But when I see the anger that these types of plugins, especially AdBlock, produces in content publishers I wonder if we're not headed towards a new RIAA/MPAA-style battle front. As online publishers of all kinds get more established and consolidate their power they could start lobbying to regulate against these plugins. It might seem farfetched now but so did paying a tax to the RIAA for blank media, until it happened.
While this is awesome and powerful, it ends up being quite annoying. And Ghostery does not seem to miss anything, it blocks everything it should block, and allows everything it should allow. Just perfect.
I use the Ghostery add-on for Firefox, but note that if you enable "GhostRank" then the add-on will send every URL you visit to Evidon. This is purportedly for "tracking the trackers", but it does give one pause.
“When a user opts-in to GhostRank, Ghostery sends the following information each time a tracker is encountered:
the tracker identified by Ghostery
the blocking state of the tracker
domains identified as serving trackers
the time it takes for the tracker to load
the tracker’s position on the page
the browser in which Ghostery has been installed
Ghostery version information”
Nothing about the URL you visit. Do you have reason to believe they're lying?
Ghostery's Alert Bubble does not report any trackers on this Hacker News page, yet every time I reload this page, my HTTP monitor (Charles Proxy) logs a ping to ghostery.com:
Why does Evidon need to know about pages that have no trackers? The FAQ says the domains serving trackers will be identified, not the complete URL path (minus query string parameters) for pages that have no trackers.
Adam from Ghostery here. This is a known bug, and we're fixing the issue in the next releases. We don't need or want URLs that aren't associated with trackers.
My thoughts exactly. It's terrible, but completely expected in an age when sites like RottenTomatoes and TripAdvisor already know who I am, which of my friends are on their site etc when I haven't even signed up - all from deep Facebook Connect integration.
Both RottenTomatoes and TripAdvisor require me to authorize them on Facebook before they show me any social data. Are you sure you didn't authorize them in the past and forgot?
They were just two examples I could think of off the top of my head though. As the other commenter said about TWP, the practice is common. I see my name and other social data displayed on sites I've never signed up to regularly.
I see that too, but in that case the social data is served from Facebook and doesn't go through their server unless you authorize it. Unless there are exceptions I'm not aware of.
So when I see a Like button on a site I've never visited before, that displays my name, FB avatar + social data - you're saying that the site I'm on has no way to know that I've visited it unless I click the Like button? Only Facebook knows that and is displaying it in a way that is undetectable to the owner of the site?
This is a bit over my head programmatically but that doesn't seem possible. If Facebook is serving something to visitors on my site, surely there must be a way for me to capture that data?
When I worked at The Washington Post we were among the first group of companies to integrate the then new Social Graph. I immediately deleted my Facebook account.
I was appalled when I saw that we could identify, not only visitor's names, but their friends, access public photos, and all of their profile information. All of this without any action on the user's part and before there were any privacy controls.
This is just the next logical step-federating data collection across multiple sites, not just FB.
I'm obviously in the minority since FB has grown tremendously in the past 2 years but I've not looked back. I dread the forthcoming lack of privacy and anonymity our world is heading toward.
While you can see this data from Facebook--and yes, that's jarring-- what you're allowed to do with it is something different. You can't sell it, you can't sell it to an ad network/exchange, you can't retain it after the user revokes permission; you can't even sell derivatives of the data.
Facebook Connect is the most benign of these sorts of things there are-- it's access to data, and the implementors of its widgets and API-- have an onus to protect it.
Now, of course, there's plenty of bad actors out there, and I'm sure it's sold and exchanged, but technically and legally speaking, you're forbidden from doing so.
Well with Facebook you sign up and agree to a big EULA that presumably allows it. If I visit site A then site B, site B shouldn't be privy to whatever I said at a different location without agreeing to share it.
Yes. If I integrate with the Facebook API I can't access any user details without first showing them the permissions dialog box. It is possible that advertisers have other access, but I would be extremely surprised if it gave them access to the user's e-mail address.
If I'm understanding it correctly, the vendor is offering the following service: place a JS snippet on your website. When a user visits your site, data will be pushed to the vendor's server about the user and what they do on your site (probably keyed on IP and as many other things as they can use to fingerprint). In return for you sharing this data with the vendor, the vendor will give you all of the data on this same user that was contributed by their other clients.
Here is an extreme (yet possible) scenario. You go to a medical forum that uses this software and create an account using your personal email address and real name, both of which you select NOT to be displayed to the public. You then post a message asking about a specific type of back pain you're having. A few hours/days later, you're browsing for a gift for someone, and visit the website of a salon that also uses this software. They can identify that your browser visited medicalforum.com, see the email address and real name you created an account with (since they were passed your form submission directly, without regard to what privacy settings you used for the forum), and see the topic you posted on back pain. So just to be helpful, they email you an advertisement: "Hi {your real name}, we see that you're having some back pain - bring this email in to {salon} for 15% off a massage!"
EDIT: To add, how do you know that you can trust the vendor not to display seriously private data? What if an online store uses this JS, and the vendor has your credit card info, possibly not-so-securely stored? Your information becoming public would be as simple as Asshole Q. Pirate making a fake site with some link-bait, and creating an account with the vendor.
No, that's the wrong solution. The traffic still tells them that there is still interest to monetize, they just may need to stoop to new lows to get to it.
Loudly tell them that their spying is unacceptable, then actually follow up on that statement. Ghostery is awesome, but that's a proactive measure. We're talking about appropriate reactions.
While I agree with your count-point, it's worth pointing out that Ghostery blocks Google Analytics, too. So they might actually not notice the traffic if they're only looking at Google Analytics (or other blocked analytics tools). [1]
But anyways, I agree with what you're saying. If we care about privacy, we have to be loud about it. I just thought it was worth pointing out that facet of Ghostery.
[1] Yes, you can still see the traffic in the web server logs, but I don't see evidence of many companies still doing that. Google Analytics and the like seem to have completely replaced server logs for traffic analysis.
If they only use Google Analytics (or Piwik, or anything else) and not fact-check this with server logs, they deserve to feel "low on traffic".
But Ghostery is not able (correct me if I am wrong) to disable the server from logging you. And automatically reading server-logs is not so difficult at all.
The most funny thing here is, that in Germany, you should anonymize an IP-address, when tracking, because of the law, that is concerned with privacy.
But the server logs your full IP non the less.
On the original post:
The technology advertised to the author would be totally illegal in Germany. And if I would ever encounter (via Ghostery) a site that uses them and has a German base, I would inform the authorities against them.
I just hate this philosophy of bending/breaking the law/common sense, just because it is possible and might bring in some Bucks. And just because pressure from users might change the regulators minds in the future. It just feels so totally wrong, so disrespectful against fellow human beings, that imho everybody, that has something to do with things like this should be deported to somewhere like North Korea, or the likes. Or like in the middle ages should stand in the pillory (and not in a virtual one).
