Do Not Call Site Has AT&T Stats Tracker?

hookedup writes "The Register is carrying an article about suspicious content at the FTC's Do Not Call site. It has been a runaway hit with US consumers, with over fifty million signing up to avoid spam calls from telemarketers. But the web site hides a little secret: a 1x1 pixel image tracking visitors... and where does the trail lead but to the AT&T, one of the most persistent telemarketers." However, the tipster, James 'Kibo' Parry, notes: "There isn't any evidence proving they _are_ up to anything improper, but this relationship between the FTC and AT&T fails to avoid the potential for impropriety."

Off by a power of ten?

[Delphix]

shouldn't that be FIFTY million, not five million?

Re:Off by a power of ten?

[Aidtopia]

It's fifty million phone numbers that have been registered, not customers. Many (most?) customers register more than one phone number, so there are probably fewer than 50 million customers, but certainly more than 5 million.

Re:Off by a power of ten?

[c0dedude]

You must be new here. That's only one order of magnatude. Around here, that's pretty good.

Re:Off by a power of ten?

[Murdock037]

Wait until the story is duped a few times, they should all add up to the right number eventually.

Re:Off by a power of ten?

[letxa2000]

Yeah, well to me the amazing thing in the story is that the government apparently paid AT&T $3.5 million to build the website. Have you visited the website? I've built more complex websites in a matter of weeks. Even charging $200/hour that would be easily less than $32k.

I would hope that "building" the site for $3.5 million also includes running it, ongoing maintenance, etc. Because if the government really paid AT&T $3.5 million to BUILD it and still has to pay some ongoing fee, they got ripped by an order or two of magnitude.

Government waste isn't surprising, but it's sad when it is made so obvious. A good percentage of the folks here at Slashdot could have done just as good a job for a fraction of the cost and STILL recorded a very good year income-wise.

Re:Off by a power of ten?

[avdp]

Weeks? What would take you weeks? Try hours!!!

Yeah, I sure hope it includes hosting, etc.

Re:Off by a power of ten?

The article was posted on august 8th, so at that time it mighta only been 5 mil.

Re:Off by a power of ten?

Obviously an american..

Re:Off by a power of ten?

[kosibar]

If you look at how much income tax some of these corporate executives have to pay, you'll find that the $3.5 Million works out to about $32,000. I haven't done the math, of course. :-)

Although, the way they mess with the books, they may find that they have a refund coming to them. So I guess we can't go by that.

Re:Off by a power of ten?

[Ohreally_factor]

The next dupe will mention the figure, 500,000, then the one after that will return us to 50 Million. So it should only take a half dozen dupes.

Re:Off by a power of ten?

[D'Sphitz]

hell, i wouldve charged a couple grand and done a much better job. And while hundreds of thousands of developers are out of work good ole uncle sam forks out 3500 large to a billion dollar corporation for work that could be done for 1/1000th of that with a sense of quality and pride.

Of course, as you said, if the deal includes maintenance, bandwidth etc tack on a zero, but even that would be overpriced.

Re:Off by a power of ten?

[letxa2000]

True. I was purposefully trying to be very liberal with how much time it would take and allowing ample time to, perhaps, export to some external database or system.

Anyway, the point is that they paid an absurd amout of money for a site that virtually anyone could have done in less than a month. And if the person had experience and was efficient I agree with you that we'd be talking about hours or a few days rather than weeks or months.

Re:Off by a power of ten?

[Ironica]

Have you visited the website? I've built more complex websites in a matter of weeks. Even charging $200/hour that would be easily less than $32k. ...
Government waste isn't surprising, but it's sad when it is made so obvious.

There's a few things to take into account:

- Private companies are paying this much for their websites (a friend was offered $150k to come up with a *proposal* for redoing McDonald's website, on a contract that would be $5 million).

- Government has a lot of trouble adjusting to changes. We demand accountability, which turns into bureaucracy after you've filed fifteen different forms to get the same change made. It takes more than someone in a position of power realizing that they need a new position to bring in folks with experience and knowledge to tell them things like "$3.5 million is a waste of money for this."

- Again due to laws that we, the people, demanded, government contractors have to go through a LOT to get those contracts. They have to comply with many, many regulations (such as demonstrating that they're an equal opportunity employer), they have to submit monthly invoices and progress reports that are longer than the latest Neal Stephenson novel, and they often have to comply with outdated regulations about what kind of equipment and software they can use (see above about governments being slow to adapt to change). In many cases they charge extra just because it's more work to do work for government.

- Government contracts aren't awarded like contracts in private business, based on human judgement and experience. There's too much potential for human greed and graft if they do it that way. This means that they're often awarded on the strength of a proposal and a bid, without any real way to know whether the company can deliver. Sure, if the cost estimate rises, the contractor is required to explain why... but there's very little that government agencies can do when it comes to firing incompetent contractors. Best case scenario has them starting all over again with the job; worst, the contractor gets to keep doing the job anyway and has absolutely no incentive to do it right.

After my experiences working for a government agency, I'm inclined to agree in theory with the sentiment that "government would be more efficient if it worked more like private enterprise" but usually not with the substance of the claim. Instead of the "efficiencies" of squeezing labor dry and cutting costs whereever they won't get sued, government needs to have more flexibility to get the job done *right*, and more efficient oversight to counterbalance the flexibility.

Re:Off by a power of ten?

[spockbert]

I am no authority on these types of things but as a person who works in the as a contractor in the IT field, that $3.5 million is probably a long-term contract. At least I hope it was for more than just building the site.

should be called

[joeldg]

the "don't call me, spam me" list.. saying they are collecting millions of email from users and have a dubious privacy policy.

Re:should be called

[elmegil]

how precisely does the 1x1 gif collect my email address for AT&T?

Re:should be called

[pla]

the "don't call me, spam me" list.. saying they are collecting millions of email from users and have a dubious privacy policy.

Agreed. So, why do Slashdotters, a group I consider more privacy-aware than most people, sign up through their website? Use the 800 number, and you don't need an email address (and you don't really "give up" any info by telling them your phone number, since they need to know it to block it anyway).

Strange. I agree completely this looks a tad bit unkosher, but a very very simple way around it exists. Use the phone, Luke!

Re:should be called

[joeldg]

I think I used a mailinator.com address when I signed up.

Re:should be called

so why not use a throwaway hotmail account?

Re:should be called

[domninus.DDR]

I have no idea either, just a guess, because I dont know how POSTDATA works, but, when do you send post data up to a server? when you request the source file, or when you request every file? so lets say if you sent your postdata long with a request for the gif... shrug. I dont know enough to answer you, heh.

Re:should be called

for the phone company to know in advance of the deadline who is signing up is worth $$$, and if you dial the 800 number, guess who finds out? probably, two phone companies. other permutations too... read the article.

Re:should be called

[pla]

for the phone company to know in advance of the deadline who is signing up is worth $$$, and if you dial the 800 number, guess who finds out? probably, two phone companies. other permutations too... read the article.

I consider it unfortunate you posted as AC, you have a good point deserving a score better than zero.

However, while I agree with you, consider the long-term (and not all that long, actually, a month or two) difference between giving them your phone number, vs giving them your email address. When this all settles down in a few weeks, the phone number will no longer benefit anyone (though admittedly it may do so until then). Once we start seeing enforcement of the DNC list, however, the email address will not only still exist, but becomes far more valuable, since it belongs to someone that telemarketers can no longer call (and even the information that it belongs to someone on the DNC list has value).

So, I maintain my original stance - Don't use the web form, just call. That way you give out the smallest amount of useful data necessary to get on the list.

Re:should be called

[Skapare]

When I signed up my phone number, and the number of several friends who asked me to do so for them, I used a unique email address for each one, never used before, never used since. If they get spammed, I'll definitely know. So far they have not.

Re:should be called

AT&T gets your IP address and browser info easily; POST data (the actual form contents) is only sent to the 'submit' button URL. In this respect an html POST is exactly the same as a GET.

BTW:
http://www.theregister.co.uk/content/6/333 01.html

Re:should be called

[WuphonsReach]

Or do the smart thing and sign up for a throw-away e-mail account somewhere (I think I used Hotmail... or something).

You only need the e-mail account to be valid long enough to reply to the confirmation e-mail.

Re:should be called

[the_Bionic_lemming]

how precisely does the 1x1 gif collect my email address for AT&T?


Not only that - I signed up from work. I used Mailinator for the e-mail address. And any calls that come in from the telemarketers now cost 11,000.00 to call - so I have no idea why this would be an issue.

BTW - Pepsi did announce that they were sending twelve packs of their product in return for being able to bypass the DNC list - Me? I have no problem with that - Before the DNC all I got was an annoying telemarketer that I got to harrass with the Judge Judy Soundboard - NOW - I'll be getting a twelve pack of Pop, and STILL be able to harass them with annoying sound blurbs.

Re:should be called

[00420]

BTW - Pepsi did announce that they were sending twelve packs of their product in return for being able to bypass the DNC list

I've never been called by a telemarketer representing Pepsi. They must already know that I prefer Pepsi over Coke*.

*This is not an advertisement. Please do not try Pepsi just because I like it.

Re:should be called

How can a glass be full to begin with?

Re:should be called

Just remember, there is no glass.

What could this do?

The phone number would never be sent to AT&T, so all they would know is IP addresses and any cookies they set.

--
uaY erA diputS

And what would AT&T do?

Call me? And risk getting fined?

So what?

[larry+bagina]

Slashdot runs MS ads.

Re:So what?

[Kenja]

Dear God your RIGHT! Lock the doors Martha, there gona be comming for me any second now. Get out my good shotgun and push the couch up against the window. You'll never take me alive Slashdot Bastards! You or your Microsoft Overlords.

Re:So what?

[rifter]

Slashdot runs MS ads.

They also have (or had at one time) web bugs on their site... :)

Re:So what?

[NanoGator]

"Slashdot runs MS ads."

So that means you can thank Slashdot for being here. Not just by providing a scapegoat for the world's problems, but also for paying Slashdot to stay alive!

Re:So what?

[themassiah]

The concept of having a "good" and a "not-quite-as-good" shotgun scares me. Who needs more than one at a time?

Re:So what?

[wo1verin3]

>> You'll never take me alive Slashdot Bastards!
>> You or your Microsoft Overlords.

I for one welcome our Microsoft overlords.

Re:So what?

[Gherald]

> I for one welcome our Microsoft overlords.

Heretic!! FLAY HIM ALIVE!

Re:So what?

idiot idiot idiot idiot idiot!!!!

Re:So what?

[NanoGator]

"idiot idiot idiot idiot idiot!!!!" ... and for attracting stalkers.

Hello Chickenhawk. :)

Re:So what?

[Paul+Jakma]

Oh even better, Slashdot run ads for bulk-mailers and spam, sorry, "opt-in" address list resellers. Kind of ironic considering slashdot's editorial stance on spam: "Spam is evil and bad", - unless of course its money they send you rather than spam...

Re:So what?

[addaon]

"Spam is evil and bad", - unless of course its money they send you rather than spam...

Um... don't most people hold this view?

Re:So what?

[t0ny]

Just like all the hypocrits around here, they can slam MS, but its all really about the Benjamins. Once Bill's advertising people start flashing the wad, the old trashtalkers backpedal REAL fast.

