Ask HN: Question from a luddite re: cookies/web tracking, particularly by Criteo
Here is what happened: I was searching google for a stock photo. I clicked on one, which took me to a site called tradesy. I clicked within the tradesy website to look at the photo, but it was not what I wanted, so I clicked out. Moments later, I got an advertising email at my personal (yahoo) address from tradesy. Feeling thoroughly violated (and not in a good way), I discovered that the email was sent by Criteo, a "retargeting" company.
Somehow they got an email address that I have not used on any website, ever. I use my “spam” address for anything internet/app. The only people that have my personal address are, well, people. I am 100% certain that I did not give Tradesy my personal email address. I even checked my browser's auto-fill log and confirmed that no website has my personal email address saved. I have ad blockers and ghostery.
1) How did this Criteo company get my personal/private email address?
2) How is this okay? I don't mind some degree of advertising, but my comfort level is limited to not getting my name/address/phone number/email or other highly personal information that I should have control over, effectively stolen and used to spam me.
3) How can I block this company and similar ones from my online life? I already don't use Facebook/other social media.
I truly want to understand this phenomenon and the current internet advertising/privacy landscape, so if someone out there is able to clue me in, I would be very interested to learn. If you live in SF, I will even buy you coffee if you want to enlighten me in person!
11 comments
[ 2.6 ms ] story [ 34.1 ms ] threadUPD A couple of relevant posts:
https://freedom-to-tinker.com/blog/dreisman/cookies-that-giv...
https://freedom-to-tinker.com/blog/englehardt/the-hidden-per...
https://freedom-to-tinker.com/blog/englehardt/how-cookies-ca...
Another possibility is that you use some rare static IP, which Criteo could somehow connect to email. But it's probably a stretch.
Keep in mind also that some of your correspondents could agree to share their email list on some site or to some app, so that could leak the email itself and real name (but still it's unclear how it was connected to your browser).
Here is the note on the bottom of the email from Tradesy/Criteo:
To opt-out of receiving Tradesy emails, click here. This message is personalized by Criteo Email based on your previous browsing behavior. To understand why you received this email and access Criteo Email privacy policy, click here. If you want to opt-out only from Criteo Email personalized emails, click here.
When I went to their email privacy policy, it doesn't explain how they got my email address.
I am very disturbed by this kind of stealth data mining. Is there a way to set up my browser to become more anonymous on the internet? Clearly my ghostery and ad block is not effective. I deleted my Facebook and Linked in after Linked in somehow spammed me to link contacts that I sold random crap to on craigslist (and probably spammed them too.) Somehow they both still deposit cookies. I am willing to pay someone who is familiar with this landscape to block trackers from invading my internetting. Or block websites that use criteo and similar. Is this possible?
I'm not one of those people that wants to go "off the grid". I use credit cards, I use amazon, I know what I'm getting into. It just seems like Criteo has crossed a line.
Are you sure you don't have some shady/little-known extension/plugin/app? Those can share browsing history with advertisers. Some freeware firewalls/antiviruses can too (just googled an example: "AVG, the Czech antivirus company, has announced a new privacy policy in which it boldly and openly admits it will collect user details and sell them to online advertisers for the purpose of continuing to fund its freemium-based products. This new privacy policy is slated to come into effect starting October 15.").
Maybe try to communicate with someone from Criteo (not support, but somebody higher) and describe your weird case?
Theoretical possibility then:
You still use that personal email in the same browser? That means you visit Yahoo website, which can set some cookies identifying you, including third-party ones (advertising/tracking), if those are not blocked by Safari. The same tracking cookies can be used by Tradesy, so that site can tie your visit to your Yahoo identity.
I actually use the Apple mail client, so I get my spam mail and my personal mail in the same interface. My angry deleting of cookies and web history following the Criteo email would have cleared any log ins, but I haven't used the yahoo mail web interface for many years. However!! I remember going to flickr briefly about a month ago, and since it is a yahoo service, it would have been connected to my personal yahoo ID/email address (correct?). It's possible that I never logged out, so could it have mined my address that way? I am still incredulous and outraged that Criteo could use this to mine my address and spam me, but this could be how they got my personal email/yahoo ID.
Thank you so much for your insightful comments and for "investigating" with me! Even though this is still somewhat mysterious, I've learned from this and also discovered my ghostery settings were off which was very valuable. Now I just have to figure out how to block Criteo and similar invasive species. I may have to go off the grid after all.
http://www.independent.co.uk/life-style/gadgets-and-tech/cri...
>Some light digging unearthed the fact that the company responsible for this particular dark art is called Criteo, and the MD, John Buss, was happy to talk me through this relatively new technique. It's all legal, all cookie-based, but crucially its database – which learns about me and how I click around websites – anonymously links up with databases of email addresses it has licensed from other companies operating online. A match between the two, along with an assessment that I might be likely to splash some cash, triggers an email.
>How did my email address end up in the database in the first place? Well, at some point – and goodness knows how, because I do my utmost not to – I opted in to receive some communications "from selected third parties".
The reason I am fairly concerned about privacy is due to the nature of my work and the fact that I have a unique name. As it is, you can find my whole family and their address/phone number on a search's first page. I feel even less secure knowing that my sensitive personal info is so easily mined and distributed despite my best attempts to block ads/cookies/tracking and stay away from clickbait/social media who I would assume to be the primary offenders.
I am also a little surprised that no one else seems terribly bothered and a company like Criteo is instead lauded for its innovative methods. Do we as users just have to accept that a lack of control over personal info is the new normal?
I admit that I use tracking cookies on my website, but I looked to find a company (RocketBolt) I was comfortable with. Gotta keep my customers' trust at all cost, and the RocketBolt cookies I use end at the border of my site, don't tap into any private databases, etc. I'm simply trying to find ways to offer relevance to my customers. Honest question: does that level of tracking upset you?
I've never heard of Criteo, but I appreciate the heads up.