest with the business and not the consumer/visitor. The business wants to track usage to better organize or understand their visitors (and potential consumers) in order to generate more business. This is not as direct a benefit to users as an automated recommendation system. And so, judging from the posts here, today, I can only imagine that certain groups of visitors are less likely to "submit" to such tracking -- if only because the benefit to users is not immediately apparent or altogether intangible.

I think it is the lack of immediate/direct usage of tracking stats that spooks people more than anything else. If the stats aren't being used now (say, feedback in the form of the recommendation system), when will they be used, by whom, and for what purpose?

Seriously off-topic, I know. But I work for a company that carries out direct email marketing, so I guess I've entitled myself to a mini-rant.

Browsers that support image blocking

[MrFancyPants]

I know of at least one browser, iCab for the Mac that allows you to filter images based on several factors: server the image is coming from, path of the url, filename, etc. All of this is customizable, and comes with several known ad companies' domain's blocked out already.
I use it to filter banner ads, but after reading this article, I realize it could also be used to stop WebBugs. The rest of iCab is so-so, BTW. It crashes a lot randomly. Although a new version just came out today (1.2) and I have yet to try it. Anyone want to add this to Netscape? :)
--
I don't follow the pack, but I'll follow a really cute girl.

Re:class action suit filed against Toys R Us

[jallen02]

ToysRus official statement...

This is from someone I know who developed portions of the ToysRus site.

--- Toys "R" Us has a long tradition of customer
trust built over more than 50 years in business.

Toysrus.com does not sell, rent or trade visitor
information to other
parties. Toysrus.com does not disclose customer
information outside of our business; however we have utilized the
services of CoreMetrix for the sole purpose of aggregating customer data such as
visitor traffic patterns and other site usage metrics so that we can better serve our customers. Under
our agreement with CoreMetrix, they are contractually prohibited from using or making such information available to
third parties. This service to help confidentially analyze our data is covered under our
current privacy policy.
---- If you would like more info.... contact Tuesday Uhland at Access 415-904-7070...

Jeremy


If you think education is expensive, try ignornace

Re:Spot the webbug

[jallen02]

Did you even.. READ what jamie just wrote????

He said it was a page counte to track hits...

Jeremy


If you think education is expensive, try ignornace

Re:The can is open, and there is no going back.

[jallen02]

Let's face it. The days of the Internet being a free-for-all are over. Corporations are going to find ways to collect demographic and personal data. Trying to legislate this out of existance is like trying to legislate Napster and Gnutella out of existance: It isn't going to happen.

We all know that this sort of thing is going to happen but when it comes to the wire do you want to be one of those who went down quietly, or do you want to be someone who stood up for something they believed in?

So like 10 years from now when I have no rights to speak of, I will at least feel vindicated I did my absolute best to do something I believed in.. and somewhere to someone that can make all the difference

Jeremy


If you think education is expensive, try ignornace

Re:DoubleClick Ads on Slashdot

[dkh]

Of course it's something you have control over. You refuse to take ads from their servers.

They go with their browser, pick it up and send it to you to put here. No problem, no fuss, no muss.

This really shouldn't be a big deal, your advertisers should realize that a healthy percentage of your readers ignore all doubleclick stuff regardless so its counter productive for them to insist that you serve them from there.

Re:DoubleClick Ads on Slashdot

[fridgepimp]

Ok,

I am posting this in a good faith effort to clarify my position on this issue, and the issue of posting in a public forum in general.

This morning I received an e-mail from Jamie (see, proper spelling this time) summarizing his thoughts on the issue and linking back to his comments on this article. I do appreciate this response and I also appreciate that he is likely a very busy person.

Why I posted publicly:

Well, mainly because I wanted to get an answer. I went about things the right way. I e-mailed someone that could get me the answer I needed. I got some response, but no answer. I waited. And waited.

So, I posted publicly. It tends to be a motivator. Every day on slashdot I read about people waxing philosophical about all of the injustices of the technological world--with privacy concerns at the top of the list.

I then noticed that DoubleClick (one of the largest offenders according to many articles) served ads were showing up on slashdot. Do I know why? Yup. Did I in fact suggest what I thought was happening when I wrote Jamie initially? Yup. Was I right? Yup. Do I yet have an answer to my question? Nope.

The reason these adds are showing up on Slashdot is because a number of people use outsource banner add management to DoubleClick. These people then want to run ads on Slashdot, so Slashdot must pull the ads from DoubleClick. Business is Business.

My question was, and still is, can we expect these adds to perform the tracking they are known to do. Now, you say, what am I afraid of? What personal info is there on slashdot? None, really. I'm not worried that they'll get my nick and my e-mail address. It's all publicly available via my user info page anyway.

The issue for me is the princple. As much as people would like to deny this, publications, online or otherwise, project an image. This image is driven by the editorial staff. This image garners a reputation (good or bad) for the publicatoin. When a marketing decision flies in the face of obvious editorial position, I believe it becomes the obligation of the publication to comment on the activity. I'm glad that they are separate, and I applaud slashdot for the community that it has built. I do believe that as a journalistic organization it still has much maturing to do.

These are of course, my opinions. And I have no reasonable expectation that the Slashdot editors abide by them.

Those are my thoughts. I'll check into the behaivor of the DoubleClick adds myself and I may post the results. I may not. At this point, I have enough of an answer. Privacy is not a priority for Slashdot.

Thanks,

fp

Re:DoubleClick Ads on Slashdot

[fridgepimp]

The only reply I could find was here.

While I DO appreciate the response, It still doesn't answer my basic question which was likely unclear in my initial post(s).

Can we expect these DoubleClick Ads to behave similarly to the ads and DoubleClick systems described in any of these stories?

While the answer may be a resounding maybe, I want to clarify again that my goal is not to "expose" this or anything like that. I really did try to go about it the right way (or I thought so anyway) by emailing the member of the Slashdot Team that appears to be the most concerned about these type of issues. I got some response, but never an answer. I'm a full disclosure kind of guy, and I believe wild speculation is a waste of my time. Notice that I never accused anyone of anything underhanded, I just asked a question. Sometimes, as we've all read, posting in a public forum is the only way to get an answer.

Thanks

-fp

Re:DoubleClick Ads on Slashdot

[fridgepimp]

So I'm a troll? Why? Because I'm curious about this?

Jaime and I exchanged like 4 e-mails on the subject, and then, all of a sudden, he wouldn't get back to me. I realize that people are busy, but it seems odd when they can respond as quickly as he initially did, and then just stop all at once.

My e-mail address is valid, so if anybody wants to shed some light on this, it'd be great.

My respect for slashdot diminishes daily.

-fp

Re:DoubleClick Ads on Slashdot

[fridgepimp]

I apologize for my spelling. Many of the main page articles suffer the spelling problems once in a while :-).

Again, as I've posted now i think 3 times (both in this SID and one other) that I don't take it personally, I'm just looking for an answer. Sure I figure he's busy. I'm busy. Do I think I fell to the bottom of the priority list? Sure. I bet I did. Does that offend me? Not really, but it in no way changes my need/desire for an answer.

I admire your readiness to defend him, but no one is being attacked (save possibly myself). I'm just looking for answers to questions. Ya'll are about the only people I know of to ask.

Anyway, I'm sorry if I made it seem like I' m pissed. I realize that my last comment may suggest that, but I believe that I can lose my respect for the decisions made by Andover (to carry double-click ads in particular...which even Mr. Bates admits is lamentable) without calling it complete crap.

Life's about trade-offs and so the organization trades my respect to make money. That's ok, to each their own. It only becomes a problem when that balance is so upset that there are no more customers.

I'm flattered that you find my input on the issue worth your effort.

Again, sorry for mangling the name.

-fp

Re:Spot the webbug

[Anomalous+Canard]

Please note that all these images come from slashdot's own servers.

We as users have no way of knowing if images2.slashdot.org is your server or an ad.doubleclick.net server added to your DNS entries. Now I, a trusting soul, trust /. more than, say the NY Times or any other random provider, but you have to admit that the user has no way of telling who is tracking them. "Same domain" dosn't mean anything more than coming from the same DNS server. It dosn't tell me that the server is under the administrative control of the domain holder. Hell, murphy.dialup.[redacted].net is administered by me, not by my ISP.

I'm glad that I don't allow Javascript to run on Slashdot or on any other site.

--
Anomalous: deviating from what is usual, normal, or expected

Re:Web Bugs

[homer_ca]

Mozilla already tried it in an earlier version, but they abandoned it because it breaks so many sites. Many sites serve out images from akamaitech for load balancing purposes, and Yahoo loads images, both ads and content, from their yimg.com domain.

Oh well, back to playing whack-a-mole with my junkbuster blockfile.

I have a real problem with this

[Docrates]

First off, even if ToysRus discloses in their privacy policy that they use coremetrics, and even if ToysRus has a contract with coremetrics that prohibits coremetrics to use my information, if they actually do use it in some illegal form (or in any way that affects me), i haven't signed or approved any kind of contract between myself and coremetrics, meaning that the use of my information is regulated only by a contract between two parties, leaving me out of the picture. so coremetrics sells my info to a terrorist group. i sue ToysRUs (with whom i have an agreement) and they state that I agreed to a policy that allows them to give the info to coremetrics. then i sue coremetrics and they can just claim that they i never agreed to anything with them so... (this probably won't work in the US, but if it's a web server hosted in a country where laws in these issues aren'good enough...)

Also, if i've signed one privacy policy on a web site (and thus agree to use the site on their terms), and suddenly they "add" the fact that coremetrics is now involved, and i never get to re-sign the agreement, just by visiting the website my personal information would be compromised without me ever knowing.

i don't like it one bit.