Re:So what?

[metlin]

Its funny you should mention this, because I recently decided that I was perhaps being paranoid and opted to have my e-mail address displayed with Slashdot's spam armour (or whatever that its called).

And I ended up getting spam in the account after just 2 or 3 postings -- this is my school account and I receive absolutely ZERO spam -- that was my first spam mail.

Perhaps it was co-incidence, perhaps it was not. Perhaps there are bots and people hovering on Slashdot harvesting e-mail addreesses. I do not know. However, the fact that the spam was a techy-spam made me all the more suspicious.

Just my thoughts.

Re:So what?

this isn't afghanistan, people can tell a joke here. it's just that some people don't catch them

Re:So what?

As you just proved.

Re:So what?

[Improv]

That's funny, I don't see any advertisements...
(looks around) .. Oh, yeah, filtering web proxy.
So easy to forget about this advertising thing :)

Re:So what?

[calethix]

" The concept of having a "good" and a "not-quite-as-good" shotgun scares me. Who needs more than one at a time?"

People always look at me funny when I make the same argument for my underwear.

Re:So what?

[Paul+Jakma]

Yes, most do. And most techies /loathe/ spam. And stories relating to spam are regulars on /. (and its the stories that bring in the readers that bring in the advertisers). So on the one hand /. editorially appear very anti-spam, but OTOH /. (or OSDN) dont have any qualms about accepting advertising money from companies in the spam business.

Its mildly analogous to a healthcare journal accepting cigarette advertisements, imo.

Nitpick

[trveler]

Just a small nitpick - the article fails to mention that only users of browsers capable of (or set to by default) showing images can be tracked by this method.

Long live lynx!

Re:Nitpick

[wankledot]

They fail to mention it because there are so few instances of that... it's not worth mentioning.

Maybe we should include a "this does not affect the .01% of tinfoil hat-wearing weirdos that use lynx" disclaimer for any article having to do with anything related to the web.

Re:Nitpick

They also fail to mention that AT&T is only a small part of the origional AT&T and that all the baby bells where once part of AT&T.

Your post doesn't make a point just states a fact. That's my point.

Re:Nitpick

[rmarll]

Just a small nitpick - the article fails to mention that only users of browsers capable of (or set to by default) showing images can be tracked by this method.

Long live lynx!

Heh moderately funny.

Almost as funny as being moderated informative.

Re:Nitpick

Bah! Just telnet to port 80.. If there's an image you need, just grab it and decipher it in your head.. Much easier to decode than the Matrix. I don't see why more people don't do it that way.

Heck, why stop there! Just watch the incoming packets and piece the pages together yourself!

Re:Nitpick

Maybe we should include a "this does not affect the .01% of tinfoil hat-wearing weirdos that use lynx" disclaimer

So I guess you've never come across Mozilla's "Accept images that come from the originating server only" setting?

Re:Nitpick

[carlmenezes]

I disagree that this is Nitpicking.

If over 90% of the browser market share is owned by Internet Explorer, does that not mean that over 90% of visitors to the Do Not Call site will be affected?

That's a major effect to me. Not a nitpick.

Just how many people do you think actually browse the internet at all times with a text mode browser? I'm asking people here - not scripts or web spiders or any such thing, so be careful when quoting numbers :)

Re:Nitpick

[(eternal_software)]

Why are comments like this still getting modded up to +5?

It's 2003, the web has images, and noone uses Lynx to browse. Stop kidding yourselves.

Re:Nitpick

[Gherald]

> never come across Mozilla's "Accept images that come from the originating server only" setting

Oh he's come across it alright, but he doesn't consider it a valid option because it makes it harder to browse for porn with Google's image search.

Re:Nitpick

[Mattcelt]

Or Opera's "load cached images only"?

I love this feature - I can load images selectively, and often will only load one or two images per page.

This is especially great with dialup, when you can save a bunch of time on graphic-intensive websites.

It even helps with my cable modem when some sites are /.'ed!

Re:Nitpick

[nicomachus]

It's 2003, the web has images, and noone uses Lynx to browse. Stop kidding yourselves.

Well, I use lynx (lynx with ssl, to be precise) all the time. I only resort to Mozilla (or occasionally Konqueror) when I absolutely have to get something from a site designed by an idiot so as to be inaccessible without the pretty picture. (You do know that lynx is MIME-aware, right?) Sometimes, I resort to links to see tables properly rendered. There's also w3m.

Plain text is faster (I use dialup connections a lot), and I can still see pictures if I really need to. I find that most of the images on web pages are just bandwidth-absorbing decorations, with little value as information (of course, I don't know what you use the web for).

As for this fellow "noone", I didn't know he used lynx, and I don't know who he is, but glad to hear about it.

Re:Nitpick

[eyeye]

I used lynx yesterday and I am a full on graphical browser guy.
I normally use links when I am in a console window but it wasnt installed.

Re:Nitpick

[looie]

Just a small nitpick - the article fails to mention that only users of browsers capable of (or set to by default) showing images can be tracked by this method.

no, only browsers with javascript enabled will pull the main image.

there is a subsidiary image that is pulled if the browser has javascript disabled, or if the browser is so old (pre javascript 1.1) that it doesn't understand javascript image arrays.

mp

More Info

[c0dedude]

I went to ftc.gov to see if such a link is standard operating procedure for them. It isn't on that site. Strange, no? Why would they track anyone who wants to stop receiveing phone ads? To make up for it in spam! :-)

Re:More Info

[WTFmonkey]

Fine by me. Spam's a lot easier to filter than telemerketers.

Re:More Info

[wankledot]

right, since they can spam me if they know my IP and that fact that I'm using a Mac.

I know you're just joking around, but I don't see how this related to spam in any way, in fact, I don't see how it related to the DNC list, they can't gather any data from me loading that image that points to me as Tom Smith, (206) 555 -1486, tsmith@foo.com. So who cares, really?

Re:More Info

Whatever happened to callerID and turning off the ringer on the phone? ;)

Re:More Info

[Breakfast+Pants]

they get your IP. at&t also functions as an isp. if you are one of their customers they could line up your IP at x time with Tom Smith, (206) 555 -1486, tsmith@att.com.

Re:More Info

[d34thm0nk3y]

They get your IP as well... Not that that is necissarily a cause for concern.

Re:More Info

[wankledot]

That's information they already have. Do you think they're going to bug a website to get an IP for a customer they already have a record of? Comcast has my phone number, IP address, real address, hell... even my credit card!

And anyone that things they would call them or do anything else in some bizarre form of retribution for being on the DNC list is just... well... a nutball.

Re:More Info

[chedderslam]

Your computer is broadcasting an ip onto teh interweb!!!!11! /click here

Re:More Info

[baudilus]

Being that this do not call registry (technically) links e-mail addresses to phone numbers, I can almost believe your conspiracy theory, but I have a thought of my own: If you look on the first page, it says if you register after October 1st, the telemarketers have 3 whole months to call you before you can lodge a complaint. This list sounds like a great deal for companies looking for new people to call, ironic as it may seem.

But where is it?

[EggMan2000]

I can't find the referenced att pixel in the html. Is it on the actual DNC list? only see the page saying the list is closed.

Re:But where is it?

[Nerull]

From the 'list is closed' source:

<noscript>
<img BORDER="0" NAME="DCSIMG" WIDTH="1" HEIGHT="1" SRC="http://g6589dcs.nyc2.aens.net/DCS000003_6D4Q/ njs.gif?dcsuri=/nojavascript">
</noscript&g t;

Oh NO! A tracking pixel!

[DrEldarion]

I don't really see where this is cause for alarm. For all we know it could be a counter.

Anyways, what's the worst that could happen? AT&T knows which web browsers people use and what resolution they're at? Oh no!

-- Dr. Eldarion --

AT&T is more than a phone company

[pudding7]

Maybe the site is hosted by AT&T, maybe they contracted AT&T for some managed servers and DB support. Maybe AT&T is doing nothing more than generating traffic reports for the FTC. Or, maybe AT&T is collecting all the phone numbers to sell to a subsidiary so they can call them during dinner time!

Re:AT&T is more than a phone company

BINGO!

Yes, I checked, you posted before the poster in the link above.

Re:AT&T is more than a phone company

[JayBlalock]

Then why doesn't the FTC own up to it? I agree, simple user tracking would be a completely legitimate use for the "bug" - but if that was the case, they'd be completely up-front about it, wouldn't they?

Then again, in this government, it seems nebulous quasi-denials that sound suspicious are the defacto norm...

Re:AT&T is more than a phone company

[Doobian+Coedifier]

Maybe the site is hosted by AT&T, maybe they contracted AT&T for some managed servers and DB support.

Maybe you should read the article.

Re:AT&T is more than a phone company

[pudding7]

How do you know I didn't read the article? And if I didn't, why should I?

Not a peep...

Conspiracy? What are you talking about?...I signed up for the not call list and my phone hasn't ru...oh wait, hold on, there's someone on the other line I'll call you back...

Kibo?

[kaden]

Kibo is submitting to Slashdot? Party like it's 1989!

Re:Kibo?

[joe_bruin]

wow, the same kibo of usenet fame now graces slashdot.
for those of you not familiar with one who has been once declared a "USENET Deity", here's a brief article describing the man, the myth, the legend.

Re:Kibo?

[RevMike]

wow, the same kibo of usenet fame now graces slashdot.

No, you are thinking of Joel Furr.

Re:Kibo?

[Jah-Wren+Ryel]

No, it isn't the same Kibo. Personally, I'm waiting for B1FF!! to show up.

Re:Kibo?

[KodaK]

This is Slashdot, if you wanna find B1FF!!!11 read comments at -1. He's been here all along.

Re:Kibo?

[dukerobillard]

But has anyone seen Xibo recently?

Re:Kibo?

[CvD]

Damn... I've always wondered about Kibo. Nice link. Very informational. :-)

It's a managed service.

So they use this to manage it. DUH.

Typical YRO baby-poo. It was better when YRO just output RSS ban messages.

IP / Phone Number Database

[Bitwick]

... or just maybe AT&T is trying to link your phone number to your IP address. Imagine what you could link up with that kind of cross referenced database. That is scary!

Re:IP / Phone Number Database

Yeah, they could get one of the dozens of ip's that a dialup user might be assigned when they call in and link it to..... ummm.....

Well, they could get your geographical location and ISP and then pay some money under the table to get your personal information and then link your ADDRESS TO YOUR PHONE NUMBERS!!!!! ... Wait a second... *flips through a phone book* ... those evil Bastards! They are farther ahead of us than we thought!!!

Seriously though, it is this kind of tinfoil hat article that makes me weep for the future of slashdot.

Re:IP / Phone Number Database

it's hadrly a tinfoil hat article. Everyone in my university has thier own IP address that only changes once a year, and I'm sure many more places do the same thing.

There it is!!!

[EggMan2000]

It is http://aens.net/

Att Managed Services. I assume that it the ISP that is hosting this site or something?

Re:There it is!!!

[jsprat]

And it is inside a tag, which will only be fetched if javascript is disabled. Lynx and links will only fetch it if you ask them to.

It looks like its purpose is tracking how many people surf with javascript disabled.

Re:There it is!!!

[ericspinder]

Nothing to see here; please move along...

