Slashdot Mirror

← Back to Stories (view on slashdot.org)

Even the Ad Industry Doesn't Know Who's Tracking You

Posted by timothy on from the watch-this-ad-for-a-hamburger dept.

jfruh writes "The Internet advertising industry is keen to stave off government privacy rules and opt-in-only browsers by loudly proclaiming its adherence to a self-imposed code of conduct. Yet a little digging shows that even "self-regulated" advertisers link to services that link to other services that nobody's really sure what they do. That's why, for instance, when you visit a page on the Sears website, your web browsing behavior is being collected by a company that sells ringtones and won't return emails asking about their privacy policy."

28 of 98 comments (clear)

  1. Oh... by WizardFusion · · Score: 5, Informative

    And that is why Ghostery and other such tools should be used until all tracking is banned.

    1. Re:Oh... by Cinder6 · · Score: 2, Insightful

      Ghostery itself is a tracker: http://venturebeat.com/2012/07/31/ghostery-a-web-tracking-blocker-that-actually-helps-the-ad-industry/

      I use a combination of ABP, DNTMe, and Firefox's built-in DNT flag.

      --
      If you can't convince them, convict them.
    2. Re:Oh... by sdnoob · · Score: 2

      until all tracking is banned.

      like we can trust the web sites, ad networks, and (most) search engines to NOT track, even if it was 'banned'.

      browser functionality to block such behaviour, at least client-side, will pretty much always be necessary.

  2. Oh, yeah by Mitreya · · Score: 4, Interesting

    for instance, when you visit a page on the Sears website, your web browsing behavior is being collected by a company that sells ringtones

    The NoScript list of blocked domains on many (even legitimate) websites is scary indeed. One of my favorites is Javascript from ru4.com required to be able login into your banking account on chase.com. Based on the name, it looks like a phishing website to me...

    1. Re:Oh, yeah by Trepidity · · Score: 4, Informative

      From their whois record, ru4.com claims to be X Plus One, an "enterprise" data-analytics company with a lot of finance-sector clients. So it seems reasonably plausible to me that Chase is contracting with them.

      I don't get why large companies don't bring these things at least under their own subdomains, though. Even if you're having something hosted by a third party, it's not hard to set up its DNS at foo.chase.com.

      --
      10 PRINT CHR$(205.5+RND(1)); : GOTO 10
    2. Re:Oh, yeah by Nyder · · Score: 3, Insightful

      for instance, when you visit a page on the Sears website, your web browsing behavior is being collected by a company that sells ringtones

      The NoScript list of blocked domains on many (even legitimate) websites is scary indeed. One of my favorites is Javascript from ru4.com required to be able login into your banking account on chase.com. Based on the name, it looks like a phishing website to me...

      What I like is when you allow a website and then suddenly you have 30 new addresses on the noscript list. Mainly when trying to read articles or see the videos attached, it becomes a guessing game (based on domain names) on who you should allow so you can see the text, or vid.

      --
      Be seeing you...
    3. Re:Oh, yeah by Mitreya · · Score: 3, Interesting

      From their whois record, ru4.com claims to be X Plus One, an "enterprise" data-analytics company with a lot of finance-sector clients.

      Yeah, and the fact that ru4.com does not seem to resolve or redirect (the WHOIS record points to http://www.aboutus.org/ru4.com) makes it sound very legitimate :)

      So it seems reasonably plausible to me that Chase is contracting with them.

      They can contract who they want, but the fact that a random analytics company has to execute javascript on my computer before I can even login to my Chase account galls me a bit.

      I don't get why large companies don't bring these things at least under their own subdomains, though.

      Yes! And I have chase.com in the whitelist already -- such a move would solve everyone's problem.

    4. Re:Oh, yeah by Em+Adespoton · · Score: 4, Interesting

      From their whois record, ru4.com claims to be X Plus One, an "enterprise" data-analytics company with a lot of finance-sector clients.

      Yeah, and the fact that ru4.com does not seem to resolve or redirect (the WHOIS record points to http://www.aboutus.org/ru4.com) makes it sound very legitimate :)

      So it seems reasonably plausible to me that Chase is contracting with them.

      They can contract who they want, but the fact that a random analytics company has to execute javascript on my computer before I can even login to my Chase account galls me a bit.

      I don't get why large companies don't bring these things at least under their own subdomains, though.

      Yes! And I have chase.com in the whitelist already -- such a move would solve everyone's problem.

