Do Not Call Site Has AT&T Stats Tracker?

hookedup writes "The Register is carrying an article about suspicious content at the FTC's Do Not Call site. It has been a runaway hit with US consumers, with over fifty million signing up to avoid spam calls from telemarketers. But the web site hides a little secret: a 1x1 pixel image tracking visitors... and where does the trail lead but to the AT&T, one of the most persistent telemarketers." However, the tipster, James 'Kibo' Parry, notes: "There isn't any evidence proving they _are_ up to anything improper, but this relationship between the FTC and AT&T fails to avoid the potential for impropriety."

should be called

[joeldg]

the "don't call me, spam me" list.. saying they are collecting millions of email from users and have a dubious privacy policy.

Re:should be called

[pla]

the "don't call me, spam me" list.. saying they are collecting millions of email from users and have a dubious privacy policy.

Agreed. So, why do Slashdotters, a group I consider more privacy-aware than most people, sign up through their website? Use the 800 number, and you don't need an email address (and you don't really "give up" any info by telling them your phone number, since they need to know it to block it anyway).

Strange. I agree completely this looks a tad bit unkosher, but a very very simple way around it exists. Use the phone, Luke!

So what?

[larry+bagina]

Slashdot runs MS ads.

Re:So what?

[Kenja]

Dear God your RIGHT! Lock the doors Martha, there gona be comming for me any second now. Get out my good shotgun and push the couch up against the window. You'll never take me alive Slashdot Bastards! You or your Microsoft Overlords.

Re:So what?

[Paul+Jakma]

Oh even better, Slashdot run ads for bulk-mailers and spam, sorry, "opt-in" address list resellers. Kind of ironic considering slashdot's editorial stance on spam: "Spam is evil and bad", - unless of course its money they send you rather than spam...

Nitpick

[trveler]

Just a small nitpick - the article fails to mention that only users of browsers capable of (or set to by default) showing images can be tracked by this method.

Long live lynx!

More Info

[c0dedude]

I went to ftc.gov to see if such a link is standard operating procedure for them. It isn't on that site. Strange, no? Why would they track anyone who wants to stop receiveing phone ads? To make up for it in spam! :-)

Oh NO! A tracking pixel!

[DrEldarion]

I don't really see where this is cause for alarm. For all we know it could be a counter.

Anyways, what's the worst that could happen? AT&T knows which web browsers people use and what resolution they're at? Oh no!

-- Dr. Eldarion --

Kibo?

[kaden]

Kibo is submitting to Slashdot? Party like it's 1989!

Re:Kibo?

[joe_bruin]

wow, the same kibo of usenet fame now graces slashdot.
for those of you not familiar with one who has been once declared a "USENET Deity", here's a brief article describing the man, the myth, the legend.

There it is!!!

[EggMan2000]

It is http://aens.net/

Att Managed Services. I assume that it the ISP that is hosting this site or something?

Re:There it is!!!

[jsprat]

And it is inside a tag, which will only be fetched if javascript is disabled. Lynx and links will only fetch it if you ask them to.

It looks like its purpose is tracking how many people surf with javascript disabled.

ATT has the contract to impliment the DNC

[Christopher_G_Lewis]

Um...

AT&T Government Solutions Will Operate Do-Not-Call List

Re:ATT has the contract to impliment the DNC

[studpuppy]

I asked my wife about this, as she worked for AT&T implementing their consumer web site. Her reaction to the questions "wouldn't this give AT&T advance notice that they have 3 months to establish a relationship with these *specific* individuals?" was "Ha! It would take the consumer group 6 months to find out that AT&T even had a Gov't solutions group, and at least 6 more months to figure out how to transfer the information" So it looks like we are safe.. the right hand and left hands of AT&T probably don't realize they share the same body.... (of course, she loved the idea posted elsewhere here that encourages others to include the line of wb bug code into their own websites, and let AT&T track their stats along with DNCs...)

AT&T has the server logs!

The article says, "The FTC confirmed that AT&T Managed Services is its contractor, and hosts the website."

They don't need a 1x1 image to track usage... they have the server logs!

Re:AT&T has the server logs!

[matthewn]

Server logs don't tell you everything you need to know if you're going to run a serious, full-service Web site -- things like what resolution your lusers are running at, etc. You need to use 1x1 shenanigans for that. Period.

Re:AT&T has the server logs!

[pediddle]

As other people have mentioned, the image is inside a tag, which means it's very simply a tracker to see how many people surf with Javascript disabled. Server logs won't tell you that.

Re:AT&T has the server logs!

[Dave2+Wickham]

Err...what? People visit 1x1 gif => entry in server logs. Using 1x1 gifs is 100% based on server logs.

Re:AT&T has the server logs!

