Slashdot Mirror

← Back to Stories (view on slashdot.org)

Even the Ad Industry Doesn't Know Who's Tracking You

Posted by timothy on from the watch-this-ad-for-a-hamburger dept.

jfruh writes "The Internet advertising industry is keen to stave off government privacy rules and opt-in-only browsers by loudly proclaiming its adherence to a self-imposed code of conduct. Yet a little digging shows that even "self-regulated" advertisers link to services that link to other services that nobody's really sure what they do. That's why, for instance, when you visit a page on the Sears website, your web browsing behavior is being collected by a company that sells ringtones and won't return emails asking about their privacy policy."

16 of 98 comments (clear)

  1. Oh... by WizardFusion · · Score: 5, Informative

    And that is why Ghostery and other such tools should be used until all tracking is banned.

  2. Oh, yeah by Mitreya · · Score: 4, Interesting

    for instance, when you visit a page on the Sears website, your web browsing behavior is being collected by a company that sells ringtones

    The NoScript list of blocked domains on many (even legitimate) websites is scary indeed. One of my favorites is Javascript from ru4.com required to be able login into your banking account on chase.com. Based on the name, it looks like a phishing website to me...

    1. Re:Oh, yeah by Trepidity · · Score: 4, Informative

      From their whois record, ru4.com claims to be X Plus One, an "enterprise" data-analytics company with a lot of finance-sector clients. So it seems reasonably plausible to me that Chase is contracting with them.

      I don't get why large companies don't bring these things at least under their own subdomains, though. Even if you're having something hosted by a third party, it's not hard to set up its DNS at foo.chase.com.

      --
      10 PRINT CHR$(205.5+RND(1)); : GOTO 10
    2. Re:Oh, yeah by Nyder · · Score: 3, Insightful

      for instance, when you visit a page on the Sears website, your web browsing behavior is being collected by a company that sells ringtones

      The NoScript list of blocked domains on many (even legitimate) websites is scary indeed. One of my favorites is Javascript from ru4.com required to be able login into your banking account on chase.com. Based on the name, it looks like a phishing website to me...

      What I like is when you allow a website and then suddenly you have 30 new addresses on the noscript list. Mainly when trying to read articles or see the videos attached, it becomes a guessing game (based on domain names) on who you should allow so you can see the text, or vid.

      --
      Be seeing you...
    3. Re:Oh, yeah by Mitreya · · Score: 3, Interesting

      From their whois record, ru4.com claims to be X Plus One, an "enterprise" data-analytics company with a lot of finance-sector clients.

      Yeah, and the fact that ru4.com does not seem to resolve or redirect (the WHOIS record points to http://www.aboutus.org/ru4.com) makes it sound very legitimate :)

      So it seems reasonably plausible to me that Chase is contracting with them.

      They can contract who they want, but the fact that a random analytics company has to execute javascript on my computer before I can even login to my Chase account galls me a bit.

      I don't get why large companies don't bring these things at least under their own subdomains, though.

      Yes! And I have chase.com in the whitelist already -- such a move would solve everyone's problem.

    4. Re:Oh, yeah by Em+Adespoton · · Score: 4, Interesting

      From their whois record, ru4.com claims to be X Plus One, an "enterprise" data-analytics company with a lot of finance-sector clients.

      Yeah, and the fact that ru4.com does not seem to resolve or redirect (the WHOIS record points to http://www.aboutus.org/ru4.com) makes it sound very legitimate :)

      So it seems reasonably plausible to me that Chase is contracting with them.

      They can contract who they want, but the fact that a random analytics company has to execute javascript on my computer before I can even login to my Chase account galls me a bit.

      I don't get why large companies don't bring these things at least under their own subdomains, though.

      Yes! And I have chase.com in the whitelist already -- such a move would solve everyone's problem.

      Chase is a significant offender in this regard, as they change contractors semi-regularly. I often get alerts about new domains wanting access to chase assets.

      But moving under chase.com wouldn't solve everyone's problem; I would no longer know that my data is being leaked, and Chase would suddenly be more accountable for their contractor's actions (as well as having to administer the DNS instead of letting their contractors administer their site.

      Really, that's what subdomains are for though; everyone SHOULD be doing this. Of course, the ones you don't know about probably already are.

