RapLeaf Is Back and Bad As Ever

itwbennett writes "Privacy blogger Dan Tynan opted out of data aggregator RapLeaf back in 2010 — and wrote about it. At the time, opting out seemed to work well enough. But fast forward a couple of years and ... they're baaaack. While testing a privacy service called Safe Shepherd, Tynan discovered that 'not only [is he] not opted out of RapLeaf's database, they've also gathered far more information about [him] than they had before.' And it's a pretty good bet some of the data came from Facebook apps, which is a practice that the company was slapped for in 2010 and claimed to no longer do."

Cookie based opt-out

Opt-out policy

This company provides a cookie based opt-out. An "opt-out cookie" is set by the browser. This provides a request that ads should not be customized through your web browsing activities and preferences. You will continue to receive ads but this company will not use this information to select behavioral ads you see online. You must opt-out again if cookies are deleted and required for each browser type and new computer. Third party cookies must be accepted for opt-out to work.

So, if you wipe your cookies, you "opt back in".

Re:Cookie based opt-out

There are Firefox add-ons (and probably Chromium equivalents) that automatically give you opt-out cookies, and make sure they won't be deleted. Beef Taco comes to mind.

Re:Cookie based opt-out

[ben_shepherd]

There are two types of ways to opt out of Rapleaf that should be distinguished here. The more robust way (assuming they respect it) is to go through their "permanent opt-out" form (http://www.rapleaf.com/opt-out/), which removes you from their database. What the cookie opt-out does is disable their third party tracking of you as you browse the web. If you're interested in removing yourself from all of the major data broker and people search sites check out our manual opt out guides: http://blog.safeshepherd.com/how-to-block/ . Or better yet, give our service a try.. guarantee you it will save you a lot of time and worry if you care about these sites selling your personal information.

Re:Cookie based opt-out

[OptimalCynic]

I'd love to, but what kind of safeguards do you have? You ask for a lot of personal information, seems like creating a single point of potential failure to me. I think what you're doing is great, I'm just a bit paranoid about this.

Re:Cookie based opt-out

[gandhi_2]

just a bit paranoid

Is that a twitter bird next you your id?

Re:Cookie based opt-out

[ben_shepherd]

Hey there, we take privacy very seriously-- that's why we started Safe Shepherd. We go out of our way to encrypt as much info as possible through row-level encryption. Also we delete every single database row related to your account when you opt to cancel your service with us. Here's our privacy policy: https://www.safeshepherd.com/privacy . Feel free to hit us up with any questions, we're a 7 person organization and can respond to people individually.

Re:Cookie based opt-out

[OptimalCynic]

Yeah, it's how I log in to Slashdot.

Re:Cookie based opt-out

[OptimalCynic]

Thanks, that's pretty much the answer I was hoping for.

Re:Cookie based opt-out

[sorak]

Is this company run by the kid who would steal anything that wasn't nailed down and then say "you didn't say I COULDN'T have it"?

Re:Cookie based opt-out

[HiThere]

That "assuming you trust them" is my real sticking point. I'd rather not give them any information (or any correct information) to start with.

What we need is a character generation application, sort of like you get on angband, but customized to provide random user information for web sites. And a small database that tracks which web site you give which character information to. The only hard part would be the browser interface, so that the browser would automatically give the right website the right charcter information.

Re:Cookie based opt-out

[fast+turtle]

and this is just one more reason I use noscript and a dedicated host file since the dial-up days (I've been on broadband for a decade) to block ads and such crap. I used to use Ghostery but after I realized they were collecting and selling the same information that Google and other advertisers were, I quit using them. Noscript works quite well in providing me the full path name of the annoyance so I can add it if needed to my host file. Another option I take full advantage of is the many free hosts files online. The good ones include plenty of comments and I tend to combine several of them for my needs and this works quite well in regards to what I'm blocking.

Re:Cookie based opt-out

[OptimalCynic]

Or you could use privoxy, which has URL matching, not just host blocking.

Follow the money

[Jawnn]

This behavior not going away until it becomes to expensive, in terms of bad PR as well as fines, for dishonest practices. You either honor your customers' request/expectation of privacy or you don't. If you don't it should cost you. Currently it simply doesn't, so the so-called free market being what it is, we see rampant abuse like this. Mind you, the clueless legions who so blithely bend over to have their privacy raped by Facebook et al deserve a fair share of the blame here, but it is not realistic to expect most of them to fully understand just how bad an idea it is to let some of these go on. For that reason, regulation is in order, and I mean real regulation, with teeth and a budget to enforce it. I will not hold my breath.