Re:Web Bugs

[beebware]

But what about 'single pixel spacers' - usually used just to enable tables to render correctly. Sometimes height=1 width=600 (or whatever) is used for 'drawing lines', but single's do have their own good purposes...
Richy C.
--

Re:Web bugs on Slashdot?

[beebware]

If it's for AC tracking, they could just use the logs of the _page_ request which would be a lot more honest than image requests (ie 'no graphics' people will also be tracked).
It's probably for statistical purposes, but how it copes with cache's I'm not sure (and I don't care enough to look at the HTTP header for a Pragma: no-cache statment).

Richy C.
--

Re:Web Bugs

[BloodyStupidJohnson]

In iCab for the macintosh you can filter images by size and by server. If an ad gets through, just right-click on it and tell iCab to filter images of that size or from that server or both. It is VERY handy. All web browsers should have that feature.

Re:What's wrong with user profiling?

[Klync]

I'm glad that JWZ likes profiling, because there certainly is a lot of it out there! My video shop has a profile on me too: Tim (the video shop owner) often stops to talk to me as he's walking his dog up our street. He keeps his profile of me in his head, which is where I keep my profile of him! As for the execs in California/New York/Ft. Mead... I'd rather not have them profiling me.

Really, the problem isn't the profiling per se, but that it's done without my full knowledge of the extent and purpose. If Congress wants to do something useful, they should make that illegal, at least. I let Slashdot carry a profile on me... even though I've never met Rob or anyone else who has access to it (anyone!). But, it's my choice to do so. I trust slashdot (at least so far) to filter their news for me, but I don't want CNN or Micro$oft deciding which news I should see, because they have completely different purposes.

Oh, and albamuth says:

The young, hip adults designing advertisements aren't publishing propaganda for some ideological purpose; they're using their imagination and creativity to drive capitalism - that's their job.

Guess what? Capitalism is an ideology -- and it's not mine! You think that you and I are all immune to advertising. Consider that over 75% of drivers rate themselves as "above average"! Personally, I don't believe that a more efficient market is necessarily good for society. After all, everyone thought that the computer revolution would increase productivity so much that no one would have to work more than 30 hours a week; yet, we're all putting in 60 hours, and seem even worse off than before (unless you're a controlling shareholder).

I could go on, and on, but I'll leave it here: deception is bad.

Re:Spot the webbug

[_xeno_]

I'm glad that I don't allow Javascript to run on Slashdot or on any other site.

The JavaScript is basically irrelavent - it just determines the time the client read it as opposed to the time the server read it. If you have JavaScript disabled, then the same image is used, this time created through a set of <NOSCRIPT> tags. The ONLY difference is that the numbers generated in this case are generated server-side, not client-side. You might wanna try blocking images2.slashdot.org instead. (In the case of Mozilla, bring up the context menu for the image, and choose Block Image from Loading and all adds will be gone. Eventually they may allow you to add sites manually, but for the time being, it works. Assuming you can find the 1 pixel...)

Also: Spyware from RealNetworks

[gauron23]

Real Player/Jukebox comes with spyware that reports back all downloaded files. See here for more details.

Re:Spot the webbug

[abe1x]

iCab does one better and letter you automatically block all cookies not sent by the server hosting the page you are visiting. Mac only though.

'Meaningful' info?

[PopeAlien]

So the tracking is easier to do, and easier to analyze, and there is more of it, and it is more meaningful; Do you honestly think your bank, the telephone company, and the credit agencies aren't selling your spending habits to marketers?

That concerns me much more than online tracking - I need to give accurate personal info to the Credit Card companies, I have no real reason to give accurate personal info online. So just because the tracking is easy online, and there is more info, I hardly think that means it is more meaningfull..

I know this is the kind of thing that is impossible to determine, but I'm curious what the percentage of online info given (filled out forms etc) is accurate or usefull. I'm sure slashdot readers have a higher percentage of not giving personal info online, but of overall web-users (that constant stream of newbies), how many feel the need to give true personal info when asked by some market-droid site looking for that big info-goldrush?

As far as super-market cards go, some of the names I have them registered under are:

1. Don T. Botherme

1. Anita Prawduct

1. I.M. Shawpin

1. Lee Vamealone

preventing tracking and the benefits of tracking

[twistedfuck]

Not downloading images of certain size is a stupid suggestion and would make lots of web designers and monkeys look incompetent. Another browser feature that might work, would be to only allow the components of a page to be downloaded from the same domain. That way only the people that publish the site get the data, what they do with it from then on is another story. But this would help put DoubleClick out of business. It would also fuck with people in the media buy business as most banners send stats to the people who are paying for the space, which brings me to my next point. The statistics collected on the web help pay for the web and its development. Statisitcs are used to decide on budgets, gathering investment and understanding where a site is doing things right and where its not. These are necessary evils if we want to encourage the development of the web. Server logs often don't provide enough of this information, unless you have extended your logging to be able track users across multiple visits.

I'll tell you whats wrong....

[photozz]

Lets try this, a murder is commited, the police can't find the killer, but they know he used a .22 pistol. unable to find any recent purchases through gun stores, they supena information from WEBTRACK1 (fictional) about everyone in a geographical area that has been looking at websites on murder guns, police,....ect... armed with this information they issue a search warant for your home. Scary? I think so.

Re:Spot the webbug

[ZoneGray]

All these replies are about cookie handling. And those are good features, but...

The real problem with web bugs is that they don't really need cookies to learn something about you. Just the fact that you hit the page, and load an image that causes a hit on another server, can be a problem.

For example, an embedded image in an HTML e-mail message can act as a read receipt. A bunch of sequential hits from the same IP address can be associated, and if one of the sites provides your cookie info to the bug company, then it doesn't matter if the others send out cookies or not.

Again, the only real protection would be if your browser warned that the page you're loading consists of content from multiple domains.

Re:Spot the webbug

[ZoneGray]

Seems like it would be easy enough for a browser to implement a feature that warns if a page is loading content from multiple domains.

If they wanted to get really fancy, they'd let the user accumulate an "okay" list and a "don't load from multiple domains" list.

Re:What kind of encryption?

[DrTomorrow]

Thank you moderator, you finally got one right.

fame, of a sort, I suppose

[streetlawyer]

I posted that troll, to a thread about Napster-alikes, yesterday. In context, it was quite funny and satirical, I thought. In a completely irrelevant thread, it becomes spam.

Stop using my copyrighted material. Slashdot is not an anonymous network, the content provided above is very clearly owned by me, and you're misusing it.

Re:What's wrong with user profiling?

[baka_boy]

Voluntary profiling can lead to better customer service. Just like in the standard world of retail, where a salesperson who knows you, or knows the right questions to ask, can pick out products that you might like more effectively than someone who knows nothing about you.

However, most sites give you no opt-out, other than disabling JavaScript or cookies, which often renders them unusable. That's like a retail store that refuses to let anyone shop there who doesn't want their height, weight, favorite color, and home town recorded at the point of sale.

Re:Web Bugs

[the+coose]

Actually, I've found that it is IE, not Netscape, that seems to have issues with CSS. I set up a class for div to have left and right margins of 5%. Within that I placed an img that was much longer than the body's width but was relying on the div to stop it from running off the right. This worked fine in Netscape 4.7, but IE 5.0 ignored the div's right margin of 5% and used the img's default size instead. Same thing with container elements and tables. Yeah, it's easy to workaround but just kind of annoying...

Re:(OT) HTML as design tool

[MrBogus]

Eventually: it will either be Flash, W3C DHTML + Time extentions + SVG, Microsoft PPT format. Think TV. (Yes, I'm a cynical coot.)

Re:(OT) HTML as design tool

[MrBogus]

Actually, I wish folks like you would just recommend Flash or PDF to clients that want 'printed output'-like pages. Then we can get the HTML back nice and simple, and it will be easier for me to add dynamic content to pages that aren't junked up with nested tables and spacer gifs.

Of course, this could backfire, and next thing you know I'd be writing a database backend to a Flash application.

Re:Web Bugs

[PollMastah]

Let's find out what people think about the various alternatives:

Poll: which of the following is the best solution?

1. Filter out all 1x1 gif's!
2. No, filter out all gif's 2x2 or smaller!
3. No, filter out completely transparent images!
4. Only allow images from the same domain as the page
5. Disable cookies attached to graphic files
6. Cookies are evil, don't use them
7. Who cares if they track my personal info?? They're the ones wasting money and resources sending me junk mail which *plonk*s into the killfile anyway!
8. I only read Slashdot, so what's this gotta do with me?

Re:Legitimate use of a 1x1 GIF

[uriyan]

> If not you could use an index.cgi
In most of the cases, CGI files and HTML pages are on different directories on the server (sometimes even on different servers). Using a .cgi instead would recquire lots of time redoing the links (including links from external sites). It's not such a good idea.
1x1 pixel GIFs were originated in the time when Netscape collapsed empty table cells (<tr></tr>). It messed the layout, so something had to be put inside. Transparent or small GIFs were convenient for this. Later on &nbsp; was introduced for forcing a space as a new character, but in some places it was too difficult to get the GIFs out.
The CGI use is also quite common. It is convenient and simple. I used it for a while in a counter (yes, with a cookie). I don't think that blocking such images will be a good idea.

Re:Forcefeeding and poisoning the cookies

[chrome+koran]

i'm glad to hear someone else is doing this besides me...i go through the cookies about once a week and change numbers, dates and even urls around to fuck up their tracking data...if enough people started doing this, it would all be worthless :-)

Guru.com also a partner for Coremetric!!!