Web bugs need to have a unique image name (or directory or query or whatever) or else everybody behind a proxy would apprear to be the same user. We all seem to be getting the same address.
Also I noticed that the <head> tag contains a javascript file called WebTrendScript.js. For those who haven't used it WebTrends is a common web log harvester. However it is interesting that I cannot seem to download that file.

<tinfoil shape="hat"> They do however, have your IP address </tinfoil>

Re:There it is!!!

[kevinale]

That NOSCRIPT tag is only called if javascript is off.. Otherwise in the WebTrendScript.js that it imports (www.donotcall.gov/WebTrendScript.js) it DOES create a unique URL to pull an image in this offending line:

.
.
var P ="http"+(window.location.protocol.indexOf('https:' )==0?'s':'')+"://"+TagImage+"/dcs.gif?"; .
.

Re:There it is!!!

[kevinale]

well as a follow up.. it's actually THESE lines:

var P ="http"+(window.location.protocol.indexOf('https:' )==0?'s':'')+"://"+TagImage+"/dcs.gif?";
for (N in DCS){P+=A( N, DCS[N]);}
for (N in WT){P+=A( "WT."+N, WT[N]);}
for (N in DCSext){P+=A( N, DCSext[N]);}

dcs_createImage(P); // this line pulls the image from the server

Deceit?

Could this plan be as deceitful as Michael Moore's Bowling for Columbine?

ATT has the contract to impliment the DNC

[Christopher_G_Lewis]

Um...

AT&T Government Solutions Will Operate Do-Not-Call List

Re:ATT has the contract to impliment the DNC

[edrugtrader]

dead on.

there should be no more posts to this story, and "simoniker" (who the fuck is simoniker) should be squarely kicked in the balls.

oh no, AT&T wants to gather the browser versions and screen resolutions we are using on a different server... EVIIIIIIIIIIIL.

Re:ATT has the contract to impliment the DNC

[phutureboy]

oh no, AT&T wants to gather the browser versions and screen resolutions we are using on a different server...

Is it possible to determine the screen resolution with a hidden single-pixel gif?

I know it can be done with Flash, but can't see how it could be done with a regular .gif.

Re:ATT has the contract to impliment the DNC

[edrugtrader]

the common way is to request a script that will generate and return a 1x1px image but pass in the width and height of the browser pane or screen using javascript or java.

then on the server side, associate that data with their session.

personally if you have to do this, i believe you are designing your site wrong.

Re:ATT has the contract to impliment the DNC

[studpuppy]

I asked my wife about this, as she worked for AT&T implementing their consumer web site. Her reaction to the questions "wouldn't this give AT&T advance notice that they have 3 months to establish a relationship with these *specific* individuals?" was "Ha! It would take the consumer group 6 months to find out that AT&T even had a Gov't solutions group, and at least 6 more months to figure out how to transfer the information" So it looks like we are safe.. the right hand and left hands of AT&T probably don't realize they share the same body.... (of course, she loved the idea posted elsewhere here that encourages others to include the line of wb bug code into their own websites, and let AT&T track their stats along with DNCs...)

AT&T has the server logs!

The article says, "The FTC confirmed that AT&T Managed Services is its contractor, and hosts the website."

They don't need a 1x1 image to track usage... they have the server logs!

Re:AT&T has the server logs!

[Dark+Lord+Seth]

The admin has access to the system logs, yes.

However, does the person who WANTS the data has that? If the admin is a bit like me, he'll laugh at the request for access to the logs and tell the person who requested log access to take a hike and find something creative instead.

Re:AT&T has the server logs!

yes, he will heartly laugh - until he got fired. how naive are you?

Re:AT&T has the server logs!

[matthewn]

Server logs don't tell you everything you need to know if you're going to run a serious, full-service Web site -- things like what resolution your lusers are running at, etc. You need to use 1x1 shenanigans for that. Period.

Re:AT&T has the server logs!

[Back+in+Brown]

The 1x1 pixel makes it easier for them to match IP address, etc. to the phone # you submit. Matching server logs requires intelligence and time, items prob. in short supply in their marketing dept.

Re:AT&T has the server logs!

[pediddle]

As other people have mentioned, the image is inside a tag, which means it's very simply a tracker to see how many people surf with Javascript disabled. Server logs won't tell you that.

Re:AT&T has the server logs!

[Dave2+Wickham]

Err...what? People visit 1x1 gif => entry in server logs. Using 1x1 gifs is 100% based on server logs.

Re:AT&T has the server logs!

[ChangeOnInstall]

How do you determine screen resolution using an image web bug?

Re:AT&T has the server logs!

[SyFryer]

I am interested how a client receiving a 1x1 gif can tell you more about the clients environment than the logs? Unless the gif isn't a gif really?

Re:AT&T has the server logs!

You all need to have your sarcasm detectors checked, especially the moderators. This is a joke.

Re:AT&T has the server logs!

[edrugtrader]

same data but rant on an editor and get -1...

mention "lusers" and get +5...

i love this place.

Re:AT&T has the server logs!

[matthewn]

You use javascript to determine browser width and height, which are the measurements you really care about. (I forget whether js can actually get you screen res; if it can, then you can capture those values if you prefer.) Anyway, client-side javascript gets you those values, but how do you get 'em back to the server? You again use javascript to dynamically write out an image tag. Something like . You put width=1 and height=1 in the image tag as well so that the 404ed image doesn't show up on the page -- but the 404ed image call appears in your logs, and presto, you've got information about how big your users' browser windows are. It's a horrible hack, but it works, and it's done all over the Web.

Should anybody fret about this? I don't think so.

Re:AT&T has the server logs!

[crapulent]

Uh, what? How does loading a 1x1 GIF reveal anything about your screen resolution? It will simply be another entry in a log file, which records the URL, the IP address, the time, the referer, and the user-agent. All of those fields are present in the log of the server that's serving the main html page.

In order to determine any further info about the user, you'd have to use Javascript to get this information from the DOM, and then somehow code that into a URL which gets submitted or posted to a server somewhere. From the blurb in the article there was no such code, just a simple IMG tag.

Re:AT&T has the server logs!

[Hard_Code]

Yeah, my screen resolution sure has a lot to do with my Do Not Call registration. Should I measure my private parts and send those numbers in too? Wouldn't want them to mess up my registration you know

Re:AT&T has the server logs!

[avdp]

Oh wow, that's really clueless of you. The IP address is always available to the web APPLICATION (in a server variable). There is no need to look at the server logs to retreive the IP address. If they want to keep track of what IP submitted what phone number (as they should) it IS TRIVIAL and requires neither a web bug, or any parsing of the server's logs.

Re:AT&T has the server logs!

[NFNNMIDATA]

It's probably just an easy-cheesy way to have the hit info populated somewhere else. Why is anyone's guess.

Re:AT&T has the server logs!

[Jboy_24]

Ok, giving up tradesecrets here,

You have a image with the html (using [ instead of reg)

[img src="" name="bug"]

then you have an onload javascript command that takes the name bug and does

var bugsrc = "http://mysite/bug.gif?x=" + window.xSize + "&y=" + ...

bug.src = bugsrc

can't remember the exact window method or field, or even if this is the exact javascript, but it doesn't matter, you get the point.

then when the image loads, on your server you get the url, plus all the extra data. Now of course, instead of just checking the server logs, the .gif could actually be a perl program that `cat`s out a gif at the end. The perl program will take you IP and store it in a database with all your parameters. Now they can track what you did on this site. And if you have multiple sites, you can add all the bugs on the various sites and track an ip between them all.

All very fun, another cool trick is to have a onclose window open that loads a bug with a unique id created on page load, that way you can track how long someone looks at a page.

I can't imagine the fun before webservers cracked down and didn't spit out emails etc.

Re:AT&T has the server logs!

trade secretes? anyone can analyze thecounter.com code....

Re:AT&T has the server logs!

[evilviper]

Okay, that's all well and good, but why should it go to the ATT-owned website, rather than the FTC site, where everything else is served up?

I'm not overly paranoid, and I can't think of any malicious uses, but this certainly seems fishy, and I haven't seen one reasonably explanation of what it does.

Re:AT&T has the server logs!

I have a vague feeling he was joking :-P

Re:AT&T has the server logs!

[phr1]

Besides the headers you mentioned, requesting the 1x1 gif also sends any cookies that were set by the referring page. You can use javascript on the referring page to set a cookie containing stuff like the user's screen resolution, and then log the cookie when the browser requests that 1x1 gif. Of course if JS is disabled, as for this particular gif, you don't get the resolution that way.

Re:AT&T has the server logs!

[pediddle]

Because... AT&T built and hosts the website. It's probably going to the same server farm anyway, as evidenced by a traceroute somebody else posted here. AT&T (at least the web-hosting department, within legal limits) already has access to all the server logs and data, so what's the difference?

Re:AT&T has the server logs!

[ChangeOnInstall]

Thanks for replying...didn't think about that at all. I've actually written JS code to send this info back before, but never though of using an image. Makes a great deal of sense though. You wouldn't have to deal with a 404 either, just build up a URL-encoded paramter string and make a request to a service that hands back a blank GIF.

Re:AT&T has the server logs!

[evilviper]

It's probably going to the same server farm anyway, as evidenced by a traceroute somebody else posted here.

Ah ha, good point. (I didn't see that traceroute posted)

Doesn't seem like the best idea to me. As a webmaster, you should definately try to reduce the number of DNS lookups as much as possible.

You are right, it does seem innocuous.

Re:AT&T has the server logs!

From what I remember, tags specify whether your browser supports script, not whether it's turned on.

Re:AT&T has the server logs!

[colinleroy]

Serious ? I can't think of any serious website that needs to know its visitor resolution to serve content. In fact such things are more an indication of lack of seriousness.

Re:AT&T has the server logs!

[pediddle]

Good point, I think you might be right. If so, I hope AT&T knows that, or else their interpretation of the results will give us more crappy javascript websites for years to come!

Re:AT&T has the server logs!

[matthewn]

How is it an indication of lack of seriousness to ensure that your users have a good experience?

Look. You don't *need* to know these things to serve content, and of course you try to design a site to look good and work well in any sized browser window, but if you care about your users, you test in an environment similar to theirs, just to check up on their experience. To do that, you have to know what their environment is.

Re:AT&T has the server logs!

[Fastolfe]

This isn't correct. In this case (as is usual for "web bugs"), the image is hosted on an entirely different server. Security policies restrict JavaScript and cookies to the server hosting the requested page. Since these images are on another server, cookies set via this page (or via JavaScript) could not be sent or interact in any with this image on another server.

However, you could use JavaScript to add parameters like screen solution or other interesting bits to a 1x1 pixel URI and make that request.

The worst telemarketers...

[Soulfader]

...are the damned phone companies. In our first apartment, 1 out of every 3 calls was Qwest offering us new services. That was the only DNC list I've ever felt the need to be put on.

I can't fathom what they think they might do with this information, though. Maybe my mind isn't quite twisted enough...

Re:The worst telemarketers...

[M.+Silver]

I've got the same problem. I've been answering the phone in the church office for a few months now, and I get probably one call a day from a phone company. And I'm only there for two or three hours.

