Ask HN: Question from a luddite re: cookies/web tracking, particularly by Criteo

3 points by corvallis ↗ HN
Hi there, hackers! I experienced something very disturbing a few days ago that's been eating at me. To preface, I completely accept that browsing free websites and free content comes with the trade-off of tracking and advertising attempts. I'm not particularly tech savvy but I am careful about my internet habits because privacy is a concern for me.

Here is what happened: I was searching google for a stock photo. I clicked on one, which took me to a site called tradesy. I clicked within the tradesy website to look at the photo, but it was not what I wanted, so I clicked out. Moments later, I got an advertising email at my personal (yahoo) address from tradesy. Feeling thoroughly violated (and not in a good way), I discovered that the email was sent by Criteo, a "retargeting" company.

Somehow they got an email address that I have not used on any website, ever. I use my “spam” address for anything internet/app. The only people that have my personal address are, well, people. I am 100% certain that I did not give Tradesy my personal email address. I even checked my browser's auto-fill log and confirmed that no website has my personal email address saved. I have ad blockers and ghostery.

1) How did this Criteo company get my personal/private email address?

2) How is this okay? I don't mind some degree of advertising, but my comfort level is limited to not getting my name/address/phone number/email or other highly personal information that I should have control over, effectively stolen and used to spam me.

3) How can I block this company and similar ones from my online life? I already don't use Facebook/other social media.

I truly want to understand this phenomenon and the current internet advertising/privacy landscape, so if someone out there is able to clue me in, I would be very interested to learn. If you live in SF, I will even buy you coffee if you want to enlighten me in person!

11 comments

[ 2.6 ms ] story [ 34.1 ms ] thread
I would recommend you to block third-party cookies in browser settings, that's probably how you were tracked - the same cookie(s) were used on tradesy and some another site which could connect you to your email address.

UPD A couple of relevant posts:

https://freedom-to-tinker.com/blog/dreisman/cookies-that-giv...

https://freedom-to-tinker.com/blog/englehardt/the-hidden-per...

https://freedom-to-tinker.com/blog/englehardt/how-cookies-ca...

I already block third party cookies. I have it set to allow cookies "from current website" only. I had once tried to set it to never but then I couldn't log in anywhere so that was a bust. I really don't know how they would have gotten my personal address if I never enter that one anywhere. I only use my "spam" address for any/all internetting. That's what is most creepy to me. Thanks for the links! Mostly over my head but maybe someone else reading this thread will appreciate.
Hmm, interesting! I assume you use Safari ("from sites I visit" is their preferences language)? In the last link authors actually differentiate between "Some 3p = Safari-style third-party cookie blocking" and "All 3p = Blocking all third-party cookies", so I guess Safari's method of blocking is not the strictest.

Another possibility is that you use some rare static IP, which Criteo could somehow connect to email. But it's probably a stretch.

Keep in mind also that some of your correspondents could agree to share their email list on some site or to some app, so that could leak the email itself and real name (but still it's unclear how it was connected to your browser).

Yes, I use Safari! I actually have cookies set as "from current website only" - I wrote the wrong one and edited. I suppose it's possible that one of my contacts entered in my personal email in some new website/app referral and that's how it was mined, but I clear out my cookies fairly often and don't remember clicking on anything in the recent past.

Here is the note on the bottom of the email from Tradesy/Criteo:

To opt-out of receiving Tradesy emails, click here. This message is personalized by Criteo Email based on your previous browsing behavior. To understand why you received this email and access Criteo Email privacy policy, click here. If you want to opt-out only from Criteo Email personalized emails, click here.

When I went to their email privacy policy, it doesn't explain how they got my email address.

I am very disturbed by this kind of stealth data mining. Is there a way to set up my browser to become more anonymous on the internet? Clearly my ghostery and ad block is not effective. I deleted my Facebook and Linked in after Linked in somehow spammed me to link contacts that I sold random crap to on craigslist (and probably spammed them too.) Somehow they both still deposit cookies. I am willing to pay someone who is familiar with this landscape to block trackers from invading my internetting. Or block websites that use criteo and similar. Is this possible?

I'm not one of those people that wants to go "off the grid". I use credit cards, I use amazon, I know what I'm getting into. It just seems like Criteo has crossed a line.