[cOdEgUru]

I found Guru.com to be in the Coremetric partner page, however Guru.com doesnt mention Coremetric at all at their Privacy page. However they do mention DoubleClick, but no mention is made to their partnership with Coremetric or the notorious invisible gifs that might be splattered across their pages.

Someone has to make a stand. We are not mere eyeballs meant to be captured and targeted. I have found these invisible gifs in the huge amount of junk emails that I receive in my hotmail account. I wish Icould just reach in and just wring that stupid's neck who sent it to me. But thanks to the preliminary screening for emails targeted to me through the Bcc option, I atleast dont have them on my inbox. Nowadays I dont even open them, I just block their addresses and move them to the trash can. Regardless of that, I still get around 10 junk emails per day.

The Govt should stop pursuing small time companies like napster and 2600.org and start concentrating on these firms who dont give a dick about privacy and sell individuals like commodities with no qualms about their rights.

Opt Out

[sonnerbob]

WebVeil added Coremetrics to its opt out list soon after the story broke (though incorrectly listing them as an ad network ala' Doubleclick). If you don't block cookies or filter third party cookies, but such tracking worries you...get all the opt out cookies in one fell swoop.

Re:(OT) Use of 1x1 invisi-images

[jphillip]

A useful trick used in the webcomics world (and could be used in any image archive) is to load a comic image in a 1x1 IMG in order to cache it.

So say you're reading through some archived pages on a site. While you're reading July 24's comic, the one for July 25 is loading into a 1x1 pixel down in the corner. Click the "Next" button to go to July 25's page, and boom, the comic is loaded directly from the cache. And while you read that one, July 26's is loading quietly in the corner.

Granted, the images aren't originally 1x1, but are merely shrunk to that size. Plus, the traditional usage seems to take a 1x1 transparent GIF and stretch it to larger sizes for layout purposes. So maybe 1x1 images which are specified to display 1x1 could be filtered. It'd break *some* pages, but not nearly as many.

Re:(OT) Use of 1x1 invisi-images

[jphillip]

I *thought* I had seen some bastardized HTML tag which achieved the same effect as a 1x1 transparent GIF... the SPACER tag. Introduced in Netscape 3. I can only assume that IE doesn't support this, and that CSS makes the whole thing moot anyway. But if that can eliminate the need for 1x1 transparent GIFs for layout, then we can safely block such.

Boycotting

[Lepidoptera]

I think that enough people care about this kind of bigbrotherhood that a blacklist would be really effective.

Someone needs to set up a web site with a list of "safe" and "unsafe" sites, with details on how the "unsafe" sites violated privacy. The maintainer of the site would notify companies of their status. Perhaps it would be most effective if it used a slashdot-type setup with moderated contributions. Does such a site exist?

This seems like the kind of thing that a functional government would have set up long ago, but perhaps that would be a case of the fox guarding the henhouse.

Re:Spot the webbug

[ichimunki]

Unless I seriously misunderstand this, the placement of these small GIFs on the web page gives the GIF server no information that is not in your typical HTTP header. In the Slashdot case, both the page server and the "non-bug" server belong to Slashdot. What this provides them is no more or less than they already have. What it might provide is the ability to turn off some logging on a busier server and turn that duty over to a less busy server (i.e. the one that exists only to pump out single pixel GIFs). This is also useful if you have multiple servers doing the bulk of the work, and would like to track usage centrally. This way the bug-server gets a unified sense of all visits, while the page-server is able to distribute the load as needed without worrying about discontinuous visit information. Simply put, this is the most efficient way to track this. They could theoretically track it 100 other ways, but I can't think of a way that improves on this technique.

I think the Slashdot usage is not only understandable, but acceptable. However, I think the undisclosed gathering of even this readily available HTTP header information, where the bug URL is not in the same domain as the referring page is as objectionable as using banners to enable cookies from a single domain to be activated by what appears to be a completely separate. It's a tradeoff, since they get only HTTP header information out of the deal, they get less information, but there is also no way to turn off these GIFs, like there is with cookies. Well, yeah, you could use Lynx. *smirk*

Re:DoubleClick Ads on Slashdot

[java_sucks]

Amen to that my brother

I'm guessing that the sales department might be seperate from the geek department at slashdot. Once you are part of a larger company these type of thigs can happen. It's kind of sad really... maybe they just need to get together and have a big ol meeting so they can discuss why they don't want to sell ads to anyone who uses doubleclick..

Bun in the meantime just make sure you have your junkbuster proxy configured and running. The sad thing is that /. is only hurting themseves by running the doubleclick ads as many of there readers are pretty vocal about the fact that they block those from there machines.

...

[Fist+Prost]

time to use that Mosaic emulator! At any rate Someone ought to put this one feature into mosaic:block any images below certain size.

Cookie tricks

[jawtheshark]

Cool! I'd never think of such a trick....is there a similar trick under Winblows (using Netscape)?
Right now I automatically delete the cookie.txt file at bootup (Dayly bootup anyay), but I'm not sure if it works well: for example I always have to log *twice* into /.
I've read the read-only trick too, I'm going to try that but I'd appreciate other solutions.

Re:Web Bugs

[Ranalou]

Someone should write an option into Mozilla or it's ilk to NOT LOAD any image with a height and width of 1. That would stop the web bugging industry at least for a little while, don't you think?

Or, more to the point, since a 1x2 transparent image would do the job just as well- examine the image. If the entire image is transparent (possibly, even if it's all the same color) then drop it.

By the time you've examined the image, however, you've already downloaded it. Part of the damage, at least, is already done.

You could, however, highlight the web bug and bring it to the attention of the user, where they might be able to in their browser, in their favorite proxy, or even in their firewall establish that either this particular bug, or bugs with similar URLs should never be downloaded again. This would help to defeat some data correlation, helping to minimize the damage.

For extra credit, one might set up an RBS-like database that could be trusted to serve as a source of web bugs that exist, and a plugin or modification to browsers to help keep others from downloading them. That's a full-scale effort, however, and probably far less practical.

got it! :-)

[ida_no]

mozilla's options for images: accept all images accept images that come from the originating server only do not load any images ask me before downloading an image personally I usually don't load any images.

Web-Bug filtering

[eagle_grinder]

I doubt adding the ability to filter out gifs of height and width of 1 will do anything. They'll just bump their images sizes up. What we need is a browser option that will disable 3rd party content.

When I create a web site, pretty much all the media I use is centralized. Either it's all on one box in an organized directory structure(/images, /flash, etc), or it's on separate machines on the same subnet.

Someone should write a utility that ignores any reference on a website to an ouside server. I mean, if you're visiting www.blitheringfool.com (123.45.67.89), it should be easy to filter out a gif being loaded from www.maliciousAdAgency.com (243.20.43.219).

Come to think of it... I'm not doing anything productive right now... I think I'll write it myself...

Coremetrics Clientelle

[Lechter]

Has anyone gotten a hold of a list of Coremetrics clients, and checked to see what they're doing with this service? It would be nice to see a general site with information listing of e-businesses that take this sort of private info, highlighting those business that don't disclose the fact that they are doing so. That way we would know perhaps to boycott them, since legislating, and catching this sort of thing is probably really difficult. Does anyone know of such a site?

Re:What's wrong with user profiling?

[KevinMS]

That spam problem is curable, just use sneakemail, and at the same time you dont have to be paranoid about privacy if you dont want to. Its basically a "no abuse" contract between a e-business and an e-customer. (sorry about those "e-'s")

OSU rulz!!

[skinnymofo]

Matt Curtin representin' the big 'O' !!

Re:Web Bugs

[skoda]

I was going to say that might not be a good idea since it would destroy the layout of many web sites and negatively affect others. Then I realized that the use of 1x1 images is probably pretty low (since they're normally 'stretched' when used as page layout devices) So, yeah, you've got a decent idea there :)

But I wonder if there's a way to filter on the the contents of the SRC tag value, and avoiding the minor risk of upsetting someone's page layout.

(OT) Use of 1x1 invisi-images

[skoda]

As an amateur (hobbyist) web designer, I'm wondering what you use 1x1 images for. In my very limited experience, they're handy when stretched to various sizes, but I haven't seen a need (yet) for a one pixel offset. So can you give a pointer or two on the secrets of web design? :) My attempts at HTML coding can be seen at fischer_dj.tripod.com.

(OT) HTML as design tool

[skoda]

juniorbird & Aerolith_alpha have given some excellent comments on this. But there is another issue that is raised by your point. "HTML is a logical markup language where the client (not the server) makes formatting decisions. " That is exactly right! Which is why HTML is really the wrong language to be using for today's web design purposes. The original intent of HTML, if I understand correctly, was to provide a method for describing the abstract format of the content, and then allow the viewer to format that content according to his desires. Want BIG BOLD headlines? Got it. Want small italic body text? No problem. Want everything mono-space fonts? Can do. The problem is that that is not a good way to present most information, nor is it generally desireable. Further, companies (and many users) want you to see their information in a very specific way, and don't want you mucking around with it. Pepsi wants you to see their blue cans blue, not mauve with pink polka dots. IBM wants their computer specs presented with a certain combination of fonts, sizes, and images they think is most enticing to a potential buyer. They don't want you to fool around with their formatting and maybe make something less enticing to yourself. And so on. What web designers want to do is page layout! Not logical formatting. The thing is, HTML sucks as a page layout device. That's not what it's meant to do, but that's what we use it for. Which is why web designers (even the finger-painting equivalent of designers, like me) do un-natural and perverse things with 1x1 invisi-gifs; so we can get things to right. As Murphy said, when all you have is a hammer, everything looks like a nail.