Marketo has done company-level tracking for years[0], and if you click through from an email or fill out a form they can keep tracking you as well as back-fill any previously anonymous visits you made (depending on your browser cookie settings, of course). Once it's in the system, they partner with a number of companies, some of whom can help populate contact data[1], eg: "over 1.5 billion opt-in email addresses" -- how plausible is that? They have as customers a few companies[2] you're likely familiar with (eg: VMware).
sencha.com, activestate.com, sandisk.com, clustrix.com, and about 2000 others use LandLander. I checked the privacy policies of those four sites and none of them say they are giving away your personal information. On the contrary, they all explicitly say they aren't.
"We do not share any information about you or your company to unaffiliated third parties, except as necessary to administer the communications we offer and as permitted by law. We may use a third party service provider to for communications; that company is prohibited from using our users’ personally identifiable information for any other purpose. If you follow us on Twitter, Facebook or on other social media services, we may use information provided by these services to customize our communications to you. We will not share the personally identifiable information you provide with other third parties unless we give you prior notice and choice." - http://www.sencha.com/legal/privacy/
Nearly every company using LeadLander is breaking the law because their posted privacy policies do not state that they are giving a third party your personal information, and that third party is giving it to others.
Edit: It looks like http://formalyzer.com/formalyze_call.js is the specific js file that uploads personal information. Of the sites I listed only clustrix.com is loading that (on the contact form). The other sites seem to be using LeadLander without the form tracking.
And then it says: "that company is prohibited from using our users’ personally identifiable information for any other purpose."
It turns out that sencha.com might not be sending personal information. clustrix.com appears to be, their privacy policy says:
"The Personal Information we collect is not shared, rented, or sold to any third-parties. We may provide your Personal Information to companies that provide services to help us with our business activities such as shipping your order or offering customer service. These companies are authorized to use your personal information only as necessary to provide these services to us." - http://www.clustrix.com/privacy-policy
I'm not a lawyer, but as a normal native English speaker I read that as they are not going to send my name, email, and phone number to another company, who will in turn share it with with anyone who pays them. But that's what they are doing. They are selling your personally identifiable information.
As I understand it, in the US the FTC enforces privacy policy violations. If you don't promise your customer anything, then you're more or less off the hook (as far as I know). But if you do have a privacy policy, and you violate it, then you're misleading consumers.
Is the weasel company's javascript (and/or flash bug) logging all form input back to its own servers to capture name/email when you sign up somewhere else? Are they capturing credit card numbers too?
We can tell the world all day long this is Bad and Unsafe, but within six months it'll be more popular than ad retargeting and the meebo crapbar (because, hey, analytics!).
Sadly, opportunistic jerkfaces aren't limited by our privacy-hat-wearing engineer imaginations. They can devise much, much worse schemes we would dismiss in five seconds out of "ethical" concerns. (privacy=dead, remember? do anything to track people and manipulate them into giving you money. if you aren't selling anything, sell the tracking as leadgen.)
I pretty much assume that anything I post to any website could someday come back to haunt me. Expect no privacy on the internet, and you won't be disappointed.
Doesn't look like it, at least not intentionally. They are trying to capture name, email, phone, and company. Source: http://formalyzer.com/formalyze_call.js
This kind of thing is what I've always seen as the potential end result of things like google analytics and also facebook connect. Both products that have javascript running on a vast number of websites, with the potential to link to personally identifiable information, in a similar manner to that discussed in article.
I can't imagine that I'm alone in this train of thought.
You're not, and it's why I largely avoid (at all costs) turnkey solutions that certain websites employ for parts of their site. For instance, the sites that use something like zoho.com or disqus.com for blog comments; even though they're overt about their usage (as opposed to hidden tracking code), I'd rather not be heard at all then to willingly yield my personal information.
I'm skeptical of this unnamed company's actual abilities. In the initial email how are they able to identify anything about your visitors before you've installed the tracking code? Since they apparently can see search terms used to reach your site the only thing I can think of is their code is running on some site that links to you (perhaps an off-brand search engine?) and they're tracking outbound clicks. Or it's fake.
It's pretty easy to guess company name from IP address, especially if you don't care about accuracy. You can kinda sorta do this in Google Analytics under Audience > Technology > Network. That seems to be roughly what they're doing in the screenshots posted. IMHO, this is not the most serious privacy issue on the web.
I would be very curious to hear exactly what percentage of visitors it is able to supply Name and Email for (and how many of those fields look bogus). This sort of individual-level tracking across sites is obviously possible, but I don't think it's common. Google/DoubleClick do not, as far as I know, do any sort of tracking at the level of an individual's name or email address (And why would they? It's asking for regulatory problems and it doesn't really help them much -- they target ads to groups of similar people based on demographics, not to particular named individuals.)
They can identify you by name/email if you've entered it on a site in their "network". Their network may not be huge, but a (presumably) similar service had a big enough network to capture Sumit Suman's email earlier this week (https://plus.google.com/u/1/106142598193409336347/posts/2jLJ...)
The article author signed up for a demo account after receiving the b2b marketing email containing "a report snapshot for 42Floors.com showing names, companies, and emails of site visitors and the information seemed plausible."
Like the parent, I have no idea how this information could have been obtained. It lists search terms, how could a 3rd party track clicks from SERPs to a website not running their tracking code?
If the site where the form was filled out sets the users' collected info as rather obviously-named Javascript cookies or PHP session vars (i.e. $_SESSION[email]=$_POST[email]), that's one method, no?
Was anything mentioned about the browser used? Maybe when "auto-fill" browser options are enabled for a user there's a way to access that data.
I imagine (though have no actual clue) that it's more of an e-mail sharing network between sites. You sign up for site A, the API tracks that and allows site B to see the signup details you entered.
One one level, I can see why sites do it. On another, one inch higher level, I can see how any site implementing it is so shortsighted that I'm amazed they didn't immediately go bankrupt as soon as they started.
It's a fair question and one that I asked myself. If the entire service is a fake, then it is an extremely elaborate one because the name and emails of the individuals it did indentify (which I noted was a small percentage) were real.
For users without showdead, the user darrennix (who appears to be the same Darren Nix who wrote the article) posted this comment. Why the mods or system would kill it I have no idea.
> It's a fair question and one that I asked myself. If the entire service is a fake, then it is an extremely elaborate one because the name and emails of the individuals it did indentify (which I noted was a small percentage) were real.
I don't know what kind of numbers we are talking about here, but if a user clicked through the OP's site to a tracked site, there would be referrer information that could be backtracked.