I tell them "No, we run DSL on that line, and we've got a one-year contract with our Internet service provider," and that pretty much takes care of it. They don't ask when the contract will be up, or whether the ISP cares who runs the voice service.

I suppose "businesses" can't opt in to the DNC.

Re:The worst telemarketers...

[platipusrc]

If you want a specific company to quit calling, you can still ask them to put your company phone number on their company specific DNC list. It is legally binding for them.

Incest?

[rlandrum]

Big Brother and Ma Bell in cahoots? Say it's not so!

I'd be willing to bet that after the collosal failure of the FTC site after launch that the FTC sought the hosting services of a more robust entity. AT&T probably said "IT" first.

I did a whois on the tracking pixel code

[colenski]

Conspiracy theorists, go nuts. Registrant: AT&T Enhanced Network Services (AENS6-DOM) POB 919014 San Diego, CA 92191-9014 US Domain Name: AENS.NET Administrative Contact: CERFnet (CA597-ORG) cerf-admin@CERF.NET PO BOX 919014 SAN DIEGO, CA 92191-9014 US 619-812-5000 Technical Contact: AT&T Enhanced Network Services (CERF-HM) hostmaster@ATTENS.COM AT&T Enhanced Network Services P.O. Box 919014 San Diego, CA 92191 US 858-812-5000 fax: 858-812-3990 Record expires on 28-Jan-2012. Record created on 08-Oct-2002. Database last updated on 8-Oct-2003 18:18:32 EDT. Domain servers in listed order: NS-WEST.CERF.NET 192.153.156.3 NS-EAST.CERF.NET 207.252.96.3

Here's the HTML

Here's the URL for the "Bug" that they are speaking about I hope this line is longer than that filtered by the "lamness" filter.

Too bad they also get the referred, otherwise one could ramp up the counts on this from weird places.

http://g6589dcs.nyc2.aens.net/DCS000003_6D4Q/njs .g if?dcsuri=/nojavascript

Putting on my tinfoil chapeau

Your e-mail address can be nearly anonymous, but once you confirm a DNC entry from an e-mail; you might as well dump that address from a privacy chain. The government has now linked your e-mail with your phone and through that your physical address. Even if you use a free e-mail service and lie on the service's application; you're now linked at the government level through your own confirmation. Sneaky, huh?

I'm not saying there aren't other ways to track you down, but to just give away a piece of your privacy is a bit much, yes?

The real question

[b1t+r0t]

Kibo is the one who found this?

In that case, what everyone really wants to know is: "Is AT&T allowed ?

Re:The real question

[RevMike]

Real men don't go to kibo.com, they contact kibo through kibo@world.std.com.

Kibo # 66

AT&T is owned by spot, so it is not allowed.

Re:The real question

[YOU+LIKEWISE+FAIL+IT]

Kibo is the one who found this?

Yeah, they must have put put "kibo" in the ALT tag or something, I guess.

--YLFI

But....

[MobileDude]

It's just a tiny, wafer-thin image...

(please review Monty Python Meaining of Life prior to modding down)

Re:But....

[pboulang]

Please do not use any more Monty Python humor. That wasn't in the least bit funny. John Clease is coming to kick your ass.

Re:But....

[MobileDude]

>>John Clease is coming to kick your ass.

It wouldn't be the first time.....

Re:But....

.... but you're not Mr. Creosote!

Over rated

[Dorothy+86]

Ok, so there is a "tracking bug" on the FTC do not call list that links back to AT&T. Well, it could be used for FTC tracking purposes, since AT&T hosts them. It possibly gets info on where they came to the site from, etc. This is all overrated.

Re:Oh NO! A tracking pixel!

[Kenja]

Sure, it seems like nothing now. But once all the Opera and Mozilla users have been rounded up, put into camps and executed it'll be too late.

AT&T is a huge corporation

[dcocos]

I'd be willing to be that AT&T hosting people don't even know that the AT&T phone people exist.

Re:AT&T is a huge corporation

[southpolesammy]

As someone who used to run www.att.com, I think I can safely say that they know each other.

Intimately.

Whack a mole

[ninthwave]

For no reason other than curiosity what would happen if the slashdot users went to this web page

http://g6589dcs.nyc2.aens.net/DCS000003_6D4Q/njs .g if?dcsuri=/nojavascrip

and hit reload or refresh as many times as possible in the browser of choice and to see if the slashdot effect would happen on a 1x1 gif. I don't think it could happen but who knows is it worth doing????

Re:Whack a mole

[herrvinny]

Here's a link: Link. I'm refreshing as fast as possible....

So?

[Faust7]

Why do they need a 1x1 pixel tracking bug to maintain a Do-Not-Call list? Aren't the telephone numbers of the participants sufficient? What reason directly related to the administration of this list is there for this? If the answers to these questions were obvious, the Register (to give them the benefit of the doubt) wouldn't be asking them.

Re:So?

[Christopher_G_Lewis]

The web bug is to http://g6589dcs.nyc2.aens.net

Aens.net is
AT&T Enhanced Network Services (AENS6-DOM)
POB 919014
San Diego, CA 92191-9014
US

Which is basically AT&T Managed Services.

I'm assuming its a bug to make sure the site is up and running...

Course I could be wrong, and it is a part of a national conspiracy to make my dinner get cold.

Re:So?

Well, I guess they want to be able to monitor the site to make sure it's working correctly. Sounds reasonable, once you know they are the contractor. What do you think they are using it for?

BTW, The Register seems the be The National Inquirer for nerds. I don't believe anything they say without a second source.

Re:So?

[DAldredge]

Well, the could monitor the damn server directly, see as they run it and all.

There is NO need to track the users of the site. None.

Re:So?

[ukyoCE]

It could easily be to prevent someone from writing a script to add every number in the phone book to the list. They may have a flag get raised if for instance one ip address adds 100+ phone numbers

Re:So?

> There is NO need to track the users of the site

The whole point of the site is to enter your name and phone number. What more tracking could they possibly do?

Re:So?

[avdp]

Humm... I hate to point this out to you, but the site requires you to enter you name, email and phone number. And the web server log already has your IP address. I think that if AT&T had some nefarious plan, I don't think a web bug gives them anything they don't already have.

Re:So?

There is NO need to track the users of the site. None.

Except for the fact that THIS IS THE ENTIRE POINT OF THE SITE.

Do you expect them to operate a national do not call registry without taking any information about the user?

Hmmm

[NeoSkandranon]

Checking the page info with moz Firebird...i don't see it. Maybe they got rid of the thing?

Re:Oh NO! A tracking pixel!

Good riddance! I'm tired of the elitist bastards.

Ahem...

[inertia187]

Will someone please tell me what would prevent a telemarketing company outside the US from obtaining this very accurate list of phone numbers?

Re:Ahem...

Nothing, considering they will be getting it on cd from the FTC in order to comply with the program if they are conducting buisness within the US, just like every other telemarketing company.....

Re:Ahem...

[keesh]

From most countries it costs a fair bit to call the US... So probably not worth the money.

Re:Ahem...

[outZider]

Not much, they're running IIS on Windows 2000. ;)

Re:Ahem...

[NeoSkandranon]

Long distance charges.

Re:Ahem...

Will someone please tell me what would prevent a telemarketing company outside the US from obtaining American phone books?

Re:Ahem...

[JayBlalock]

Hey, better yet, let's combine it with the "809" Telephone Scam. People on that list are going to assume any business call left on their machine is legitimate - OR else be calling to get the ID of the company so they can sue. They'd make millions. (look here for info on the basic scam)

Re:Ahem...

Does the Federal Trade Commission care about companies outside the US? I could understand NAFTA, but not FTA.

Re:Ahem...

[edrugtrader]

i just found this list on a soviet russia telemarketing list... i think they already got it!

(408) 100-0000
(408) 100-0001
(408) 100-0002
(408) 100-0003
(408) 100-0004
(408) 100-0005
(408) 100-0006
(408) 100-0007
(408) 100-0008
(408) 100-0009
(408) 100-0010
(408) 100-0011
(408) 100-0012
(408) 100-0013
(408) 100-0014 ... ...
seriously, this goes on for pages!

Yes, and I'm sure ...

all of the 7 people out there still using lynx are feeling mighty vindicated about not jumping on that crazy "graphical browser" nonsense.

Re:Yes, and I'm sure ...

all of the 7 people out there still using lynx ...

Or those using Mozilla's "Accept images from originating server only" setting

Re:Yes, and I'm sure ...

[austad]

That's not funny, I use lynx to browse pr0n at work.

Re:Yes, and I'm sure ...

[Foolhardy]

What... ASCII pr0n??

Re:Yes, and I'm sure ...

Erotic stories?

It doesn't...

Back when you could register online for the DNC list; they asked for an e-mail address in addition to the phone number you wanted blocked. What reason would the government or AT&T have for wanting that e-mail address, much less linking it to a phone number, and through a directory of phone numbers a real name and physical address? One wonders...

tin foil cap time.

Re:It doesn't...

[kcornia]

I can say with certainty however, that they do NOT ask for your e-mail when you put your number on the list via telephone.

Re:It doesn't...

[D'Sphitz]

because you have to verify your email address, presumably so people don't go through randomly registering phone numbers, or perhaps automating the registration of every phone number.

huh?

[scovetta]

How is this a problem? The URL is not dynamic, so unless there is a back-end conspiracy between the dnc list and AT&T, what the hell is AT&T going to do with 50 million IP addresses? They can't look them up to people unless they get info from elsewhere. If AT&T and the dnc list were sleeping together, then the dnc list could give AT&T the IP/name/phone/etc ANYWAY, and that would be a MAJOR betrayal of trust. It's probably just for web-traffic analysis-- pretty standard these days, so the dnc people can say, ooh, 3000 people per second are signing up, and the such.

Re:Oh NO! A tracking pixel!

[wankledot]

You LOSE! ;)

hm...

[kevin+lyda]

does kibo do /.?

just curious...

The Kibo guy is a dick

[dcocos]

The whole if you have web tv page will crash your browser on a PC. The question is do you have a web tv? The answer is yes, but I'm not surfing with it right now

ATT = host

Mod parent up.

Re:Oh NO! A tracking pixel!

[c0dedude]

I know you're joking, but that information is really valuable. On a page with that many hits, a survey to be used in web design could be quite accurate of the general population and could likely be sold for quite a bit. Bet that wasn't in the contract... I'm not saying it is, or is going to be, but it could.

Re:Oh NO! A tracking pixel!

[Wyzard]

And what IP address they came from, which can tell them the ISP, geographic location, and potentially other sorts of demographic information.

If the user has a tracking cookie from AT&T, that'll be sent back as well, which could potentially provide a link to personally-identifiable information. For example, if you pay your AT&T phone bill online, you could get a cookie that way. Then when you visit the DNC site, AT&T knows exactly which of their customers it was.

