Slashdot Mirror


Advertising Network Caught History Stealing

jonathanmayer writes "Last week the Stanford Security Lab reported some surprising results on how advertising networks respond to opt outs and Do Not Track. This week we made a new discovery in the online advertising ecosystem: Epic Marketplace, a member of the self-regulatory Network Advertising Initiative, is history stealing with unprecedented scale and sophistication. And Epic is snooping some remarkably sensitive information, including pages from the FTC, IRS, NIH, Mayo Clinic, and more. Epic has written a response defending its practices."

7 of 143 comments

  1. Adsense by zget · · Score: 4, Insightful

    Google currently owns the largest advertising network, and it will only expand (both internet wise and datamining wise) with Google+. If others can't history steal, it will put them out of business. In practice, Google's monopoly demands others to play bad. I'm not saying it's a good thing, it is bad. Just stating the facts.

    1. Re:Adsense by _Sprocket_ · · Score: 4, Insightful

      I thought it was more interesting when you did this post the first time. But I guess you can now copy and paste this in to anything Google related from here on out, right?

      Now I'm wondering. Where does this copy-and-paste come from? When has an agent of Google said "privacy is not important"? And when does Google+, a "social network" service that not only features but stresses limiting communications to user-customizable groups and therefore controlling how public any given communications are, represent an example of privacy not being important?

  2. ...Actually Complying? Maybe, but Probably Not. by Lance Dearnis · · Score: 4, Interesting

    Alright, I read the article on this one, and, there's a divergence of evidence here. Mainly..

    "We applied the methodology from last week's study to examine Epic Marketplace's opt-out practices. (Epic Marketplace was one of the eleven NAI members not included in that study.) We found that Epic Marketplace leaves its tracking cookies in place after both opting out with the NAI mechanism and enabling Do Not Track. We also found that history stealing continues after using either choice mechanism." - This one's from the study.

    "Furthermore, when the user opts out, all data collection efforts cease. The student erroneously concludes that users are unable to avoid participating in segment verification because the opt-out mechanism does not delete the cookie that exists on the user’s computer. Like many other networks have pointed out already in their responses, this is misleading and inaccurate. When a user opts-out, all further collection of behavioral data from that user stops and existing profile data is deleted, even though the cookie itself is not deleted. The reason for this is simple: these cookies provide important operational information necessary for the delivery of any ad, not just targeted ads. For example, Epic Marketplace needs this data to determine how many times a particular ad has been shown to a user, and to analyze whether fraudulent activity is taking place. Ironically, in order to give effect to a consumer’s decision to avoid data collection, the cookie has to remain, otherwise advertisers have no way of knowing that that particular consumer has elected to opt-out of that advertiser’s data collection practices." - and here's Epic's counter.

    These two statements seem strictly at-odds to me; the study states that the History Stealing continues to run, not just that a cookie remains as Epic seems to be saying. Epic claims the data collection stops - straight conflict here. Someone either screwed up their study, or Epic is lying, or Epic is unaware that their 'stop stealing' code doesn't actually work. It looks like they're not gathering personally identifiable or geographical location, and so are in the clear there - but now you've got a pure 'He said, she said' in terms of continuing collection after opt-out. Anyone interested in trying to duplicate this study and add some more evidence to if it continues or not?

  3. Re:So this is theft? but downloading music isn't? by gurps_npc · · Score: 4, Informative

    Not quite. According to Slashdot: Downloading music is a copyright violation, as per the law. Not theft. We then proclaim that the copyright laws are unethical. Often the issue in question is a contract violation with civil, not criminal penalties. BUT Getting someone's browser history is an invasion of privacy (Felony)

    --
    excitingthingstodo.blogspot.com
  4. Re:So this is theft? but downloading music isn't? by nedlohs · · Score: 4, Insightful

    I realise this is going to be confusing for you, but just try and stay with me:

    Slashdot is not an individual. Slashdot is a collection of people of differing views and opinions.

    Some people who read and post on slashdot think that downloading music without approval of the copyright is not theft. Some people who read and post on slashdot think that downloading music without approval of the copyright holder is theft. Some people who read and post on slashdot think that getting someone's browser history is not theft. Some people who read and post on slashdot think that getting someone's browser history is theft.

    Some people who read and post on slashdot think that there's a difference between private data and public data. Some people who read and post on slashdot think that there is no difference between private and public data and that "all information wants to be free".

    Some people who read and post on slashdot think that Obama is the best President in all of history. Some people who read and post on slashdot think that Bush was the best President in all of history. Some people who read and post on slashdot think that Bush and Obama are both reptilian aliens in disguise.

    Thus you can't expect to get a consistent opinion. Slashdot itself has no opinion, the people involved in it have opinions.

    You might seem to get a majority opinion shining through, but you can't compare them across areas. "Majority" may really just mean "loudest", the point remains the same.

    For your example, a perfectly reasonable explanation would be that the "majority opinion" of people on slashdot who care enough about downloading music to be involved in a discussion about that topic is that it is not theft. And the "majority opinion" of the people on slashdot who care enough about data snooping by web based advertising networks to be involved in a discussion about that topic is that such snooping is theft of private data. This makes perfect sense, because *they are not the same people*. Or alternatively the "theft" being referred to in the data snooping case is that of privacy. In the music distribution case if someone downloads a copy of a song the original owner of the song has lost nothing - they still have their copy. In the data snooping case the original owner of the history has lost something - they no longer have their privacy.

    So there's two reasonable explanations of our observation, and there will be plenty more. So why are you confused by such a simple phenomenon?

  5. Re:So this is theft? but downloading music isn't? by Midnight Thunder · · Score: 4, Insightful

    It isn't theft. What it is is invasion of privacy and ignoring 'contractual' requirements of 'do not track'. This is why sometimes we need regulation. It is also why the best privacy protection is for the browser to protect itself.

    The analogy here is asking the server not to put tomato sauce in your hamburger and instead they decide to spit in it, with a big "f*@k you" attitude.

    --
    Jumpstart the tartan drive.
  6. Computer fraud? by gstrickler · · Score: 4, Insightful

    Epic has no contract, expressed or implied, with the end user to run software on their computer. They have only an agreement with the website operator, who has no authority to grant Epic the right to execute any software on the end user's computer. That said software actually examines the user's browsing history to determine if they have visited specific pages, should be considered illegal, even if they only send back a de-identified list of segments represented by those links. Until Epic has received user consent, their actions should be considered computer fraud.

    --
    make imaginary.friends COUNT=100 VISIBLE=false