That said since a (very) long time I'm using separate Linux user accounts to: check my professional email + G+, surf my personal email + G+ + FB (my FB is using a fake but plausible name) and a third one to surf the Web.
The one surfing the Web is linked to a fake online identity: entirely made up, with fake friends / fake G+ circles, fake StackOverflow / OpenID and basically fake everything.
I then only ever surf using a transparent proxy for anything "work related": the IP can't be linked to my fake IP.
It's not difficult to set up: I did set up the transparent company Web proxy (VPN would to too) myself and basically Linux user accounts take care of the rest.
Now I'll start using different browsers too and, why not, maybe Tor in one of the account.
I take it I could take all this a step further and whitelist websites that my "personal" account is allowed to connect to (using iptables' owner-uid mod).
That seems extreme. Why not open your e-mail and social networks in incognito/private windows? Personally, I use a browser add-on to remove trackers, but I realise that isn't 100% foolproof.
Chrome Incognito mode (at least) allows cookies, though- it just isolates them to the incognito window and destroys them on close. I just logged into FB and it worked fine.
I'll second this. I find Incognito windows really useful when I want to hop on my wife's laptop and check FB/email/the handful of other things we both have accounts on.
Correct, cookies are stored for the duration of an incognito session.
I find it a little annoying though that cookies are not sandboxed by tab, rather than by window/session. If I log into FB in incognito, and then do a little more private browsing in a new tab the FB cookies are still accessible in the other tab.
I guess I could be more vigilant with my browsing habits but I think this is a fair feature to implement at browser rather than forcing user to jump through more hoops to protect privacy. On a side note, when will chrome finally offer API hooks to allow NoScript to be developed for it?!
Several of my friends use pseudonyms on Facebook, although ones that are usually recognisable as manglings of their real names ("John A Smith" -> "Jonas Mith", say). In their cases, I believe the main intent is to stop prospective employers finding their drunken-student-party photos, but I guess it might contribute to privacy in other small ways too.
42floors would have to know who the people are before they could tell Mixpanel. Further, Mixpanel wouldn't reveal that information to any other accounts other than 42floors.
Can someone provide a regex that would identify this tracker? I'd like to run it through our index and see if I can come up with a list of sites that employ it.
Probably not since none of us know who this firm is -- and thus the hostname(s) and/or IP(s) used; we'd probably need to contact the author for that info. Once we know that, the regex would be dead-simple...
HubSpot (and pretty much any other marketing automation tool) has this feature, too. They lookup company name and location by IP address and build an anonymous "prospect" record representing each visitor so that salespeople and marketers can detect whether prospects from a given company are hitting the site for information.
The second a prospect submits a web form, all that previous web activity is tied to their email address (and any other info you collected via the form). You now have a real lead.
I don't see any privacy issues with this.
What I would see an issue with is if the tracking company were sending the IP address and cookie back to a central database to query "Does anyone _else_ know who this visitor is?" and then provide PII any company who uses the tracking service.
The moment you start giving my PII to a company that I didn't voluntarily give it to is when I feel a line has been crossed.
According to the sales rep, their tracking capability goes far beyond ip lookup. It explicitly involves saving form data from site A and sharing that personal information with site B.
Most DMPs can do that you know. Some better DMPs like BlueKai do it anonymously, but there are companies out there that use and target PIIs. I believe RapLeaf was one such company (correct me if I am wrong)
> What I would see an issue with is if the tracking company were sending the IP address and cookie back to a central database to query "Does anyone _else_ know who this visitor is?" and then provide PII any company who uses the tracking service.
That appears to be exactly what's happening. The email mentions "access to our entire network of identified data ([...] we can identify any visitor [...] if that person has filled out a web form from any other website we are tracking)".
Well, isn't the scenario you would take issue with exactly what is happening here? From the article: "For example, if [a visitor] went to XYZ.com and filled out a web form and then [the visitor] later visited 42floors.com, [42Floors] would be able to identify [the visitor] by name/email as well as company details even though [the visitor] never filled out a web form on [42Floors.com]."
I misread the article, the company the OP mentions is doing something far more sinister than what Marketo does. I can understand not wanting to be tracked at all, though.
This isn't what Hubspot does at all. While you are correct in that they, along with Marketo, Eloqua, Pardot, etc all look up company/location via IP, none of these companies are getting information from another website to identify prospects.
In the case of marketing automation, all the data lives within the system and is used by the company - rather than giving that information out - a very different proposition.
Going to site A, not providing any info, then going to site B, C and D and seeing ads to site A haunting you is one thing, capturing your name and email is a new level. If you don't use a tracking blocker, clearing cookies is not always going to work, these persistent trackers are quite sophisticated, they use local storage if possible, IP address, header information and whatever is possible to be able to identify someone, there is a huge industry behind it. But this one is taking it a little bit too far, scary.
On the other side, most startups including YC ones, use some sort of tracking for analytics to improve usability and internal flow, so advocating against all trackers and for all users installing a blocker is a double edge sword.
Transparency: I'm a co-founder at Perfect Audience and we believe strongly in the benefits of retargeting for the end user, for the advertiser and for the content publisher.
I don't see a moral issue with retargeting because at its heart it's anonymous - all we know about a user is a string of sites and maybe search words. However, as soon as that data is correlated against personal information, as soon as the real world data and the digital paper trail are correlated and identifiable it becomes sufficiently creepy to me. Who knows - maybe 5 years from now this will seem innocent and benign compared to the mind-reading banners on the bus stops but this seems like a line in the sand I am willing to draw today.
Yes, I agree this is where the line passes, I don't see a big moral issue with ad retargeting as long as there is an opt out option and a privacy policy somewhere to read. We don't like it when we see ads we don't like (or worse when people looking behind our shoulders can know a lot about us just based on the ads we get on our laptop in the coffee house), but we all like it when we use it to promote our own projects, or when an actually relevant ad shows up
I am okay with companies displaying ads to me - this is what pays for the web to exist. If however things like this continue to exist then I will take up all options offered to opt out of identification and ad networks. Google and Microsoft etc should take note to shut this sort of behaviour down.
Several people mention Ghostery[0] against trackers. It offers only partial protection. It is possible to fingerprint a browser without any custom tracking data.
Instead of a script to embed, these firms could provide an API to identify users from the server side. The scripts that captures the profile would be served by the sites themselves rather than from third party services.
Toast.
A possible solution would be anonymize the browser fingerprint, at least in private mode, ie lie about the details of the system.
Yes, but it takes more than removing most of the identifying information.
First, the precise browser version and OS can probably always be identified by checking for supported features, bugs etc. even if the extreme measure would be taken to remove the user agent string.
Add the screen resolution, IP, timing and request patterns (+) and we are all screwed.
(+) e.g. rule out users that are using other sites at the same time. Note that it would be possible to determine if a page is in the currently focused and visible browser tab and forward that information to the tracker.
Force them to do detailed packet timing and their costs will go up, and it will become less economical for black hats to play around with your personal data.
I don't know if nuking the user agent string is a horrible idea, but it's less of a problem today than it was 5 years ago: today, a website can assume all browsers conform pretty closely to a standard. Only really advanced features require user agent sniffing (arguably, if you're sniffing the UA you're doing it wrong).
I think we should make that kind of fingerprinting opt-in, not opt-out.
Yes, but it takes more than removing most of the identifying information.
The trick is not to remove information, but to poison it.
For example, Panopticlick sees that I have dozens of "system fonts", enough to stand out. I want my browser to lie about the fonts I have, based on settings I choose.
There are many details about my browser and system that are irrelevant to what most sites need to do so lying about them should not interfere with viewing a site.
This is a great point. I totally agree, if you adjust simple things on each visit, then you can use their extra bits of identification against them, in a very obscure way, without limiting the actual checks of functionality that the sites use.
I don't want to provide less, but still accurate, data, I want to introduce suspect data. The end result should be that anyone collecting data on me without my consent should have no idea which of it are accurate such that all of it becomes useless.
This is another problem with having an advertising company (Google) supply a browser that is very popular (Chrome). In fact, Safari and IE are also run by companies with large presences in the online ad market.
I doubt Google in particular will risk antitrust suits by blocking these kinds of very, very unsettling but unfortunately legal trackers, which in part are not so technologically different to GA but combine a few more bits of tech which makes them awfully invasive. We might be able to hack technological solutions together here but this stuff rarely makes it out into people's mainstream browsers.
The most important way of securing people's data over the next 10 years is going to be by way of the browser and the mobile OS, but the thing that is most easily achievable is to have a solid browser that people can trust on to implement privacy-preserving technologies. The only browser I can realistically see doing that is Firefox.
I see both your points (browser vendors and extension distribution issues), and I think Mozilla has shown great respect for their users. However, Mozilla's primary revenue source is Google.
Maybe taking a page out of the enterprise play book and using a proxy, like Squid, would make sense. From reading the Squid manual, it seems like it could play a role as it is quite extensible and sophisticated. Making it easy to setup and customize would be pretty difficult from what I can tell, unfortunately.
Considering the development model used by most modern web browsers, I'm pretty certain those who do this type of fingerprinting in the real world will long ago have adjusted their matching algorithms to be aware of this. I doubt they even care if they get a fully unique fingerprint, they probably just define some percentage of matching as being "close enough to a likely match" to report you as being someone they have seen before.
Just mentioning this lest anyone get the wrong idea that setting your browser to update frequently might be a defense.
Identity matching algorithms use a fuzzy match to identify users because the only way to get an exact match is with by storing an identifier on the user's machine, or in memory for the duration of the browsing session. A lot of factors can change and it may not significantly alter the weight of the match.
One of the most effective methods of fingerprinting people is to enumerate the fonts they have installed on their machines (via flash). You don't even need the browser version number to uniquely identify most - the only solution is to disable flash.
The gmail + trick can be defeated, though. If you own a domain, you can use arbitrary addresses and it becomes more reliable.
I use Google Apps (possibly not a good idea but soo convenient :/) with a catchall. I didn't catch any offender so far...
However (off topic), spammers are spoofing addresses as if they were coming from my domain. I receive two to three dozens automatic replies from mail servers (this address does not exist...).
I've properly set up DKIM and SPF records, making it obvious that these mails are spoofed, but I'm afraid my domain will end up on grey/black lists... Anyone out here familiar with this kind of issue?
In my experience it's been ignorance rather than laziness. I suppose you could argue that the root cause of the ignorance is laziness. If someone is writing a validator, they probably ought to check what constitutes valid input.
It's not a sign of catching on, but of using an old email validation pattern from the days of Matt's Script Archive (seemingly). It's the sign of a website that has used cargo-code programmers. You're probably just seeing it more because you're trying to use plus-addressing more often (confirmation bias), but it's been this way for years and years. It's actually better now than it used to be.
fastmail.fm lets you set up wildcard mx records -- so if your email is user@example.com, you can get email at company1@user.example.doc, company2@user.example.com, etc. instead of user+company1@example.com. I imagine other email providers do this too.
Yes, I have my own domain and have been doing this for years. It generally works as expected, and so far I've had at least four unique addresses that were leaked to spammers. One of them was the address I used for newegg.
If you do go this route, I'd recommend using a whitelisting approach. I do get a lot of spam sent to random addresses at my domain.
I've also had personal information leaked through NewEgg. For me it was my name and my parents email address when I got them to buy me a video card when I was 16. Eventually they got an email addressed to my full name and their email about car insurance rates or some random spam. I would really think NewEgg would be better than that.
The + trick is becoming well known with spammers anyway. I registered with one site as "something+else@example.com" having never used the "something@example.com" address anywhere and within a few days I was getting spam to "something@example.com" and "something+else@example.com". Whoever got that list of emails was clever enough to know to try removing the + portion.
Obviously you can never give out the "something@example.com" address and then assume that everything that goes to that address must be spam, but I've had legitimate contact from companies who have had to email me by removing the + portion because their internal email system wouldn't allow addresses with a + in them.
I've been using catch all's for years. I get 100+ bounced spam emails a day from people spoofing my domains (also have DKIM + SPF). AFAIK none of my domains have ever ended up on blacklists and no one has had trouble receiving legit email from me.
It does indeed use version information, not just the browser's but also of every installed plugin including Flash. So a single rev is going to give a new fingerprint. Plus, far fewer people are checking it as when it first launched, making those who do check it from time to time even more unique.
But note that a constantly changing fingerprint doesn't make it useless for tracking - if a site can keep any kind of cookie to persist between browser updates, it could add the updated signature. Then when you purge cookies and persistent storage, a site can re-add the cookie to keep on identifying you if your signature hasn't changed.
You'd have to purge all persistant storage at the same time as an update to avoid this, and even then (or if you never had persistent data to begin with) your IP or even geographical location will likely be enough to identify you again.
"Maybe every time I rev Firefox Nightly I change identity."
Unless the nightlies have a different behavior than the releases, the patch level is not reported anymore. The changes went into 16.0.2 which was released on 10/26/2012. initial report on b.m.o[1] reads as follows:
Steps to reproduce:
1) Load http://www.delorie.com:81/some/url.txt
Actual results:
The User-Agent header exposes the security patch level as either a minor version
number or as an alpha/beta/pre indicator. This data is exposed twice: in the
Gecko version and in the application version.