Not for "tracking"

[Bretski]

The last few hops of a traceroute to the 1x1 image at g6589dcs.nyc2.aens.net:

10 tbr1-cl1.n54ny.ip.att.net (12.122.10.1) 131.906 ms 95.429 ms 104.953 ms
11 gar4-p300.n54ny.ip.att.net (12.123.3.2) 89.893 ms 101.538 ms 101.920 ms
12 mdf16-gsr12-2-pos-7-0.nyc2.attens.com (12.122.255.214) 101.880 ms 182.536 ms 104.979 ms
13 mdf18-bi4k-2-eth-1-1.nyc2.attens.net (63.240.0.222) 92.881 ms 191.542 ms 104.929 ms

And the traceroute to the site itself:

10 tbr1-cl4.wswdc.ip.att.net (12.122.10.29) 96.025 ms 89.429 ms 89.945 ms
11 gbr5-p10.wswdc.ip.att.net (12.122.11.170) 92.848 ms 86.531 ms 89.952 ms
12 gar3-p360.wswdc.ip.att.net (12.123.9.65) 89.904 ms 89.535 ms 86.961 ms
13 mdf1-gsr12-1-pos-7-0.wdc1.attens.net (12.122.255.182) 89.883 ms 89.537 ms 89.938 ms
14 mdf1-bi8k-2-eth-2-1.wdc1.attens.net (63.240.192.250) 101.848 ms 101.584 ms 101.936 ms

They look similar, no? AT&T hosts the site, and the image isn't necessarily a "tracking" image at all. To jump to this conclusion is a bit paranoid.

Re:Not for "tracking"

[NotAnotherReboot]

There is no reason to have a 1x1 pixel image except to track usage. Whether this is shady or not is up for debate; AT&T is contracted to run the site.

Re:Not for "tracking"

Bretski@subfloor17.hq.fbi.gov wrote:

They look similar, no? AT&T hosts the site, and the image isn't necessarily a "tracking" image at all. To jump to this conclusion is a bit paranoid.

Just why are you so eager to make us think we're a bit paranoid?

Re:Not for "tracking"

[valkraider]

Unless it's a really cool image for people with really low resolution monitors...

Re:Not for "tracking"

i for one shared and enjoyed your humor-joke

Re:Not for "tracking"

[jafiwam]

I'd like to point out a reason why someone might put a 1x1 pixel gif in a web page.

Not all versions of IE and Netscape (especially the versions earlier than 4 and 5 of both) render table cells correctly unless there is an object in the cell. Sometimes the cell border is not drawn, or the size specification of the cell is ignored by the browser (which then in turn messes up the layout). So a single-pixel, transparent gif or a non-breaking space character can be put in the cell to make it behave. As a occasional HTML and web page designer, a single pixel gif is a good tool to have around.

In this particular case, it is easy to assume that something illicit is intended, but the presence of the <noscript> tag makes me think that it is an attempt to track what the ratio of JavaScript vs. non-JavaScript enabled browsers visit the page. This web page has had many more visitors and induced many people that may not have the latest and greatest stuff, whomever designed it is probably just trying to figure out what fancy whiz bang tools they can get away with.

Depending on their server set up they may be simply dumping the logs, or have several of the things in the site to generate specific information. (50 million numbers, times 1.2 for revisits, times the number of objects on the page, is one hell of a lot of bits in a log file.) They could have used different hostnames for images to host them on different physical machines, or whatever to break that up.

Note, that it is trivial to set up a virtual folder to point to a separate machine to do the same thing, without using a different hostname. So if it is a tool to link up phone numbers with IP addresses and email addresses (really that's all it would do) then they didn't put much effort into hiding it.

Has anybody thought of ASKING THEM why the thing is there?

I prefer Occam's razor, the simplest explanation is also the most likely one to be true.

Some news from the future

[Rosco+P.+Coltrane]

Sept 11, 2004 - US-AT&T-DHS - On the day of the 3rd anniversary of the Al Qaeda attack on the United States, the head of the US Dept. of Homeland Security Adolf Hitcroft announced today "new levels of cooperation between major telcos and the [Department]". The DHS has revolutionary new software tools to connect "suspicious internet activities with actual people", Hitcroft said, without revealing more details due to the recent new Government Secrecy Act.

Re:Some news from the future

I actually thought right away that this whole Do Not Call list is another Fatherland Security function disguised as a consumer perk.

I mean, how come it took them soo long? This telemarketer problem has been there for 20 years. And did you notice how quickly it made it through Congress?

What better way to get people to call in with REAL information (maybe even voice prints). On any other Gov't document, the average citizen may allow errors or lies to be submitted (think Taxes or even your driver's license address). But for the Do Not Call list --- the consumer wants that info to be PERFECT.

AT&T Runs the site!

IIRC, AT&T runs and hosts the site for the FTC - there's no way they could do it themselves... And the webbug is probably part of the standard configuration...

No it ought not to be there, but I assume they are all over the friggin place, and run WebWasher to filter them...

AT&T does in fact manage it

[Qbans]

I remember seeing one of AT&T's agents concerned about the amount of E-Mail being generated from the site and posted it on NANOG (North American Network Operators Group) which you can see here. I don't really think that there is any "shady" tactics going on here, I think it's more for one of their in house monitoring apps, especially considering the amount of traffic that they received initially.

Good grief!

In soviet russia the web bugs track AT&T!

Everyone, don your Linux-based tinfoil hats!

Re:Oh NO! A tracking pixel!

[Kenja]

For all you know I could have been talking about the Japanese occupation of China, the US handling of accused terrorists, the US imprisonment of American citizens of Japanese descent or any other instance of mass imprisonment. Nothing said has anything to do with Goodwin?s Law, so bugger off ya Nazi. Oh dang.

check the privacy policy

[I+Want+GNU!]

First off, they can log information with or without these "web bugs." I know this because I run my own websites and I track visits because I like knowing how much traffic I'm getting, with what terms, etc.

Given that, this article is useless.

But even more so, if you go to the site it says at the bottom:

This site is operated by Consumer.net and is not operated or controlled by the US Government or the telemarketing industry
Consumer.net testified at Federal Trade Commission Workshops for Internet Privacy in 1997 and the "Do-Not-Call" Forum in 2000.
Consumer.net authored a paper for an Online Profiling workshop at the Department of Commerce in 1998.

The Consumer.net Privacy Policy is found at PrivacyPolicy.com

This privacy policy states:

Web Site Log Files: We site log files are generated that collect the IP Address of the visitor, date, time, and pages visited. Aggregate reports for web site visitors are generated that do not contain personally identifiable information.

Advertising reports are generated that show the IP addresses of visitors who clicked on ads. This information may be sent to the advertiser to confirm the number of "click-throughs." The advertiser normally already has this information as a result of the user clicking on the adverstisement. No additional information about the visitor is supplied to the advertiser. The log files are eventually deleted.

There. Case solved. Stop being paranoid about such silly things. If you want to be paranoid, be paranoid that the MPAA might accidentally associate your IP with file sharing even if you don't file share, or be paranoid that John Ashcroft is using the PATRIOT Act or Patriot Act II (to be introduced in Congress soon) to spy on you for reasons unrelated to terrorism (as he has done). Better yet, donate some money to the ACLU to protect your civil liberties or to the EFF to protect your electronic freedoms.

Re:check the privacy policy

[oGMo]

There. Case solved. Stop being paranoid about such silly things. If you want to be paranoid, be paranoid that the MPAA might accidentally associate your IP with file sharing even if you don't file share, or be paranoid that John Ashcroft is using the PATRIOT Act or Patriot Act II (to be introduced in Congress soon) to spy on you for reasons unrelated to terrorism (as he has done). Better yet, donate some money to the ACLU to protect your civil liberties or to the EFF to protect your electronic freedoms.

I agree. People need to be far more discerning in their paranoia. If we yell "the sky is falling" everytime someone logs trivial information, no one will listen when we spot the asteroid on a collision-course for our rights. (Like the ones you mention.)

Another example is the rampant and ridiculous tinfoil-hat paranoia surrounding RFID. I don't know why a crowd composed of supposed techie geeks fall for so many obviously wrong urban legends and scare stories. Maybe it's just the vocal minority.

Get a grip, people. You'll need it when things really start to slide.

Re:check the privacy policy

ACLU is too liberal, i don't want to support the North American Man Boy love Association like the ACLU does

Just because you're paranoid...

[markt4]

doesn't mean they aren't out to get you.

All this carp...

[Atario]

...is exactly why I haven't signed up (and don't plan to) with the no-call list. Seems like a giant reverse honeypot. "Get on our website [tracker bug] so you can sign up [provide all your juicy contact & demographic info] so we can make sure you don't get bothered again [make sure ultra-crosslinked, up-to-date data on you is in all our 'affiliates'' clutches so you'll never recover from the flood you're about to get]."

It's like the occasional spams I get with the subject "Tired of spam?".

I'll take filtering any day.

(On the other hand, suing the bejesus out of spammers (of the phone or email persuasion) for boucoup bucks does sound tempting...)

Copy and Paste?

[akiy]

Soooooo....

What would happen if all of us started putting the below image on all of the websites that we run?

Hmm...

<img BORDER="0" NAME="DCSIMG" WIDTH="1" HEIGHT="1" SRC="http://g6589dcs.nyc2.aens.net/DCS000003_6D4Q/ njs.gif?dcsuri=/nojavascript">

Re:Copy and Paste?

[katarn]

An even better question: What if all of us started putting this image in our slashdot signatures?

Seriously though, I don't think this image is much of a problem. On the other hand, some of the other tracking images from other services arn't so innocent: perhaps their web bugs should go on SlashDot. Hmm, on the other hand that could back fire, and give the nasty organization just that much more data to mine... and give them a view into Slashdot readership.

Could a company sue and individual for doing something like that? Would it be a violation of the DCMA or some such stupid thing?

Re:Copy and Paste?

[Electrum]

What would happen if all of us started putting the below image on all of the websites that we run?

Nothing, because if they are smart, they look at the Referer header.

Re:Copy and Paste?

[drudd]

Quite a few people filter the Referer header now. I know because I admin a blog site which is forced to limit access to uploaded files (shared images and the like) to people with local refer tags, or people will start abusing the service (hosting images/video files).

In short, you can't trust the client to provide an acurate http_refer anymore, so it's getting close to useless.

Doug

Re:Copy and Paste?

[looie]

What would happen if all of us started putting the below image on all of the websites that we run?

< img BORDER="0" NAME="DCSIMG" WIDTH="1" HEIGHT="1" SRC="http://g6589dcs.nyc2.aens.net/DCS000003_6D4Q/ njs.gif?dcsuri=/nojavascript" >

nothing, because that is part of a "no script" tag, so all you do is make it look like a lot of people with javascript disabled showed up.

mp

Re:Copy and Paste?

[blibbleblobble]

"What would happen if all of us started putting the below image on all of the websites that we run?"

At a guess, they'd change its filename.

turning on my brain

If you've got a real domain with real email, you set up an account of the form donotcall.gov@example.com.

Use that as the confirming email address, then you know who is responsible for the spam. I faked out InfoUSA just like this, Baaaaaahstids.

Turn your brain on, duuuuuuuude. Gotta go, time to turn my love light on.

Now THIS is interesting...

[MP3Chuck]

Shortly after I signed up for the Do Not Call list through the website, I began recieving calls (about 4 calls since around Sept 1, I believe) from AT&T about getting long distance service. Or I was eligable to recieve a phone card. Or something. I wasn't really listening. Since I live on a college campus there's really no reason for them to be calling.

Re:Now THIS is interesting...

[Esion+Modnar]

Which is why I'm not an early adopter of anything. Not PDA's, cellphone, digi-cams, or do-not-call lists. I wait and see how many people walk into the whirling abattoir blades, before I decide to buy or sign up.

