Slashdot Mirror


Advertising Network Caught History Stealing

jonathanmayer writes "Last week the Stanford Security Lab reported some surprising results on how advertising networks respond to opt outs and Do Not Track. This week we made a new discovery in the online advertising ecosystem: Epic Marketplace, a member of the self-regulatory Network Advertising Initiative, is history stealing with unprecedented scale and sophistication. And Epic is snooping some remarkably sensitive information, including pages from the FTC, IRS, NIH, Mayo Clinic, and more. Epic has written a response defending its practices."

19 of 143 comments

  1. Adsense by zget · · Score: 4, Insightful

    Google currently owns the largest advertising network, and it will only expand (both internet wise and datamining wise) with Google+. If others can't history steal, it will put them out of business. In practice, Google's monopoly demands others to play bad. I'm not saying it's a good thing, it is bad. Just stating the facts.

    1. Re:Adsense by LWATCDR · · Score: 3, Interesting

      What?
      Google does not have a monopoly. Facebook which is a monster does not use Google ads. Google does not have a monopoly on search. Bing and Yahoo which now uses Bing both serve ads and provide search so we can toss out your monopoly idea right there. Google plus has fewer users than Facebook, Twitter, MySpace and until recently Slashdot, so that isn't a monopoly in social networks.
      So now that we know that the facts you are stating are false we can just toss the rest of the comment out.
      They don't have to cheat to compete. Microsoft, Facebook, and Apple all have ad networks now. Apple is making a big push in the mobile ad space; I would hope they are not history harvesting.

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
    2. Re:Adsense by _Sprocket_ · · Score: 4, Insightful

      I thought it was more interesting when you did this post the first time. But I guess you can now copy and paste this into anything Google related from here on out, right?

      Now I'm wondering. Where does this copy-and-paste come from? When has an agent of Google said "privacy is not important"? And when does Google+, a "social network" service that not only features but stresses limiting communications to user-customizable groups and therefore controlling how public any given communications are, represent an example of privacy not being important?

    3. Re:Adsense by NeutronCowboy · · Score: 2

      Brand new account, copy-paste of some barely supported claims that are a little out there, to say the least.... my shill-o-meter is ringing.

      --
      Those who can, do. Those who can't, sue.
    4. Re:Adsense by _Sprocket_ · · Score: 3, Interesting

      Some people use quotation marks for paraphrased quotes.

      Right. And some people don't know what they're talking about and like to put words in other people's mouths. If you're going to quote someone, quote them.

      What was actually said in the oft-misquoted Schmidt interview:

      "I think judgment matters. If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place, but if you really need that kind of privacy, the reality is that search engines including Google do retain this information for some time, and it’s important to remember, for example, that we are all subject in the United States to the Patriot Act. It is possible that that information could be made available to the authorities." -- Eric Schmidt

      Note that isn't a paraphrase. That's a real, gen-u-ine quote. I don't agree with him that the desire to maintain privacy is in any way linked to whether I should or should not be doing something. But what I find even more interesting is that in the same breath, we're being warned about the Patriot Act. We're being told without actually being told (because that would be illegal) that Google is being served with Patriot Act requests. Nobody ever seems to key on that though.

      Back on topic - nowhere does Schmidt say that privacy isn't important. I understand and share the concern over how much data and meta-data Google has access to. I'm even more concerned over the possibility of Google changing hands or Government access to data (i.e. Patriot Act). But let's limit criticism and concerns to real issues. The real issues are enough without making crap up.

      Unless, of course, making crap up is part of a larger agenda.

  2. ...Actually Complying? Maybe, but Probably Not. by Lance Dearnis · · Score: 4, Interesting

    Alright, I read the article on this one, and, there's a divergence of evidence here. Mainly..

    "We applied the methodology from last week's study to examine Epic Marketplace's opt-out practices. (Epic Marketplace was one of the eleven NAI members not included in that study.) We found that Epic Marketplace leaves its tracking cookies in place after both opting out with the NAI mechanism and enabling Do Not Track. We also found that history stealing continues after using either choice mechanism." - This one's from the study.

    "Furthermore, when the user opts out, all data collection efforts cease. The student erroneously concludes that users are unable to avoid participating in segment verification because the opt-out mechanism does not delete the cookie that exists on the user’s computer. Like many other networks have pointed out already in their responses, this is misleading and inaccurate. When a user opts-out, all further collection of behavioral data from that user stops and existing profile data is deleted, even though the cookie itself is not deleted. The reason for this is simple: these cookies provide important operational information necessary for the delivery of any ad, not just targeted ads. For example, Epic Marketplace needs this data to determine how many times a particular ad has been shown to a user, and to analyze whether fraudulent activity is taking place. Ironically, in order to give effect to a consumer’s decision to avoid data collection, the cookie has to remain, otherwise advertisers have no way of knowing that that particular consumer has elected to opt-out of that advertiser’s data collection practices." - and here's Epic's counter.

    These two statements seem strictly at odds to me; the study states that the History Stealing continues to run, not just that a cookie remains as Epic seems to be saying. Epic claims the data collection stops - straight conflict here. Someone either screwed up their study, or Epic is lying, or Epic is unaware that their 'stop stealing' code doesn't actually work. It looks like they're not gathering personally identifiable or geographical location, and so are in the clear there - but now you've got a pure 'He said, she said' in terms of continuing collection after opt-out. Anyone interested in trying to duplicate this study and add some more evidence to if it continues or not?

    1. Re:...Actually Complying? Maybe, but Probably Not. by gurps_npc · · Score: 2

      As per the article, web histories count as identifiable information. So collecting them counts as gathering personally identifiable information.

      --
      excitingthingstodo.blogspot.com
    2. Re:...Actually Complying? Maybe, but Probably Not. by Lance Dearnis · · Score: 2

      Well, to summarize responses to all three of these:

      Epic was certainly caught 'history stealing' - the contention is if they continue this practice even if you opt out, not that the practice occurs in the first place.

      While it goes through your web history, it separates out into 'interest segments' rather than directly pulling URLs; in other words, while directly collecting them WOULD count as personally identifiable information, Epic isn't doing that. They don't read 'You went to groupon!', they read 'You went to a site about mass-consumer deals, of which there are 37 sites in this segment.'

      Hey, they're fighting over the definitions of it. It's the typical PR spin move - redefine the words of the practice to something better for you (Changing 'Copyright Infringement' to 'Intellectual Property Theft/Piracy' for example, to associate with things already known and considered criminal by most people rather than having to convince each person over again that this is bad.) If this practice gets labelled as 'History Stealing', then Epic's considered automatically guilty. If they manage to change the name to 'Historical Data Collection', it sounds pretty harmless now, don't it. And that matters to the Congresscritters who would hold a hearing on that. Everyone wants to hear about 'History Stealing', but the latter? People gonna fall asleep.

  3. Re:So this is theft? but downloading music isn't? by Anonymous Coward · · Score: 3, Insightful

    Yes it's almost like slashdot is not in fact a homogeneous group of readers with a common opinion.

  4. Re:So this is theft? but downloading music isn't? by JMJimmy · · Score: 3, Insightful

    ooo - can I have some of this magic money that appears out of thin air?

  5. Re:So this is theft? but downloading music isn't? by gurps_npc · · Score: 4, Informative

    Not quite. According to Slashdot: Downloading music is a copyright violation, as per the law. Not theft. We then proclaim that the copyright laws are unethical. Often the issue in question is a contract violation with civil, not criminal penalties. BUT Getting someone's browser history is an invasion of privacy (Felony)

    --
    excitingthingstodo.blogspot.com
  6. is this true? I'm not sure it is by TheGratefulNet · · Score: 2

    TFA:

    When a user opts-out, all further collection of behavioral data from that user stops and existing profile data is deleted, even though the cookie itself is not deleted. The reason for this is simple: these cookies provide important operational information necessary for the delivery of any ad, not just targeted ads. For example, Epic Marketplace needs this data to determine how many times a particular ad has been shown to a user, and to analyze whether fraudulent activity is taking place. Ironically, in order to give effect to a consumer’s decision to avoid data collection, the cookie has to remain, otherwise advertisers have no way of knowing that that particular consumer has elected to opt-out of that advertiser’s data collection practices.

    it's been a while since I did web programming, but isn't an opt-out better implemented as data stored on THEIR systems and not mine? am I missing something here?

    "we can't be sure you don't want our shit, so we send you a cookie so we can know you don't want our shit."

    WHAT???

    do they expect technical people to say 'oh, ok, you are right' ?

    so, unless I'm missing something, they should look at their LOCAL database of do-not-track ip addrs and users and not even TRY to write data to their disks (cookies). and if the user denies cookies (as I do on all sites that are not already whitelisted)? their 'design' doesn't allow for THAT case, does it?

    these guys should be sued into negative oblivion. bottom feeding fuckwads.

    --
    "It is now safe to switch off your computer."
  7. Re:So this is theft? but downloading music isn't? by nedlohs · · Score: 4, Insightful

    I realise this is going to be confusing for you, but just try and stay with me:

    Slashdot is not an individual. Slashdot is a collection of people of differing views and opinions.

    Some people who read and post on slashdot think that downloading music without approval of the copyright holder is not theft. Some people who read and post on slashdot think that downloading music without approval of the copyright holder is theft. Some people who read and post on slashdot think that getting someone's browser history is not theft. Some people who read and post on slashdot think that getting someone's browser history is theft.

    Some people who read and post on slashdot think that there's a difference between private data and public data. Some people who read and post on slashdot think that there is no difference between private and public data and that "all information wants to be free".

    Some people who read and post on slashdot think that Obama is the best President in all of history. Some people who read and post on slashdot think that Bush was the best President in all of history. Some people who read and post on slashdot think that Bush and Obama are both reptilian aliens in disguise.

    Thus you can't expect to get a consistent opinion. Slashdot itself has no opinion, the people involved in it have opinions.

    You might seem to get a majority opinion shining through, but you can't compare them across areas. "Majority" may really just mean "loudest", the point remains the same.

    For your example, a perfectly reasonable explanation would be that the "majority opinion" of people on slashdot who care enough about downloading music to be involved in a discussion about that topic is that it is not theft. And the "majority opinion" of the people on slashdot who care enough about data snooping by web based advertising networks to be involved in a discussion about that topic is that such snooping is theft of private data. This makes perfect sense, because *they are not the same people*. Or alternatively the "theft" being referred to in the data snooping case is that of privacy. In the music distribution case if someone downloads a copy of a song the original owner of the song has lost nothing - they still have their copy. In the data snooping case the original owner of the history has lost something - they no longer have their privacy.

    So there's two reasonable explanations of our observation, and there will be plenty more. So why are you confused by such a simple phenomenon?

  8. Re:So this is theft? but downloading music isn't? by Midnight Thunder · · Score: 4, Insightful

    It isn't theft. What it is is invasion of privacy and ignoring 'contractual' requirements of 'do not track'. This is why sometimes we need regulation. It is also why the best privacy protection is for the browser to protect itself.

    The analogy here is asking the server not to put tomato sauce in your hamburger and instead they decide to spit in it, with a big "f*@k you" attitude.

    --
    Jumpstart the tartan drive.
  9. Computer fraud? by gstrickler · · Score: 4, Insightful

    Epic has no contract, expressed or implied, with the end user to run software on their computer. They have only an agreement with the website operator, who has no authority to grant Epic the right to execute any software on the end user's computer. That said software actually examines the users browsing history to determine if they have visited specific pages, should be considered illegal, even if they only send back a de-identified list of segments represented by those links. Until Epic has received user consent, their actions should be considered computer fraud.

    --
    make imaginary.friends COUNT=100 VISIBLE=false
    1. Re:Computer fraud? by gstrickler · · Score: 3, Interesting

      No. The end user requested information from the web site they were visiting. That a third party is running software on their computer is not an implied or expressed condition of that request.

      While it's common for sites to display ads from ad networks, and simply displaying an ad could be considered an implied contract of using most web sites, displaying an ad and running software (even javascript) is not an implied contract. In this case, the software goes out of its way to ensure that it runs without any indication to the user, thus the user is completely unaware that there is even anything to which he should have been asked to consent.

      --
      make imaginary.friends COUNT=100 VISIBLE=false
  10. Re:This is why you should always adblock by jank1887 · · Score: 2

    if only there was a loosely associated group of computer hackers sometimes following the activist mindset and settling on particular targets of interest...

  11. Re:is this true? I'm not sure it is by VortexCortex · · Score: 3

    You're over thinking things. What if you were allowed to tick a checkbox in your browser, and thereafter it would state clearly in every HTTP request header DO NOT TRACK ME. This enables notification that we do not want any tracking to be performed, and is delivered in the same set of headers that they are already parsing to read the "Cookies" they set.

    It looks like this:
    DNT: 1
    Firefox4 and IE9 Support this, last I heard Chrome didn't (I hear there is a 3rd party plugin now). All those advertising bastards need do is not track people with those settings. Additionally, use a plugin like CookieMonster to manage your cookie settings.

    Them: "Without cookies how will we know if you want to opt out?!"
    Us: "Problem Solved. Read the DNT header fool."
    Them: "We need cookies to make sure people aren't fraudulently clicking ads, and to count clicks"
    Us: "Not our problem; Besides, Cookies can be cleared -- Store your clicks & hits in YOUR OWN damn database!"
    Them: "... [under breath] But we don't have to, and we won't comply sanely without mandatory regulation."

    They'll cry us a river when it comes down to strict regulations -- The only bad thing is that the law writers don't understand technology enough to just say: "Advertisers must honor the 'DNT: 1' (do not track header) as if the user had followed the advertiser's opt-out procedure, and [insert other shit they should do like delete user records and not set cookies -- though I can manage my own damn cookies, but thanks]."
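An added example, not part of the comment above or of any ad network's code: a sketch of an ad-request handler that reads `DNT: 1` from the same request headers that carry the cookies, stops tracking, deletes the stored profile, expires the tracking cookie, and keeps impression counts server-side in aggregate. The cookie name `uid`, the function names, and the in-memory dictionaries standing in for the network's own database are all assumptions.

```python
import secrets
from collections import Counter

TRACKING_COOKIE = "uid"          # hypothetical tracking-cookie name
impressions_per_ad = Counter()   # aggregate counts kept server-side, no user id
profiles = {}                    # uid -> ad ids seen (stand-in for a profile DB)


def parse_cookies(header):
    """Parse a Cookie request header into a name -> value dict."""
    jar = {}
    for part in (header or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            jar[name] = value
    return jar


def handle_ad_request(headers, ad_id):
    """Serve one ad request; return (response_headers, tracked)."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    uid = parse_cookies(h.get("cookie")).get(TRACKING_COOKIE)

    # Operational counting needs no per-user identifier.
    impressions_per_ad[ad_id] += 1
    response = {"Content-Type": "text/html"}

    if h.get("dnt") == "1":
        if uid is not None:
            # Treat DNT as an opt-out: drop the stored profile and expire
            # the cookie instead of leaving it on the user's machine.
            profiles.pop(uid, None)
            response["Set-Cookie"] = f"{TRACKING_COOKIE}=; Max-Age=0; Path=/"
        return response, False

    if uid is None:
        uid = secrets.token_hex(16)
        response["Set-Cookie"] = f"{TRACKING_COOKIE}={uid}; Path=/; HttpOnly"
    profiles.setdefault(uid, []).append(ad_id)
    return response, True
```

A request carrying `DNT: 1` and no cookie gets a response with no `Set-Cookie` header at all, which also covers the user who refuses cookies outright.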

  12. Advertising Network Caught History Stealing by Tooke · · Score: 2

    At first I thought that somehow history was caught stealing something by an advertising network. It took me a minute to realize the title actually meant "stealing history". If the used word order is really that important, the submitter could've at least thrown a hyphen in there to make it a bit clearer.

    --
    Anybody want a peanut?