      Chase is a significant offender in this regard, as they change contractors semi-regularly. I often get alerts about new domains wanting access to chase assets.

      But moving under chase.com wouldn't solve everyone's problem; I would no longer know that my data is being leaked, and Chase would suddenly be more accountable for their contractor's actions (as well as having to administer the DNS instead of letting their contractors administer their site.

      Really, that's what subdomains are for though; everyone SHOULD be doing this. Of course, the ones you don't know about probably already are.

    5. Re:Oh, yeah by gstoddart · · Score: 4, Insightful

      and Chase would suddenly be more accountable for their contractor's actions

      Good, because those contractors are doing this on behalf of Chase -- so ideally they couldn't do something like denying any responsibility because it was all done by the evil contractor.

      They did it on your behalf, and you engaged them to do it, you are still responsible for it. You can't then say that what your contractors do isn't your problem.

      Essentially it lets them do an end run around their privacy policy. "We don't collect or share" becomes meaningless when the people who do the work for you do collect and share.

      --
      Lost at C:>. Found at C.
    6. Re:Oh, yeah by Sarten-X · · Score: 2

      Even if you're having something hosted by a third party, it's not hard to set up its DNS at foo.chase.com.

      It's not hard to set up DNS, but it is hard to get third-party programs to use it. The browser requests the script from foo.chase.com, and that's hosted at ru4.com... but the script requests another script, likely without knowing it's supposed to be at Chase... so it'll request from ru4.com, The uncertainty is still there, but now it's hidden under another layer of obscurity.

      Alternatively, the third-party script gets a custom-branded version for each major contractor, which increases development cost, or the script is made aware of how it was requested, which involves more painful scripting and also drives up costs. Reassuring paranoid users just doesn't make business sense.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    7. Re:Oh, yeah by fast+turtle · · Score: 2

      Then you're using noscript the wrong way. Instead, use a whitelist of those places you need scripting active and block everyone else by default. Far easier on the system then the other way. Another issue is that firefox gets slower and slower to start/shutdown along with unstable the more you add to the blocked sites. The solution I found that works the best is a combination. I use the Noscript list to build a host file and block at that level. It's more effective and actually protects more of the system since it's a system wide blocking instead of being limited to firefox only. This is very important when on a system with a second browser such as IE/Safari/Konqueror/Opera or any other.

      --
      Mod me up/Mod me down: I wont frown as I've no crown
    8. Re:Oh, yeah by Rolgar · · Score: 2

      I have a Chase account, and I have ru4.com disabled in NetScript, and I can login just fine.

  3. and yet... by X0563511 · · Score: 3

    ... and yet they whine and moan about people using adblockers and such.

    Shut up, bitches. You made your bed, now you get to sleep in it.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  4. LOL ... by gstoddart · · Score: 4, Insightful

    And according to DoNotTrackMe, TFA has beacons for 5 tracking companies, plus two social media sites. So ITWorld are just as guilty of this shit as everyone else.

    I swear, between NoScript, AdBlockPlus, DoNotTrackMe, and blocking/deleting cookies -- I'm *still* not sure how much crap is out there I'm missing.

    I don't feel the slightest bit of guilt for blocking these sites so some marketing asshole can collect data.

    --
    Lost at C:>. Found at C.
    1. Re:LOL ... by xQuarkDS9x · · Score: 2

      And according to DoNotTrackMe, TFA has beacons for 5 tracking companies, plus two social media sites. So ITWorld are just as guilty of this shit as everyone else.

      I swear, between NoScript, AdBlockPlus, DoNotTrackMe, and blocking/deleting cookies -- I'm *still* not sure how much crap is out there I'm missing.

      I don't feel the slightest bit of guilt for blocking these sites so some marketing asshole can collect data.

      I run those exact same addons you do in firefox along with Social fixer plus to actually straighten out the mess facebook is, Cookies Manager+ to see all my cookies and block cookies, and finally Element hiding helper for adblock plus which comes in handy. My wife insists on me playing that "oh so popular game" on facebook called Songpop.

      With element hiding helper I ended up having to block five or six items that even adblock plus missed so they won't show. And now lately i've came across the RARE sites that demand you to disable adblock plus and or noscript? Screw you I say and I go elsewhere.