[crapulent]

Uh, what? How does loading a 1x1 GIF reveal anything about your screen resolution? It will simply be another entry in a log file, which records the URL, the IP address, the time, the referer, and the user-agent. All of those fields are present in the log of the server that's serving the main html page.

In order to determine any further info about the user, you'd have to use Javascript to get this information from the DOM, and then somehow code that into a URL which gets submitted or posted to a server somewhere. From the blurb in the article there was no such code, just a simple IMG tag.

Incest?

[rlandrum]

Big Brother and Ma Bell in cahoots? Say it's not so!

I'd be willing to bet that after the collosal failure of the FTC site after launch that the FTC sought the hosting services of a more robust entity. AT&T probably said "IT" first.

The real question

[b1t+r0t]

Kibo is the one who found this?

In that case, what everyone really wants to know is: "Is AT&T allowed ?

But....

[MobileDude]

It's just a tiny, wafer-thin image...

(please review Monty Python Meaining of Life prior to modding down)

Re:Oh NO! A tracking pixel!

[Kenja]

Sure, it seems like nothing now. But once all the Opera and Mozilla users have been rounded up, put into camps and executed it'll be too late.

AT&T is a huge corporation

[dcocos]

I'd be willing to be that AT&T hosting people don't even know that the AT&T phone people exist.

Re:AT&T is a huge corporation

[southpolesammy]

As someone who used to run www.att.com, I think I can safely say that they know each other.

Intimately.

So?

[Faust7]

Why do they need a 1x1 pixel tracking bug to maintain a Do-Not-Call list? Aren't the telephone numbers of the participants sufficient? What reason directly related to the administration of this list is there for this? If the answers to these questions were obvious, the Register (to give them the benefit of the doubt) wouldn't be asking them.

Re:So?

[Christopher_G_Lewis]

The web bug is to http://g6589dcs.nyc2.aens.net

Aens.net is
AT&T Enhanced Network Services (AENS6-DOM)
POB 919014
San Diego, CA 92191-9014
US

Which is basically AT&T Managed Services.

I'm assuming its a bug to make sure the site is up and running...

Course I could be wrong, and it is a part of a national conspiracy to make my dinner get cold.

Re:Off by a power of ten?

[c0dedude]

You must be new here. That's only one order of magnatude. Around here, that's pretty good.

Ahem...

[inertia187]

Will someone please tell me what would prevent a telemarketing company outside the US from obtaining this very accurate list of phone numbers?

Re:Ahem...

Nothing, considering they will be getting it on cd from the FTC in order to comply with the program if they are conducting buisness within the US, just like every other telemarketing company.....

Re:Ahem...

[edrugtrader]

i just found this list on a soviet russia telemarketing list... i think they already got it!

(408) 100-0000
(408) 100-0001
(408) 100-0002
(408) 100-0003
(408) 100-0004
(408) 100-0005
(408) 100-0006
(408) 100-0007
(408) 100-0008
(408) 100-0009
(408) 100-0010
(408) 100-0011
(408) 100-0012
(408) 100-0013
(408) 100-0014 ... ...
seriously, this goes on for pages!

huh?

[scovetta]

How is this a problem? The URL is not dynamic, so unless there is a back-end conspiracy between the dnc list and AT&T, what the hell is AT&T going to do with 50 million IP addresses? They can't look them up to people unless they get info from elsewhere. If AT&T and the dnc list were sleeping together, then the dnc list could give AT&T the IP/name/phone/etc ANYWAY, and that would be a MAJOR betrayal of trust. It's probably just for web-traffic analysis-- pretty standard these days, so the dnc people can say, ooh, 3000 people per second are signing up, and the such.

AT&T does in fact manage it

[Qbans]

I remember seeing one of AT&T's agents concerned about the amount of E-Mail being generated from the site and posted it on NANOG (North American Network Operators Group) which you can see here. I don't really think that there is any "shady" tactics going on here, I think it's more for one of their in house monitoring apps, especially considering the amount of traffic that they received initially.

Re:Off by a power of ten?

[Murdock037]

Wait until the story is duped a few times, they should all add up to the right number eventually.

Re:Oh NO! A tracking pixel!

[Kenja]

For all you know I could have been talking about the Japanese occupation of China, the US handling of accused terrorists, the US imprisonment of American citizens of Japanese descent or any other instance of mass imprisonment. Nothing said has anything to do with Goodwin?s Law, so bugger off ya Nazi. Oh dang.

check the privacy policy

[I+Want+GNU!]

First off, they can log information with or without these "web bugs." I know this because I run my own websites and I track visits because I like knowing how much traffic I'm getting, with what terms, etc.

Given that, this article is useless.

But even more so, if you go to the site it says at the bottom:

This site is operated by Consumer.net and is not operated or controlled by the US Government or the telemarketing industry
Consumer.net testified at Federal Trade Commission Workshops for Internet Privacy in 1997 and the "Do-Not-Call" Forum in 2000.
Consumer.net authored a paper for an Online Profiling workshop at the Department of Commerce in 1998.