Re:Follow the money

[Joce640k]

Yep.

Earnings - fines = profit.

If earnings are bigger than fines then profit is a positive number. The fines are just operational overheads.

Re:Follow the money

This behavior not going away until it becomes to expensive, in terms of bad PR as well as fines, for dishonest practices. You either honor your customers' request/expectation of privacy or you don't. If you don't it should cost you. Currently it simply doesn't, so the so-called free market being what it is, we see rampant abuse like this. Mind you, the clueless legions who so blithely bend over to have their privacy raped by Facebook et al deserve a fair share of the blame here, but it is not realistic to expect most of them to fully understand just how bad an idea it is to let some of these go on. For that reason, regulation is in order, and I mean real regulation, with teeth and a budget to enforce it. I will not hold my breath.

This behavior will not go away until an individual is affected by it, in a very personal way (didn't get a job, lost a job, affected marriage, etc.). Then and only then will people wake up to the problems they are creating for themselves with an IDGAF attitude about privacy.

Until then, it will always be treated in the same way as unsafe sex. Bad shit will never happen to me, it's always "someone else".

Ignorance rules the planet right now.

Re:Follow the money

[tlhIngan]

This behavior not going away until it becomes to expensive, in terms of bad PR as well as fines, for dishonest practices. You either honor your customers' request/expectation of privacy or you don't. If you don't it should cost you. Currently it simply doesn't, so the so-called free market being what it is, we see rampant abuse like this. Mind you, the clueless legions who so blithely bend over to have their privacy raped by Facebook et al deserve a fair share of the blame here, but it is not realistic to expect most of them to fully understand just how bad an idea it is to let some of these go on. For that reason, regulation is in order, and I mean real regulation, with teeth and a budget to enforce it. I will not hold my breath.

Hint: You're not their customer. You're their product.

RapLeaf, Facebook, Google's customers are not who we normally consider the users. They're advertisers ,marketers, etc, the ones who pay these companies money in exchange for information collected.

Contrast this with say, buying an iPhone, in which case you're Apple's customer and Apple strives to satisfy the people who pay for it. For Microsoft, things are more blurry because you're their customer sometimes (e.g., buy Windows, Office, Xbox, etc), and sometimes you're the product (e.g., Bing, Hotmail/Outlook.com, etc).

Re:Follow the money

[Minupla]

Contrast this with say, buying an iPhone, in which case you're Apple's customer

Not quite true - otherwise Apple would not be in the advertising business (http://en.wikipedia.org/wiki/IAd)

In general, you can assume that any large company is treating you as the product. The only question is to what degree and if you're also a customer.

And if you bought a google nexus phone/tablet, you're also Google's customer as well as product.

Min

Re:Follow the money

[X0563511]

You do realize that the "clueless legions" you speak of have every right to place different values/definitions on their privacy, right? They do not have to care about it.

They should, but they don't have to. That's the wonderful thing about this world - we don't all think the same way.

Re:Follow the money

[VortexCortex]

Hint: You're not their customer. You're their product.

Hint: You're not my friend or follower, you're my target demographic.

Seriously, although I hate them and would rather folks join our forums or IRC, I must use social networks to connect with the community at large. I even bounce ideas off of them while letting interested folks know about what's up with the stuff (games) I'm working on. Also we get to share some other unrelated interests while we're at it.

As a "product" on the social networking sites I use them to subscribe to things I want to know about, but don't want to have to remember to check on. I'd love it if everyone just had RSS enabled and kept me up to date on their stuff that way, but not everyone does (indie game devs, specifically of Roguelikes, I'm looking at you). I don't ever use it for personal correspondence or to share "private" stuff with friends and family -- Sharing family photos and backing up grandma's hard drive is what our family's website and private cloud is for.

That said, if advertizing begins to drown out my message to those who're interested specifically in my stuff, or it begins to overly pollute the feed of data I wish to collect from others then I'm out. It's a fine line to walk. The point is that, not only are we the product, but they are a services and I'm using it for my benefit -- We call this situation "being a User". If you're not a user, you're a fool.

Re:Follow the money

[VortexCortex]

Seriously, although I hate them and would rather folks join our forums or IRC, I must use social networks to connect with the community at large.