      --
      You must master your joystick like a fisherman masters bait! - Gimpy
  5. Install Collusion by vettemph · · Score: 3, Informative

    Install Collusion add-on into your Firefox browser and monitor it while surfing. After visiting a few web sites you will see links forming to ten other sites. etc...
    It becomes apparent that everyone is telling everyone else about you.

    looks like this...
    http://static.guim.co.uk/sys-images/Guardian/Pix/pictures/2012/4/13/1334309538603/Collusion1.jpg

    --
    The government which is strong enough to protect you from everything is strong enough to take everything from you.
  6. No need for government. by noobermin · · Score: 3, Funny

    "Self Regulated"

    Good! They don't need government intervention, soon the free market will offer a privacy-friendly service and the free market will eventually choose that over these other services that don't respect my privacy.

    But, don't regulate! Keep your government off my information-tracking ad service!
    The only thing that can stop a bad guy with a spying/tracking ad service is a good guy with a spying/tracking ad service.

    1. Re:No need for government. by gstoddart · · Score: 5, Insightful

      Apparently you missed the part where they're stunningly incapable of self regulating.

      Self regulation is corporate speak for "let us do whatever the hell we want and leave us alone".

      --
      Lost at C:>. Found at C.
    2. Re:No need for government. by noobermin · · Score: 2

      Poe's Law bro, Poe's law ...

  7. Re:Are you Evil? by gstoddart · · Score: 2

    1b. If you answered No to the above, you will be marked as Evil.

    --
    Lost at C:>. Found at C.
  8. Re:I'll tell you what I'm thinking by femtobyte · · Score: 3

    Sorry for the cynicism. I agree that stripping out all the junk is a great idea. The question is where to do this. Working through a third-party proxy as described above is great if the proxy is trustworthy. Unfortunately, it just adds another link in the chain that, if the idea takes off, would be attractive to scumsucking privacy invaders to exploit with their own deceptive variants. Working towards privacy-by-default on the browser side seems to me a better approach. Wouldn't it be cool if a default Firefox install would require the user to add a bunch of plugins if they wanted to unblock ads and tracking? Better browser privacy design to prevent "data leaks" (like what the EFF is trying to study with Panopticlick) can provide much of the benefit of proxies without requiring extra layers of trust (and costs for proxy operation).

  9. Yay Ghostery. by DdJ · · Score: 2

    There's extensions for just about every browser. Good stuff.

    http://www.ghostery.com/

  10. not responding to emails by codepigeon · · Score: 2

    Maybe that company that sells ringtones is really a front for the CIA/NSA? That's what I would do if I were them. Pretend to be an advertiser whilst collecting/building profiles.

  11. Re:This article is an apk summoning ritual. by Penguinisto · · Score: 3, Insightful

    You realize you just did the equivalent of saying "Beetlejuice" three times, right?

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  12. Tracking Illegal in the U.S.? by Jane+Q.+Public · · Score: 2

    I think all trackers should be removed from the (U.S.) internet immediately, because:

    (A) Tracking of those 13 years of age and younger is illegal, and

    (B) trackers can't possibly know for sure who is 13 and who is not.

  13. Use Firefox? Get Self Destructing Cookies add-on by neiras · · Score: 5, Interesting

    It lets the sites set their cookies, waits a few seconds (or until tab is closed), then nukes 'em. There's a whitelist for sites you actually use.

    https://addons.mozilla.org/En-us/firefox/addon/self-destructing-cookies/

    I like this solution because you don't have to wait for Ghostery to add support for an advertiser, or an updated filter definition for adblock. EVERYTHING gets nuked, except the sites you care enough about to whitelist. It's a better default cookie policy.

  14. Graph of web site third party dependencies by erlehmann · · Score: 4, Interesting

    I built a script to generate a graph of third-party resources a web page loads, which often represent advertising and tracking (sample output for Spiegel Online, a German newspaper).

    I also wrote a blog post about how advertising and tracking make sites slow (in German) that contains even more graphs from when I ran the script in January 2013.

  15. Re:Ghostery itself is a tracker by TaoPhoenix · · Score: 2

    Yeah, I admit I use Ghostery as an intermediate step. I got to like their organized layout, and haven't put in the 20 hours to really nail down a pure replacement. For me it's important not just to block junk, but to know *who was there in the first place* (and then block them!) I have learned a lot about which "magazine sites" etc use more or less trackers from Ghostery. It's taught me a lot. So no, not perfect at all, but not bad for a beginner to the topic.

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine