Advertising Network Caught History Stealing
jonathanmayer writes "Last week the Stanford Security Lab reported some surprising results on how advertising networks respond to opt outs and Do Not Track. This week we made a new discovery in the online advertising ecosystem: Epic Marketplace, a member of the self-regulatory Network Advertising Initiative, is history stealing with unprecedented scale and sophistication. And Epic is snooping some remarkably sensitive information, including pages from the FTC, IRS, NIH, Mayo Clinic, and more. Epic has written a response defending its practices."
Google currently owns the largest advertising network, and it will only expand (both internet wise and datamining wise) with Google+. If others can't history steal, it will put them out of business. In practice, Google's monopoly demands others to play bad. I'm not saying it's a good thing, it is bad. Just stating the facts.
Google+ vs. Facebook, and why Google+ will fail
a self-regulatory network. Just like the wall street bankers want to be self-regulatory or allow the market to be self-regulatory. It's all the same bullshit.
I got here through a series of tubes
Let's see, in the first case someone has set up a server to share files intentionally, and in the second case everyday people are having files examined or copied from their personal computers without knowledge or permission. Yup, no difference.
Alright, I read the article on this one, and, there's a divergence of evidence here. Mainly..
"We applied the methodology from last week's study to examine Epic Marketplace's opt-out practices. (Epic Marketplace was one of the eleven NAI members not included in that study.) We found that Epic Marketplace leaves its tracking cookies in place after both opting out with the NAI mechanism and enabling Do Not Track. We also found that history stealing continues after using either choice mechanism." - This one's from the study.
"Furthermore, when the user opts out, all data collection efforts cease. The student erroneously concludes that users are unable to avoid participating in segment verification because the opt-out mechanism does not delete the cookie that exists on the user’s computer. Like many other networks have pointed out already in their responses, this is misleading and inaccurate. When a user opts-out, all further collection of behavioral data from that user stops and existing profile data is deleted, even though the cookie itself is not deleted. The reason for this is simple: these cookies provide important operational information necessary for the delivery of any ad, not just targeted ads. For example, Epic Marketplace needs this data to determine how many times a particular ad has been shown to a user, and to analyze whether fraudulent activity is taking place. Ironically, in order to give effect to a consumer’s decision to avoid data collection, the cookie has to remain, otherwise advertisers have no way of knowing that that particular consumer has elected to opt-out of that advertiser’s data collection practices." - and here's Epic's counter.
These two statements seem strictly at-odds to me; the study states that the History Stealing continues to run, not just that a cookie remains as Epic seems to be saying. Epic claims the data collection stops - straight conflict here. Someone either screwed up their study, or Epic is lying, or Epic is unaware that their 'stop stealing' code doesn't actually work. It looks like they're not gathering personally identifiable or geographical location, and so are in the clear there - but now you've got a pure 'He said, she said' in terms of continuing collection after opt-out. Anyone interested in trying to duplicate this study and add some more evidence to if it continues or not?
Yes it's almost like slashdot is not in fact a homogeneous group of readers with a common opinion.
No, getting a browser history is not theft.
It may be trespassing, or some other crime, but since the owner is not deprived use of his own browser history, it isn't theft.
It doesn't matter to me much, I have my browser set to delete history and cookies every time I close it.
The difference is that piracy costs the US 750 million jobs and over $30T each year, whereas "enhanced sharing" of "sensitive" information is good for the economy.
93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
Who is this "Slashdot" you are referring to?
Your comment is particularly ironic given your sig.
Those who can, do. Those who can't, sue.
In the first case, the taking is from "someone else" so that's OK. In the second case, the "someone else" is you, so that's not OK.
to pay each advertiser one bitcoin EACH just to not target my IP address with advertisements.
It can be argued that both sides use hyperbole and rhetorical speech to enflame the masses.
If you want to be pedantic, you could say that file sharing has the consent of both parties in the sharing (but excludes the third party of the content creation side). The content was, at some point, legally purchased from the creator.
The collecting of history data by the advertiser is non-consensual. They're not claiming the third parties who purchase this information are stealing data, but rather the actual collector who has not received the consent at the initial "transaction" point of your browser.
You're not claiming copyright or intellectual property rights on your history data (you can't - it's not copyrightable) - but someone is nonetheless forcibly retrieving otherwise private data without your permission.
Is it just my observation, or are there way too many stupid people in the world?
ooo - can I have some of this magic money that appears out of thin air?
Not quite. According to Slashdot: Downloading music is a copyright violation, as per the law. Not theft. We then proclaim that the copyright laws are unethical. Often the issue in question is a contract violation with civil, not criminal penalties. BUT Getting someone's browser history is an invasion of privacy (Felony)
excitingthingstodo.blogspot.com
The difference is that piracy costs the US 750 million jobs and over $30T each year, whereas "enhanced sharing" of "sensitive" information is good for the economy.
BULL. SHIT. Every pirated song or movie does not = a lost sale.
Those numbers seem a bit low. But you have a good argument!
Perhaps you should run for Congress.
*This post does not follow your rule.*
There are two types of people in the world: Those who crave closure
There should be a no tracking extension. It should make it so that the style for the link does not change unless you are accessing it from the same domain name (or same page the link was clicked on, for the paranoid). Additionally, it should make all users have the same information presented. The EFF's panopticlick shows the types information that should be made the same across all browsers. In addition, it should make sure information reported is the same with javascript on or off. As more information is used to identify, the extension can be upgraded to include it as well.
Easy solution: pass a new law that I own perpetual, non-transferable copyright on all information about me or my activities. Certain specific implicit licenses will exist to allow people to use information as I intended. However, bottom line is that collecting personal information is a copyright violation, and is actionable.
Problem solved.
I don't think anyone but the most naive users were surprised at last week's results, or at this. Even "Average Joe Internet User" knows that, in general, Internet advertisers and their practices are shady.
I have to agree that theft is a stupid label here, this would fall into spying or illegal wiretapping, it is an intensive surveying of what you are doing in your own home or on sites that the company gathering the information has no right to monitor. Applying theft to terms it doesn't have anything to do with is silly and stupid in all cases. This IMO is a much greater crime than piracy, but neither should fall into the category of "theft".
Sure...use BitCoin
ROFL, please tell me you're joking about those numbers? Please?
You can't ACTUALLY be saying stopping half of the current "piracy" and we could pay off the ENTIRE national debt?
TFA:
When a user opts-out, all further collection of behavioral data from that user stops and existing profile data is deleted, even though the cookie itself is not deleted. The reason for this is simple: these cookies provide important operational information necessary for the delivery of any ad, not just targeted ads. For example, Epic Marketplace needs this data to determine how many times a particular ad has been shown to a user, and to analyze whether fraudulent activity is taking place. Ironically, in order to give effect to a consumer’s decision to avoid data collection, the cookie has to remain, otherwise advertisers have no way of knowing that that particular consumer has elected to opt-out of that advertiser’s data collection practices.
it's been a while since I did web programming, but isn't an opt-out better implemented as data stored on THEIR systems and not mine? am I missing something here?
"we can't be sure you don't want our shit, so we send you a cookie so we can know you don't want our shit."
WHAT???
do they expect technical people to say 'oh, ok, you are right' ?
so, unless I'm missing something, they should look at their LOCAL database of do-not-track ip addrs and users and not even TRY to write data to their disks (cookies). and if the user denies cookies (as I do on all sites that are not already whitelisted)? their 'design' doesn't allow for THAT case, does it?
these guys should be sued into negative oblivion. bottom feeding fuckwads.
--
"It is now safe to switch off your computer."
I realise this is going to be confusing for you, but just try and stay with me:
Slashdot is not an individual. Slashdot is a collection of people of differing views and opinions.
Some people who read and post on slashdot think that downloading music without approval of the copyright is not theft. Some people who read and post on slashdot think that downloading music without approval of the copyright holder is theft. Some people who read and post on slashdot think that getting someone's browser history is not theft. Some people who read and post on slashdot think that getting someone's browser history is theft.
Some people who read and post on slashdot think that there's a difference between private data and public data. Some people who read and post on slashdot think that there is no difference between private and public data and that "all information wants to be free".
Some people who read and post on slashdot think that Obama is the best President in all of history. Some people who read and post on slashdot think that Bush was the best President in all of history. Some people who read and post on slashdot think that Bush and Obama are both reptilian aliens in disguise.
Thus you can't expect to get a consistent opinion. Slashdot itself has no opinion, the people involved in it have opinions.
You might seem to get a majority opinion shining through, but you can't compare them across areas. "Majority" may really just mean "loudest", the point remains the same.
For your example, a perfectly reasonable explanation would be that the "majority opinion" of people on slashdot who care enough about downloading music to be involved in a discussion about that topic is that it is not theft. And the "majority opinion" of the people on slashdot who care enough about data snooping by web based advertising networks to be involved in a discussion about that topic is that such snooping is theft of private data. This makes perfect sense, because *they are not the same people*. Or alternatively the "theft" being referred to in the data snooping case is that of privacy. In the music distribution case if someone downloads a copy of a song the original owner of the song has lost nothing - they still have their copy. In the data snooping case the original owner of the history has lost something - they no longer have their privacy.
So there's two reasonable explanations of our observation, and there will be plenty more. So why are you confused by such a simple phenomenon?
Here's the deal...
The advertising business is a crap hole. I treat ads like SPAM. I will take any measure to block ads, whether they come through the TV or the Internet. I will gladly help friends and family with setting up blocking software. To people crying "but how are we going to finance our 'free' business if we can't show ads?" I reply "not my problem".
Regarding music, if I want to share music that I purchased with my friends, I'll do that. I see nothing morally wrong with that. Fine, sharing it with the rest of the world is more problematic, but I really can't see the current system go on. In five years I expect that something like Spotify will exist completely free without ads, decentralized and supported by the public - unstoppable. The music industry has to change. Artists might get paid for performing or recording time but they won't get royalties. And labels are completely doomed as they work today.
So no, I'm not "stealing" music when I download it. According to the law I'm doing infringement of a fantasy copyright law. And no, I'm definitely not stealing when I block ads. If someone gets stuff from my hard drive, it's likely not theft (I really don't know), but maybe unauthorized computer access? The laws must first protect the citizens, then the corporations. I know that the US cares more about its corporations than about its citizens, but I really don't care much about the US.
Just my 5 Euro cents.
The difference is that piracy costs the US 750 million jobs and over $30T
Well, someone needs to say it:
You're a moron.
HERP DERP OVER TWICE THE NATIONAL DEBT EACH YEAR DURR.
Oh, by the way, it's called 'copyright infringement'. Piracy is when a motherfucker with an AK boards your ship, puts it to your head and says, "Hey, what's up, fucker? Oh, were you watching Game of Thrones while sailing the high seas? You've got a first world problem now, motherfucker."
ROFL, please tell me your joking about those numbers? Please?
HINT: What is the population of the USA?
In neither case is anything "taken", things are being duplicated with no loss of physical or digital property. This case is spying, wiretapping or something along those lines. It is taking potentially intimate details of the user's life that never were intended to be seen or heard by anyone, and selling them to the highest bidder for personal profit. This is closer to the category of filming someone in a shower, than stealing their wallets.
Thanks for getting it:-) I was about to post this in reply: http://www.google.com/search?sourceid=chrome&client=ubuntu&channel=cs&ie=UTF-8&q=population+of+the+united+states
93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
I don't care if that hits a site revenue stream enough that they will require paid registration (I will just register and pay). You either do something to block all ad network-supplied crap, or you are at a much increased risk of damage.
ad networks have, in the past:
1. distributed viruses and trojans (PNG exploits, for example)
2. distributed criminal matter (hate speech, k1dd13 p0rn, etc)
3. distributed content to mislead the user into visiting damaging sites
4. attacked the user browser to mine information
Exactly why do we tolerate that kind of crap, really? We should sabotage ad networks as much as we possibly can.
Theft is when it happens to me, unauthorized sharing is when it happens to you.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
The good readers of Slashdot got caught up in their own rhetoric when it comes to the "data as property" debate. Here's how it works in reality: data in my possession is my property. I can edit it, delete it, share it, or hoard it; because it belongs to me. If I give you a copy of that data, that copy is now your property. You can edit it, delete it, share it, or hoard it; I have no say over what you do. That doesn't imply that you can take a copy from me without my permission, it means that by giving you a copy I give you the rights to use that copy in any way you wish.
I removed AdBlocker about 2 years ago out of pity for ad supported websites. I'll be turning it back on now until I see some satisfactory government regulation.
Well they claim that what they are doing is not an issue. So I simply want to know what sites use them and what advertisers use them along with the name of the script.
That way I can have the freedom to choose if I want to go to those sites or not and let the site owners and advertisers know that I don't like it. Not that it is illegal or not but I don't like and don't want it to happen to me. That is all they have to do.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
If any of their tracking actually works in the case of user cookies being denied or not kept, then yes. If they choose to still do tracking for such users, they also need to honor do-not-track for those users.
now we need to go OSS in diesel cars
It isn't theft. What it is is invasion of privacy and ignoring 'contractual' requirements of 'do not track'. This is why sometimes we need regulation. It is also why the best privacy protection is for the browser to protect itself.
The analogy here is asking the server not to put tomato sauce in your hamburger and instead they decide to spit in it, with a big "f*@k you" attitude.
Jumpstart the tartan drive.
From Epic Marketing's Fine Rebuttal:
followed by
Hmmmm ...
Epic has no contract, expressed or implied, with the end user to run software on their computer. They have only an agreement with the website operator, who has no authority to grant Epic the right to execute any software on the end user's computer. That said software actually examines the user's browsing history to determine if they have visited specific pages, should be considered illegal, even if they only send back a de-identified list of segments represented by those links. Until Epic has received user consent, their actions should be considered computer fraud.
make imaginary.friends COUNT=100 VISIBLE=false
Unauthorized access to a computer system is a much more serious offense than copyright violation. There are good arguments that copyright itself is unethical and counterproductive, but none to suggest that unauthorized computer access is.
Give me Classic Slashdot or give me death!
Read a response from a professional advertisement and marketing agency? Why don't we just throw the idea of objective assessment out the window altogether.
May the Maths Be with you!
So you have a permanent IP assigned to you, and you want that the advertisers always know and keep track (no matter if you clear cookies, or if you enter Private browsing) that it's you the one visiting some pages?
Well, that might work for you, but the rest of the world doesn't have such luxuries and the IP is temporary so in order for them to keep such preferences, they must store the preferences in your computer.
IP addresses don't opt out of things; people do. There has to be some way of associating a request that they want to track, with an earlier opt-out request. Cookies are the implementation that people have come up with so far, at least until you start sending some kind of global user id in all http headers (an idea that people would hate even more).
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Does not compute. How can it be costing the USA twice the population of the country (hint: USA has a population of 300 million), in terms of jobs? Add to that the percentage of people impacted by this is far smaller than the real population. I am guessing that it is even below 5% (I don't have figures to validate that estimate)?
Clearly from the Master of Bullshit Arts line of education?
Jumpstart the tartan drive.
The right solution is probably the browser ignoring actions based on domain. Another solution is to ignore sending cookies based on domain and also ensuring JS from that domain can't read certain data. It would require a black list, but if they aren't going to play ball, then we can play hard ball.
Jumpstart the tartan drive.
They can't be sure it's you without a cookie to verify it. IP addresses change, and so do browser agents.
If they stored the data on their side, you'd have to re-opt-in every time your ISP gave you a new IP, or you upgraded your browser.
It sounds like they're storing additional data on it, however, and that's not acceptable.
"If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
WWOOOOOOOOOOSH
I'm confused here, so according to Slashdot:
downloading music from say piratebay without approval of copyright holder is not theft
BUT
getting someone's browser history is theft?
Taking someone's browser history is theft. It's theft of privacy. If I go into a store should I expect to have to tell them every place I stopped on my way there so they can sell that info. I would think not. Are stores allowed to put tracking devices on my car to see the other places I visit or other stores I go to? No.
Cookies are the implementation that people have come up with so far, at least until you start sending some kind of global user id in all http headers (an idea that people would hate even more).
Not to mention that a do-not-track cookie and a do-not-track HTTP header member essentially have the same effect from a practical perspective (in that they both modify the HTTP header). However, an HTTP header would work across all domains, not just the domain that set it which might be a disadvantage to those who want to pick and choose who can and cannot track them.
Yes, you're missing something. Imagine you opt out of tracking and the company erases all information about you (including their cookies). What happens the next time you hit their system? You look like somebody they've never seen before. In most systems, that means they give you a cookie and start tracking you. But you just asked them not to track you...
The only way they can comply is to know that you fall into the group of people who don't want to be tracked. In general, they can do this with a generic "do-not-track" cookie value they drop (like an ID with all zeros, e.g.). Then you and everybody else who doesn't want to be tracked looks identical, but you all still have a cookie from them.
You mentioned IP address as a way to track users, but that's really unreliable. So you want to go opt out again every time you restart your modem or connect to another network? If you're behind a NAT, your opt out would affect everybody behind the NAT (but only until the external address changed, at which point it would affect nobody).
As a side note: If you clear all your cookies every time you close your browser, your tracking starts fresh with every browsing session. It doesn't mean you aren't tracked - it just means the scope of the tracking matches the scope of the cookie lifetime. I leave my browser up for days/weeks at a time, so deleting cookies on close would actually make me more trackable than an opt-out. A whitelist of sites you accept cookies from is the best way to minimize tracking, but most people won't understand or bother with that. Storing an opt-out cookie is a really simple next-best-thing.
good point. my work pc has firefox set to clear cookies and history at shutdown. so, my do not track request can't be respected after a reboot?
Cookies are the implementation that people have come up with so far, at least until you start sending some kind of global user id in all http headers (an idea that people would hate even more).
Or perhaps a simple "fuck off and don't track me" HTML header?
It doesn't actually have to identify you for them to get the message. If they'd honor it, that is.
-CCarrot (posting AC due to mods in this topic)
This is closer to the category of filming someone in a shower, than stealing their wallets.
Incidentally, that's my favorite type of voyeur porn...
Oh, so if I share my information with google and google alone (per our agreement) and then google sets up a server to share all of it with anybody who wants it, that's ok?
If I can just reach out with my words and touch a butthole, just one, it will all be worth it.
The legislature will never happen, because the government is starting to take advantage of all the private data amassed at corporate data centers, particularly through Patriot Act. We can expect more legislature that will make all your private info available to government "on demand".
Slashdot is not an individual. Slashdot is a collection of people of differing views and opinions. Thus you can't expect to get a consistent opinion.
You can't get a consensus opinion. The slashdot crowd does have consistent opinions on things, despite the dynamic nature of the population. It is not nonsense to talk about usual slashdotter opinions. Nearly any parameter you can measure of nearly any natural population has a distribution, but you can still make statements about the mean. Most clovers in a field have 3 leaves. Yes, some have 4 and some have less, but 3 is the usual number. Most slashdotters are opposed to the RIAA's crackdown on music sharing. Yes, some people probably really like the RIAA, but most don't.
Getting someone's browser history is spying, of course.
The Tao of math: The numbers you can count are not the real numbers.
You're over thinking things. What if you were allowed to tick a checkbox in your browser, and thereafter it would state clearly in every HTTP request header DO NOT TRACK ME. This enables notification that we do not want any tracking to be performed, and is delivered in the same set of headers that they are already parsing to read the "Cookies" they set.
It looks like this:
DNT: 1
Firefox4 and IE9 support this, last I heard Chrome didn't (I hear there is a 3rd party plugin now). All those advertising bastards need do is not track people with those settings. Additionally, use a plugin like CookieMonster to manage your cookie settings.
Them: "Without cookies how will we know if you want to opt out?!"
Us: "Problem Solved. Read the DNT header fool."
Them: "We need cookies to make sure people aren't fraudulently clicking ads, and to count clicks"
Us: "Not our problem; Besides, Cookies can be cleared -- Store your clicks & hits in YOUR OWN damn database!"
Them: "... [under breath] But we don't have to, and we won't comply sanely without mandatory regulation."
They'll cry us a river when it comes down to strict regulations -- The only bad thing is that the law writers don't understand technology enough to just say: "Advertisers must honor the 'DNT: 1' (do not track header) as if the user had followed the advertiser's opt-out procedure, and [insert other shit they should do like delete user records and not set cookies -- though I can manage my own damn cookies, but thanks]."
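The two opt-out signals debated in this thread, the shared opt-out cookie and the `DNT: 1` request header, can be handled side by side on the server. The sketch below is an added example, not part of any comment here and not Epic's or any ad network's code; the cookie name `uid`, the all-zeros opt-out value, the cookie lifetimes and the choice to expire a unique ID when DNT is present are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Optional

COOKIE_NAME = "uid"      # hypothetical cookie name
OPT_OUT_ID = "0" * 16    # shared value, so every opted-out browser looks identical


@dataclass
class Decision:
    track: bool                 # may this request feed a behavioural profile?
    set_cookie: Optional[str]   # Set-Cookie value to send back, or None
    reason: str


def _cookie_value(headers: dict) -> Optional[str]:
    """Return the value of the ID cookie from the Cookie header, if any."""
    jar = SimpleCookie()
    jar.load(headers.get("cookie", ""))
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel else None


def opt_out_cookie() -> str:
    """Set-Cookie value sent by the opt-out page: replaces any unique ID."""
    return f"{COOKIE_NAME}={OPT_OUT_ID}; Max-Age=315360000; Path=/"


def handle_request(headers: dict) -> Decision:
    """Decide whether one ad request may be tracked."""
    headers = {k.lower(): v.strip() for k, v in headers.items()}
    uid = _cookie_value(headers)

    # 1. DNT travels with every request, so it survives cookie clearing
    #    and needs nothing stored on the user's machine.
    if headers.get("dnt") == "1":
        expire = None
        if uid and uid != OPT_OUT_ID:
            # Assumption of this example: drop a unique ID left over
            # from before the user enabled DNT.
            expire = f"{COOKIE_NAME}=; Max-Age=0; Path=/"
        return Decision(False, expire, "dnt-header")

    # 2. Shared opt-out cookie: present, but carries no identity.
    if uid == OPT_OUT_ID:
        return Decision(False, None, "opt-out-cookie")

    # 3. Existing unique ID and no opt-out signal.
    if uid:
        return Decision(True, None, "known-id")

    # 4. No cookie and no DNT: indistinguishable from a new visitor, so a
    #    fresh ID is issued. This is how an opt-out gets "forgotten" when
    #    cookies are cleared on exit.
    new_id = secrets.token_hex(8)
    while new_id == OPT_OUT_ID:
        new_id = secrets.token_hex(8)
    return Decision(True, f"{COOKIE_NAME}={new_id}; Max-Age=31536000; Path=/", "new-id")


def cleared_cookie_scenario() -> list:
    """Constructed requests: opt out, clear cookies, then enable DNT."""
    opted_out = handle_request({"Cookie": f"{COOKIE_NAME}={OPT_OUT_ID}"})
    after_clearing = handle_request({})          # opt-out cookie is gone
    with_dnt = handle_request({"DNT": "1"})      # header needs no cookie
    return [opted_out.reason, after_clearing.reason, with_dnt.reason]


if __name__ == "__main__":
    print(cleared_cookie_scenario())
```
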
Web users are anonymous. You can't identify them, if you don't store something unique on their machine.
IP addresses don't opt out of things; people do. There has to be some way of associating a request that they want to track, with an earlier opt-out request. Cookies are the implementation that people have come up with so far, at least until you start sending some kind of global user id in all http headers (an idea that people would hate even more).
All fine and good, but why should I HAVE to opt out of something like this just to protect my privacy? What makes these marketing troglodytes think they have a right to track my browsing habits by default?
"So after all this, you make my case for me. To end this stalemate, you must die..."
well there are ways. one way is to come up with a browser plugin that creates an opt-out cookie on open of browser from a list of sites that creates them. or somehow create a do not track user agent... so plugins or browsers could when making requests from these user agents be ignored... those would be my suggestions. I think user agent would be the better of the two ways, a more permanent solution. in that is in the opt-out user agent and they start setting cookies etc. flags can be triggers and the hammer of the web will come down.
Epic's statement refers repeatedly to the ease of opting out and how firmly they obey it when you do, but neglects to provide an opt-out link.
For your convenience: http://www.epicmarketplace.com/optout.php
Interestingly, I had (according to Epic) "not opted out" previously and had therefore given them permission to do whatever they like.
Disclaimer on page:
"Note that if you change or delete the Traffic Marketplace opt-out cookie, change browsers, or get a new computer, you may need to opt out again."
In other words, if you catch us it's probably your fault.
There's also a link to Network Advertising Initiative control panel for opting out of multiple ad networks. There's no way to sort it to show what networks you're active in (the message is actually a .gif, I suspect to inhibit searching).
Why not try reading what I wrote?
You know the bit which talked about exactly that point and how you can't compare them because not everybody cares about the same things equally.
Please show the evidence for that. All I see is that "most slashdotters who comment on articles about the RIAA's crackdown on music sharing are opposed to it", which is a very different claim.
Yes in articles about the RIAA cracking down on music sharing the most popular opinion on slashdot is that copyright infringement is not theft.
Yes in articles about snooping browser histories the most popular opinion on slashdot is that such browser snooping is theft.
There is no inconsistency or strangeness in both those things being true*. It isn't the same people. Some people are more interested in sharing music and hence make up the bulk of the opinion in articles about that. Different people (with overlap of course) are more interested in privacy and hence make up the bulk of the opinion in articles about that.
* Note: I'm not arguing one way or the other about those actually being "the slashdot opinion", I'm just taking the original claim.
Zzzzing!
Yes, of course they have to track you to know that you have opted out of tracking.
How else do you think it would work?
This pattern is depressingly similar to how the whole legal system is going.
they do anything they can to get you to buy some shit you don't want including lying and stealing, then get all offended when you call them on it
I have to laugh at the responses you have gotten in spite of the dead-giveaway signature of yours. Bravo!
Help! Help! I'm being repressed!
...is "awaiting moderation". Since they'll never approve it, I reproduce it here:
http://epicmediagroup.wordpress.com/2011/07/20/epic-marketplace-response-to-behavioral-advertising-and-tracking-allegations/#comment-251
“NO data obtained from segment verification is personally identifiable information (PII), nor is that data ever merged with other data points that are, or may be, personally identifiable.”
Do you make this promise on behalf of yourself, or on behalf of all the customers you sell data to, or on behalf of your national security partners, or all of the above? If so, how do you know, and what visibility do you have into their use of data? Do you deploy security personnel to their data warehouses to enforce this policy? Lastly, what anti-reverse-engineering protections did you put in your Javascript to protect it from being re-used by malicious parties who do want to steal personal data? If you have no protection, you have advanced the state of the art of identity attack by publicly releasing this code, correct? Thanks in advance for your truthful and complete answers.
Or alternatively the "theft" being referred to in the data snooping case is that of privacy. In the music distribution case if someone downloads a copy of a song the original owner of the song has lost nothing - they still have their copy. In the data snooping case the original owner of the history has lost something - they no longer have their privacy.
Following that line of argument, the owner of the copyright on the song has lost something as well - the ability to control who/ when/ where the song can be copied.
They are not tracking you regardless of your do-not-track request. Your setup destroys their tracking info upon reboot.
Taking someone's browser history is theft. It's theft of privacy. If I go into a store should I expect to have to tell them every place I stopped on my way there so they can sell that info? I would think not. Are stores allowed to put tracking devices on my car to see the other places I visit or other stores I go to? No.
Checkout workers are almost uniformly asking for zipcodes now. I decline, but might not be able to in the future.
do they expect technical people to say 'oh, ok, you are right' ?
so, unless I'm missing something, they should look at their LOCAL database of do-not-track ip addrs.
It's kind of ironic you talk about "technical people" and then start spouting absolutely useless nonsense like storing IP addresses. There is so much wrong with that ... It'd be funny, if you weren't serious. If you were, it's just sad.
Or maybe they need to go to an "opt-in" system, to make it easier for them to be honest. I suppose there could be a reason they wouldn't want that, though...
I think that is the idea. They don't want to be identified, yet storing something unique on their machine makes it pretty easy to identify them.
Yes, of course they have to track you to know that you have opted out of tracking.
Here's an idea. Maybe they could, you know, have people opt-in to tracking, and then the only people being tracked would be the ones who had asked the company to track them.
Of course as we all know, almost no-one would volunteer to be tracked unless there are financial benefits (e.g. supermarket store card discounts) and only inertia prevents most people from 'opting out' of online ad tracking.
Did you read the response? What a classic case of corporate misdirection. They redefine history stealing as "segment verification", which presumably means that they are using this technique to verify that a visitor is part of a particular segment of people that advertisers are trying to reach.
Clue: It doesn't matter what you do with the information, if your process involves checking to see whether a user has visited any of a list of sites in the past, that technique is known as history stealing and it is wrong. As in unethical. As in, shame on you, and browser makers should be working very hard to prevent you from doing it.
To try to claim that "segment verification" doesn't leak personally identifiable information is also disingenuous. If you were just checking one or two sites, maybe you could make that claim. But the whole point of this exercise is verifying which marketing segments a visitor is in. The full set of those segments can be used to build a detailed profile of who the visitor is and what she does with her browser. Combine with IP address, browser version, and any number of other available factors, and you get a remarkably unique fingerprint that will be, in many cases, unique to that person.
They should just say, "Yes, we use your browsing history to determine more or less who you are. It's very clever and completely legal." But being in advertising, they can't help but try to spin their way into looking like the good guys, being harassed by evil academics. Telling a story to sell bullshit, that's the game.
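The comment above argues that the full set of segments, combined with IP address and browser version, narrows a visitor down to a fingerprint. The following added example (not part of the thread and not Epic's code) measures that on a small constructed visitor table; the segment names, browser strings and network prefixes are made-up sample values.

```python
from collections import Counter
from math import log2

# Constructed sample: (segments detected in history, browser, /24 network prefix).
VISITORS = [
    ({"health", "tax"}, "Firefox 5", "192.0.2"),
    ({"health"},        "Firefox 5", "192.0.2"),
    ({"health", "tax"}, "Chrome 12", "198.51.100"),
    ({"tax"},           "Chrome 12", "198.51.100"),
    ({"health", "tax"}, "Firefox 5", "198.51.100"),
    ({"health"},        "IE 9",      "203.0.113"),
    ({"tax", "travel"}, "IE 9",      "203.0.113"),
    ({"health"},        "Firefox 5", "203.0.113"),
]

def by_one_segment(v):
    """What a single-site check reveals: in the 'health' segment or not."""
    return "health" in v[0]

def by_all_segments(v):
    """What checking every segment reveals: the whole membership set."""
    return frozenset(v[0])

def by_full_profile(v):
    """Segments plus the browser and network the server sees anyway."""
    return (frozenset(v[0]), v[1], v[2])

def anonymity_sets(visitors, key):
    """Map each observable value to the number of visitors sharing it."""
    return Counter(key(v) for v in visitors)

def unique_fraction(visitors, key):
    """Share of visitors whose observable value matches nobody else's."""
    sets = anonymity_sets(visitors, key)
    return sum(1 for v in visitors if sets[key(v)] == 1) / len(visitors)

def surprisal_bits(visitors, key, target):
    """Bits of identifying information the observable gives about target."""
    sets = anonymity_sets(visitors, key)
    return log2(len(visitors) / sets[key(target)])

if __name__ == "__main__":
    for name, key in [("one segment", by_one_segment),
                      ("all segments", by_all_segments),
                      ("segments + browser + network", by_full_profile)]:
        print(f"{name:30s} unique={unique_fraction(VISITORS, key):.2f} "
              f"bits={surprisal_bits(VISITORS, key, VISITORS[0]):.2f}")
```

In this table no visitor is unique on one segment, a quarter are unique on the full segment set, and all are unique once browser and network are added.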
I have a new idea... Submit crap to their tracking URL in order to trash their data set.
#!/usr/bin/perl
use strict;
my $tracking_url_format_string = "http://i.pixel.trafficmp.com/a/bpix?pid=%s&plid=%s&top=%s";
my $i;
my $url;
for ($i = 0 ; $i < 50000; $i++) {
$url = sprintf($tracking_url_format_string, 1, $i, $i);
my $result = `curl $url`;
}
At first I thought that somehow history was caught stealing something by an advertising network. It took me a minute to realize the title actually meant "stealing history". If the used word order is really that important, the submitter could've at least thrown a hyphen in there to make it a bit clearer.
Anybody want a peanut?
Let me award you a well-deserved "whoosh".
The real "Libtards" are the Libertarians!
Not in California
The real "Libtards" are the Libertarians!
Does not compute. How can it be costing the USA of twice the population of the country (hint: USA has a population of 300 million),
Compute better then. I think the AIs are gaining on you.
It's sad if AIs pass the Turing test because the humans have become stupider ;).
they should look at their LOCAL database of do-not-track ip addrs
So I need to opt out of tracking at home. And at work (blocking other people sharing the same outbound NAT who want to be tracked for some odd reason, possibly involving incentive programs). And at the coffee shop. And in motels. And in libraries. And every time my DHCP lease changes. Basically, every IP I'll ever occupy - however temporarily - I'll need to re-opt-out from.
so, unless I'm missing something
Yes, I think you're missing something.
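The comments above go back and forth on how an opt-out can be remembered without either a unique cookie or a database of IP addresses. One way to do it, shown here as an added example (not from the thread, and not any ad network's actual code), is an opt-out cookie whose value is identical for every user; the cookie names `uid` and `optout` are hypothetical.

```python
from http.cookies import SimpleCookie

ID_COOKIE = "uid"          # hypothetical name of a per-browser tracking identifier
OPTOUT_COOKIE = "optout"   # hypothetical name; the value is the same for everyone

def is_opted_out(cookie_header, dnt_header):
    """True if the browser sent DNT: 1 or already carries the opt-out cookie."""
    cookies = SimpleCookie(cookie_header or "")
    has_flag = OPTOUT_COOKIE in cookies and cookies[OPTOUT_COOKIE].value == "1"
    return dnt_header == "1" or has_flag

def response_cookies(cookie_header, dnt_header):
    """Set-Cookie values to send back: keep the flag, expire the identifier."""
    if not is_opted_out(cookie_header, dnt_header):
        return []
    out = SimpleCookie()
    out[OPTOUT_COOKIE] = "1"                      # carries no per-user data
    out[OPTOUT_COOKIE]["max-age"] = 5 * 365 * 24 * 3600
    out[OPTOUT_COOKIE]["path"] = "/"
    if ID_COOKIE in SimpleCookie(cookie_header or ""):
        out[ID_COOKIE] = "deleted"                # overwrite, then expire at once
        out[ID_COOKIE]["max-age"] = 0
        out[ID_COOKIE]["path"] = "/"
    return [morsel.OutputString() for morsel in out.values()]

def loggable_identifier(cookie_header, dnt_header):
    """Identifier the server may record for this request; None when opted out."""
    if is_opted_out(cookie_header, dnt_header):
        return None
    cookies = SimpleCookie(cookie_header or "")
    return cookies[ID_COOKIE].value if ID_COOKIE in cookies else None

if __name__ == "__main__":
    # Constructed requests: (Cookie header, DNT header)
    for req in [("uid=abc123", None), ("uid=abc123", "1"), ("optout=1", None)]:
        print(req, response_cookies(*req), loggable_identifier(*req))
```

Because the flag travels with the browser, it survives a change of IP address, and because it is the same for every opted-out user, it cannot tell them apart.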
Dewey, what part of this looks like authorities should be involved?
Hey, it's my turn with The Opinion!
WALSTIB!
You know the bit which talked about exactly that point and how you can't compare them because not everybody cares about the same things equally.
I'm not getting how that dictates you can't generalize the prevailing opinion on a subject. Some people care more and some less about the RIAA, but most people are opposed to it.
Most slashdotters are opposed to the RIAA's crackdown on music sharing
Please show the evidence for that. All I see is that "most slashdotters who comment on articles about the RIAA's crackdown on music sharing are opposed to it", which is a very different claim.
I'm afraid I don't see much distinction. Those that comment on articles about the RIAA crackdown would be a sample of slashdotters at large. It's going to be skewed towards people with strong opinions either way, yes, but I think it's a safe assumption that the lurkers on such stories are not significantly different from the commenters in terms of pro RIAA or anti RIAA. If 80% of the comments are opposed to the RIAA, I'm guessing the percentage of slashdotters opposed to the RIAA is going to be closer to 80% than 50%.
Getting back to the original point, I do think it's likely that a significant portion of slashdotters do think that violating copyright and downloading music is not theft while downloading someone's browser history is an invasion of privacy. I do not think that OP's point was absurd per se for the reasons you brought up.
Lots of reasons:
1. We speak of "do not track" instead of "ok to track." The debate is already framed to their advantage.
2. You're ok with it. Almost everyone is ok with it. Otherwise, they wouldn't send the requests (complete with the cookies they asked you to send, the last time you communicated with them) to the ad servers, and especially wouldn't download and execute javascript which sends extra "history stealing" information to them. Some people say they're not ok with it, but their behavior reveals how weak their conviction is. If you're really not ok with them tracking you, then they're not tracking you (because in the end, you're always in control).
3. Like lots of mass-surveillance techs, it was so impossible to do back when the basic parameters of who-has-the-right-to-what were spelled out in constitutions and philosophies. So there aren't any serious prohibitions (legal or cultural). Some places like Europe try to have privacy laws, but they are incomplete (though may work to varying degrees) and unenforceable. (read on, about enforceability)
4. They can get away with it, and could get away with it even if it were prohibited. The act of learning things about you, especially when they passively gather it from information that you send to them, is totally internal. Laws that essentially say "you're not allowed to pay attention to things people tell you" are unenforceable. It's like violating DMCA in your home to watch a DVD: it might be against the law, but nobody is ever going to know that you did it, unless they're already after you. (Not that this stops there being a prohibition against watching DVDs, but everyone knows it's a stupid law so it's a harder sell to do things like that.) The only externally visible symptom is that they'll tend to show you better-targeted ads, and how do you prove anything from that?
5. They can outspend you. Should the opt-in-vs-opt-out question come up in a legislative body, they have a voice and you do not. This is how things will be until people start really voting.
HTH.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
I regularly update my hosts file to block asshole companies like this.
Oh, I thought that was a bird. :)
Jumpstart the tartan drive.
"self-regulatory"
Well there's your problem.
Epic has written a response defending its practices."
If you still don't see what's wrong with these people, that sentence is all you need. Get caught with the hands in the cookie jar and then go about explaining why it was an ok thing to do.
How long until we as a society finally realize that corporations do not have ethics ? They are, almost by definition, psychopaths. We need to start treating them like the dangerous criminals they are.
No, I'm not a communist. I do, however, strongly advocate seeing things the way they are, and not fool yourself with delusions of an idealized version of your world. And corporations behaving as valuable members of society is an aberration, not the norm.
Assorted stuff I do sometimes: Lemuria.org
You're spot on.
They claim that a click on an "I accept" button constitutes a binding contract. But a checkbox in the configuration that I don't want to be tracked doesn't?
Frankly, stop treating corporations like responsible citizens. They aren't. They are cheaters, liars and frauds. Their only purpose is profit. If they were humans, they would qualify as psychopaths.
Treat them like that.
Assorted stuff I do sometimes: Lemuria.org
A custom HOSTS file: To block out advertising, period! It's my bandwidth I pay for, for one thing (yours too), out of pocket - I want ALL of what I paid for (not just some, not 1/2... ALL!). It's apparently not only your money's worth being reamed by ad networks, but now also your privacy (as well as adbanners being shown & proven to harbor malicious script malware @ times since around 2004 as well (more than just a few times in fact)).
Not only do you surf NOTICEABLY FASTER using one, but also safer as well, and you get all of the bandwidth you pay for too (triple bonus).
"Ever since I've installed a host file (http://www.mvps.org/winhelp2002/hosts.htm) to redirect advertisers to my loopback, I haven't had any malware, spyware, or adware issues. I first started using the host file 5 years ago." - by TestedDoughnut (1324447) on Monday December 13, @12:18AM (#34532122)
FROM http://tech.slashdot.org/comments.pl?sid=1907528&cid=34532122
Now?
20++ ADVANTAGES OF HOSTS FILES OVER DNS SERVERS &/or ADBLOCK ALONE for added layered security:
1.) HOSTS files are useable for all these purposes because they are present on all Operating Systems that have a BSD based IP stack (even ANDROID) and do adblocking for ANY webbrowser, email program, etc. (any webbound program).
2.) Bad news: ADBLOCK CAN BE DETECTED FOR: See here on that note -> http://arstechnica.com/business/news/2010/03/why-ad-blocking-is-devastating-to-the-sites-you-love.ars
HOSTS files are NOT BLOCKABLE by websites, as was tried on users by ARSTECHNICA (and it worked, proving HOSTS files are a better solution for this because they cannot be blocked & detected for, in that manner), to that websites' users' dismay:
PERTINENT QUOTE/EXCERPT FROM ARSTECHNICA THEMSELVES:
----
An experiment gone wrong - By Ken Fisher | Last updated March 6, 2010 11:11 AM
http://arstechnica.com/business/news/2010/03/why-ad-blocking-is-devastating-to-the-sites-you-love.ars
"Starting late Friday afternoon we conducted a 12 hour experiment to see if it would be possible to simply make content disappear for visitors who were using a very popular ad blocking tool. Technologically, it was a success in that it worked. Ad blockers, and only ad blockers, couldn't see our content."
and
"Our experiment is over, and we're glad we did it because it led to us learning that we needed to communicate our point of view every once in a while. Sure, some people told us we deserved to die in a fire. But that's the Internet!"
Thus, as you can see? Well - THAT all "went over like a lead balloon" with their users in other words, because Arstechnica was forced to change it back to the old way where ADBLOCK still could work to do its job (REDDIT however, has not, for example). However/Again - this is proof that HOSTS files can still do the job, blocking potentially malscripted ads (or ads in general because they slow you down) vs. adblockers like ADBLOCK!
----
3.) Adblock doesn't protect email programs external to FF, Hosts files do. THIS IS GOOD VS. SPAM MAIL or MAILS THAT BEAR MALICIOUS SCRIPT, or, THAT POINT TO MALICIOUS SCRIPT VIA URLS etc.
4.) Adblock won't get you to your favorite sites if a DNS server goes down or is DNS-poisoned, hosts will (this leads to points 4-7 next below).
5.) Adblock doesn't allow you to hardcode in your favorite websites into it so you don't make DNS server calls and so you can avoid tracking by DNS request logs, hosts do (DNS servers are also being abused by the Chinese lately and by the Kaminsky flaw ->
The Battle of Hastings is mine, Epic. You can't have it.