This all is actually puzzling, because ghostery should theoretically protect you even if Safari doesn't block all third-party cookies. You can try to switch to uBlock which is similar in functionality.

Are you sure you don't have some shady/little-known extension/plugin/app? Those can share browsing history with advertisers. Some freeware firewalls/antiviruses can too (just googled an example: "AVG, the Czech antivirus company, has announced a new privacy policy in which it boldly and openly admits it will collect user details and sell them to online advertisers for the purpose of continuing to fund its freemium-based products. This new privacy policy is slated to come into effect starting October 15.").

Maybe try to communicate with someone from Criteo (not support, but somebody higher) and describe your weird case?

I went to confirm that I only had the three extensions (ad block, ad block plus, and ghostery) and when I clicked into the ghostery settings, it turns out that none of the trackers were selected to be blocked!!! Not sure how long it was like that, or how, but it's fixed now. Do you think this explains how they got my personal email address? I am still not seeing the connection, but there are obviously many things I don't understand about this space.
I don't quite understand how Safari's third-party cookie blocking works :( According to the link I posted it's more relaxed than Chrome/Firefox's third-party cookie blocking, so some cookies are allowed. But how is that decided?

Theoretical possibility then:

You still use that personal email in the same browser? That means you visit Yahoo website, which can set some cookies identifying you, including third-party ones (advertising/tracking), if those are not blocked by Safari. The same tracking cookies can be used by Tradesy, so that site can tie your visit to your Yahoo identity.

I think you solved this!

I actually use the Apple mail client, so I get my spam mail and my personal mail in the same interface. My angry deleting of cookies and web history following the Criteo email would have cleared any log ins, but I haven't used the yahoo mail web interface for many years. However!! I remember going to flickr briefly about a month ago, and since it is a yahoo service, it would have been connected to my personal yahoo ID/email address (correct?). It's possible that I never logged out, so could it have mined my address that way? I am still incredulous and outraged that Criteo could use this to mine my address and spam me, but this could be how they got my personal email/yahoo ID.

Thank you so much for your insightful comments and for "investigating" with me! Even though this is still somewhat mysterious, I've learned from this and also discovered my ghostery settings were off which was very valuable. Now I just have to figure out how to block Criteo and similar invasive species. I may have to go off the grid after all.

Found this article after some googling:

http://www.independent.co.uk/life-style/gadgets-and-tech/cri...

>Some light digging unearthed the fact that the company responsible for this particular dark art is called Criteo, and the MD, John Buss, was happy to talk me through this relatively new technique. It's all legal, all cookie-based, but crucially its database – which learns about me and how I click around websites – anonymously links up with databases of email addresses it has licensed from other companies operating online. A match between the two, along with an assessment that I might be likely to splash some cash, triggers an email.

>How did my email address end up in the database in the first place? Well, at some point – and goodness knows how, because I do my utmost not to – I opted in to receive some communications "from selected third parties".

I could swear up and down that I have never used my personal address on any website/app ever. (I use my "spam" address for all internetting.) So if I had accidentally opted in somewhere, it would have been with my "spam" address. Even then, they should not be able to get my email address, period! My fear is that they have other info that I am supposed to have control over, such as my address/DOB/credit card/SSN. Can they mine all of those things just from cookies/browsing or when I purchase something from amazon?

The reason I am fairly concerned about privacy is due to the nature of my work and the fact that I have a unique name. As it is, you can find my whole family and their address/phone number on a search's first page. I feel even less secure knowing that my sensitive personal info is so easily mined and distributed despite my best attempts to block ads/cookies/tracking and stay away from clickbait/social media who I would assume to be the primary offenders.

I am also a little surprised that no one else seems terribly bothered and a company like Criteo is instead lauded for its innovative methods. Do we as users just have to accept that a lack of control over personal info is the new normal?

That's awful, corvallis. I agree with you that it's super-sketchy.

I admit that I use tracking cookies on my website, but I looked to find a company (RocketBolt) I was comfortable with. Gotta keep my customers' trust at all cost, and the RocketBolt cookies I use end at the border of my site, don't tap into any private databases, etc. I'm simply trying to find ways to offer relevance to my customers. Honest question: does that level of tracking upset you?

I've never heard of Criteo, but I appreciate the heads up.