Re:difference?

[closedpegasus]

So, web bugs are certainly not any more evil than other methods of tracking, and in fact they make things load quicker for the user. Whats the big uproar? Web bugs don't gather any more information than the company already knew about you anyway. I think it's a pretty ingenious way of doing things.

Re:preventing tracking and the benefits of trackin

[mobius+caduceus]

That would completely eliminate one of the best parts of the internet: reusability. By only allowing files served from the current server, you prevent links to remote scripts, images, and content(think headlines). Everything would have to be hosted locally, leading to redundancy, broken links, and bloat.I agree completely that banning 1x1 gifs would be a far worse choice, but there are certainly better solutions.

Quit Touching Me!

[Nanookanano]

A cookie aint nothin but a virus with a badge.

Re:Web Bugs

[Expecting+Rain]

Someone should write an option into Mozilla to get it to load web pages without crashing my computer in the process. They could put a little checkbox in the Preferences that says "Crash Computer Frequently." If you don't want it to do that, you could simply uncheck the box. *That* would be a useful feature.

Re:Did anyone say...

[ackthpt]

Let's see... My marketing research on this thread reveals:

One with an interest in fishing.

One probable catholic

One mind raped and pilaged by Madison Ave.

I wonder how much this data is worth to the right bidder...

got rights?

[ackthpt]

The fact that I'm receiving spam targetted at me suggests the tip of the iceberg begins with the lifting of my email address. The bottom of the ice berg is the buying and selling of info about me among enterprises. I've had a number of pre-approved credit card apps appear in the mail for the last 20 years and a congress which refuses to pass progressive legislation utterly barring solicitors from phoning me (free speech my a**).

I prefer to exercise the right to privacy. Before *anyone* may solicit me, or share info on me, they *must* seek my permission first. Without it, they are tresspassing.

Re:Web Bugs (OT: 1x1 spacing = NOT insightful)

[bald+anders]

WTF is so hard to understand about Hyper *Text* Markup Language? You can't design HTML, period. So you either use Cascading Style Sheets and hassle the browser-vendors for not implementing it right, or you leave it. Text is about content, style is about design. And remember to give all images alt-tags. I feel sorry for the braille or lynx users who (don't!) have to wade through 300 spacers with a little text scattered about.

As I said to a friend: Websites that rely heavily on design or JavaShit are often lacking content and thus not worth visiting. Web-designers who *rely* on graphical capabilities on the client side aren't.

But I never rant without giving a tip: Close your Frontpage Express, download the [X]HTML/CSS-spec from w3c.org, and at least read the intro. Then, with your favorite text-editor, hand-craft an HTML-file. At least for me, this was a truly enlightening experience. (Don't bother with CSS2 yet, support sucks.)

Similarities

[TJamieson]

The whole webbug thing seems similar to software cracking to me, in a way.
Here's what I mean:

A program comes out, has a "Enter Serial to Register" function. Someone dupes it. Author learns of this, fixes it, releases new version. Sure enough, new version is defeated as well.

Now the Webbug side of it:
It was proposed to make browsers more defensive. But would that really solve anything? Just as the developer tried to make his software more defensive it was still defeated.

My point is this:
No matter what, some 'webbugging' is always going to find a way to track (or try and track) everyone and what they do.

Re:Similarities

[Jerf]

You have an interesting point, but it's backwards.

In the end, it comes down to "What information can the advertiser extract from the HTTP request to identify me?" This is why things like Junkbuster obfuscate as much of the request as technically possible, including User-Agent.

When it boils down to it, we don't have to send them anything more then "send me this page". The only other identifiers we must leave behind are the IP address we are recieving at, obfuscatable with a proxy server.

At this point, the only choice the advertisers will have is to either grant us service, or deny us service, despite the inability to tell who are. If we feed them nothing, they can't pull the information out of the air.

Denying us service is not likely, either; advertising knowlege is nothing compared to actual profit obtained from a purchased item.

We don't have to put up with this. When Mozilla comes out, there's a few patches I want to make (like completely blocking the "onclose" event from firing)... maybe a few other hackers making a few other security patches can nail down that browser well enough for actual use. (Block 3rd party cookies, strip out some useless HTTP header information, and put some sandbox-style warnings into other parts of Javascript (like form submission) and you're a lot of the way there... it'd mostly be a matter of selectively removing features, which is usually not so hard :-) )

Re:Its not surprising this is happening

[alex_white]

Surely since these privacy statements on webites using data gathering services (or any website, for that matter) is supposed to be a legal document, then can't these people be held legally responsible for having a misleading statement? Or breach of "contract"? (IANAL)

Yet another reason....

[droma]

Yet another reason to use programs like Junkbuster. It's not everything you should use for secure surfing, but it's a start.

Re:Yet another reason....

[droma]

Yes I do.
Since there is no such thing as a 100% safe and secure internet. I'd suggest not surfing at all. ;)
Laters, droma

Black List for cookies

[Mnemia]

Does anyone know if there is anyone trying to create an RBL-style list for cookies instead of spam?

Don't we give up our data everyday?

[ReefrBaby]

Online companies and brick & mortar stores have been collecting info about us for years. This doesn't seem to be any different EXCEPT for the fact that this information ISN'T being sold by the company (Coremetrics). While I think Toys-R-Us should have followed recommended procedure and commented about Coremetrics in their privacy statement, that is their responsibility not the responsibility of the site providing the service to them. Here's what I don' get: When we walk into a Radio Shack and they ask for our name and address, they pull up a whole page of info on us. (Things we have bought in the past...address, etc..) We pay with credit cards and all of our purchases are tracked by the credit card agency. They ALSO have our name, address, etc... You don't think that they SELL this stuff? Right. We buy from Amazon and they try to recommend new purchases based on purchases made in the past. This type or demographic information is nothing new to business, it's just refined for today's technology. Don't be scared of Toys-R-Us stalking you and your children, or Coremetrics, finding out where you live. Be scared of digital fingerprints on driver's licenses, random drug tests, and abuse of power by the local police. My $.02

Legitimate use of a 1x1 GIF

I've been using a 1x1 transparent GIF for 18 months, but not for spacing. I use it to trigger a CGI program when the index.html home page is loaded. The purpose of this CGI program is to rotate the cartoon and other eye candy on the page, so that a reload gives a new look. After its work is done, the CGI program spits out a one-pixel transparent GIF just to keep the http server and the browser from being too disappointed at not getting what it is expecting.

Yes, caches do screw up the system. To fool the caches, the next index.html page that is written by the CGI program puts in the IMG SRC for the GIF with a PATH_INFO after the name of the program that spits out the GIF. This PATH_INFO consists solely of the process ID number. Cache servers think it's an entirely new link and go out to fetch it, but our http server ignores the extra path info and loads the same program. You also need all the standard NO-CACHE headers in the html page, of course.

You can do all sorts of things in this CGI program. The point is that in order to get a straight html page to also activate a program automatically whenever it is loaded, you have to use something like a IMG SRC. Otherwise you have to resort to Java or something similar, which has a huge amount of overhead associated with it.

Re:Legitimate use of a 1x1 GIF

[Chester+K]

I've been using a 1x1 transparent GIF for 18 months, but not for spacing. I use it to trigger a CGI program when the index.html home page is loaded. The purpose of this CGI program is to rotate the cartoon and other eye candy on the page, so that a reload gives a new look. After its work is done, the CGI program spits out a one-pixel transparent GIF just to keep the http server and the browser from being too disappointed at not getting what it is expecting.
The point is that in order to get a straight html page to also activate a program automatically whenever it is loaded, you have to use something like a IMG SRC.

Wouldn't you be better off in that case just executing your maintenance script via SSI, rather than relying on a seperate web request from the client?
Something like
<!--#include virtual="updatemainpage.cgi" -->
would do the same thing, and not rely on the client. Assuming, of course, your server can do SSI. If not, you could use an index.cgi instead of index.html, just have it dump out the page, then do the maintenance as part of that request. It'd save you on network traffic too.

Using a 1x1 IMG to do it is one solution, but it's not by any means, the only solution.

Re:DoubleClick Ads on Slashdot

[Clifton+Wood]

This MAY be because of the fact that Jamie (please not the PROPER spelling, guy) is busy as hell working on other projects in addition to Slashdot. But that may not have occured to you, did it?

BTW - Several people have answered your question in this SID, please read them and quit thinking that everything is a personal attack against you. People will take you more seriously that way.

- Cliff

Re:Web Bugs

[Phroggy]

I was going to say that might not be a good idea since it would destroy the layout of many web sites and negatively affect others. Then I realized that the use of 1x1 images is probably pretty low (since they're normally 'stretched' when used as page layout devices) So, yeah, you've got a decent idea there :)

You'd be surprised. One of the reasons I use 1x1 transparent GIFs is, say I've got a table, and one cell has a background, but no foreground text or graphics - just a background color, or repeating background pattern, and I'm using this cell (probably not very big) for layout and design purposes, because there's no other way to do it. Well, if I don't include that 1x1 GIF, then the browser thinks the table cell is empty and won't render it at all (so I don't get my background). This is remarkably annoying. I used to use &nbsp; instead, but then I started doing these with really small areas where a whole &nbsp; wouldn't fit, so I've switched to 1x1 GIFs. For an example of what I'm talking about, check out my home page.

--

Re:Web Bugs

[arivanov]

No it will not. They will simply use transparent gifs. Which is just the same. And it is not just gif as PNG also has transparency channel.

Re:How many?