Its to count the number of people w/o javascript..

[molo]

Here is the snippet from the page http://www.donotcall.gov/ Note that the img tag is embedded in the noscript tag. That is, this img is only loaded in graphical browsers that don't use javascript. Since AT&T has the government contract to implement the DNC list, I don't think there's anything sinister going on here, they just want a count of the number of users that don't use/enable javascript.

-molo

<noscript>
<img BORDER="0" NAME="DCSIMG" WIDTH="1" HEIGHT="1" SRC="http://g6589dcs.nyc2.aens.net/DCS000003_6D4Q/ njs.gif?dcsuri=/nojavascript">
</noscript>

And finally, monsieur, a wafer-thin mint.

[Ichijo]

KABOOM!

Warning

[nochops]

Warning:

Your computer is broadcasting an "IP Address" which others can use to track your activity on the Internet.

Gimme a break. This is every bit as lame as the above message we've all received as popup spam.

Re:WARNING

[Hatechall]

Also note: this 1x1 image, as well as not being able to load in lynx, is also not able to load using your microwave.
Unless you are using one of those web-capable microwaves, in which case I guess you can.

Re:WARNING

[Hatechall]

Unless you are using one of those web-capable microwaves, in which case I guess you can. Unless, of course, you are running lynx on your microwave.

Re:WARNING

Good fucking god, man. Why would you reply to yourself, twice? That fond of hearing your own keyboard, or just deparate for attention?

Re:WARNING

That cracked me up so much, I had to fire up Pine on the blender so I could e-mail my toaster.

AT&T hits a land mine

[soliaus]

AT&T, one of the most persistent telemarketers

Here is the real way to stop AT&T:
http://spark.ath.cx/att.htm

Re:AT&T hits a land mine

Nice try. I know better than to click on a link to the Christmas Islands when I'm reading Slashdot.

Re:AT&T hits a land mine

[soliaus]

Me too, but...ath.cx is just a dyndns domain.

Re:AT&T hits a land mine

[Excen]

WOW!!! A link to the Christmas Islands (.cx for those out of the loop) that doesn't involve a horribly stretched anus!

Kibo!!

[acxr+is+wasted]

I can't believe Kibo came up here! I LOVE Kibo!

convert!

[Mr._Anderson]

It's probably due to conversion of English numbers to metric.

Re:Oh NO! A tracking pixel!

[supun]

Oh yeah, just look at it IMG tag!!!! This is bad!!

<img BORDER="0" NAME="DCSIMG" WIDTH="1" HEIGHT="1"SRC="http://g6589dcs.nyc2.aens.net/DCS00 0003_6D4Q/njs.gif?
dcsuri=/nojavascript&name=supu n&ip=127.0.0 .1
&likes=long%20walks,ice&cream,supermodels&
dislikes=spiders,spiders,spiders&
breath=bad&cl ean_underwear=false&nose=picking" >

Kibo numbers, anyone?

[Tackhead]

> Kibo is the one who found this?
>
> In that case, what everyone really wants to know is: "Is AT&T allowed ?

I SLASHDOTTED K1B0!

Does that mean I can finally use a fractional Kibo number?

Or at least put a "K++++andahalf" in my Geek Code entry? I mean, [censored]ing Kibo's webserver is pretty close to [censored] with Kibo himself.

A Microsoft Conspiracy

[Kref1]

I just went to the site above, hit go a few times in IE and it crashed. Microsoft must be in kahoots with AT&T and offering them protection from the /. effect, hhhmmmmmm

Here's the 1x1 image in question

[carlmenezes]

From the source code of http://www.donotcall.gov/:

<span id="userHeader_lblError"><!-- Date: 10/8/2003 Time: 6:53 PM From: W3 --></span>

<br>
<noscript>
<img BORDER="0" NAME="DCSIMG" WIDTH="1" HEIGHT="1" SRC="http://g6589dcs.nyc2.aens.net/DCS000003_6D4Q/ njs.gif?dcsuri=/nojavascript">
</noscript>

.....

Re:Oh NO! A tracking pixel!

[robochan]

I wonder how long it would take to slashdot a server that's serving up a 1x1 gif...

Might be a bgp optimizer

Might be a bgp optimizer to track download speed across different links.

Re:Oh NO! A tracking pixel!

[Piquan]

I don't care what they do with those Opera/Moz freaks. I use Konqy, and they aren't going after us.

WARNING

[Hatechall]

IMPORTANT:
Also note: this 1x1 image, as well as not being able to load in lynx, is also not able to load using your microwave.

Re:Its to count the number of people w/o javascrip

[RealTimeFreeAgent]

Sir, how dare you throw cold water on my uninformed paranoia with your undeniable common sense.

Re:Oh NO! A tracking pixel!

[Kenja]

First they came for the Netscape users and I did not speak out because I was not a Netscape user.
Then they came for the Opera users and I did not speak out because I was not an Opera user.
Then they came for the Mozila users and I did not speak out because I was not a Mozila user.
Then they came for me and there was no one left to speak out for me.

If Pastor Martin Niemoller had been a Slashdot user.

Chances are...

[ElYonderboy]

YHBT. YHL. HAND.

Nothing "weirdo" about Lynx

[bkrrrrr]

There's nothing "weirdo" about using Lynx. It's very effective for many tasks, and far more efficient for using certain websites than Mozilla, et al.

bkr

routescience?

They could be using a RouteScience device.

http://www.routescience.com/technology/tec_measure ment.html

Look for the section titled "Routescience measurement techniques"

One or two frequently accessed Web pages such as the homepage or customer login page are instrumented by replacing one of the single-pixel GIF image references normally used by Web developers for spacing purposes with one that resolves to the PathControl device.

Re:Oh NO! A tracking pixel!

[LVWolfman]

It probably is a counter. AT&T is the company that the FTC contracted to host the DNC servers. That was mentioned in articles when the DNC site went up and got slammed. The articles stated that AT&T was scrambling to add extra servers to the pool to handle the unexpected load.

Re:Oh NO! A tracking pixel!

[Jon+Abbott]

But once all the Opera and Mozilla users have been rounded up, put into camps and executed it'll be too late.

I'm sure glad I'm using Safari (a Konqueror derivative)... :^)

Yawn

[4of12]

Those of us behind proxies (Squid) aren't too concerned about ATT finding 500 sign ups coming from megacorp.com .

They've probably found out that many dozens of employees at att.com have been signing up to avoid voice spam.

AT&T Won the Contract

AT&T won the contract to administer the list. It's ironic because AT&T is one of the biggest telemarketers. But this is the case with telemarketing--everyone who knows anything about it is a telemarketer. Check out SBC or Verizon, on one page, they're selling Privacy Manager to stop telemarketers; if you go to their corporate pages, they have PRI and telemarketing services.

No, I'm New Here

[New+Here]

No, I'm New Here

Re:No, I'm New Here

No, you're new whore.

Re:No, I'm New Here

ahahahah a karma whore joke hahhahah

Re:Its to count the number of people w/o javascrip

[euph436]

everyone should add that img tag to their signature lines.

The offending code

[Skapare]

From the article:

Here's the offending code:-

< IMG BORDER="0" NAME="DCSIMG" WIDTH="1px" HEIGHT="1px"
SRC="http://g6589dcs.nyc2.aens.net/DCS000003_6D4Q/ njs.gif?dcsuri=/nojavascript">

Actually, the code I found is:

<IMG BORDER="0" NAME="DCSIMG" WIDTH="1" HEIGHT="1" SRC="http://g6589dcs.nyc2.aens.net/DCS000003_6D4Q/ njs.gif?dcsuri=/nojavascript">

Anyway, here is my responding code:

zone "aens.net" {
type master;
file "disabled-zone.db";
allow-transfer { none; };
};

where "disabled-zone.db" is a zone file that has a wildcard record to give a local IP address for all name queries, for a web server that always delivers my own little 1x1 transparent GIF.

Re:The offending code

[bcore]

Have you considered just turning on javascript to block the image? :)

Re:The offending code

[Skapare]

What? And let someone take over my browser? How do I know there isn't some Javascript code to do something else nasty?

Actually, I already have the DNS setup to block several domains for things like this. It was trivial to add one more. No need to have to remember to turn Javascript on (which I wouldn't do, anyway).

But maybe MY tin-foli hat is on too tight

[orthogonal]

I'm glad this was reported, and I think it needs to be looked into more closely.

But.

There's this taunting little voice in my head wondering if somebody didn't say,

Web Developer 1: "Hey, let's add a web bug to Do Not Call page, and then we'll leak it to Slashdot."

Web Developer 2: "WTF would we want to do that?

Web Developer 1: "So when they find out about it, we can watch those Slashdot monkeys dance!"

Web Developer 2: "Yeah, yeah, dance dance dance in their tin-foil hats! Coool!"

Re:But maybe MY tin-foli hat is on too tight

[Sri+Lumpa]

Your tinfoil hat seems defective.

This webbug is actually put there to be discovered by us so that we will not suspect the existence of a far more ghastly thing lurking in the code of the DNC website ;).

Re:But maybe MY tin-foli hat is on too tight

[orthogonal]

This webbug is actually put there to be discovered by us so that we will not suspect the existence of a far more ghastly thing lurking in the code of the DNC website ;).

Cthulhu?

Gary Coleman?

Re:But maybe MY tin-foli hat is on too tight

[Chicks_Hate_Me]

Web Developer 2: "Yeah, yeah, dance dance dance in their tin-foil hats! Coool!"

So Beavis and Butthead are web developers for the DNC list? Dear god I knew there was more to this! Where's the Lone Gunmen when you need them?

Oh yea they wanna do that, how about this

[codepunk]

Just link that image into the slashdot home page. That ought to give them about 6 million worthless hits per day...

Re:Oh yea they wanna do that, how about this

[0x0d0a]

Then they just grep based on host referrer.

Re:Oh NO! A tracking pixel!

[MetalOne]

How is a tracking pixel able to send back information?

Earth calling 1972 come in please

ive heard a rumour that TV is in color now, allthough i dont think it will catch on, at least i cant see it on my set

Boy do I feel less than 'leet doing this

[be-fan]

Could somebody tell the non-web-developers in the audience how a 1x1 pixel can track you? Sounds a bit evil to me...

Re:Boy do I feel less than 'leet doing this

[(H)elix1]

Could somebody tell the non-web-developers in the audience how a 1x1 pixel can track you? Sounds a bit evil to me...

Most folks call them web bugs. The idea is the img src makes an HTTP request to a web server - the sneaky buggers then return a transparent 1x1px graphic. One the client side, it has very little impact. On the server side, you get all sorts of data you can mine from the request - browser type, os, IP, etc - usually just pulled from the log files, though some go strait to cgi (or their counterparts).

Even more interesting is sticking these into office documents. Not a guaranty, but when someone who is connected to the net opens it, its logged. Nothing quite like seeing if someone bothered to look at something, or better yet, if they passed it around....

Re:Oh NO! A tracking pixel!

[imaginate]

Count me in... Once all the opera & moz users are rounded up, where else would I want to be?

