Advertising Network Caught History Stealing
jonathanmayer writes "Last week the Stanford Security Lab reported some surprising results on how advertising networks respond to opt outs and Do Not Track. This week we made a new discovery in the online advertising ecosystem: Epic Marketplace, a member of the self-regulatory Network Advertising Initiative, is history stealing with unprecedented scale and sophistication. And Epic is snooping some remarkably sensitive information, including pages from the FTC, IRS, NIH, Mayo Clinic, and more. Epic has written a response defending its practices."
Google currently owns the largest advertising network, and it will only expand (both internet wise and datamining wise) with Google+. If others can't history steal, it will put them out of business. In practice, Google's monopoly demands others to play bad. I'm not saying it's a good thing, it is bad. Just stating the facts.
Google+ vs. Facebook, and why Google+ will fail
I'm confused here, so according to Slashdot:
downloading music from say piratebay without approval of copyright holder is not theft
BUT
getting someone's browser history is theft?
-- Note: These Comments are Generated by ME! Not You! ME!
a self-regulatory network. Just like the wall street bankers want to be self-regulatory or allow the market to be self-regulatory. It's all the same bullshit.
I got here through a series of tubes
Alright, I read the article on this one, and, there's a divergence of evidence here. Mainly..
"We applied the methodology from last week's study to examine Epic Marketplace's opt-out practices. (Epic Marketplace was one of the eleven NAI members not included in that study.) We found that Epic Marketplace leaves its tracking cookies in place after both opting out with the NAI mechanism and enabling Do Not Track. We also found that history stealing continues after using either choice mechanism." - This one's from the study.
"Furthermore, when the user opts out, all data collection efforts cease. The student erroneously concludes that users are unable to avoid participating in segment verification because the opt-out mechanism does not delete the cookie that exists on the user’s computer. Like many other networks have pointed out already in their responses, this is misleading and inaccurate. When a user opts-out, all further collection of behavioral data from that user stops and existing profile data is deleted, even though the cookie itself is not deleted. The reason for this is simple: these cookies provide important operational information necessary for the delivery of any ad, not just targeted ads. For example, Epic Marketplace needs this data to determine how many times a particular ad has been shown to a user, and to analyze whether fraudulent activity is taking place. Ironically, in order to give effect to a consumer’s decision to avoid data collection, the cookie has to remain, otherwise advertisers have no way of knowing that that particular consumer has elected to opt-out of that advertiser’s data collection practices." - and here's Epic's counter.
These two statements seem strictly at-odds to me; the study states that the History Stealing continues to run, not just that a cookie remains as Epic seems to be saying. Epic claims the data collection stops - straight conflict here. Someone either screwed up their study, or Epic is lying, or Epic is unaware that their 'stop stealing' code doesn't actually work. It looks like they're not gathering personally identifiable or geographical location, and so are in the clear there - but now you've got a pure 'He said, she said' in terms of continuing collection after opt-out. Anyone interested in trying to duplicate this study and add some more evidence to if it continues or not?
to pay each advertiser one bitcoin EACH just to not target my IP address with advertisements.
There should be a no tracking extension. It should make it so that the style for the link does not change unless you are accessing it from the same domain name (or same page the link was clicked on, for the paranoid). Additionally, it should make all users have the same information presented. The EFF's panopticlick shows the types of information that should be made the same across all browsers. In addition, it should make sure information reported is the same with javascript on or off. As more information is used to identify, the extension can be upgraded to include it as well.
Easy solution: pass a new law that I own perpetual, non-transferable copyright on all information about me or my activities. Certain specific implicit licenses will exist to allow people to use information as I intended. However, bottom line is that collecting personal information is a copyright violation, and is actionable.
Problem solved.
I don't think anyone but the most naive users were surprised at last week's results, or at this. Even "Average Joe Internet User" knows that, in general, Internet advertisers and their practices are shady.
TFA:
When a user opts-out, all further collection of behavioral data from that user stops and existing profile data is deleted, even though the cookie itself is not deleted. The reason for this is simple: these cookies provide important operational information necessary for the delivery of any ad, not just targeted ads. For example, Epic Marketplace needs this data to determine how many times a particular ad has been shown to a user, and to analyze whether fraudulent activity is taking place. Ironically, in order to give effect to a consumer’s decision to avoid data collection, the cookie has to remain, otherwise advertisers have no way of knowing that that particular consumer has elected to opt-out of that advertiser’s data collection practices.
it's been a while since I did web programming, but isn't an opt-out better implemented as data stored on THEIR systems and not mine? am I missing something here?
"we can't be sure you don't want our shit, so we send you a cookie so we can know you don't want our shit."
WHAT???
do they expect technical people to say 'oh, ok, you are right' ?
so, unless I'm missing something, they should look at their LOCAL database of do-not-track ip addrs and users and not even TRY to write data to their disks (cookies). and if the user denies cookies (as I do on all sites that are not already whitelisted)? their 'design' doesn't allow for THAT case, does it?
these guys should be sued into negative oblivion. bottom feeding fuckwads.
--
"It is now safe to switch off your computer."
I don't care if that hits a site revenue stream enough that they will require paid registration (I will just register and pay). You either do something to block all ad network-supplied crap, or you are at a much increased risk of damage.
ad networks have, in the past:
1. distributed viruses and trojans (PNG exploits, for example)
2. distributed criminal matter (hate speech, k1dd13 p0rn, etc)
3. distributed content to mislead the user into visiting damaging sites
4. attacked the user browser to mine information
Exactly why do we tolerate that kind of crap, really? We should sabotage ad networks as much as we possibly can.
I removed AdBlocker about 2 years ago out of pity for ad supported websites. I'll be turning it back on now until I see some satisfactory government regulation.
Well they claim that what they are doing is not an issue. So I simply want to know what sites use them and what advertisers use them along with the name of the script.
That way I can have the freedom to choose if I want to go to those sites or not and let the site owners and advertisers know that I don't like it. Not that it is illegal or not but I don't like and don't want it to happen to me. That is all they have to do.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
If any of their tracking actually works in the case of user cookies being denied or not kept, then yes. If they choose to still do tracking for such users, they also need to honor do-not-track for those users.
now we need to go OSS in diesel cars
From Epic Marketing's Fine Rebuttal:
followed by
Hmmmm ...
Epic has no contract, expressed or implied, with the end user to run software on their computer. They have only an agreement with the website operator, who has no authority to grant Epic the right to execute any software on the end user's computer. That said software actually examines the users browsing history to determine if they have visited specific pages, should be considered illegal, even if they only send back a de-identified list of segments represented by those links. Until Epic has received user consent, their actions should be considered computer fraud.
make imaginary.friends COUNT=100 VISIBLE=false
Read a response from a professional advertisement and marketing agency? Why don't we just throw the idea of objective assessment out the window altogether.
May the Maths Be with you!
So you have a permanent IP assigned to you, and you want that the advertisers always know and keep track (no matter if you clear cookies, or if you enter Private browsing) that it's you the one visiting some pages?
Well, that might work for you, but the rest of the world doesn't have such luxuries and the IP is temporary so in order for them to keep such preferences, they must store the preferences in your computer.
IP addresses don't opt out of things; people do. There has to be some way of associating a request that they want to track, with an earlier opt-out request. Cookies are the implementation that people have come up with so far, at least until you start sending some kind of global user id in all http headers (an idea that people would hate even more).
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
The right solution is probably the browser ignoring actions based on domain. Another solution is to ignore sending cookies based on domain and also ensuring JS from that domain can't read certain data. It would require a black list, but if they aren't going to play ball, then we can play hard ball.
Jumpstart the tartan drive.
They can't be sure it's you without a cookie to verify it. IP addresses change, and so do browser agents.
If they stored the data on their side, you'd have to re-opt-in every time your ISP gave you a new IP, or you upgraded your browser.
It sounds like they're storing additional data on it, however, and that's not acceptable.
"If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
Cookies are the implementation that people have come up with so far, at least until you start sending some kind of global user id in all http headers (an idea that people would hate even more).
Not to mention that a do-not-track cookie and a do-not-track HTTP header member essentially have the same effect from a practical perspective (in that they both modify the HTTP header). However, an HTTP header would work across all domains, not just the domain that set it which might be a disadvantage to those who want to pick and choose who can and cannot track them.
Yes, you're missing something. Imagine you opt out of tracking and the company erases all information about you (including their cookies). What happens the next time you hit their system? You look like somebody they've never seen before. In most systems, that means they give you a cookie and start tracking you. But you just asked them not to track you...
The only way they can comply is to know that you fall into the group of people who don't want to be tracked. In general, they can do this with a generic "do-not-track" cookie value they drop (like an ID with all zeros, e.g.). Then you and everybody else who doesn't want to be tracked looks identical, but you all still have a cookie from them.
You mentioned IP address as a way to track users, but that's really unreliable. So you want to go opt out again every time you restart your modem or connect to another network? If you're behind a NAT, your opt out would affect everybody behind the NAT (but only until the external address changed, at which point it would affect nobody).
As a side note: If you clear all your cookies every time you close your browser, your tracking starts fresh with every browsing session. It doesn't mean you aren't tracked - it just means the scope of the tracking matches the scope of the cookie lifetime. I leave my browser up for days/weeks at a time, so deleting cookies on close would actually make me more trackable than an opt-out. A whitelist of sites you accept cookies from is the best way to minimize tracking, but most people won't understand or bother with that. Storing an opt-out cookie is a really simple next-best-thing.
good point. my work pc has firefox set to clear cookies and history at shutdown. so, my do not track request can't be respected after a reboot?
Cookies are the implementation that people have come up with so far, at least until you start sending some kind of global user id in all http headers (an idea that people would hate even more).
Or perhaps a simple "fuck off and don't track me" HTML header?
It doesn't actually have to identify you for them to get the message. If they'd honor it, that is.
-CCarrot (posting AC due to mods in this topic)
The legislature will never happen, because the government is starting to take advantage of all the private data amassed at corporate data centers, particularly through Patriot Act. We can expect more legislature that will make all your private info available to government "on demand".
You're over thinking things. What if you were allowed to tick a checkbox in your browser, and thereafter it would state clearly in every HTTP request header DO NOT TRACK ME. This enables notification that we do not want any tracking to be performed, and is delivered in the same set of headers that they are already parsing to read the "Cookies" they set.
It looks like this:
DNT: 1
Firefox4 and IE9 Support this, last I heard Chrome didn't (I hear there is a 3rd party plugin now). All those advertising bastards need do is not track people with those settings. Additionally, use a plugin like CookieMonster to manage your cookie settings.
Them: "Without cookies how will we know if you want to opt out?!"
Us: "Problem Solved. Read the DNT header fool."
Them: "We need cookies to make sure people aren't fraudulently clicking ads, and to count clicks"
Us: "Not our problem; Besides, Cookies can be cleared -- Store your clicks & hits in YOUR OWN damn database!"
Them: "... [under breath] But we don't have to, and we won't comply sanely without mandatory regulation."
They'll cry us a river when it comes down to strict regulations -- The only bad thing is that the law writers don't understand technology enough to just say: "Advertisers must honor the 'DNT: 1' (do not track header) as if the user had followed the advertiser's opt-out procedure, and [insert other shit they should do like delete user records and not set cookies -- though I can manage my own damn cookies, but thanks]."
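The two opt-out signals discussed in this thread, the generic all-zeros opt-out cookie and the `DNT: 1` request header, can be honored together on the server side. The sketch below is an added example, not part of any post and not Epic's or any ad network's code; the cookie name `uid`, the function names and the in-memory `profiles` store are assumptions made for illustration.

```python
import secrets
from http.cookies import CookieError, SimpleCookie

COOKIE_NAME = "uid"        # hypothetical cookie name, not any real network's
OPT_OUT_VALUE = "0" * 16   # one shared value: every opted-out browser looks the same


def read_uid(cookie_header):
    """Return the uid cookie if it is a well-formed 16-hex-digit value, else None."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return None
    if COOKIE_NAME not in jar:
        return None
    value = jar[COOKIE_NAME].value.lower()
    if len(value) == 16 and all(c in "0123456789abcdef" for c in value):
        return value
    return None


def new_uid():
    """Random per-browser ID that can never collide with the opt-out value."""
    while True:
        uid = secrets.token_hex(8)
        if uid != OPT_OUT_VALUE:
            return uid


def handle_ad_request(headers, profiles):
    """Decide how to treat one ad request.

    headers  -- dict of request header names to values
    profiles -- server-side store, uid -> {"hits": n} (a dict stands in for a database)
    Returns {"track": bool, "set_cookie": value or None, "profile_deleted": bool}.
    """
    h = {name.lower(): value for name, value in headers.items()}
    uid = read_uid(h.get("cookie"))
    dnt = h.get("dnt", "").strip() == "1"

    if dnt or uid == OPT_OUT_VALUE:
        deleted, set_cookie = False, None
        if uid is not None and uid != OPT_OUT_VALUE:
            # The browser still carries a unique ID: delete the stored profile
            # and overwrite the ID with the shared opt-out value.
            deleted = profiles.pop(uid, None) is not None
            set_cookie = OPT_OUT_VALUE
        # With DNT alone and no cookie, nothing is written to the browser.
        return {"track": False, "set_cookie": set_cookie, "profile_deleted": deleted}

    set_cookie = None
    if uid is None:
        # Unknown browser that has not opted out: the default the thread objects to.
        uid = new_uid()
        set_cookie = uid
    profiles.setdefault(uid, {"hits": 0})["hits"] += 1
    return {"track": True, "set_cookie": set_cookie, "profile_deleted": False}
```

A browser that sends only `DNT: 1` and one that sends only the opt-out cookie get the same response, and neither leaves a server-side record.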
Web users are anonymous. You can't identify them, if you don't store something unique on their machine.
IP addresses don't opt out of things; people do. There has to be some way of associating a request that they want to track, with an earlier opt-out request. Cookies are the implementation that people have come up with so far, at least until you start sending some kind of global user id in all http headers (an idea that people would hate even more).
All fine and good, but why should I HAVE to opt out of something like this just to protect my privacy? What makes these marketing troglodytes think they have a right to track my browsing habits by default?
"So after all this, you make my case for me. To end this stalemate, you must die..."
well there are ways. one way is to come up with a browser plugin that creates an opt-out cookie on open of browser from a list of sites that creates them. or somehow create a do not track users agent... so plugins or browsers could when making requests from these users agent be ignored... those would be my suggestion I think user agent would be the better of the two ways a more permanent solution. in that is in the optout user agent and they start setting cookies etc. flags can be triggers and the hammer of the web will come down.
Epic's statement refers repeatedly to the ease of opting out and how firmly they obey it when you do, but neglects to provide an opt-out link.
For your convenience: http://www.epicmarketplace.com/optout.php
Interestingly, I had (according to Epic) "not opted out" previously and had therefore given them permission to do whatever they like.
Disclaimer on page:
"Note that if you change or delete the Traffic Marketplace opt-out cookie, change browsers, or get a new computer, you may need to opt out again."
In other words, if you catch us it's probably your fault.
There's also a link to Network Advertising Initiative control panel for opting out of multiple ad networks. There's no way to sort it to show what networks you're active in (the message is actually a .gif, I suspect to inhibit searching).
Yes, of course they have to track you to know that you have opted out of tracking.
How else do you think it would work?
This pattern is depressingly similar to how the whole legal system is going.
they do anything they can to get you to buy some shit you don't want including lying and stealing, then get all offended when you call them on it
...is "awaiting moderation". Since they'll never approve it, I reproduce it here:
http://epicmediagroup.wordpress.com/2011/07/20/epic-marketplace-response-to-behavioral-advertising-and-tracking-allegations/#comment-251
“NO data obtained from segment verification is personally identifiable information (PII), nor is that data ever merged with other data points that are, or may be, personally identifiable.”
Do you make this promise on behalf of yourself, or on behalf of all the customers you sell data to, or on behalf of your national security partners, or all of the above? If so, how do you know, and what visibility do you have into their use of data? Do you deploy security personnel to their data warehouses to enforce this policy? Lastly, what anti-reverse-engineering protections did you put in your Javascript to protect it from being re-used by malicious parties who do want to steal personal data? If you have no protection, you have advanced the state of the art of identity attack by publicly releasing this code, correct? Thanks in advance for your truthful and complete answers.
They are not tracking you regardless of your do-not-track request. Your setup destroys their tracking info upon reboot.
do they expect technical people to say 'oh, ok, you are right' ?
so, unless I'm missing something, they should look at their LOCAL database of do-not-track ip addrs .
It's kind of ironic you talk about "technical people" and then start spouting absolutely useless nonsense like storing IP addresses. There is so much wrong with that ... It'd be funny, if you weren't serious. If you were, it's just sad.
Or maybe they need to go to an "opt-in" system, to make it easier for them to be honest. I suppose there could be a reason they wouldn't want that, though...
I think that is the idea. They don't want to be identified, yet storing something unique on their machine makes it pretty easy to identify them.
Yes, of course they have to track you to know that you have opted out of tracking.
Here's an idea. Maybe they could, you know, have people opt-in to tracking, and then the only people being tracked would be the ones who had asked the company to track them.
Of course as we all know, almost no-one would volunteer to be tracked unless there are financial benefits (e.g. supermarket store card discounts) and only inertia prevents most people from 'opting out' of online ad tracking.
Did you read the response? What a classic case of corporate misdirection. They redefine history stealing as "segment verification", which presumably means that they are using this technique to verify that a visitor is part of a particular segment of people that advertisers are trying to reach.
Clue: It doesn't matter what you do with the information, if your process involves checking to see whether a user has visited any of a list of sites in the past, that technique is known as history stealing and it is wrong. As in unethical. As in, shame on you, and browser makers should be working very hard to prevent you from doing it.
To try to claim that "segment verification" doesn't leak personally identifiable information is also disingenuous. If you were just checking one or two sites, maybe you could make that claim. But the whole point of this exercise is verifying which marketing segments a visitor is in. The full set of those segments can be used to build a detailed profile of who the visitor is and what she does with her browser. Combine with IP address, browser version, and any number of other available factors, and you get a remarkably unique fingerprint that will be, in many cases, unique to that person.
They should just say, "Yes, we use your browsing history to determine more or less who you are. It's very clever and completely legal." But being in advertising, they can't help but try to spin their way into looking like the good guys, being harassed by evil academics. Telling a story to sell bullshit, that's the game.
I have a new idea... Submit crap to their tracking URL in order to trash their data set.
#!/usr/bin/perl
use strict;
my $tracking_url_format_string = "http://i.pixel.trafficmp.com/a/bpix?pid=%s&plid=%s&top=%s";
my $i;
my $url;
for ($i = 0 ; $i < 50000; $i++) {
$url = sprintf($tracking_url_format_string, 1, $i, $i);
my $result = `curl $url`;
}
At first I thought that somehow history was caught stealing something by an advertising network. It took me a minute to realize the title actually meant "stealing history". If the used word order is really that important, the submitter could've at least thrown a hyphen in there to make it a bit clearer.
Anybody want a peanut?
they should look at their LOCAL database of do-not-track ip addrs
So I need to opt out of tracking at home. And at work (blocking other people sharing the same outbound NAT who want to be tracked for some odd reason, possibly involving incentive programs). And at the coffee shop. And in motels. And in libraries. And every time my DHCP lease changes. Basically, every IP I'll ever occupy - however temporarily - I'll need to re-opt-out from.
so, unless I'm missing something
Yes, I think you're missing something.
Dewey, what part of this looks like authorities should be involved?
Lots of reasons:
1. We speak of "do not track" instead of "ok to track." The debate is already framed to their advantage.
2. You're ok with it. Almost everyone is ok with it. Otherwise, they wouldn't send the requests (complete with the cookies they asked you to send, the last time you communicated with them) to the ad servers, and especially wouldn't download and execute javascript which sends extra "history stealing" information to them. Some people say they're not ok with it, but their behavior reveals how weak their conviction is. If you're really not ok with them tracking you, then they're not tracking you (because in the end, you're always in control).
3. Like lots of mass-surveillance techs, it was so impossible to do back when the basic parameters of who-has-the-right-to-what were spelled out in constitutions and philosophies. So there aren't any serious prohibitions (legal or cultural). Some places like Europe try to have privacy laws, but they are incomplete (though may work to varying degrees) and unenforceable. (read on, about enforceability)
4. They can get away with it, and could get away with it even if it were prohibited. The act of learning things about you, especially when they passively gather it from information that you send to them, is totally internal. Laws that essentially say "you're not allowed to pay attention to things people tell you" are unenforceable. It's like violating DMCA in your home to watch a DVD: it might be against the law, but nobody is ever going to know that you did it, unless they're already after you. (Not that this stops there being a prohibition against watching DVDs, but everyone knows it's a stupid law so it's a harder sell to do things like that.) The only externally visible symptom is that they'll tend to show you better-targeted ads, and how do you prove anything from that?
5. They can outspend you. Should the opt-in-vs-opt-out question come up in a legislative body, they have a voice and you do not. This is how things will be until people start really voting.
HTH.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
I regularly update my hosts file to block asshole companies like this.
"self-regulatory"
Well there's your problem.
Epic has written a response defending its practices."
If you still don't see what's wrong with these people, that sentence is all you need. Get caught with the hands in the cookie jar and then go about explaining why it was an ok thing to do.
How long until we as a society finally realize that corporations do not have ethics ? They are, almost by definition, psychopaths. We need to start treating them like the dangerous criminals they are.
No, I'm not a communist. I do, however, strongly advocate seeing things the way they are, and not fool yourself with delusions of an idealized version of your world. And corporations behaving as valuable members of society is an aberration, not the norm.
Assorted stuff I do sometimes: Lemuria.org
You're spot on.
They claim that a click on an "I accept" button constitutes a binding contract. But a checkbox in the configuration that I don't want to be tracked doesn't?
Frankly, stop treating corporations like responsible citizens. They aren't. They are cheaters, liars and frauds. Their only purpose is profit. If they were humans, they would qualify as psychopaths.
Treat them like that.
Assorted stuff I do sometimes: Lemuria.org
A custom HOSTS file: To block out advertising, period! It's my bandwidth I pay for, for one thing (yours too), out of pocket - I want ALL of what I paid for (not just some, not 1/2... ALL!). It's apparently not only your money's worth being reamed by ad networks, but now also your privacy (as well as adbanners being shown & proven to harbor malicious script malware @ times since around 2004 as well (more than just a few times in fact)).
Not only do you surf NOTICEABLY FASTER using one, but also safer as well, and you get all of the bandwidth you pay for too (triple bonus).
"Ever since I've installed a host file (http://www.mvps.org/winhelp2002/hosts.htm) to redirect advertisers to my loopback, I haven't had any malware, spyware, or adware issues. I first started using the host file 5 years ago." - by TestedDoughnut (1324447) on Monday December 13, @12:18AM (#34532122)
FROM http://tech.slashdot.org/comments.pl?sid=1907528&cid=34532122
Now?
20++ ADVANTAGES OF HOSTS FILES OVER DNS SERVERS &/or ADBLOCK ALONE for added layered security:
1.) HOSTS files are useable for all these purposes because they are present on all Operating Systems that have a BSD based IP stack (even ANDROID) and do adblocking for ANY webbrowser, email program, etc. (any webbound program).
2.) Bad news: ADBLOCK CAN BE DETECTED FOR: See here on that note -> http://arstechnica.com/business/news/2010/03/why-ad-blocking-is-devastating-to-the-sites-you-love.ars
HOSTS files are NOT BLOCKABLE by websites, as was tried on users by ARSTECHNICA (and it worked, proving HOSTS files are a better solution for this because they cannot be blocked & detected for, in that manner), to that websites' users' dismay:
PERTINENT QUOTE/EXCERPT FROM ARSTECHNICA THEMSELVES:
----
An experiment gone wrong - By Ken Fisher | Last updated March 6, 2010 11:11 AM
http://arstechnica.com/business/news/2010/03/why-ad-blocking-is-devastating-to-the-sites-you-love.ars
"Starting late Friday afternoon we conducted a 12 hour experiment to see if it would be possible to simply make content disappear for visitors who were using a very popular ad blocking tool. Technologically, it was a success in that it worked. Ad blockers, and only ad blockers, couldn't see our content."
and
"Our experiment is over, and we're glad we did it because it led to us learning that we needed to communicate our point of view every once in a while. Sure, some people told us we deserved to die in a fire. But that's the Internet!"
Thus, as you can see? Well - THAT all "went over like a lead balloon" with their users in other words, because Arstechnica was forced to change it back to the old way where ADBLOCK still could work to do its job (REDDIT however, has not, for example). However/Again - this is proof that HOSTS files can still do the job, blocking potentially malscripted ads (or ads in general because they slow you down) vs. adblockers like ADBLOCK!
----
3.) Adblock doesn't protect email programs external to FF, Hosts files do. THIS IS GOOD VS. SPAM MAIL or MAILS THAT BEAR MALICIOUS SCRIPT, or, THAT POINT TO MALICIOUS SCRIPT VIA URLS etc.
4.) Adblock won't get you to your favorite sites if a DNS server goes down or is DNS-poisoned, hosts will (this leads to points 4-7 next below).
5.) Adblock doesn't allow you to hardcode in your favorite websites into it so you don't make DNS server calls and so you can avoid tracking by DNS request logs, hosts do (DNS servers are also being abused by the Chinese lately and by the Kaminsky flaw ->
The Battle of Hastings is mine, Epic. You can't have it.