[arivanov]

First: you are referring to the Slashdot crowd. For example I am sufficiently paranoid to put my old address or my company address on warranty cards and other stuff like this when I buy personal kit so my snail mail address does not get out. But this is me. Joe average random luser puts his personal information. Both in a conventional store and online

Second: correlation analysis is a great thing and statistics is a great science. If there is enough information and the criteria for filtering bogus data are well defined it can be filtered and your real you to show up.

Re: or...give them MORE.

[FPhlyer]

Okay. But how many supermarkets are willing to sell information about you to product manufacturers? "The holder of Credit Card 4000500060007000 purchased your product five times over the course of four months."

You won't be sending a little robot to the local store anytime soon, and it is a lot easier to track you down that way then it is via the web.

But you are right. Writing your little robot would be the /correct/ response to this invasion of privacy. Writing a browser plug-in to reject such bits of information would be another.

Legislating it out of existance or banning it /would not/ be the correct form of action. I see way too many people who would look at this type of thing as "something that should be regulated" and yet those same person's take offense at the government regulating Napster.

The internet has a way of policing itself. If we keep the government from interfering, than this kind of intrusion will meet it's own extinction at the hands of people like you. People who will write software that makes their software obsolete.

Re:Web Bugs

[Sloppy]

As a web designer I am totally against this idea, because I use 1x1 gifs all the time for spacing purposes.

That doesn't make sense. The web uses HTML, and HTML is a logical markup language where the client (not the server) makes formatting decisions. Why would a "web designer" ever need to micromanage such detailed issues as spacing?

---

Re:Spot the webbug

[jfrisby]

That's an HTML comment, not a JavaScript comment. It is there for browsers that don't understand JavaScript, so they wont display it to users. This is a very common practice.

The JavaScript is still executed.

-JF

He has a point

[FascDot+Killed+My+Pr]

I have no issues with Mr Plant--I don't know him at all. Nor do I know anything about Time City.

However, I do know that doctors don't operate on their friends (or family of friends) or families (or friends of family). Same goes for journalism. From the facts presented by "Jay" and you, it seems as though you've interviewed a friend of a friend for your article. That's a no-no, regardless of newsworthiness. Why not just have roblimo or someone interview the friend?
--

Who owns the data

[Shotgun]

"Coremetrics is merely an agent that collects this data on behalf of an individual customer, for that individual's sole use only. We do not collect data, as was inferred very incorrectly by Interhack, across multiple unrelated websites, with any intention of selling it to third parties -- or even distribution to third parties. That's because we, as the agent, do not own that data, nor do we have any rights to that data. Toys 'R' Us, and Toys 'R' Us only, is the sole owner of that data. So legally, we cannot do any of the possibilities that Interhack had alluded to in their report."

I'd have to agree that Corematics doesn't have a right to that data, but do the companies they're collecting it for have a right to it?

What rights do I have to it? It it is being sold, that means it has value. Where's might cut of the proceeds? If you and I own a peice of property, and you sell it without my knowledge or consent, and I find out about it, can't I sue for my share?

The corps can't have it both ways can they? If it is intellectual 'property', then aren't I half owner?

Re:How many?

[British]

What about if you consistenly use the same bogus info to several websites? perhaps some company is compiling info about "Hugh Jass" someday hoping to get his/her real info and send them TONS of junk mail.

Can junkbuster filter out useless 1x1 images completely? I mean, I can live without a 1 pixel image or three on a web page.

Re:Web Bugs

[TheTomcat]

I wish I had some mod points.

Hey moderators: This post, #170 is HIGHLY deserving of being modded right up to +5.

Sorry for abusing my +1.

Re:Web bugs on Slashdot?

[Wedman]

I'd like to hear an explanation.

I figure it's so that Anonymous Cowards are not so anonymous. If need be, Slashdot can check the page and time, then cross reference it with their logs to determine who from where was doing what when. No?

Anonymous Cowards are not anonymous anymore.

Slashdot's justification is probably that they're using it to track 'trouble makers' on Slashdot.

Oh yeah, and to turn in Anonymous Cowards to mega corporations and goverment agencies for bounty

What is the real concern?

[drteknikal]

Are we concerned about what Coremetrics DOES, or about what they CAN DO? There is a wide gulf between posession of power and abuse of power.

It would appear from the article that the problem is not what they do, but how their customers inform the public about the arrangement.

And if we are to attack them because they COULD do something bad, isn't that unfair, or at least prior restraint?

Obligatory ad blocking hosts file post

[gad_zuki!]