Re:Its to count the number of people w/o javascrip

[pinheadeleven]

Um, not exactly, if you look at the you'll find this:

<script src="WebTrendScript.js" language="Javascript1.1"></script>

Which is part of WebTrends' "enhanced" logging/reporting capability. Could certainly be put to ill use, but basically benign.

p11

My Personal Struggle Against AT&T Telemarketin

[istartedi]

Thanks to Google for archiving my struggle against AT&T.

Not sure if I mentioned it in the USENET postings, but I just started documenting things around Oct. 1, when DNC was supposed to go into effect. We registered our number almost as soon as DNC was available. In reality there were at least 10, perhaps even 15 calls to me from AT&T "Advantage" wireless, and even without the DNC they are still not supposed to be telemarketing me after I've informed them that I don't want to be called.

I have no prior business relationship with AT&T.

So. What did they do? They started asking for my father. He owns the land line in our house, and has AT&T long distance. Notice, that doesn't excuse AT&T--they were asking for *me*.

So today I got a call (not documented on USENET yet) and what did they do? They asked for my father. Serves them right. My father is 80 yrs old and hard of hearing. He has to ask them twice sometimes before he understands what they are saying and then of course he has no desire to get a wireless phone.

What's really funny is that half the time the calls sound like they are coming from the bottom of a well filled with sand paper and angry bees. Yeah. (sarcasm on)I really want wireless from these guys(sarcasm off).

Anyway, I didn't think /. would become the forum for me to vent my rage at AT&T, but now it is. Great. Let me reiterate: If you have AT&T "Advantage" Wirelesss, drop it and go with somebody else. If you are thinking of getting wireless, don't get AT&T. When you cancel your AT&T wireless, tell them it's because istartedi told you he hates being called.

Now, if I could just convince my father to get AT&T LD off our land line...

Re:Oh NO! A tracking pixel!

[Guppy06]

Except that us Moz users also tend to have the PrefBar Images checkbox cleared on many sites. Heck, if someone is feeling bored one weekend I'm sure they could hammer out a XUL plugin to automatically disable images (and/or Flash) in certain domains.

How about submitting the URL...

"http://g6589dcs.nyc2.aens.net/DCS000003_6D4Q/njs. gif?Question=Does%20this%20not%20violate%20the%20F TC%20Privacy%20Policy?"

ATT Persistence

[Austerity+Empowers]

I am under the impression that AT&T and other regulated telephone and airline agencies are already regulated in terms of telemarketing calls they can make and are not affected by the Do Not Call list. At least that's what the rules of the do not call list indicate.

Maybe we're just a little paranoid?

Re:Oh NO! A tracking pixel!

[Liselle]

The joke is on them. Opera lets you pretend to be any one of a multitude of web browsers. Right now, I'm MSIE 6.0, tomorrow I could be Mozilla 4.78. Technology is grand!

Image Size...

[phorm]

I wonder if you somebody could make a browser patch/feature to ignore images under size X by Y (for example, any 1x1 pixel). Of course, this wouldn't work for images without size tags (since you can't get the size without checking the image), but at least it might work for pixels.
Of course, a feature for ignoring images not linked from the originating domain would work just as nicely in most scenarios.

Re:Image Size...

[anagama]

If everyone starts ignoring 1x1 images, what is to prevent anyone from using an image that looks like it belongs on the page? There is nothing about the image itself that is special, it's all about the scripts and logging of the server that hosts the image. Anyway, these images don't have to be tiny or invisible to remain stealthy, at least from a display perspective.

Re:Oh NO! A tracking pixel!

Speak for you? Shit, I'd call the tips hotline and turn you in.

Lost distance charges

[phorm]

Will probably prevent them from calling. Seriously, do you think telemarketers would be so prolific here if it cost them $0.25/min to call? If so, it'd be hella fun to stick 'em on the line for awhile.

Re:Lost distance charges

[inertia187]

I'm in California, and I've gotten South Dakota. What's the charge for calling New York from Ontario? Well, if it does turn out to help them scam us, we'll always be able to say, "Blame Canada!"

DNC is hosted by AT&T

FWIW, the Do Not Call site is designed, hosted and administered by AT&T to the FTC's spec.

thats why

[_avs_007]

since I have my own domain, I made the email in such a way, that I will know that if I get spammed, I know EXACTLY where they got the email address from....

Web bugs are a violation of federal policy

[sakusha]

I clearly remember reading that the fedgov had implemented a strict ban on web bugs and cookies. I couldn't find the exact law, but here's an interesting tidbit from a .mil site:
http://www.defenselink.mil/nii/org/cio/doc/ cookies .html

The Office of Management and Budget (OMB) has reaffirmed (attachment 1) that it is Federal policy that each Federal agency operating a public web site, or contractors operating such sites on behalf of an agency, must post clear privacy policies at their principal web sites, at known, major entry points to the sites, and at those sites where the agency or the contractor collects substantial personal information from the public. The OMB emphasizes that it also is Federal policy that web technology, such as "cookies," should not be used at Federal web sites to identify and track the activities of web users unless a compelling need exists to collect such information, appropriate publicized procedures are established to safeguard the information, and collection has been personally approved by the head of the agency.

Re:Web bugs are a violation of federal policy

[Pionar]

This has nothing to do with cookies. It's a simple image used to find out how many people use non-javascript-enabled browsers. It's that simple. Take off your tinfoil hats, people. Besides, a federal policy is not a "ban", nor is it a law. The executive branch (which the FTC and FCC are a part of) passes no laws. They have policies and regulations. I also assume that the head of the FTC has given implied consent to any logging they need to do.

Re:Web bugs are a violation of federal policy

Read the site. "This site is operated by Consumer.net and is not operated or controlled by the US Government or the telemarketing industry
"

Re:Web bugs are a violation of federal policy

[sakusha]

Read the policy. It applies to subcontractors, and anything with a .gov domain.

No Tinfoil Here...

[Alyeska]

It's not the "conspiracy" theories or loss of my *individual* information that p*sses me off about this practice. That information is valuable, because it helps corporations exploit consumers. Instead of asking us what we want, they take a skinnerian approach, jolt us here and there, reward us with pellets, see how we react. Eventually they'll figure out a way to convince us to spend more for the same goods and services. These companies simply don't deserve the extra money, and should disclose tracking practices -- especially on a government contract....

Re:Its to count the number of people w/o javascrip

Exactly.

From the SmartSource admin guide on the WebTrends SmartSource doc site, the bug in question (njs.gif) is documented as:

Name of a valid SDC uri-stem for
hits from browsers not supporting
the scripting language used in the
SDC tag (JavaScript or VBScript). /njs.gif

Re:Its to count the number of people w/o javascrip

um,
SmartSource doc site

Name of a valid SDC uri-stem for
hits from browsers not supporting
the scripting language used in the
SDC tag (JavaScript or VBScript). /njs.gif

This Is FUD by the Telemarketing Industry

[Hiro+San]

I had more respect to the Standard before this. Tracking users is a standard practice for any company managing a website for a third party. After all they have to prove that they are performing for the client. What I am wondering is if someone at the Standard got a kickback from this. I think people need to wake up and smell the marketing Propogranda. The telemarketing industries is in fear of their lives because of the Do Not Call List, and they havea history of dirty tricks to steal money from people. Slaming being on of the more shameles examples. They are certainly not above trying to spread false new stories to increase FUD. Just think about it.

Umm did somebody forget to mention this?

[iLL_L0gic]

AT&T is a phone company. It is my understanding that phone companies are EXCLUDED from the DNC list. That means even if you're on it, phone companies can still call you.

Hmmm that explains something.

[Alpha27]

It explains why they have called me 8 times since I've signed up for the Do Not Call List.

Eh brainiac

[jhylkema]

That would be a FACTOR of ten, not a power.

(Musta gone to public school . . . )

Re:Eh brainiac

[lcsjk]

Let's see now! (5 x 10) is a factor of 10.
(5) x (1x10^1) is a ... Wait.. Hold up 5 fingers on the left hand and 1 finger on the right. Now.. wait.. I'm still confused, say it again!

FTC Spokesman

"I think you're barking up the wrong tree"

What is he trying to get at that we shouldn't be worried about it or we shouldn't be talking about it. I hope it is the first one because his ass will be with out a job soon if its the other.

Re:Oh NO! A tracking pixel!

Yeah! Those pricks and their superior browsers!

How dare they try and let us know of their positive browsing experiences and get us to dump the one true browser that MS gave us, which is holey in all ways?

No, that's not a typo

Re:ATT has the contract to implement the DNC

[hawaiianbro]

The AT&T press release does a decent job of summing up their involvement.

"...contract calls for software, applications and database development and the integration of voice services into an Internet environment."

$3.5 million is a good junk of change, but by the time you develop the application/database logic (including the simple/functional website) and integrate it all with an interactive voice response system and then pay the subcontracts... not much $ is left.

The $3.5 million contract only covered through September 2003. I assume the contract was extended (up to nine years), but I haven't seen any details on the contract extension.

Web Bugs? Not going to lose any sleep. Anyhow, I am more worried about that stupid gov't chip implanted in my head.

And I click through every one of them

[Licensed2Hack]

I kinda like the idea of MS financing /.

Of course I click through ALL MS ads on every site. I also click through other evil companies ads sometimes. My little contribution to /., et al may not be much, and it certainly won't break the bank at MS, but if everyone does it, everytime...

At least /. and OSDN can pay their utility bills...

Re:Oh NO! A tracking pixel!

[FIT_Entry1]

Well, considering ATT is hosting the sight I doubt they need a web bug to track people with ..

Why is this news?

[digitalgimpus]

http://uptime.netcraft.com/up/graph/?host=www.dono tcall.gov

It's hosted by AT&T. AT&T provides statistical services to it's customers IIRC.

Many hosting providers offer such services.

That's how the FCC is able to tell us how many vistors the site has. Without wasting all that time dealing with logs.

Checking education level?

[Charles+Dodgeson]

they just want a count of the number of users that don't use/enable javascript.

At list one study has shown (not suprisingly) that different sorts of people run without JS than run with JS.

Re:Its to count the number of people w/o javascrip

[KingTank]

I think your courier font is scanning my brainwaves.

Telemarketers can suck my disk.

[rice_burners_suck]

Hmmm... I know a lot of people who signed up for that stupid do not call thing. They hardly ever got calls before. But now, they're getting tons of telemarketing calls. Know why? Because the law doesn't take effect until next year, and in the meantime, telemarketers have access to the list. Furthermore, to show you how stupid government is: The government is now mandating that companies purchase the list of people they cannot call, and furthermore, the law says that only companies that purchase this list are affected by the law. In other words, if you don't buy the list, you can make the calls. Punishing the companies that did buy the list. Does that make any sense?

That's your tax dollars at work.

It only goes to prove that GOVERNMENT SHOULD NOT GET INVOLVED IN STUPID STUFF LIKE WHO CAN CALL WHO. Don't like telemarketers? Nobody likes them? Then run marketing campaigns all over the damn country that tell everyone to HANG UP when a telemarketer calls! If EVERYBODY hangs up WITHOUT listening to anything that telemarketers say on the phone, then guess what? THE TELEMARKETERS WON'T CALL ANYMORE, BECAUSE IT WOULD NO LONGER BE PROFITABLE ANYMORE!!!

Re:Telemarketers can suck my disk.

[morganew]

Sorry, that's just not right.