While it is of value to expose this data to e.g. AMO, exposing it to all sites
makes the browser more fingerprintable (see https://panopticlick.eff.org/ ) and
doesn't serve a purpose more important than user privacy. Point releases don't
change functionality beyond security and stability fixes, so sites shouldn't be
sniffing the patch level anyway.
Making trunk, alpha and beta builds look like release builds for sniffing
purposes reduces sniffing-related failures that waste time when treated as
functionality-related regressions by mistake.
Expected results:
Expected the version numbers to show the major version of the most recent
Firefox beta that Mozilla has shipped and not to show the security patch level
or an alpha/beta/pre indicator.
Additional information:
Internet Explorer doesn't expose the security patch level in its UA string."
Well, some pieces of information, it can be useful to provide to the server. But, yes, standardizing or even dropping certain fields seems like a nice first step.
This also has the advantage that no other solution has: it completely hides your location as well, whereas even with a "standard" browser, your IP address + time zone alone can do a lot to identify you.
if the data transfer is done from the client (and i bet it is, as it's much harder to persuade people to run code on their servers) then ghostery and the like still work, because they block the transfer (since the code to do the transfer must be loaded from the weasel site - same origin policy).
+-------+ +----------------+ +------------+
|Browser|<==A==>| Visited server |<==B==>| ID service |
+-------+ +----------------+ +------------+
The client data acquisition is done through A (AJAX), then that info is sent through B (API call) to get the identity. The browser doesn't interact directly with the ID service.
The data acquisition scripts would be served directly by the web sites.
A good workaround for panopticlick would be to append a random string to the useragent for example, effectively making your fingerprint unique all the time.
It would have to be something a human couldn't engineer around. Like, adding one random extension that you don't have installed. Though, this could cause issues with legitimate sites. The problem is that if it's bogus noise, it can be removed. If it's legitimate information, it's going to screw up something legitimate that relies on it. Maybe make up an extension name that doesn't exist for every request?
Rather than trying to hide everything another tactic is to provide random misinformation (different user-agent strings, only presenting a subset of fonts and plugins, etc). Enough to defeat the fuzzy matching that does go on.
Sure you've got to be careful that you don't do things that may break some sites that rely on this information remaining stable during a session, but that's got far less common with the frequent browser upgrades that go on nowadays.
Instead of a script to embed, these firms could provide an API to identify users from the server side. The scripts that captures the profile would be served by the sites themselves rather than from third party services. ... Toast.
Not really. If they share data on the server side, they wouldn't be able to share a cookie - they would have to rely on other means to identify you, such as IP address etc. Not entirely impossible, but not as precise either. And that is spoofable through proxies etc.
No, but the identification relies on a cookie placed on the 3rd-party site (leadlander.com). With that domain blocked, there would not longer be a way to identify the user across different sites, which is a key element of this thing working.
I'm quite surprised that panopticlick says I'm uniquely identifiable with Chrome based solely on the browser plugins reported, even though the ones I have are quite pedestrian: just Chrome PDF viewer, QuickTime, PepperFlash, and Flash.
In Firefox, the plugins get them to 1 in 860,000 which leaves only 3 possibilities in their DB of 2.5 mln, even though Firefox loads only QuickTime and Flash.
It must be the combination of codecs I have installed. How do I go about cleaning that up?
AdBlock blocks requests by URL matching and hides DOM nodes based on a handful of selectors. Whether this blocking and hiding is targeted towards ads or not is incidental.
I wonder why some of these sites would want to participate in an information exchange that seems rather asymmetric. I couldn't find detailed information on the service but I assume they have some kind of mechanism, similar to those in P2P systems, to "encourage" sites to contribute large amounts of information(?) or maybe sites can buy information without having to sell?
I had to give Dick Smith (A NZ retailer) my phone number before I bought an external the other day.
"Do I _have_ to give you my number before I buy this?"
"yes, but it's for return purposes only"
Of course I received 'promotional' txts the next week. I was hesitant to give it to them for just this reason, and because I acknowledged I had a phone number I felt obligated to give it to him. Dick Smith is a member of a larger chain it's no stretch of the imagination to hook up CCTV cameras to an OpenCV instance and send txts to customers when they walk in.
No matter the law, morals people hold, or customer wants large companies are always motivated by profit margins. The Consumer Guarantees Act, the Privacy Act, the Bill of Rights Act all become murky when you're dealing with new technology, and law will find it hard to keep up.
I'm surprised tat NZ doesn't have stringent laws prohibiting this. In Australia, if you give info for a pacific reason, that's the only thing it can be used for. Heavy fines can result if it's used in any other way.
Please... A clever use of GA + Wolfram Alpha can reveal a lot of potentially identifiable information already. You can't expect the Internet to become a big part of our society and, at the same time, remain a place for complete anonymity.
I can see how being a big part of society would exert pressure to realign with society's default approach towards anonymity (1) but I don't see how that would imply any final status of online anonymity. Other forces might exert pressure in the other direction. The technology itself might resist some pressure. Access to certain technologies changes the societies themselves.
(1) And of course society in general used to be and still is pretty anonymous. I can easily buy a newspaper in almost perfect anonymity through regular channels, apparently I need to take special precautions to get the same status online.
I may be one of the few and perhaps I've just been desensitized with all the social network invasion, but I don't find this stuff that reprehensible. At worst, its moderately annoying because its one more email that I have to archive but its definitely on the lowest totem pole of annoyances. Recruiters have been cold calling and emailing me for years based off of my LinkedIn and Github profiles and all I have to do is tell them "no thanks" and my life goes on.
it means if you visit a website they could know exactly who you are, might not be an annoyance when it's a technology startups homepage but what if it's a pornography site, or a site for an engagement ring, or a surprise holiday you're planning? There's lots of examples where this could be a concern. Anything with questionable legality (eg: piracy) would be a more pressing concern.
"Buys K-Pop from Amazon.com"
"Visits RedTube at least 3 times a week"
"Spends at least 15 minutes in gay porn section"
"Made campaign donations to Republican National Convention"
"Attends Clivesville Baptist Church"
* no this is not really his web profile. But this is the kind of things web bugs leak. And while your life my be so boring that it doesn't matter to you, may other people have information they would rather not share with every stranger on the net.
We used to call the Soviet Union the "Evil Empire" for collecting about one tenth or less of this data on its people. That and rounding them up en masse to send to the labor camps.
In the US we had this thing called "McCarthyism". For a while back in the 1950's you could very easily be fired from a professional job for having read certain materials (mainly those from the Evil Empire of course) or having had certain political discussions when in college.
Just wait a few years until you need to find a health insurance plan that will agree to pay for the expensive medical treatments that will let you live a few decades extra. We'll see if your past web surfing and consumer habits make you worth keeping around.