Hmm... this could be taken to mean I hate the social networks, OR the community at large. Given the vast quantity of annoying idiots far outnumbering rational likeable folks, yeah, I'd say I hate most of "the community" for large values of "community". I hate social networks more that the worst of trolls though, but they're sadly a necessity. It's where people are.

Re:Follow the money

[HiThere]

If there were (real teeth in HIPAA privacy violations), medical agencies couldn't use web connected MSWindows machines.

So, yes, your point stands.

Re:Follow the money

[HiThere]

The behavior will continue until the individuals effected in the manner you specify are the people making the decisions about what business plans to pursue. And even then I expect that there would need to be about a decade of continual prosecutions and punishments to overcome the last several decades of improper conditioning.

Re:Follow the money

[MagusSlurpy]

The older I get, the less I'm sure that I agree with your "Thy should care about privacy" statement. As long as these companies aren't calling me or spamming me, I don't really care. If they want to track my browsing habits, whatever. If they are really that interested in seeing that a guy who browses Slashdot also regularly visits HardOCP, RPS, Penny Arcade, Netflix, Facebook, and a few gaming community forums so they can sell that information to WalMart and Amazon, whatever.

Personally, I think the whole data aggregation field is highly overvalued and sooner or later it's all going to come crashing down when companies realize that buying this data isn't enabling them to make any more profit.

Data harvesting: illegal, low-cost, high profits.

[h00manist]

Wikileaks showed us the way. The only thing left to talk about is public access to data, especially data on people in privileged positions.

Nothing can really be done to control black and gray market data. And, little or no actual control can be exerted on the "legal" companies and practices as well. Even if you manage to hide your own data through various means, it complicates and restricts life, and does nothing about the data of the rest of the population, which affects and includes your data.

The only real secrets are those of people who can afford the expenses of keeping secrets - corporations, governments, and their associated criminals.

No, the path is now to acquire public access to data on these people.

Opt Out?

[frootcakeuk]

I find it ironic yet unsurprising that the 'opt out' link doesn't work. https://www.rapleaf.com/opt_out

Re:Opt Out?

[frootcakeuk]

Sorry, typo in the OP's provided link. It does work.

Re:Opt Out?

[preaction]

The opt-out link I found was https://www.rapleaf.com/opt-out and it seems to work fine. Disclaimer: I hold no opinion on this site and what it does, I am interested only in well-reasoned arguments based on facts.

Re:Opt Out?

[macraig]

What makes you so bloody certain that it "works"? That the form and captcha simply appear at face value to be responsive? I actually entered an e-mail address which, if the process is actually "working" as expected, should have generated an e-mail challenge to verify that I owned said account and wasn't pranking an account I don't own. I've received no such challenge yet.

For all I know that form is simply a means to collect the e-mail addresses of people who they intend to data-mine even more intensely, precisely because of their stated intention to opt out. After all, only people who have valuable things to hide would ever feel compelled to opt out, right?

Re:Opt Out?

[macraig]

And BTW, that page relies on no less than 10 external "trackers", according to Ghostery:

AppNexus
DoubleClick
Google +1
Google AdWords Conversion
Google Analytics
HubSpot
MixPanel
Outbrain
ScoreCard Research Beacon
SnapEngage

People are quite likely collecting data on your choice to opt out....

Re:Opt Out?

[Sporkinum]

Isn't ghostery owned by Evidon, who also owns Rapleaf? I wouldn't trust either of them.
However, I wouldn't trust Safe Shepherd either as they are aggregating info as well.

Seem like best bet for yourself is to stop scripts from running and cookies from storing.
Also, most of that technology is rendered useless if you are blocking ads because you never see what their magic mojo is throwing at you.

Re:Opt Out?

[macraig]

I dunno about that, but I can tell you that Ghostery blocks "Rapleaf" by default. If there was really something sinister there, I'd expect to see it quietly whitelisted.

Re:Opt Out?

[Secret+Agent+Man]

Some cursory googling did not reveal any link between Evidon and Rapleaf. Got some sources to share?

Re:Opt Out?

[X0563511]

The difference is that you have explicitly told them not to track you. If they continue to do so, things are a little bit differently, legally.

Re:Opt Out?

[X0563511]

Does it actually block it, or does it only say that it does?

Re:Opt Out?

[preaction]

I don't know that it actually functions, like you I am not going to give them a real e-mail address just to test it. The link goes to a web page though, where as the person I was replying to had a bad URL. As mentioned, I'd rather light my torch and raise my pitchfork for a reasoned argument, and not a knee-jerk reaction based on a misspelling from - to _.