The Consumer.net Privacy Policy is found at PrivacyPolicy.com

This privacy policy states:

Web Site Log Files: We site log files are generated that collect the IP Address of the visitor, date, time, and pages visited. Aggregate reports for web site visitors are generated that do not contain personally identifiable information.

Advertising reports are generated that show the IP addresses of visitors who clicked on ads. This information may be sent to the advertiser to confirm the number of "click-throughs." The advertiser normally already has this information as a result of the user clicking on the adverstisement. No additional information about the visitor is supplied to the advertiser. The log files are eventually deleted.

There. Case solved. Stop being paranoid about such silly things. If you want to be paranoid, be paranoid that the MPAA might accidentally associate your IP with file sharing even if you don't file share, or be paranoid that John Ashcroft is using the PATRIOT Act or Patriot Act II (to be introduced in Congress soon) to spy on you for reasons unrelated to terrorism (as he has done). Better yet, donate some money to the ACLU to protect your civil liberties or to the EFF to protect your electronic freedoms.

Copy and Paste?

[akiy]

Soooooo....

What would happen if all of us started putting the below image on all of the websites that we run?

Hmm...

<img BORDER="0" NAME="DCSIMG" WIDTH="1" HEIGHT="1" SRC="http://g6589dcs.nyc2.aens.net/DCS000003_6D4Q/ njs.gif?dcsuri=/nojavascript">

Now THIS is interesting...

[MP3Chuck]

Shortly after I signed up for the Do Not Call list through the website, I began recieving calls (about 4 calls since around Sept 1, I believe) from AT&T about getting long distance service. Or I was eligable to recieve a phone card. Or something. I wasn't really listening. Since I live on a college campus there's really no reason for them to be calling.

Its to count the number of people w/o javascript..

[molo]

Here is the snippet from the page http://www.donotcall.gov/ Note that the img tag is embedded in the noscript tag. That is, this img is only loaded in graphical browsers that don't use javascript. Since AT&T has the government contract to implement the DNC list, I don't think there's anything sinister going on here, they just want a count of the number of users that don't use/enable javascript.

-molo

<noscript>
<img BORDER="0" NAME="DCSIMG" WIDTH="1" HEIGHT="1" SRC="http://g6589dcs.nyc2.aens.net/DCS000003_6D4Q/ njs.gif?dcsuri=/nojavascript">
</noscript>

Chances are...

[ElYonderboy]

YHBT. YHL. HAND.

Nothing "weirdo" about Lynx

[bkrrrrr]

There's nothing "weirdo" about using Lynx. It's very effective for many tasks, and far more efficient for using certain websites than Mozilla, et al.

bkr

Re:Oh NO! A tracking pixel!

[LVWolfman]

It probably is a counter. AT&T is the company that the FTC contracted to host the DNC servers. That was mentioned in articles when the DNC site went up and got slammed. The articles stated that AT&T was scrambling to add extra servers to the pool to handle the unexpected load.

But maybe MY tin-foli hat is on too tight

[orthogonal]

I'm glad this was reported, and I think it needs to be looked into more closely.

But.

There's this taunting little voice in my head wondering if somebody didn't say,

Web Developer 1: "Hey, let's add a web bug to Do Not Call page, and then we'll leak it to Slashdot."

Web Developer 2: "WTF would we want to do that?

Web Developer 1: "So when they find out about it, we can watch those Slashdot monkeys dance!"

Web Developer 2: "Yeah, yeah, dance dance dance in their tin-foil hats! Coool!"

Oh yea they wanna do that, how about this

[codepunk]

Just link that image into the slashdot home page. That ought to give them about 6 million worthless hits per day...

Re:Off by a power of ten?

[letxa2000]

Yeah, well to me the amazing thing in the story is that the government apparently paid AT&T $3.5 million to build the website. Have you visited the website? I've built more complex websites in a matter of weeks. Even charging $200/hour that would be easily less than $32k.

I would hope that "building" the site for $3.5 million also includes running it, ongoing maintenance, etc. Because if the government really paid AT&T $3.5 million to BUILD it and still has to pay some ongoing fee, they got ripped by an order or two of magnitude.

Government waste isn't surprising, but it's sad when it is made so obvious. A good percentage of the folks here at Slashdot could have done just as good a job for a fraction of the cost and STILL recorded a very good year income-wise.

Re:Oh NO! A tracking pixel!

[Liselle]

The joke is on them. Opera lets you pretend to be any one of a multitude of web browsers. Right now, I'm MSIE 6.0, tomorrow I could be Mozilla 4.78. Technology is grand!