I recognize these screenshots - it's definitely Leadlander.
I'm not sure if they do what he claims they do, but they can identify by your IP which company you belong to (assuming you're connecting from the office). There are a lot of companies doing that right now actually.
239 comments
[ 2.8 ms ] story [ 232 ms ] threadBut when I see the anger that these types of plugins, especially AdBlock, produces in content publishers I wonder if we're not headed towards a new RIAA/MPAA-style battle front. As online publishers of all kinds get more established and consolidate their power they could start lobbying to regulate against these plugins. It might seem farfetched now but so did paying a tax to the RIAA for blank media, until it happened.
“When a user opts-in to GhostRank, Ghostery sends the following information each time a tracker is encountered:
Nothing about the URL you visit. Do you have reason to believe they're lying?We'll make a blog post soon, too.
I remember being disturbed when I saw that recently, and immediately sought out and installed a social widget blocker.
They were just two examples I could think of off the top of my head though. As the other commenter said about TWP, the practice is common. I see my name and other social data displayed on sites I've never signed up to regularly.
This is a bit over my head programmatically but that doesn't seem possible. If Facebook is serving something to visitors on my site, surely there must be a way for me to capture that data?
I was appalled when I saw that we could identify, not only visitor's names, but their friends, access public photos, and all of their profile information. All of this without any action on the user's part and before there were any privacy controls.
This is just the next logical step-federating data collection across multiple sites, not just FB.
I'm obviously in the minority since FB has grown tremendously in the past 2 years but I've not looked back. I dread the forthcoming lack of privacy and anonymity our world is heading toward.
Facebook Connect is the most benign of these sorts of things there are-- it's access to data, and the implementors of its widgets and API-- have an onus to protect it.
Now, of course, there's plenty of bad actors out there, and I'm sure it's sold and exchanged, but technically and legally speaking, you're forbidden from doing so.
If I'm understanding it correctly, the vendor is offering the following service: place a JS snippet on your website. When a user visits your site, data will be pushed to the vendor's server about the user and what they do on your site (probably keyed on IP and as many other things as they can use to fingerprint). In return for you sharing this data with the vendor, the vendor will give you all of the data on this same user that was contributed by their other clients.
Here is an extreme (yet possible) scenario. You go to a medical forum that uses this software and create an account using your personal email address and real name, both of which you select NOT to be displayed to the public. You then post a message asking about a specific type of back pain you're having. A few hours/days later, you're browsing for a gift for someone, and visit the website of a salon that also uses this software. They can identify that your browser visited medicalforum.com, see the email address and real name you created an account with (since they were passed your form submission directly, without regard to what privacy settings you used for the forum), and see the topic you posted on back pain. So just to be helpful, they email you an advertisement: "Hi {your real name}, we see that you're having some back pain - bring this email in to {salon} for 15% off a massage!"
EDIT: To add, how do you know that you can trust the vendor not to display seriously private data? What if an online store uses this JS, and the vendor has your credit card info, possibly not-so-securely stored? Your information becoming public would be as simple as Asshole Q. Pirate making a fake site with some link-bait, and creating an account with the vendor.
Loudly tell them that their spying is unacceptable, then actually follow up on that statement. Ghostery is awesome, but that's a proactive measure. We're talking about appropriate reactions.
But anyways, I agree with what you're saying. If we care about privacy, we have to be loud about it. I just thought it was worth pointing out that facet of Ghostery.
[1] Yes, you can still see the traffic in the web server logs, but I don't see evidence of many companies still doing that. Google Analytics and the like seem to have completely replaced server logs for traffic analysis.
But Ghostery is not able (correct me if I am wrong) to disable the server from logging you. And automatically reading server-logs is not so difficult at all.
The most funny thing here is, that in Germany, you should anonymize an IP-address, when tracking, because of the law, that is concerned with privacy.
But the server logs your full IP non the less.
On the original post: The technology advertised to the author would be totally illegal in Germany. And if I would ever encounter (via Ghostery) a site that uses them and has a German base, I would inform the authorities against them.
I just hate this philosophy of bending/breaking the law/common sense, just because it is possible and might bring in some Bucks. And just because pressure from users might change the regulators minds in the future. It just feels so totally wrong, so disrespectful against fellow human beings, that imho everybody, that has something to do with things like this should be deported to somewhere like North Korea, or the likes. Or like in the middle ages should stand in the pillory (and not in a virtual one).
[0] http://www.marketo.com/small-medium-business/inbound-marketi...
[1] http://launchpoint.marketo.com/strikeiron-inc/747-strikeiron...
[2] http://www.marketo.com/customers/
"We do not share any information about you or your company to unaffiliated third parties, except as necessary to administer the communications we offer and as permitted by law. We may use a third party service provider to for communications; that company is prohibited from using our users’ personally identifiable information for any other purpose. If you follow us on Twitter, Facebook or on other social media services, we may use information provided by these services to customize our communications to you. We will not share the personally identifiable information you provide with other third parties unless we give you prior notice and choice." - http://www.sencha.com/legal/privacy/
Nearly every company using LeadLander is breaking the law because their posted privacy policies do not state that they are giving a third party your personal information, and that third party is giving it to others.
Edit: It looks like http://formalyzer.com/formalyze_call.js is the specific js file that uploads personal information. Of the sites I listed only clustrix.com is loading that (on the contact form). The other sites seem to be using LeadLander without the form tracking.
Doesn't that wrap things up? They'd just argue they've shared it with an affiliated third party.
It turns out that sencha.com might not be sending personal information. clustrix.com appears to be, their privacy policy says:
"The Personal Information we collect is not shared, rented, or sold to any third-parties. We may provide your Personal Information to companies that provide services to help us with our business activities such as shipping your order or offering customer service. These companies are authorized to use your personal information only as necessary to provide these services to us." - http://www.clustrix.com/privacy-policy
I'm not a lawyer, but as a normal native English speaker I read that as they are not going to send my name, email, and phone number to another company, who will in turn share it with with anyone who pays them. But that's what they are doing. They are selling your personally identifiable information.
IANAL, YMMV, etc.
http://en.wikipedia.org/wiki/Online_Privacy_Protection_Act
We can tell the world all day long this is Bad and Unsafe, but within six months it'll be more popular than ad retargeting and the meebo crapbar (because, hey, analytics!).
Doesn't look like it, at least not intentionally. They are trying to capture name, email, phone, and company. Source: http://formalyzer.com/formalyze_call.js
I can't imagine that I'm alone in this train of thought.
Anyone know if GA's privacy policy firewalls the data collected by GA from AdSense and other parts of Google?