Hmmm ...

[gstoddart]

So, you don't trust the company (which is a given), but somehow we're supposed to trust that opting-out actually does anything or causes them to delete anything?

If anything, it sounds like the fact that you opted out gave them more information about you and more reason to find more.

Opting out of this kind of shit is like "click here to unsubscribe" which comes with spam to make it look compliant -- they're not going to do it.

I mean, he's talking about logging into his account on their server to see what information they have about him -- I sure wouldn't sign up for this in the first place.

Laws need to change so the default position isn't "company can do whatever it wants without telling you". Of course, they'd scream and howl that it was cutting into their "freedom of speech" or corporate profits, but I don't see why it should be something which they decide how it gets used.

Triple take on the name

Please tell me I'm not the only one who had to read the title three times to realize it's not called "RapeLeaf."

Re:Triple take on the name

[Nemesisghost]

Nope, you are not the only one.

Re:Triple take on the name

[MagusSlurpy]

If it makes you feel any better, I had to read it three times to realize that it had nothing to do with mad urban beetz.

How we verify opt-outs at Safe Shepherd

[ben_shepherd]

Hey guys, I'm Ben, a developer at Safe Shepherd. Data brokers and people search sites like Rapleaf have a bad habit of blocking or flat out ignoring opt out requests. Recently we implement a system of verified removals whereby we check whether the opted out record actually still appears on the data broker's website. This allows us to identify whether they're being generally honest and whether another opt-out needs to be sent on a case-by-case basis. I set up the verified removals to run as a daily cron task, so we can identify whether records re-appear even after they've been removed (yes, data brokers do this). Also fwiw we've written up some manual opt-out guides for all the major data brokers and people search sites in case you want to do the removals yourself rather than through our service: http://blog.safeshepherd.com/how-to-block/

Re:How we verify opt-outs at Safe Shepherd

[ewhac]

It seems like, in order to get these nosy little snoops to stop snooping on you, you have to explicitly visit their site, provide them with even more info, and hope they keep their word that they won't compile data on you.

For those who are, shall we say, less sanguine about these companies being true to their word, can you suggest client-side methods users might try that either block the trackers' ability to collect data in the first place, or would give the trackers useless or conflicting data?

Re:How we verify opt-outs at Safe Shepherd

[ben_shepherd]

methods users might try that either block the trackers' ability to collect data in the first place

1. 1. Avoid publicly accessible pages on social sites like LinkedIn, OkCupid, Facebook. People search sites crawl these to build up their data sets. We recently added a social monitoring feature which will show you a snapshot of your social profiles from a non-logged in user perspective which can help with that.
2. 2. Practice safer browsing habits. Lots of plugins like Ghostery that can help with this.
3. 3. You're never going to completely prevent them from getting data as long as you're living a normal 21st century life. Most people have real estate records, voting records, retail stores selling their info, etc. That's why removals are a must if you care about people being able to buy your info online. I wrote a blog post about your question here: http://blog.safeshepherd.com/resources/steps-to-privacy-controlling-your-personal-information/

When we do opt outs we try to send the bare minimum amount of info.. But the data brokers and people search sites go out of their way to require ridiculous things such as faxes of photo IDs. We automate the process, though believe me we don't like having to ask our users for this info. We also go to extra measures to use encryption wherever possible. For example we literally can't view the photo IDs of our users even if we wanted to.

Re:How we verify opt-outs at Safe Shepherd

[BitZtream]

So if you can't view the photo IDs ... that means you can't use them for sending to anyone else to opt me out ... so why are you even storing them or asking for them? Do you fax out encrypted images for your users or something and expect some sort of fax-decrypter on the other end? Or is this some new quantum computing attribute where magically only the intended person can see it, because it exists in both an encrypted and decrypted superposition state?

Re:How we verify opt-outs at Safe Shepherd

[ben_shepherd]

Hey, sorry if that wasn't clear. Our app servers lack the SSH keys required to view the IDs under any circumstance, but our fax servers are capable of sending them as unencrypted images. This is setup so that a Rails glitch or console error can't result in the viewing of IDs.

Re:How we verify opt-outs at Safe Shepherd

[DMUTPeregrine]

RequestPolicy and NoScript for Firefox are quite handy for blocking trackers abilities to collect data. Also disallowing 3rd party cookies.

Re:...Evidon, who also owns Rapleaf?

[TaoPhoenix]

"Isn't ghostery owned by Evidon, who also owns Rapleaf? I wouldn't trust either of them.
However, I wouldn't trust Safe Shepherd either as they are aggregating info as well."