# Death to banner ads!
#
#
# This is a ad-blocking hosts file compiled by Mike Skallas (user245@hotmail.com)
# Just add '127.0.0.1 ADSERVER' to the bottom to continue the list.
# The rest are instructions from MS:
#
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost #this is not an ad server, this is your PC
127.0.0.1 www.doubleclick.net
127.0.0.1 ad.preferances.com
127.0.0.1 ad.doubleclick.com
127.0.0.1 ads.web.aol.com
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.preferences.com
127.0.0.1 ad.washingtonpost.com
127.0.0.1 adbot.theonion.com
127.0.0.1 adpick.switchboard.com
127.0.0.1 ads.doubleclick.com
127.0.0.1 ads.doubleclick.net
127.0.0.1 ads.i33.com
127.0.0.1 ads.infospace.com
127.0.0.1 ads.msn.com
127.0.0.1 ads.switchboard.com
127.0.0.1 ads.washingtonpost.com
127.0.0.1 adforce.imgis.com
127.0.0.1 ads.enliven.com
127.0.0.1 Ogilvy.ngadcenter.net
127.0.0.1 oz.valueclick.com
127.0.0.1 doubleclick.net
127.0.0.1 ads.doubleclick.net
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad2.doubleclick.net
127.0.0.1 ad3.doubleclick.net
127.0.0.1 ad4.doubleclick.net
127.0.0.1 ad5.doubleclick.net
127.0.0.1 ad6.doubleclick.net
127.0.0.1 ad7.doubleclick.net
127.0.0.1 ad8.doubleclick.net
127.0.0.1 ad9.doubleclick.net
127.0.0.1 ad10.doubleclick.net
127.0.0.1 ad11.doubleclick.net
127.0.0.1 ad12.doubleclick.net
127.0.0.1 ad13.doubleclick.net
127.0.0.1 ad14.doubleclick.net
127.0.0.1 ad15.doubleclick.net
127.0.0.1 ad16.doubleclick.net
127.0.0.1 ad17.doubleclick.net
127.0.0.1 ad18.doubleclick.net
127.0.0.1 ad19.doubleclick.net
127.0.0.1 ad20.doubleclick.net
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.ch.doubleclick.net
127.0.0.1 ad.infoseek.com
127.0.0.1 ad.linkexchange.com
127.0.0.1 banner.linkexchange.com
127.0.0.1 adcount.hollywood.com
127.0.0.1 ads*.focalink.com
127.0.0.1 ads.imdb.com
127.0.0.1 www.ad-up.com
127.0.0.1 bannerswap.com
127.0.0.1 commonwealth.riddler.com
127.0.0.1 globaltrack.com
127.0.0.1 globaltrak.net
127.0.0.1 nrsite.com
127.0.0.1 www.nrsite.com
127.0.0.1 ad-up.com
127.0.0.1 ad.adsmart.net
127.0.0.1 ad.atlas.cz
127.0.0.1 ad.blm.net
127.0.0.1 ad.dogpile.com
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.infoseek.com
127.0.0.1 ad.linkexchange.com
127.0.0.1 ad.net-service.de
127.0.0.1 ad.preferences.com
127.0.0.1 ad.vol.at
127.0.0.1 adbot.com
127.0.0.1 adbot.theonion.com
127.0.0.1 adbureau.net
127.0.0.1 adcount.hollywood.com
127.0.0.1 add.yaho.com/
127.0.0.1 adex3.flycast.com
127.0.0.1 adforce.adtech.de
127.0.0.1 adforce.imgis.com
127.0.0.1 adimage.blm.net
127.0.0.1 adlink.deh.de
127.0.0.1 ads.criticalmass.com
127.0.0.1 ads.csi.emcweb.com
127.0.0.1 ads.filez.com
127.0.0.1 ads.i33.com
127.0.0.1 ads.imagine-inc.com
127.0.0.1 ads.imdb.com
127.0.0.1 ads.infospace.com
127.0.0.1 ads.jwtt3.com
127.0.0.1 ads.lycos.com
127.0.0.1 ads.mirrormedia.co.uk
127.0.0.1 ads.msn.com
127.0.0.1 ads.narrowline.com
127.0.0.1 ads.newcitynet.com
127.0.0.1 ads.realcities.com
127.0.0.1 ads.realmedia.com
127.0.0.1 ads.smartclicks.com
127.0.0.1 ads.switchboard.com
127.0.0.1 ads.tripod.com
127.0.0.1 ads.usatoday.com
127.0.0.1 ads.washingtonpost.com
127.0.0.1 ads.web.aol.com
127.0.0.1 ads.web.de
127.0.0.1 ads.web21.com
127.0.0.1 adserv.newcentury.net
127.0.0.1 adservant.guj.de
127.0.0.1 adservant.mediapoint.de
127.0.0.1 adserver-espnet.sportszone.com
127.0.0.1 advert.heise.de
127.0.0.1 banners.internetextra.com
127.0.0.1 bannerswap.com
127.0.0.1 customad.cnn.com
127.0.0.1 dino.mainz.ibm.de
127.0.0.1 ganges.imagine-inc.com
127.0.0.1 globaltrack.com
127.0.0.1 globaltrak.net
127.0.0.1 207-87-18-203.wsmg.digex.net
127.0.0.1 Garden.ngadcenter.net
127.0.0.1 Ogilvy.ngadcenter.net
127.0.0.1 ResponseMedia-ad.flycast.com
127.0.0.1 Suissa-ad.flycast.com
127.0.0.1 UGO.eu-adcenter.net
127.0.0.1 VNU.eu-adcenter.net
127.0.0.1 a32.g.a.yimg.com
127.0.0.1 ad-adex3.flycast.com
127.0.0.1 ad.adsmart.net
127.0.0.1 ad.ca.doubleclick.net
127.0.0.1 ad.de.doubleclick.net
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.fr.doubleclick.net
127.0.0.1 ad.jp.doubleclick.net
127.0.0.1 ad.linkexchange.com
127.0.0.1 ad.linksynergy.com
127.0.0.1 ad.nl.doubleclick.net
127.0.0.1 ad.no.doubleclick.net
127.0.0.1 ad.preferences.com
127.0.0.1 ad.sma.punto.net
127.0.0.1 ad.uk.doubleclick.net
127.0.0.1 ad.webprovider.com
127.0.0.1 ad08.focalink.com
127.0.0.1 adcontroller.unicast.com
127.0.0.1 adcreatives.imaginemedia.com
127.0.0.1 adex3.flycast.com
127.0.0.1 adforce.ads.imgis.com
127.0.0.1 adforce.imgis.com
127.0.0.1 adfu.blockstackers.com
127.0.0.1 adimage.blm.net
127.0.0.1 adimages.earthweb.com
127.0.0.1 adimg.egroups.com
127.0.0.1 admedia.xoom.com
127.0.0.1 adpick.switchboard.com
127.0.0.1 adremote.pathfinder.com
127.0.0.1 ads.admaximize.com
127.0.0.1 ads.bfast.com
127.0.0.1 ads.clickhouse.com
127.0.0.1 ads.enliven.com
127.0.0.1 ads.fairfax.com.au
127.0.0.1 ads.fool.com
127.0.0.1 ads.freshmeat.net
127.0.0.1 ads.hollywood.com
127.0.0.1 ads.i33.com
127.0.0.1 ads.infi.net
127.0.0.1 ads.jwtt3.com
127.0.0.1 ads.link4ads.com
127.0.0.1 ads.lycos.com
127.0.0.1 ads.madison.com
127.0.0.1 ads.mediaodyssey.com
127.0.0.1 ads.msn.com
127.0.0.1 ads.ninemsn.com.au
127.0.0.1 ads.seattletimes.com
127.0.0.1 ads.smartclicks.com
127.0.0.1 ads.smartclicks.net
127.0.0.1 ads.sptimes.com
127.0.0.1 ads.tripod.com
127.0.0.1 ads.web.aol.com
127.0.0.1 ads.x10.com
127.0.0.1 ads.xtra.co.nz
127.0.0.1 ads.zdnet.com
127.0.0.1 ads01.focalink.com
127.0.0.1 ads02.focalink.com
127.0.0.1 ads03.focalink.com
127.0.0.1 ads04.focalink.com
127.0.0.1 ads05.focalink.com
127.0.0.1 ads06.focalink.com
127.0.0.1 ads08.focalink.com
127.0.0.1 ads09.focalink.com
127.0.0.1 ads1.activeagent.at
127.0.0.1 ads10.focalink.com
127.0.0.1 ads11.focalink.com
127.0.0.1 ads12.focalink.com
127.0.0.1 ads14.focalink.com
127.0.0.1 ads16.focalink.com
127.0.0.1 ads17.focalink.com
127.0.0.1 ads18.focalink.com
127.0.0.1 ads19.focalink.com
127.0.0.1 ads2.zdnet.com
127.0.0.1 ads20.focalink.com
127.0.0.1 ads21.focalink.com
127.0.0.1 ads22.focalink.com
127.0.0.1 ads23.focalink.com
127.0.0.1 ads24.focalink.com
127.0.0.1 ads25.focalink.com
127.0.0.1 ads3.zdnet.com
127.0.0.1 ads3.zdnet.com
127.0.0.1 ads5.gamecity.net
127.0.0.1 adserv.iafrica.com
127.0.0.1 adserv.quality-channel.de
127.0.0.1 adserver.dbusiness.com
127.0.0.1 adserver.garden.com
127.0.0.1 adserver.janes.com
127.0.0.1 adserver.merc.com
127.0.0.1 adserver.monster.com
127.0.0.1 adserver.track-star.com
127.0.0.1 adserver1.ogilvy-interactive.de
127.0.0.1 adtegrity.spinbox.net
127.0.0.1 antfarm-ad.flycast.com
127.0.0.1 au.ads.link4ads.com
127.0.0.1 banner.media-system.de
127.0.0.1 banner.orb.net
127.0.0.1 banner.relcom.ru
127.0.0.1 banners.easydns.com
127.0.0.1 banners.looksmart.com
127.0.0.1 banners.wunderground.com
127.0.0.1 barnesandnoble.bfast.com
127.0.0.1 beseenad.looksmart.com
127.0.0.1 bizad.nikkeibp.co.jp
127.0.0.1 bn.bfast.com
127.0.0.1 c3.xxxcounter.com
127.0.0.1 califia.imaginemedia.com
127.0.0.1 cds.mediaplex.com
127.0.0.1 click.avenuea.com
127.0.0.1 click.go2net.com
127.0.0.1 click.linksynergy.com
127.0.0.1 cookies.cmpnet.com
127.0.0.1 cornflakes.pathfinder.com
127.0.0.1 counter.hitbox.com
127.0.0.1 crux.songline.com
127.0.0.1 erie.smartage.com
127.0.0.1 etad.telegraph.co.uk
127.0.0.1 fp.valueclick.com
127.0.0.1 gadgeteer.pdamart.com
127.0.0.1 gm.preferences.com
127.0.0.1 gp.dejanews.com
127.0.0.1 hg1.hitbox.com
127.0.0.1 image.click2net.com
127.0.0.1 image.eimg.com
127.0.0.1 images2.nytimes.com
127.0.0.1 jobkeys.ngadcenter.net
127.0.0.1 kansas.valueclick.com
127.0.0.1 leader.linkexchange.com
127.0.0.1 liquidad.narrowcastmedia.com
127.0.0.1 ln.doubleclick.net
127.0.0.1 m.doubleclick.net
127.0.0.1 macaddictads.snv.futurenet.com
127.0.0.1 maximumpcads.imaginemedia.com
127.0.0.1 media.preferences.com
127.0.0.1 mercury.rmuk.co.uk
127.0.0.1 mojofarm.sjc.mediaplex.com
127.0.0.1 nbc.adbureau.net
127.0.0.1 newads.cmpnet.com
127.0.0.1 ng3.ads.warnerbros.com
127.0.0.1 ngads.smartage.com
127.0.0.1 nsads.hotwired.com
127.0.0.1 ntbanner.digitalriver.com
127.0.0.1 ph-ad05.focalink.com
127.0.0.1 ph-ad07.focalink.com
127.0.0.1 ph-ad16.focalink.com
127.0.0.1 ph-ad17.focalink.com
127.0.0.1 ph-ad18.focalink.com
127.0.0.1 realads.realmedia.com
127.0.0.1 redherring.ngadcenter.net
127.0.0.1 redirect.click2net.com
127.0.0.1 regio.adlink.de
127.0.0.1 retaildirect.realmedia.com
127.0.0.1 s2.focalink.com
127.0.0.1 sh4sure-images.adbureau.net
127.0.0.1 spin.spinbox.net
127.0.0.1 static.admaximize.com
127.0.0.1 stats.superstats.com
127.0.0.1 sview.avenuea.com
127.0.0.1 thinknyc.eu-adcenter.net
127.0.0.1 tracker.clicktrade.com
127.0.0.1 tsms-ad.tsms.com
127.0.0.1 v0.extreme-dm.com
127.0.0.1 v1.extreme-dm.com
127.0.0.1 van.ads.link4ads.com
127.0.0.1 view.accendo.com
127.0.0.1 view.avenuea.com
127.0.0.1 w113.hitbox.com
127.0.0.1 w25.hitbox.com
127.0.0.1 web2.deja.com
127.0.0.1 webads.bizservers.com
127.0.0.1 www.PostMasterBannerNet.com
127.0.0.1 www.ad-up.com
127.0.0.1 www.admex.com
127.0.0.1 www.alladvantage.com
127.0.0.1 www.burstnet.com
127.0.0.1 www.commission-junction.com
127.0.0.1 www.eads.com
127.0.0.1 www.freestats.com
127.0.0.1 www.imaginemedia.com
127.0.0.1 www.netdirect.nl
127.0.0.1 www.oneandonlynetwork.com
127.0.0.1 www.targetshop.com
127.0.0.1 www.teknosurf2.com
127.0.0.1 www.teknosurf3.com
127.0.0.1 www.valueclick.com
127.0.0.1 www.websitefinancing.com
127.0.0.1 www2.burstnet.com
127.0.0.1 www4.trix.net
127.0.0.1 www80.valueclick.com
127.0.0.1 z.extreme-dm.com
127.0.0.1 z0.extreme-dm.com
127.0.0.1 z1.extreme-dm.com
127.0.0.1 ads.forbes.net
127.0.0.1 ads.newcity.com
127.0.0.1 ads.ign.com
127.0.0.1 adserver.ign.com
127.0.0.1 ads.scifi.com
127.0.0.1 adbot.theonion.com
127.0.0.1 adengine.theglobe.com
127.0.0.1 ads.tucows.com
127.0.0.1 adcontent.gamespy.com

Protect Yourself

[rkent]

You know, even with "old" Netscape 4.x, you can just click on "refuse all cookies" or at least "warn me before accepting cookies." With mozilla, it's even better; it remembers your cookie preferences for each server.