I know they modified the privacy policy a year or so ago to integrate data across all their products but does it include GA?
It's pretty easy to guess company name from IP address, especially if you don't care about accuracy. You can kinda sorta do this in Google Analytics under Audience > Technology > Network. That seems to be roughly what they're doing in the screenshots posted. IMHO, this is not the most serious privacy issue on the web.
I would be very curious to hear exactly what percentage of visitors it is able to supply Name and Email for (and how many of those fields look bogus). This sort of individual-level tracking across sites is obviously possible, but I don't think it's common. Google/DoubleClick do not, as far as I know, do any sort of tracking at the level of an individual's name or email address (And why would they? It's asking for regulatory problems and it doesn't really help them much -- they target ads to groups of similar people based on demographics, not to particular named individuals.)
So I signed up for a demo account and installed (and hastily removed) the tracker
http://news.ycombinator.com/item?id=4911542
Like the parent, I have no idea how this information could have been obtained. It lists search terms, how could a 3rd party track clicks from SERPs to a website not running their tracking code?
Was anything mentioned about the browser used? Maybe when "auto-fill" browser options are enabled for a user there's a way to access that data.
One one level, I can see why sites do it. On another, one inch higher level, I can see how any site implementing it is so shortsighted that I'm amazed they didn't immediately go bankrupt as soon as they started.
> It's a fair question and one that I asked myself. If the entire service is a fake, then it is an extremely elaborate one because the name and emails of the individuals it did indentify (which I noted was a small percentage) were real.
That said since a (very) long time I'm using separate Linux user accounts to: check my professional email + G+, surf my personal email + G+ + FB (my FB is using a fake but plausible name) and a third one to surf the Web.
The one surfing the Web is linked to a fake online identity: entirely made up, with fake friends / fake G+ circles, fake StackOverflow / OpenID and basically fake everything.
I then only ever surf using a transparent proxy for anything "work related": the IP can't be linked to my fake IP.
It's not difficult to set up: I did set up the transparent company Web proxy (VPN would to too) myself and basically Linux user accounts take care of the rest.
Now I'll start using different browsers too and, why not, maybe Tor in one of the account.
I take it I could take all this a step further and whitelist websites that my "personal" account is allowed to connect to (using iptables' owner-uid mod).
I find it a little annoying though that cookies are not sandboxed by tab, rather than by window/session. If I log into FB in incognito, and then do a little more private browsing in a new tab the FB cookies are still accessible in the other tab.
I guess I could be more vigilant with my browsing habits but I think this is a fair feature to implement at browser rather than forcing user to jump through more hoops to protect privacy. On a side note, when will chrome finally offer API hooks to allow NoScript to be developed for it?!
facts (detected by a ghostery at 42floors.com): ClickTale, Facebook Connect, Google +1, Google Analytics, MixPanel, Optimizely, Twitter Button
...by 42 floors. They're still telling all those networks that I visited the website.
To name a few -
http://trends.builtwith.com/analytics/LeadLander http://trends.builtwith.com/analytics/Hubspot http://trends.builtwith.com/analytics/Marketo
There's a lot of them out there now and mostly all of the big ones are continue to grow in popularity.
But I could be completely wrong; is the guy who relpied with the rx Darren?
The second a prospect submits a web form, all that previous web activity is tied to their email address (and any other info you collected via the form). You now have a real lead.
I don't see any privacy issues with this.
What I would see an issue with is if the tracking company were sending the IP address and cookie back to a central database to query "Does anyone _else_ know who this visitor is?" and then provide PII any company who uses the tracking service.
The moment you start giving my PII to a company that I didn't voluntarily give it to is when I feel a line has been crossed.
That appears to be exactly what's happening. The email mentions "access to our entire network of identified data ([...] we can identify any visitor [...] if that person has filled out a web form from any other website we are tracking)".
In the case of marketing automation, all the data lives within the system and is used by the company - rather than giving that information out - a very different proposition.
On the other side, most startups including YC ones, use some sort of tracking for analytics to improve usability and internal flow, so advocating against all trackers and for all users installing a blocker is a double edge sword.
I don't see a moral issue with retargeting because at its heart it's anonymous - all we know about a user is a string of sites and maybe search words. However, as soon as that data is correlated against personal information, as soon as the real world data and the digital paper trail are correlated and identifiable it becomes sufficiently creepy to me. Who knows - maybe 5 years from now this will seem innocent and benign compared to the mind-reading banners on the bus stops but this seems like a line in the sand I am willing to draw today.
https://panopticlick.eff.org/ <-- check how unique your browser is.
Instead of a script to embed, these firms could provide an API to identify users from the server side. The scripts that captures the profile would be served by the sites themselves rather than from third party services.
Toast.
A possible solution would be anonymize the browser fingerprint, at least in private mode, ie lie about the details of the system.
Google, Mozilla, Opera, can you hear me?
--
[0] http://www.ghostery.com/
Google, Mozilla, Opera, can you hear me?
== This. The system needs to be fixed. Need to know (only) vs nice to know info exch, etc.
First, the precise browser version and OS can probably always be identified by checking for supported features, bugs etc. even if the extreme measure would be taken to remove the user agent string.
Add the screen resolution, IP, timing and request patterns (+) and we are all screwed.
(+) e.g. rule out users that are using other sites at the same time. Note that it would be possible to determine if a page is in the currently focused and visible browser tab and forward that information to the tracker.
Force them to do detailed packet timing and their costs will go up, and it will become less economical for black hats to play around with your personal data.
I don't know if nuking the user agent string is a horrible idea, but it's less of a problem today than it was 5 years ago: today, a website can assume all browsers conform pretty closely to a standard. Only really advanced features require user agent sniffing (arguably, if you're sniffing the UA you're doing it wrong).
I think we should make that kind of fingerprinting opt-in, not opt-out.
The trick is not to remove information, but to poison it.
For example, Panopticlick sees that I have dozens of "system fonts", enough to stand out. I want my browser to lie about the fonts I have, based on settings I choose.
There are many details about my browser and system that are irrelevant to what most sites need to do so lying about them should not interfere with viewing a site.
This is another problem with having an advertising company (Google) supply a browser that is very popular (Chrome). In fact, Safari and IE are also run by companies with large presences in the online ad market.
I doubt Google in particular will risk antitrust suits by blocking these kinds of very, very unsettling but unfortunately legal trackers, which in part are not so technologically different to GA but combine a few more bits of tech which makes them awfully invasive. We might be able to hack technological solutions together here but this stuff rarely makes it out into people's mainstream browsers.
The most important way of securing people's data over the next 10 years is going to be by way of the browser and the mobile OS, but the thing that is most easily achievable is to have a solid browser that people can trust on to implement privacy-preserving technologies. The only browser I can realistically see doing that is Firefox.