    5. Re:Oh, yeah by gstoddart · · Score: 4, Insightful

      and Chase would suddenly be more accountable for their contractor's actions

      Good, because those contractors are doing this on behalf of Chase -- so ideally they couldn't do something like denying any responsibility because it was all done by the evil contractor.

      They did it on your behalf, and you engaged them to do it, you are still responsible for it. You can't then say that what your contractors do isn't your problem.

      Essentially it lets them do an end run around their privacy policy. "We don't collect or share" becomes meaningless when the people who do the work for you do collect and share.

      --
      Lost at C:>. Found at C.
  3. and yet... by X0563511 · · Score: 3

    ... and yet they whine and moan about people using adblockers and such.

    Shut up, bitches. You made your bed, now you get to sleep in it.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  4. LOL ... by gstoddart · · Score: 4, Insightful

    And according to DoNotTrackMe, TFA has beacons for 5 tracking companies, plus two social media sites. So ITWorld are just as guilty of this shit as everyone else.

    I swear, between NoScript, AdBlockPlus, DoNotTrackMe, and blocking/deleting cookies -- I'm *still* not sure how much crap is out there I'm missing.

    I don't feel the slightest bit of guilt for blocking these sites so some marketing asshole can collect data.

    --
    Lost at C:>. Found at C.
  5. Install Collusion by vettemph · · Score: 3, Informative

    Install Collusion add-on into your Firefox browser and monitor it while surfing. After visiting a few web sites you will see links forming to ten other sites. etc...
    It becomes apparent that everyone is telling everyone else about you.

    looks like this...
    http://static.guim.co.uk/sys-images/Guardian/Pix/pictures/2012/4/13/1334309538603/Collusion1.jpg

    --
    The government which is strong enough to protect you from everything is strong enough to take everything from you.
  6. No need for government. by noobermin · · Score: 3, Funny

    "Self Regulated"

    Good! They don't need government intervention, soon the free market will offer a privacy-friendly service and the free market will eventually choose that over these other services that don't respect my privacy.

    But, don't regulate! Keep your government off my information-tracking ad service!
    The only thing that can stop a bad guy with a spying/tracking ad service is a good guy with a spying/tracking ad service.

    1. Re:No need for government. by gstoddart · · Score: 5, Insightful

      Apparently you missed the part where they're stunningly incapable of self regulating.

      Self regulation is corporate speak for "let us do whatever the hell we want and leave us alone".

      --
      Lost at C:>. Found at C.
  7. Re:I'll tell you what I'm thinking by femtobyte · · Score: 3

    Sorry for the cynicism. I agree that stripping out all the junk is a great idea. The question is where to do this. Working through a third-party proxy as described above is great if the proxy is trustworthy. Unfortunately, it just adds another link in the chain that, if the idea takes off, would be attractive to scumsucking privacy invaders to exploit with their own deceptive variants. Working towards privacy-by-default on the browser side seems to me a better approach. Wouldn't it be cool if a default Firefox install would require the user to add a bunch of plugins if they wanted to unblock ads and tracking? Better browser privacy design to prevent "data leaks" (like what the EFF is trying to study with Panopticlick) can provide much of the benefit of proxies without requiring extra layers of trust (and costs for proxy operation).

  8. Re:This article is an apk summoning ritual. by Penguinisto · · Score: 3, Insightful

    You realize you just did the equivalent of saying "Beetlejuice" three times, right?

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  9. Use Firefox? Get Self Destructing Cookies add-on by neiras · · Score: 5, Interesting

    It lets the sites set their cookies, waits a few seconds (or until tab is closed), then nukes 'em. There's a whitelist for sites you actually use.

    https://addons.mozilla.org/En-us/firefox/addon/self-destructing-cookies/

    I like this solution because you don't have to wait for Ghostery to add support for an advertiser, or an updated filter definition for adblock. EVERYTHING gets nuked, except the sites you care enough about to whitelist. It's a better default cookie policy.

  10. Graph of web site third party dependencies by erlehmann · · Score: 4, Interesting

    I built a script to generate a graph of third-party resources a web page loads, which often represent advertising and tracking (sample output for Spiegel Online, a German newspaper).

    I also wrote a blog post about how advertising and tracking make sites slow (in German) that contains even more graphs from when I ran the script in January 2013.