Nice bit of homework there. Is there a more free/open plugin that does the same kind of thing that Ghostery does by providing lists of blocked trackers? I'd be happy to use that instead.

Re:...Evidon, who also owns Rapleaf?

[magic+maverick+]

RequestPolicy will block all third party requests by default, which will block the cookies that come with it. (They do allow, by default, links between a site and it's CDN domain though.)

Re:...Evidon, who also owns Rapleaf?

[X0563511]

AdblockPlus + easylist + easyprivacy + noscript (for the extra careful). Kind of hard for doubleclick to track me if I don't load resource from them and don't run their scripts!

I'm sure there are some items that slip through, but implementing them requires more significantly more coordination between the trackers and the site itself. I'd wager this gets rid of nearly all of it.

(and advertisements in general, which I -do-not-want- anyway. I know that's how sites get paid, frankly I don't care. Friendly fire. You all ruined that party yourselves - had you not been stupid assholes about it for so long, I might not block you like I do now.)

Disclose Your IPs

[VortexCortex]

I think all companies should be required to disclose all their public facing IP addresses, and business parters that they share data with. This way we can create a web spider that can completely block all of one's traffic between yourself and the company. Think about it. The problem is that we don't know where our browsers are connecting to -- The browser does, but users typically don't know except for the address bar (which is only a small percentage of the connections made on a typical page). Seriously, if your browser popped up "Would you like me to send a request to 'DoubleClick.Net'? [y/N] [x] remember this choice" Would ANYONE actually say yes?

Re:Disclose Your IPs

[genkernel]

Enter RequestPolicy, an add-on for firefox that does essentially this.

Re:...Evidon, who also owns Rapleaf?

[TaoPhoenix]

I got half way there - I have been using adblock for years. However, however flawed it might be, Ghostery at least pointed out those lists of cookie-whatever tracker companies that aren't actually serving ads.

I haven't heard about easyprivacy before, so I might look into that. I think I tried and abandoned noscript a few times because it's a bit too fierce and it became a lot of work to add-in the sites I wanted to run stuff (yahoo mail, monster jobs site, but a surprising number of others now escaping me.)

Elsewhere someone mentioned requestpolicy.

However, I was particularly interested in finding one of these services that doesn't just block stuff, but produces the ordered list in realtime of what in fact it did block. For example, besides Google, that SafeShepherd site uses "Mix Panel" and "Perfect Audience". So that's why these "privacy companies" make me giggle grumpily - "hmm, so you're a company that wants to offer to remove tracking info, so why do you have those enabled and what do they track?" This is something like the third of these "privacy services" showing up this year, each with little wiggly angles they are playing.

Re:W00t 7p

[yahwotqa]

Message received and decoded. Operation Pastry Badger is go.

Re:...Evidon, who also owns Rapleaf?

[X0563511]

Just a note: I'm sure some of those trackers are actually from the advertisements, which are loaded from third-party systems that the site does not have immediate control over.

Did/does the site have any kind of advertisements on it that you noticed?

Re: trackers are actually from the advertisements

[TaoPhoenix]

Hi there.

I didn't do any extensive analysis, which in some ways is my point - the data to do the analysis with on these kinds of questions eventually buries into "company proprietary info". To clarify, the other half of my point is that I am used to and sorta don't care that the top "newsrags" have a huge collection of stuff going on. Let's say that Ghostery works, and blocks them, and then Evidon does whatever they want later. In the modern age, I expect many sites to deploy stuff.

But I hold "privacy companies" to far higher standards because of the specific nature of the services that they purport to sell. So as a consumer, it's absolutely not my job to be wondering why those elements are on a privacy site's page.

Re:...Evidon, who also owns Rapleaf?

[cheros]

Sadly, what you have done is not enough.

You missed Google fonts. Practically EVERY Wordpress template contains them as it's one of the few resources available to create a better design without having to license fonts for download. Google doesn't do that out of the gentleness of their non-existing hearts: every time you load a Wordpress page which uses Google fonts you create a hit on their fonts API.

Granted, if you nuke cookies they will not have a fully accurate lock on you as a person, but that's where geolocation comes in - Google does not HAVE to be accurate, all they need is a reasonable approximation. In principle we should ALL use the web via proxy, but it's ridiculous that I have to defend what is my RIGHT because setups like Google are allowed to break the law with impunity (at least in Europe)?