I worked (very peripherally) on the Do Not Call list, and there was some discussion as to the jurisdictional issues between the FTC and FCC, but those were dealt with. If you would like more information, go the the FTC's website which has the language of the rule, plus a layman's interpretation.

Check out the site's suspicious JavaScript

[Animats]

You can read the Do Not Call site's Javascript. Here's an excerpt:

• // START OF Data Collection Server TAG
  // Copyright 2002 NetIQ Corporation
  // V2.1
  ...
  var dcsADDR="g6589dcs.nyc2.aens.net";
  

What's that doing in there?

There's also a link to Microsoft's Intellisense web site on the Government's Do Not Call page, but that looks like typical Microsoft dreck from their page generator. The "NetIQ" stuff was put there on purpose.

All this is totally unnecessary. The pages are so simple that all this stuff is doing nothing useful.

Lynx the Hammer?

[frostman]

So, if we all just took a few minutes to surf around there with lynx, could we potentially force the company to deploy good JS-less pages?

Re:Lynx the Hammer?

[pediddle]

No, because even though lynx doesn't do javascript, it wouldn't download the image either, so the server would assume you're using a javascript-enabled browser. Sorry.

Re:Lynx the Hammer?

[frostman]

DOH!

I use Lynx regularly, and I still posted that. Where's the "Retract Embarrassing Comment" button?

This is front page news?

Oh no! A webpage has a counter? They're spying on us(!)

Seriously though, it's probably just for the developers to see how many stone-age lynx boys can't actually use the page. If it's enough they'll probably take out javascript.

Re:Oh NO! A tracking pixel!

[looie]

If the user has a tracking cookie from AT&T, that'll be sent back as well, which could potentially provide a link to personally-identifiable information. For example, if you pay your AT&T phone bill online, you could get a cookie that way. Then when you visit the DNC site, AT&T knows exactly which of their customers it was

put down that crack pipe and take a reality check. cookies can only be read from the domain in which they are issued.

it is impossible for att or anybody else to "grab" personal information from you in the manner described.

furthermore, companies like att are very sensitive to what is done with cookies because of the potential for abuse. cookies are not insecure because of what they do on your browser, they are insecure because everything that goes into the cookie goes into the server log file. they don't want sensitive information floating around the company in logs that usually are not secured.

criminy, are there any web-literate people on this site anymore?

mp

Re:Its to count the number of people w/o javascrip

[NightParrot]

And of course it will work perfectly, since no one who would disable JavaCrap would also disable image loading or anything.

Or mine e-mail addresses...

[wodelltech]

Send out tons of spam - heck, pick random addresses if you want. Embed a 1x1 img tag with a unique name (e.g., 0001.gif, 0002.gif, etc.) and correlate these names with the e-mail address you sent each to. Most users of Outlook Express will have HTML-view enabled - as soon as they preview the e-mail, you're web server will 'see' the img get referenced and voila...you've verified an e-mail address.

the panic of the lemmings

[looie]

seldom have i seen less thought go into more verbiage than in this thread.

first of all, government sites are forbidden to use cookies! DOH! period, no exceptions, end of story. there is no cookie tracking (aka permanent cookies). if it ends in .gov and it is a government agency (there are a couple exceptions, such as the federal reserve bank, which is not a gov't agency), there are no permanent cookies being served on the page.

and now for some facts and a lesson in web technology

the referenced code comes from the Data Collection Server, a product of WebTrends, which is a division of NetIQ Corp.

DCS works by collecting clientside information from javascript embedded on the page. that information is sent to a special web server at the customer end (the owner of the dcs installation, in this case, att, apparently). that server takes the url of the image and converts the query string into a log entry, w3c extended format, and writes it to a log.

the owner of the dcs installation then runs another netiq product, such as webtrends reporting center, against the log and produces reports of site activity.

these reports do not contain any personally verifiable information. anyone with a brain larger than a walnut could figure this out. how do you think they are going to process web server log files in the gigabyte size range to extract personal information?

the dcs image called in the javascript is never written to the page. it doesn't need to be. the only thing that dcs requires to work is that the image call be made with the necessary information. That information includes such dangerous items as, the name of the page (document.url), the referrer (document.referer), the browser (navigator.userAgent), the time zone (getTimezoneOffset()), the color depth of your video (screen.colorDepth) and the screen resolution (screen.width "x" screen.height).

here is an example of how the information is transmitted: DCS image URL

it's not unusual for dcs servers to serve a cookie for visitor tracking purposes. the server has an optional plugin that can be used to set this cookie. the cookie set by the dcs server contains only an identifying number that allows the subsequent log file analysis to distinguish between new and returning visitors. if a cookie is served by the dcs server, that is all it can do. more on that later.

because the image is not written to the page, "scrubbers" are worthless and it can't be detected in the browser unless you look at the code on the page. it's just att's bad luck that they left the "no script" tag on the page, which is designed to let them know how much traffic is generated from browsers with javascript disabled. since that traffic is generally less than 5% and usually in the 1%-2% range, they would have been better off to just leave out that code, anyway. as it is, the slashdot lemmings have all rushed off the cliff and are probably on their way to a psych ward for recovery. if att had left off that code, this conversation would not even be taking place! it's fairly evident that neither James Parry nor Andrew Orlowski possessed the technical skills to find the image, otherwise.

variations of this code have been in production use of some of the largest sites on the web for over 3 years. i personally know some sites that are using this technology that are among the most heavily trafficked sites on the 'net and which are undoubtedly regularly used by slashdot lemmings. i know this, because i work for netiq as a consultant on webtrends products and i have helped with the installation of the product or its maintenance for many sites around the country.

finally, for those who can stop goosestepping in the panic storm, there are simple checks that can be made on any site using javascript.

worried about cookies?
javascript:alert(document.cookie) in the address bar will show you

Re:the panic of the lemmings

[looie]

apparently, there's a size limit for the comment display and i went past it. sorry. if you hit the "reply to this" button, you see the whole comment. that looks like a bug in slashcode. for simpler reference, here's the part that was cut off:

worried about cookies?
javascript:alert(document.cookie) in the address bar will show you what cookies are being sent back from that page.

worried about dcs tracking?
load the page in mozilla's javascript debugger and it will show you all the .js on the page and allow you to look at what it does.

worried about "invisible" images?
use internet exploder v.6. among its features is the "privacy report", which will provide you with a complete list of images served on a site, whether or not they are written to the page, along with whether or not the serving of that image includes a cookie.

more information about that cookie
if we look at the privacy report in internet exploder for the do-not-call site, we find that a cookie is indeed being served by the dcs server. isn't that a violation of the gov't policy? let's find out by looking at the cookie in mozilla's cookie manager. go here to see the results.

there's an old saying: think first, then talk. it really is a shame that it isn't heeded by more people around here. but, i reserve most of my contempt for the guy who made the original report, James Parry, and Andrew Orlowski, the reporter who wrote it up. neither of these individuals did the slightest research before producing their foaming-at-the-mouth print item. i don't know if they were just lazy, or indifferent to being accurate in their reporting. either way, they have no credibility with me, and should have none with you. simply put, they are not reliable sources of information.

mp

Re:the panic of the lemmings

[tspauld98]

very well said... I'm not a moderater (IANAM) today but I would've given this post all 5 of my mod points. I wonder if folks will now realize what a doomsayer The Register really is. I find this kind of article very irresponsible. Thanks again, mp, for responding appropriately.

tims

NOT the same company

[shaunj]

AT&T the phone company is NOT the same as their hosting company. They may both be affiliated, but they can do seperate business. Common people!

Logical Explanation

[ninji]

Maybe AT&T wants to findout whos on the list as they sign up so they dont call anyone before they see an updated version of the list and have to pay that fine??? Its only logical....

att privacy statement

In addition, on some Web sites, AT&T and its advertisers may use small bits of code called "one-pixel gifs," or "clear gifs" embedded in some Web pages, to make cookies more effective. AT&T will not associate the information these software devices collect with your name or email address.

expressly stating they won't associate the gif with PII, hmmmm? But if it collects phone number isn't that PII??? Definite appearance of impropriety.

I cant believe I just added myself to the DNC

[joboosc]

oh well its good to know I'm rid of spammer even if my number gets into somebody's R&D database. lesser of the two evils

Re:Oh NO! A tracking pixel!

[Richard_L_James]

Oh no NOT another 1x1 pixel story !

I think most people either forget or simply don't know that effectively *any* webserver object that is linked to "could" be a program which performs all sorts of functions in relation to querying the web browser before serving the "expected" advertised content.

So why is it that people still keep going on and on about 1x1 pixels?

Now before I get flamed to death regarding not knowing about 1x1 pixels... A little story: I wrote an experimental webbug which I emailed to a close friend (SimonW) for a joke, basically the bug was designed to email him again to say something like "Hi, why did it take you so long to open the first email. It's now X time on X date etc". The webbug also blind copied me on all the emails every time it was activated which leads me onto a handy programming tip... If for whatever warped reason you decided to write a webbug, do make sure that you include within your design a routine to prevent excessive execution. I was feeling lazy and couldn't be bothered when I wrote mine.....

Unfortunately for me my friend Simon quickly guessed that I would have designed the script to email myself as well as him. Needless to say he cleverly got his own revenge by generating a lot of automatic emails back to me! And.... because I didn't have access to my webserver remotely at the time he launched his revenge... he had the added pleasure of me calling him up to beg for mercy as it was costing me money every time he ran the damn thing since all my emails were being sent to my mobile phone!!!!!

Which well as I'm sure the slashdot crowd will all agree served me right! Webbug lesson learnt! :-)))))

Re:Oh NO! A tracking pixel!

[Wyzard]

put down that crack pipe and take a reality check. cookies can only be read from the domain in which they are issued.

Exactly. You visit att.com to pay your bill, and receive a cookie which will be sent back in future requests to att.com. Next, you visit the do-not-call list site, which includes an image from att.com. Your browser includes the cookie in the HTTP request for this image.

This is a common technique for tracking users from site to site. It's especially effective if you're a company that serves banner ads to thousands of other websites: every one of those banner images comes from the same domain, so a unique identifier set in a cookie along with one banner image will be returned in requests for other banner images. Look at the HTTP referer and you know what site that user was visiting.

This is why some browsers now offer an option to disable loading of images from domains other than the one that the HTML page came from.

Re:Oh NO! A tracking pixel!

[looie]

Exactly. You visit att.com to pay your bill, and receive a cookie which will be sent back in future requests to att.com. Next, you visit the do-not-call list site, which includes an image from att.com. Your browser includes the cookie in the HTTP request for this image.

although that is true in particular cases, this is not one of them. (and, in addition, i don't think you can demonstrate that it is at all "common." i travel the country working on medium to large scale web sites and i have yet to see this technique being used.) it's important to stick with the facts in evidence when making decisions about how to behave in given circumstances.

first, the cookie set was not from att.com, it was from aens.net. second, as you should have seen had you read the entire comment and followed the links, the cookie was a session cookie -- it expired when the visitor session ended.

therefore, all the "what might have been" scenarios are not relevant. i am not big on conspiracy theories and generally want some evidence before concluding that something wrongful is occurring. the only thing that was wrongful in this case was some lurid opinionating masquerading as journalism.

mp