Maybe taking a page out of the enterprise play book and using a proxy, like Squid, would make sense. From reading the Squid manual, it seems like it could play a role as it is quite extensible and sophisticated. Making it easy to setup and customize would be pretty difficult from what I can tell, unfortunately.
Maybe it's forgotten. Maybe it lies. Maybe every time I rev Firefox Nightly I change identity.
What is true is that every time I leave an email address, it's tagged with the name of the site where I left it.
Indeed; the user agent is part of the fingerprint.
Just mentioning this lest anyone get the wrong idea that setting your browser to update frequently might be a defense.
I use Google Apps (possibly not a good idea but soo convenient :/) with a catchall. I didn't catch any offender so far...
However (off topic), spammers are spoofing addresses as if they were coming from my domain. I receive two to three dozens automatic replies from mail servers (this address does not exist...).
I've properly set up DKIM and SPF records, making it obvious that these mails are spoofed, but I'm afraid my domain will end up on grey/black lists... Anyone out here familiar with this kind of issue?
https://en.wikipedia.org/wiki/Email_address#Valid_email_addr...
If you do go this route, I'd recommend using a whitelisting approach. I do get a lot of spam sent to random addresses at my domain.
Obviously you can never give out the "something@example.com" address and then assume that everything that goes to that address must be spam, but I've had legitimate contact from companies who have had to email me by removing the + portion because their internal email system wouldn't allow addresses with a + in them.
But note that a constantly changing fingerprint doesn't make it useless for tracking - if a site can keep any kind of cookie to persist between browser updates, it could add the updated signature. Then when you purge cookies and persistent storage, a site can re-add the cookie to keep on identifying you if your signature hasn't changed.
You'd have to purge all persistant storage at the same time as an update to avoid this, and even then (or if you never had persistent data to begin with) your IP or even geographical location will likely be enough to identify you again.
Unless the nightlies have a different behavior than the releases, the patch level is not reported anymore. The changes went into 16.0.2 which was released on 10/26/2012. initial report on b.m.o[1] reads as follows:
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=728831"Within our dataset of several million visitors, only one in 857,908 browsers have the same fingerprint as yours."
As it doesn't allow for plugins, my fingerprint should (cookies aside) match that of any other <popular device> user.
So maybe the solution here is coming up with a 'secure browse' profile that every browser reports the same fake fingerprint.
Security in numbers.
There already is: https://www.torproject.org/projects/torbrowser.html.en
This also has the advantage that no other solution has: it completely hides your location as well, whereas even with a "standard" browser, your IP address + time zone alone can do a lot to identify you.
The data acquisition scripts would be served directly by the web sites.
you can certainly make something that is "ghostery proof", but (1) this isn't it and (2) it would be more complex to deploy and so gain less traction.
It wasn't about this very company, but tracking in general, which can be implemented without serving code from a third party server.
If solutions like Ghostery become the norm, there are still workarounds, and they will catch up if nothing else works.
The browser UA is only one component of the fingerprint, and probably not the most important one.
Plus one for this. I wonder if a plugin alone could change enough info to fool the trackers?
Rather than trying to hide everything another tactic is to provide random misinformation (different user-agent strings, only presenting a subset of fonts and plugins, etc). Enough to defeat the fuzzy matching that does go on.
Sure you've got to be careful that you don't do things that may break some sites that rely on this information remaining stable during a session, but that's got far less common with the frequent browser upgrades that go on nowadays.
imho the best strategy would be to copy one behaviour everywhere, so that there could be no way to differentiate between users.
Not really. If they share data on the server side, they wouldn't be able to share a cookie - they would have to rely on other means to identify you, such as IP address etc. Not entirely impossible, but not as precise either. And that is spoofable through proxies etc.
These scripts will only track you and not receive information.
I've worked on a similar tracking snippet/system for http://www.projectcounter.org/ and this was one of the first things we attempted.
If you block the leadlander domain(s) the script will obviously not run and also consequently won't be able to send fingerprint details back.
In Firefox, the plugins get them to 1 in 860,000 which leaves only 3 possibilities in their DB of 2.5 mln, even though Firefox loads only QuickTime and Flash.
It must be the combination of codecs I have installed. How do I go about cleaning that up?
Surprisingly, AdBlockPlus doesn't seem to block it.
Edit: actually it's LeadLander.com as pointed out by NiekvdMaas here http://news.ycombinator.com/item?id=4891764
https://easylist-downloads.adblockplus.org/easyprivacy.txt
you'll see that Demandbase is there.
Hardware manufacturers & telecomms seem to feature heavily:
(a selection) ... Adobe, Dell, IBM, AMD, Box.net, Cisco, CSC, Comcast, Freescale, HP, Lenovo, Motorola, Novell, Qwest, Salesforce.com, Siemens, Symantec, Verisign, VMWare, Vodafone.
And there's several anti-virus/anti-malware companies listed there.
UPDATE: The LeadLander.com site also lists their customers - Microsoft, Motorola, Red Hat and Cisco, among others.
"Do I _have_ to give you my number before I buy this?"
"yes, but it's for return purposes only"
Of course I received 'promotional' txts the next week. I was hesitant to give it to them for just this reason, and because I acknowledged I had a phone number I felt obligated to give it to him. Dick Smith is a member of a larger chain it's no stretch of the imagination to hook up CCTV cameras to an OpenCV instance and send txts to customers when they walk in.
No matter the law, morals people hold, or customer wants large companies are always motivated by profit margins. The Consumer Guarantees Act, the Privacy Act, the Bill of Rights Act all become murky when you're dealing with new technology, and law will find it hard to keep up.
Dick Smith used to pull this all the time in Aust before they got pulled up over it. I always told them "sorry, not available" and they just moved on.
(1) And of course society in general used to be and still is pretty anonymous. I can easily buy a newspaper in almost perfect anonymity through regular channels, apparently I need to take special precautions to get the same status online.
What's the big deal?
"Buys K-Pop from Amazon.com" "Visits RedTube at least 3 times a week" "Spends at least 15 minutes in gay porn section" "Made campaign donations to Republican National Convention" "Attends Clivesville Baptist Church"
* no this is not really his web profile. But this is the kind of things web bugs leak. And while your life my be so boring that it doesn't matter to you, may other people have information they would rather not share with every stranger on the net.
In the US we had this thing called "McCarthyism". For a while back in the 1950's you could very easily be fired from a professional job for having read certain materials (mainly those from the Evil Empire of course) or having had certain political discussions when in college.
Just wait a few years until you need to find a health insurance plan that will agree to pay for the expensive medical treatments that will let you live a few decades extra. We'll see if your past web surfing and consumer habits make you worth keeping around.