Granted, this is not the easiest thing to use ever. I'd really like a list of servers I could manually update, whose cookies would always be rejected. *.doubleclick.net, *.adforce.com ... you get the picture.

Point is, though, you do have recourse. You don't have to "blindly trust" all those baddies trying to set cookies on your harddrive. Now I think the priority should be making this easier for newbies to pick up, and educating them about it.

Re:How many?

[brunes69]

Yeah really. Someone should Mod this up, and maybe some marketing braindead's will see it. No one I know EVER puts in their real information, real email, or anything, unless they absolutely have to. And I'm not just talking about us l33t hackers, I'm talking about joe average Internet user. In schools around where I live, they actually teach you not to ever give your real information (including email) unless its someone you absolutely trust.

So what I would liek to know is, what good is all this tracking, when your'e tracking fake people? It's just a huge waste of time. Not that I reallly care, I added all banner ads to my hosts file being redirected to 127.0.0.1 a LONG time ago

Re:Web Bugs

[mOdQuArK!]

Doesn't this break the web-wide caching system being implemented by companies such as "akamai"? I thought they provided load-balanced web services for those web services which were expecting high peaks of service requests.

Re:Spot the webbug

[graniteMonkey]

Okay, Jamie, so now we've established that Richard M. Smith himeself says the code on this web-page is not a "web bug". Now that I know it's there, what does Slashdot/Andover with this "non-web bug" to differentiate it from a genuine web bug? Just curious, really. Does the information reach some corporate entity outside Slashdot.org? Andover.net? Is the information for the sole non-resellable use of Slashdot.org? Andover.net?

Or send back corrupted data

[JSBiff]

You could also send back data that they are expecting, just corrupt it to be totally wrong, e.g. $address="18459 nowhere lane, nullville, OH 00000" ;-)

This "web bug" thing is a dumb approach

[Animats]

After all, the server providing the main page already knows the IP address and cookie information. All that's needed is to ship the server log info to Big Brother Central for correlation. "Web bugs" are just a way of offloading the intercommunication job onto the client. If somebody isn't already marketing a complete server-side solution for this, they probably will be soon.

Re:Spot the webbug

[Digital+Mage]

Although the ad might not come from an outside source, my question is...Why is the number associated with the pagecounter image also associated with the advertising image?

I'm going to have to go diving through the ad code (assuming the slashdot guys use the one from sourceforge) to see exactly what the number is used for.

My guess is that the number is used to see how many eyeballs saw that particular ad, but what they do with the number beyond that is unknown.

Example:
<IMG SRC="http://images.slashdot.org/pagecount.gif?/art icle.pl,965319456" WIDTH=1 HEIGHT=1>
.....
<IMG SRC="http://images.slashdot.org/banner/tkgk0082en. gif?965319456" WIDTH=468 HEIGHT=60 ALT="Click Here!"></A><BR>

Re:Coremetrics..

[rgmoore]

Of course, what should really happen is that the default is opt-out, not opt-in. This will never happen though. How many people are going to look at a box that says "Click here to have your privacy invaded" and think "Oooh, I'd better do that, sounds like a greate idea"? That's right, none.

Of course no site would put up a box saying "click here to have your privacy invaded." Instead, they'd set up a system so that the user gained some small benefit from having their privacy invaded- like not having to re-enter their password every time they visited the site or having customized content- and ask customers if that's what they wanted. If they worded it right, you'd be surprised at how many people would opt in.

Actually, the well known grocery card business is a good example of this. People are willing to give supermarkets personally identifying information on an opt-in system in order to get marginal price benefits. They're even willing to swipe their card when they don't have anything in their cart that actually gets a price break based on minute chances of winning a car or something. Don't overestimate people's desire for privacy.

DoubleClick Ads on Slashdot

[fridgepimp]

Ok,

I sent e-mail to Jaime almost 2 weeks ago asking about the use of doubleclick served adds (from doubleclick servers) on Slashdot. He promised to get back to me. He never did.

Would anyone on the Slashdot Team like to comment on whether or not these adds perform functions similar to DoubleClick ads on other sites? I've seen posts about this in some discussions, but this seems like the good place to post it.

I have noticed a STEADY increase in the number of DoubleClick served adds since I initally contacted Jaime. All the SuSE ads, the Genuity add, and now some IBM (and I'm sure others) ads are all DoubleClick served. This is true on other Andover sites like freshmeat as well. Many adds are served from Slashdot's addserver, but often DoubleClick ads load.

I can provide links to any and all ads that I've seen if I need to, but I think that it would be overkill.

Just curious

-fp

Re:DoubleClick Ads on Slashdot

[Hemos]

Please see my reply above, in which I answered the same questions.

The basic problem is that a huge percentage of advertisers outsource their advertising operations to DoubleClick. To have them advertise, you grab images off of DoubleClick. That's not anything we have control, unfortunantely, as that's the advertisers choice to go through DBL. I wish it were otherwise.

Re:Spot the webbug

[_xeno_]

Hemos tried to explain this in this post.

For the truely lazy:

RE: Doubleclick.

Believe me, if I had my way, we wouldn't be using it. But DoubleClick is what many of the advertisers use as their service, because DoubleClick does a good job of tracking click-thrus and such for them. That, and the honest truth, most big companies don't know how to run their own web server for ad serving, and so outsource. So - unfortunantely, a necessary evil of serving banner ads.

As for the webbug - I've never called it bad or evil. I think it's stupid, but Andover uses it to track traffic. I think caches fuck it up, but...c'est la vie. It doesn't do anything, so I don't particularly care about. I'm more concerned with stopping advertisers from using Java in banner ads, or sound,or shockwave, or...

It's all about choosing your battles.

Re:What's wrong with user profiling?

[albamuth]

You bring up a good point - that as much information as they are gathering it really doesn't amount to anything if you don't buy into their bullshit. I mean, we're bombarded with advertising every waking moment of our lives (which is why I don't have a TV at home) but I think most of us have learned how to tune it out. People doing market research are working for the same soul-less corporations that you or I are working for, they're just people after all. The young, hip adults designing advertisements aren't publishing propaganda for some ideological purpose; they're using their imagination and creativity to drive capitalism - that's their job.

So who really gives a damn? I usually buy books that have been recommended through word-of-mouth, anyway, who cares what Amazon's computer cooks up for you? Hell, I really don't care about the cookies on my computer - if someone steals my credit card number then it'll show up on the statement and I can get my money back. So what if Maxim ads always always pop up on yahoo sites for me? So I clicked on one, once.

Spam is pointless - I'm immune to it. I'm sure everyone who's grown up with television is, too. I'd rather go outside and sit in the sun anyway (but I'm stuck here at work).

Hmm, actually now does feel like a good time for a smoke break...

One word....

[zlite]

*Disclosure* There's nothing wrong with interviewing friends, writing about companies affliated with friends, etc---as long as you tell the reader about the connection.

Really, it's a simple as that. You don't even have to clutter your copy with parenthetical disclaimers, just a link to the relevent information about the connection for those readers who care.

C'mon guys. Like it or not, you're journalists now, so play the game properly.

Re:Illegal in the UK.

[AndrewD]

Any contract-drafting bottom-feeding lawshark can present a retail site such that it's accessed "with a view to entering into a contract".

Hey! I resemble that remark!.

Seriously, folks. I think that the above analysis of the DPA is a little pessimistic. The Act does in fact define gross invasions of privacy in a roundabout way: there is a list of items of "Sensitive Personal Data" which are subject to much stronger regulation.

The Act provides for civil and criminal penalties for breach of the provisions as to fair processing; it is not toothless.

As to the "taking of steps" point, that provision is also governed by the requirement that the processing be proportional to the need and transparent to the data subject, and the Data Protection Commissioner has power to rule on what is and is not within that requirement of fairness. For example, she has stated that those "opt out of our spam list" checkboxes are not fair on the data subject: they should be "opt-in" boxes.

As to "presenting a retail site such that it's accessed 'with a view to entering into a contract'", that has to be done with an eye on the remainder of the Act, which limits what you can and cannot do, the various dicta of the Data Protection Commissioner, one's own liability if one colludes in the commission of a criminal offence or advises a client to commit one and, in the UK, the Unfair Contract Terms Act 1977, which is a prize pain in the backside for those in the business of ripping off consumers.

The whole point of the DPA, you see, is to make it easier and more cost-effective for the lawyer to advise the client to comply than to infringe. Being a naturally conservative crowd, that is exactly what we do.

Illegal in the UK.

[AndrewD]

Anyone thinking of using this service in the UK (or anywhere in the EU for that matter) should think again. It's (potentially) a criminal offence to collect any data on a person without telling them you're doing it (Data Protection Act 1998, generally and Schedule 1 part I in particular). The fact that you're using a third party based abroad to dig the dirt on your site visitors will avail you nothing with the Data Protection Commissioner if she decides to land on you with both hobnailed boots.

Those privacy statements, whose status in the US I cannot comment on (IAAL but NAUSQL) are binding in the UK and breach of them potentially sounds in damages (section 13 of the Act isn't in force yet, but soon, soon) as well as criminal liability and all manner of interesting and exciting regulatory action.

For the rights of data subjects generally, see Part II of the Act generally and the register of Data Controllers is maintaned at the Data Protection Commissioner's site and is fully searchable. Go on, look up your favourite corporation and dob them in if they aren't playing by the rules. (Non-UK readers may be amused to know that an assortment of pranksters make a point of doing this with political party membership lists when they use them for mailshotting purposes.)