Re:Not for "tracking"

[jafiwam]

I'd like to point out a reason why someone might put a 1x1 pixel gif in a web page.

Not all versions of IE and Netscape (especially the versions earlier than 4 and 5 of both) render table cells correctly unless there is an object in the cell. Sometimes the cell border is not drawn, or the size specification of the cell is ignored by the browser (which then in turn messes up the layout). So a single-pixel, transparent gif or a non-breaking space character can be put in the cell to make it behave. As a occasional HTML and web page designer, a single pixel gif is a good tool to have around.

In this particular case, it is easy to assume that something illicit is intended, but the presence of the <noscript> tag makes me think that it is an attempt to track what the ratio of JavaScript vs. non-JavaScript enabled browsers visit the page. This web page has had many more visitors and induced many people that may not have the latest and greatest stuff, whomever designed it is probably just trying to figure out what fancy whiz bang tools they can get away with.

Depending on their server set up they may be simply dumping the logs, or have several of the things in the site to generate specific information. (50 million numbers, times 1.2 for revisits, times the number of objects on the page, is one hell of a lot of bits in a log file.) They could have used different hostnames for images to host them on different physical machines, or whatever to break that up.

Note, that it is trivial to set up a virtual folder to point to a separate machine to do the same thing, without using a different hostname. So if it is a tool to link up phone numbers with IP addresses and email addresses (really that's all it would do) then they didn't put much effort into hiding it.

Has anybody thought of ASKING THEM why the thing is there?

I prefer Occam's razor, the simplest explanation is also the most likely one to be true.

Web bugs are a violation of federal policy

[sakusha]

I clearly remember reading that the fedgov had implemented a strict ban on web bugs and cookies. I couldn't find the exact law, but here's an interesting tidbit from a .mil site:
http://www.defenselink.mil/nii/org/cio/doc/ cookies .html

The Office of Management and Budget (OMB) has reaffirmed (attachment 1) that it is Federal policy that each Federal agency operating a public web site, or contractors operating such sites on behalf of an agency, must post clear privacy policies at their principal web sites, at known, major entry points to the sites, and at those sites where the agency or the contractor collects substantial personal information from the public. The OMB emphasizes that it also is Federal policy that web technology, such as "cookies," should not be used at Federal web sites to identify and track the activities of web users unless a compelling need exists to collect such information, appropriate publicized procedures are established to safeguard the information, and collection has been personally approved by the head of the agency.

This Is FUD by the Telemarketing Industry

[Hiro+San]

I had more respect to the Standard before this. Tracking users is a standard practice for any company managing a website for a third party. After all they have to prove that they are performing for the client. What I am wondering is if someone at the Standard got a kickback from this. I think people need to wake up and smell the marketing Propogranda. The telemarketing industries is in fear of their lives because of the Do Not Call List, and they havea history of dirty tricks to steal money from people. Slaming being on of the more shameles examples. They are certainly not above trying to spread false new stories to increase FUD. Just think about it.

Telemarketers can suck my disk.

[rice_burners_suck]

Hmmm... I know a lot of people who signed up for that stupid do not call thing. They hardly ever got calls before. But now, they're getting tons of telemarketing calls. Know why? Because the law doesn't take effect until next year, and in the meantime, telemarketers have access to the list. Furthermore, to show you how stupid government is: The government is now mandating that companies purchase the list of people they cannot call, and furthermore, the law says that only companies that purchase this list are affected by the law. In other words, if you don't buy the list, you can make the calls. Punishing the companies that did buy the list. Does that make any sense?

That's your tax dollars at work.

It only goes to prove that GOVERNMENT SHOULD NOT GET INVOLVED IN STUPID STUFF LIKE WHO CAN CALL WHO. Don't like telemarketers? Nobody likes them? Then run marketing campaigns all over the damn country that tell everyone to HANG UP when a telemarketer calls! If EVERYBODY hangs up WITHOUT listening to anything that telemarketers say on the phone, then guess what? THE TELEMARKETERS WON'T CALL ANYMORE, BECAUSE IT WOULD NO LONGER BE PROFITABLE ANYMORE!!!

Check out the site's suspicious JavaScript

[Animats]

You can read the Do Not Call site's Javascript. Here's an excerpt:

• // START OF Data Collection Server TAG
  // Copyright 2002 NetIQ Corporation
  // V2.1
  ...
  var dcsADDR="g6589dcs.nyc2.aens.net";
  

What's that doing in there?

There's also a link to Microsoft's Intellisense web site on the Government's Do Not Call page, but that looks like typical Microsoft dreck from their page generator. The "NetIQ" stuff was put there on purpose.

All this is totally unnecessary. The pages are so simple that all this stuff is doing nothing useful.

NOT the same company

[shaunj]

AT&T the phone company is NOT the same as their hosting company. They may both be affiliated, but they can do seperate business. Common people!