How many?

[Jon+Shaft]

How many of us actually put in proper information into websites? Usually the only time I ever put in proper information is when I'm going to purchase something, and being a poor college kid, that is very rare. I can see being extremely worried about it if I were making more money and able to spend it on things, but that's far off.

Right now there is probably a lot of junk mail and phone calls going to 1642 Slackware Ave, Retro, CA (111)222-3334...

I can't remember putting in real information in a long time... actually the last time I put in that information was when I bought a DeCSS TShirt.

Toysrus.com sells information even tho they say in the privacy statement they don't? Welp, add another place not to shop to my list. Does anyone publish a listing of companies that don't sell information to other public/private companies anywhere? I'm sure it would be very useful to some.

difference?

[closedpegasus]

I'm not sure how web bugs are any different than conventional methods of gathering information...Isn't most of the same kind of information about users kept in such mundane tracking systems as the apache access logs? Why do you need a gif image to get the same information you can get at the time of a page request, like IP address and info about cookies? Granted, the 1x1 pixel gif is deceiveing, but can't they get that information without it?

Tracking proliferation

[blues.mongrel]

Naviant is another company that purports to track customers across the web. They say they have a database that correlates online personas with physical addresses (like Double-Click was trying to do) "with over 17.5 million records and hundreds of thousands more coming on file each month." Their customers include some pretty big names. I guess I'd be interested in what Interhack could dig up on these guys, too.

Use WebWasher to protect yourself from web bugs.

[wires8]

WebWasher is a personal proxy server that filters out most banner ads and more importantly, 1x1 images. No more web bugs! www.webwasher.com

Spot the webbug

[FascDot+Killed+My+Pr]

Do they look anything like this:

now = new Date();
tail = now.getTime();
document.write("<IMG SRC='http://images2.slashdot.org/Slashdot/pc.gif?/ comments. pl,");
document.write(tail);
document.write("' WIDTH=1 HEIGHT=1>");
document.write("<IMG SRC='http://images.slashdot.org/pagecount.gif?/com ments.pl, ");
document.write(tail);
document.write("' WIDTH=1 HEIGHT=1>
");
--

Re:Spot the webbug

[cwhicks]

Bad Moderation Alert: What classifies this as a troll? Is it such comman knowledge what these "webbugs" on /. are?
Is the person saying something inflametory that they know to be false to get a response? Just because you are satisfied with the explanation, doesn't mean everyone has to be. Or is it that /. is somehow holy and never should be questioned?
Personally, I've seen these images at the top and was suspicious, and now from the informative responses, I know what they are.

Re:Spot the webbug

[jamiemccarthy]

I knew someone would bring this up (trolls have been spamming our comments with it). I'll just post the same info I posted to another thread yesterday:

Please note that all these images come from slashdot's own servers. They're pagecounter images. I'll just forward along the email I got from Richard M. Smith, the guy who coined the term "web bug", when I asked him about it:

Date: 7/2/00 3:00 PM
Received: 7/2/00 11:59 AM
From: rms2000@bellatlantic.net (Richard M. Smith)
To: jamie@mccarthy.org (Jamie McCarthy)

Yep, to really be a Web Bug, the IMG tag must come from
another domain. I'll need to make this clearer in the
next revision of the FAQ. Now, if I can just find the time to
keep my Web site up to date...... ;-)

Jamie McCarthy

Web Bugs

[AlexZander]

Someone should write an option into Mozilla or it's ilk to NOT LOAD any image with a height and width of 1. That would stop the web bugging industry at least for a little while, don't you think?
(web bugs are EVIL)

Evil never dies -- It just comes back in reruns

Re:Web Bugs

[juniorbird]

Not only does this Web designer use one-pixel gifs... pretty much every Web designer does. The reason is that browsers suck. Theoretically, by using CSS, visual presentation of information can be managed. But CSS support is horrible -- only IE 5 for Mac really has it (among released browsers at this point).

So Web designers are forced to use HTML for visual presentation of information (no, just putting it in a simple list isn't good enough -- 400 years of learning how to effectively present information says otherwise. See Edward Tufte's works FMI). And the only way to do that is to micromanage detailed issues like spacing.

But all that's moot. The worst part about this whole article is that the companies are lying to their customers about how their information is being used. There is almost no way an educated user, without the benefit of infinite time and tools, could have known to protect him- or herself from this information theft. That's why Truste needs to sue and the FTC needs to get involved. Personally, I think that the companies who did this need to be permanently banned from having a Web presence in order to set an example, but I don't know how that could be done legally.

You can do something: opt out
http://www.coremetrics.com/opt_out_ options.html

Automatically polute their data

[dsplat]

I just had a look at Muffin (mentioned in the article). It seems to me that the way to get rid of these invasive tactics is to attack them. Instead of filtering out all cookies and WebBugs, build a filter that returns a standard response. When you are probed for a cookie, return one that contains the GNU Manifesto or a randomly selected file from the Mozilla source.

Its not surprising this is happening

[wrenling]

I dont think these companies are even paying attenion to their own policies. In a way, that has to do with the corporate structure as it exists today. These companies are so used to using subcontractors and counting them as part of the 'workforce' that they consider affliates in much the same light.

It is up to us, the geek consumers, to push back at these companies, voice our concerns, refuse to buy products from them or use their web services. Since they understand best off of their pocketbooks, that is what will get their attention. This is also something that my mom and dad can understand. If I tell them 'the following websites are collecting private information about you' they wont use those sites. They are finally convinced its not the hackers out there that are going to be taking away their privacy, but instead, the government and corporate america.

Just my two... sleepy thursday cents

DoubleClick Ads on Slashdot

[fridgepimp]

Slashdot has run numerous stories about the questionable behaivior of DoubleClick and its affiliate sites. In fact, this article aludes to it.

However, slashdot has been serving DoubleClick ads with increasing frequency of late. NOW, I am NOT suggesting that Slashdot is corrupt or evil. I'm just curious to know whether or not we can expect these adds to behave similarly to the DoubleClick ads that have been described in previous stories.

If so, doesn't that fall into the "web bug" catagory. Why hide it in a 1x 1 GIF when it's right there in a DoubleClick ad?

Anyway, I'm just curious. I posted this on the root level of the story and have already been modded down to -1. So moderators, do your worst. I'm just looking for an answer, not a flame war.

-fp

class action suit filed against Toys R Us

[Jeremi]

article here

What's wrong with user profiling?

[JohnZed]

Profiling is an incredibly important tool to promote good customer service! We shouldn't do away with it because it COULD constitute a violation of privacy. That's like saying that we should do away with telephones just because they allow telemarketers to invade our privacy (try caller id).
Amazon, for instance, tracks all of my purchases, and, in return, gives me the only useful product recommendations I've seen on any commercial web site. Other sites could track my reading patterns (within their own site, not across others!) to figure out what types of articles actually interest me so that they can provide better content in the future. They need to plant a cookie on my browser to do that tracking, and they may even benefit from demographic information from me (to see what 20 year-old white males like to read), but they never need to know my real name, address, or phone number.
For me, the biggest privacy concern is spam and telemarketing. I WANT people to get enough data about me to serve banner targetted ads, because those are more likely to be interesting to me (I might buy a boxed copy of Enhydra, but I probably won't buy a copy of Cosmopolitan), as long as they don't invade my Inbox with those ads.
--JRZ

The can is open, and there is no going back.

[FPhlyer]

Let's face it. The days of the Internet being a free-for-all are over. Corporations are going to find ways to collect demographic and personal data. Trying to legislate this out of existance is like trying to legislate Napster and Gnutella out of existance: It isn't going to happen.

The best you can do is write a browser plug-in that will reject such data and prevent the corporation from gaining any valuable data from your visit.

No amount of legislation can stop this kind of thing. If you ban companies from collecting data like this in the United States, they will simply move their servers outside the border and continue to do business as usual.

In the information age, it is no longer the job of government to protect our privacy - they can't, it's an insermountable job. The only way to protect online privacy is to do it yourself.

Forcefeeding and poisoning the cookies

[AJWM]

Mostly I avoid the problem by using a filtering proxy (eg Internet Junkbuster), but just for kicks sometimes I'll skip that, collect a few cookies then go and edit my cookies.txt file.

Interesting things to do with entries in the cookies file:
- randomly change some of the ID numbers -- let them think you're somebody else (or nobody)
- if there's a timestamp, change the date to something bogus -- 1956, or 1842, or 2003. Maybe somebody's database will break.
- insert really really long strings of random characters (or numbers if numeric) into the cookie values -- maybe it'll overflow a buffer somewhere.
- add a few hundred or thousand bogus cookie entries for some domains, maybe the cookie eater will choke.

How much of this actually adversely affects the cookie server I don't know -- not my area of expertise -- but it at least screws up their tracking somewhat. You want cookies? Here, I'll give you cookies....

Coremetrics..

[(-)erd+of+(ats]

I don't see a big deal; These companies decided to outsource their traffic analysis. While the capability surely exists for Coremetrics to track users across websites, a'la Doubleclick, their customers would be terribly pissed.

Personally, I don't see the issue of online tracking as being more than 'a tempest in a teapot'. Those that do not wish to be tracked can surely disable it, and the tracking companies and user data mining companies will continue to make money off the mindless drones that populate the net.

It's always been 'buyer beware'. What is so special about the net that it no longer applies? So the tracking is easier to do, and easier to analyze, and there is more of it, and it is more meaningful; Do you honestly think your bank, the telephone company, and the credit agencies aren't selling your spending habits to marketers?