Slashdot: News for Nerds


More Web Site User Data Gathering Revealed

jamie posted more than 13 years ago | from the trust-but-verify dept.

Privacy 239

Three days ago, a small group called Interhack was featured in an AP wire story about some curious data transmission they'd found. The company receiving the data, Coremetrics, tracks unique visitors through its clients' corporate websites, and promises those clients "seamless performance," because: "data tags load invisibly as small transparent gifs, and information is encrypted to appear invisible to your customer." The customer is you, the user. The GIFs are web bugs. The information can be personally identifying, which most of its clients' privacy policies fail to mention. But -- importantly -- the company promises that "Any data Coremetrics tracks and reports is owned solely by our customers and we are contractually precluded from reselling or using this data." Is that enough? Emmett and I talked both to Coremetrics and to the hackers who put the spotlight on them.

Emmett Interviews Interhack

Slashdot: For those uninitiated, what's interhack all about?

Basically, we're a firm of hackers interested in pushing technology forward through research, making computing apply to people by developing custom products and consulting for folks who want to put the technology to use, and helping people understand exactly what the ramifications of these systems are. That's a pretty broad way of saying that we're all about the Internet and making it work.

Slashdot: When did you start researching this story, and how long did it take to put the pieces together?

Sometime in May, someone sent us a tip about Coremetrics and what it's doing. We took a quick look over their web site to see their advertised services and then started to look at how the service is actually implemented on various client sites. We examined several sites, most of which very clearly stated in their privacy policies that they're using Coremetrics for site monitoring and provided links necessary for people who don't like it to opt out of the system. Most of the sites with clear, full disclosure policies weren't even sending Coremetrics personally-identifiable information like names and addresses.

The more interesting part of our find was in the sites that did send personal information to Coremetrics, particularly those that carried the TRUSTe privacy seal. Over the course of about three weeks, we performed an investigation of these sites, gathering as much information as possible from them. We reverse-engineered the system by reading the sites' code, reading through the obfuscation, and comparing logs of our network's activity with the activity that would be perceived by an end user.

What we found was a clear difference in user expectations and what was actually happening, as well as a clear difference between what Coremetrics says it offers and what its eLuminate service makes technically feasible. After writing drafts of our report and press release, we decided to take a wait-and-see approach to the release. Specifically, we wanted to ensure that sites that just started to use the Coremetrics service had adequate time to update their policies and to have an accurate idea of what was happening with the system after having been in production.

After waiting and watching for more than a month, we decided to release our findings. So, on Monday morning, we sent a pre-release copy of our report to Richard Smith and some folks at Zero Knowledge Systems. In addition, we contacted each of the firms named in our report and Coremetrics so that if the failure to disclose or the ability to profile people across web sites was unintentional, there would be time for some investigation and a decision about how to fix the problem. After the end of business Monday, we released our report.

Slashdot: What needs to change? In a perfect world, how do we deal with this?

This is a very interesting question. In my perfect world, detailed levels of profiling would not take place at all. There would be no such thing as persistent cookies. In general, I'm just not comfortable with the level of privacy that the industry as a whole has given up for the sake of a little convenience.

How big of a deal, really, is it to have to enter your password when you login to a web site? Don't forget that the reason why we have passwords in the first place is so that you'll have to do something at the beginning of the session to prove who you are.

Web browsers also need to be more intelligent. That is, they need to be able to identify things like dependencies on third parties so the user can know whether those images should be fetched or ignored. Right now, browsers -- for the most part at least -- just aren't very defensive. The model of parsing everything you're given worked fine in the Old Days for which some of us long so much but the fact of the matter is that you really can't blindly trust anyone on the Internet.

I'm not suggesting becoming a luddite. I'm suggesting that folks take a sort of "trust, but verify" approach a la Ronald Reagan. Right now, there's a lot of trust and almost no way to verify.

Slashdot: This all comes down to trust. How many policies are just there so people will shut up about personal information so they'll start buying stuff online?

I couldn't say. Policies are almost always written by lawyers. That probably speaks to the covering-one's-posterior-position value of privacy policies.

Slashdot: Since we can't trust written policies, what should people be doing before they start conducting business with these websites?

Verify everything. As I said earlier, though, we're severely lacking in tools that are accessible to most people that can help in that regard. I think Zero Knowledge Systems' Freedom network is a huge step in the right direction. Tools like Muffin (muffin.doit.org) also help, but it would be cooler for that kind of functionality to live right in the browser itself. There are opportunities for eager hackers on this front.

It's also important to stress that tools alone won't do it -- there is no silver bullet. People are going to have to have some understanding of what's happening in order to use these tools effectively.

Finally, where you see discrepancies, point them out. Most of the time, they're oversights. Look at how Lucy.com and Fusion.com dealt with this problem: they updated their sites. So although the problem shouldn't have happened in the first place, they did the right thing. Contrast that with Toys "R" Us, which issued a statement saying that what they're doing isn't a violation. And their privacy policy still doesn't say a word about Coremetrics. They still haven't said anything to address the issue of having information collected on children.

Companies that don't fix their problems don't take your privacy seriously, no matter how much lip service they pay. So don't go to their sites. Don't buy their stuff. Tell them why you're not buying their stuff. Tell their competitors why you shop where you do, lest the new places you shop get the bright idea to try to hide something.

Jamie Talks to Coremetrics

Here's the service Coremetrics provides to corporate websites:

Many companies demand accurate knowledge of how their sites are being used: what sections are popular, what paths visitors take through the site, where people click over from, and so on. It's like web log analysis but more specialized for large shopping sites.

Since these demands are very much the same, and the code to do the analysis is similar, outsourcing happens. From a CEO's viewpoint, Coremetrics fiddles with the website to do better-quality tracking than the company could do on its own, and then makes the resulting statistics available over SSL.

But from your viewpoint and mine, that "fiddling" results in cookie-carrying web bugs all over the sites we visit -- web bugs which usually send back to the Coremetrics servers a unique visitor tag, like any other cookie, but one that sometimes includes your name, email address or other personally identifying information.
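The web-bug pattern described above, as an added example (not code from the article, Interhack or Coremetrics): a static audit that lists the tiny or third-party images on a page and flags query parameters carrying an e-mail address. The hosts, markup and parameter names (`vid`, `em`) are constructed, and comparing only the last two host labels is a simplifying assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urljoin, urlsplit

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")
TINY = 2  # px; a 1x1-only rule is trivially dodged with 1x2 or 2x2 images


def site_of(host):
    """Naive 'same site' key: the last two host labels (assumption; a real
    tool would consult the Public Suffix List for names like example.co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def _dim(value):
    """Parse a WIDTH/HEIGHT attribute; None when absent or not a pixel count."""
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value or "")
    return int(m.group(1)) if m else None


class _ImgAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_site = site_of(urlsplit(page_url).hostname or "")
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)  # HTMLParser lowercases names and unescapes values
        if not a.get("src"):
            return
        src = urljoin(self.page_url, a["src"])  # resolve relative URLs
        url = urlsplit(src)
        if url.scheme not in ("http", "https"):
            return  # data: and similar URLs cause no network request
        third_party = site_of(url.hostname or "") != self.page_site
        w, h = _dim(a.get("width")), _dim(a.get("height"))
        tiny = w is not None and h is not None and w <= TINY and h <= TINY
        # Parameter names whose decoded value is an e-mail address.
        pii = [k for k, v in parse_qsl(url.query) if EMAIL_RE.fullmatch(v)]
        if third_party and (tiny or pii):
            verdict = "web-bug"
        elif third_party:
            verdict = "third-party-image"  # can still carry a cookie
        elif tiny:
            verdict = "first-party-pixel"  # e.g. a site's own page counter
        else:
            return
        self.findings.append(
            {"src": src, "host": url.hostname, "verdict": verdict, "pii_params": pii}
        )


def audit(html, page_url):
    """Return one finding per suspicious <img> in document order."""
    parser = _ImgAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page; none of these hosts or URLs come from the article.
PAGE_URL = "http://www.shop.example/checkout"
SAMPLE_HTML = """
<html><body>
<img src="/logo.gif" width="120" height="40">
<IMG SRC="http://images.shop.example/pagecount.gif?/checkout,965412345" WIDTH=1 HEIGHT=1>
<img src="http://data.tracker.example/t.gif?vid=8f3a21&amp;em=pat%40mail.example&amp;pg=checkout"
     width="1" height="1">
<img src="http://data.tracker.example/t.gif?vid=8f3a21" width="2" height="2">
<img src="http://cdn.partner.example/banner.gif" width="468" height="60">
</body></html>
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_HTML, PAGE_URL):
        extra = f" leaks={f['pii_params']}" if f["pii_params"] else ""
        print(f"{f['verdict']:18} {f['host']}{extra}")
```

A static parse like this does not see images that a script writes into the page at load time, and it cannot tell whether the third party sets a cookie; both need a look at the actual network traffic.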

Coremetrics promises that this information remains private. When DoubleClick collects data from <img> cookies across multiple websites, they do so with the stated intention of tracking you personally; this is part of their business plan.

According to Coremetrics, they do things very differently. Data is not cross-correlated between their client websites, they say, because their contracts with their clients prohibit this. In fact, their contract forbids them from doing much of anything with that data except statistical analysis.

I gave the Coremetrics PR person I talked to a chance to explain, using the example of their client Toys 'R' Us:

"Coremetrics is merely an agent that collects this data on behalf of an individual customer, for that individual's sole use only. We do not collect data, as was inferred very incorrectly by Interhack, across multiple unrelated websites, with any intention of selling it to third parties -- or even distribution to third parties. That's because we, as the agent, do not own that data, nor do we have any rights to that data. Toys 'R' Us, and Toys 'R' Us only, is the sole owner of that data. So legally, we cannot do any of the possibilities that Interhack had alluded to in their report."

But here's the interesting thing.

If I'm browsing my favorite website, Coremetrics is clearly a third party. They have a special contractual relationship to keep my data private, which we shouldn't ignore. But nevertheless -- a third party.

So why do some of their clients' privacy policies not mention this?

Toys 'R' Us is a good example. As Interhack made clear, they do send personal data to Coremetrics' servers. But their privacy policy reads, "We do not share any personally identifying data about our guests with anyone outside of Toysrus.com, its parent, affiliates, subsidiaries, operating companies and other related entities."

So is Coremetrics one of their affiliates or a related entity? I wouldn't think so, but I'm not a lawyer. One interesting thing is hidden in that privacy policy's HTML; after the closing </html> tag is the hidden message: "<!--CoreMetrics Information if enabled-->." Hmmmmmm.

Coremetrics lists twenty clients; I tried to contact seventeen of them for comment, with marginal success by press time. Three reported that they had not yet activated Coremetrics or had decided not to use the service at all. One (guru.com) reported not sending any personal information -- presumably, only tracking visitors with a non-identifying unique ID.

Two sites (lucy.com and fusion.com) began mentioning Coremetrics in their privacy policies on August 1, the day after the Interhack report. One site (thewest.com) did not even have a privacy policy until yesterday; they'd been working on it, and my email may have made it a priority because it was on their site three hours later.

According to Coremetrics, they encourage all their clients to disclose the use of their service in their privacy policy, and include a link for users to opt out. But some sites reported as using or planning to use Coremetrics' services have privacy policies that could use some clarification.

Altrec.com informs me that "...in the near future ... we plan to add to our privacy statement our use of Coremetrics and the fact that Coremetrics neither owns, distributes, nor has rights to the data it sorts on Altrec.com's behalf." However, their current privacy policy states very simply: "Altrec.com will never sell or give your e-mail address (or any other information about you) to anyone else without your permission. Period."

(Last-minute update -- just before press time, Altrec.com clarified that they are "sending unique ID (unique to Altrec.com) and city, state and zip. No other personally identifiable information is being sent to Coremetrics.")

Bravanta.com bounced me between different people until I got to leave voicemail that wasn't returned by press time. Their policy says they "do not and will not sell, trade or rent the personal information of our customers or gift recipients to any third parties."

(Update two hours later: Bravanta reports that they also have decided not to use Coremetrics' service, and are not currently using it.)

Mall.com didn't get back to me either, and their policy reads "We will NEVER release your name and personal information to a third party..."

Getplugged.com has a rather confusing privacy statement that begins, "Any personally identifiable information GetPlugged.com collects will be used solely for the purposes stated within this Privacy Statement" and wanders around from there. I'm not sure what to make of it, frankly.

All these policies may indeed be correct, if the sites are stingy with personal data. Like guru.com (and altrec.com), they may be using the Coremetrics service only with non-personal IDs. But, as with Toys 'R' Us, that may also not be the case.

(fusion.com, getplugged.com, and altrec.com also happen to be TRUSTe licensees, but TRUSTe wasn't able to comment by press time. In the AP wire story on Monday, they had harsh words but were speaking hypothetically; no comment since then.)

It's hard enough to read privacy policies already. Most of them are designed to protect companies legally, and mostly manage to confuse users. The distinction between Coremetrics as a third party, an affiliate, or an agent is a little too fine for the average consumer, and needs to be spelled out in each policy, as Coremetrics itself recommends.

But is all this a tempest in a teapot? If a signed contract forbids a company from misusing data, is that all we need to know?

I don't think so. In the first place, at the very least, companies like Toys 'R' Us need to disclose such things in their privacy policies. That's just common sense.

In fact, according to Coremetrics privacy advisor Dave Farber, they plan contractually to require such disclosure with future clients. (The company could not confirm or deny this at this time.)

More importantly, we as consumers are being asked to trust a third party whose reputation we know nothing about. In fact, 99% of us will never even have heard of them and might not understand what they do. We're told that a contract protects us, but we're still being asked to trust something we can't see. And when evidence of policy violations is turned up by a group of hackers, that erodes our trust.

After speaking at length with Coremetrics' PR, I get a general feeling of trust from them. (Of course that's a large part of their PR staff's job, earning reporters' trust.) More importantly, Dave Farber is well-respected, and his confidence carries weight -- with me at least.

Still, as Interhack says, our motto should be "trust but verify." That's why I proposed, to Coremetrics, that they publicly post, on their website, the paragraphs from their clients' contracts which assure that our private data remains private. If the actual legal words that protect our data are up there for us to see, we don't have to trust anyone.

When I mentioned this to Coremetrics' PR person, he promised to consider it; Dave Farber thought it was "a very good idea." It's unusual for corporations to make contracts public, even in part, but in this case it would do a great deal to put everyone's fears to rest.

239 comments

no more privacy (1)

Anonymous Coward | more than 13 years ago | (#882674)

they can do whatever they want and they will, for most people that's invisible and they don't give a shit, they won't even notice. If you don't want to be tracked the solution is "DO NOT ACCEPT COOKIES! and clear your cache once in a while...

Re:Web Bugs (1)

Anonymous Coward | more than 13 years ago | (#882676)

Didn't they have some option to let you not load any image from a different server? It seems like that would accomplish the same thing and still allow for "page counter" gifs

Re:no more privacy (1)

Anonymous Coward | more than 13 years ago | (#882677)

better yet, use junkbuster or some other cookie cutter.

Re:Web bugs on Slashdot? (1)

Roast Beef (2298) | more than 13 years ago | (#882686)

It's probably for statistical purposes, but how it copes with caches I'm not sure (and I don't care enough to look at the HTTP header for a Pragma: no-cache statement).

Actually, cache may be the reason they do it. If a cache caches the main page, there's no way for /. to track hits. The JavaScript generates a unique (time-based) request for the user, so there's no way it can be cached. The cache thinks it's a new URL.

THE ABOVE IS A TROLL (1)

Roast Beef (2298) | more than 13 years ago | (#882687)

Comment tags keep browsers from displaying JavaScript code. The code still runs.

Re:Web Bugs (1)

EMN13 (11493) | more than 13 years ago | (#882691)

You shouldn't be using 1x1 gifs for spacing anyway... In a decently designed website there is no need for them. Use CSS, or whatever else, but relying on 1x1 images for spacing isn't the brightest idea. It destroys the way HTML was intended to function - structurally, with UI separated out. Why blame mozilla for having such difficulty making a browser work if the true culprits are the people abusing rendering implementations on specific browsers.

Apart from that, if anyone were to implement a 1x1 filterer, that obviously shouldn't affect layout, so it would still space things as before (to not break any web sites) but simply not load the images. Would only make your web server faster because of fewer requests.

Re:Web Bugs (1)

EMN13 (11493) | more than 13 years ago | (#882692)

Single pixel spacing does not have its own good purposes. Design the logical layout and then apply style. I sure prefer simple sites to sites that are so obfuscated as to need one pixel spacing...

Re:Protect Yourself (1)

Kyobu (12511) | more than 13 years ago | (#882694)

Admittedly, this isn't as convenient as having such preferences in the browser itself, but you can always use JunkBuster [junkbusters.com] or Muffin [doit.org] . JunkBuster is great; I haven't tried Muffin, but the article mentioned it and it looks cool. Even does a couple things JunkBuster can't, like removing <BLINK> tags.

Emmett and Interhack (1)

Xerithane (13482) | more than 13 years ago | (#882699)

Emmett Plant, "journalist" on slashdot.
Emmett Plant, founder Time City Project.
D. Clyde W., very visible member Time City Project
D. Clyde W., member of interhack
Hm, can we say shameless plug.. considering slashdot uses bugs I can't believe that they are slamming coremetrics.
Slashdot used to get worse on a monthly basis, then weekly, now it's with every post.

nerdfarm.org [nerdfarm.org]

Re:THE ABOVE IS A TROLL (1)

ethereal (13958) | more than 13 years ago | (#882701)

It may be incorrect, but it is not a troll.

add these tidbits to your junkbuster .block file.. (1)

Nickbot (15172) | more than 13 years ago | (#882704)

Add these to your Junkbuster .block file..

images2.slashdot.org/Slashdot/pc.gif
images.slashdot.org/cgi-bin/adlog.pl
images.slashdot.org/pagecount.gif

anybody want to ante up entries to block this coremetrics bull?

Re:Web Bugs (1)

Eimi Metamorphoumai (18738) | more than 13 years ago | (#882708)

What if it didn't load the image, but instead did the spacing anyway? Use its own hardcoded 1x1 transparent gif instead of yours. Seems it would be a lot faster for the client, and wouldn't break spacing on sites (unless that 1x1 is some color other than transparent, which I would imagine is pretty rare).

"contractually precluded" is not good enough. (1)

jheintz (21814) | more than 13 years ago | (#882709)

"Contractually precluded" might, perhaps, be good enough for us to trust that the company won't sell the gathered data, but it relies on trusting the individual people who have access to the system not selling out.

I'm sure that internet advertising agencies will pay big bucks for a list of identities with data. No corporate contract will keep some people from immorally stealing and selling that data.

John Heintz

Doesn't the term web bug (1)

Rombuu (22914) | more than 13 years ago | (#882711)

Seem like a really bad name for these things? I mean, they work exactly the way they are intended to. So why call them a bug?

Here ya go (1)

FascDot Killed My Pr (24021) | more than 13 years ago | (#882712)

http://world.std.com/~joeshmoe/sj/spj.ethics

In particular, check out 4b and 4c. "Potential conflicts" would presumably include "he's my friend's friend so I don't want to make him look back".

I just noticed the "joeshmoe" in that URL, but I don't feel like looking for a more reputable-seeming link.
--

It's polite to ask (1)

leftorium (32683) | more than 13 years ago | (#882716)

If a company has such a tracking system on their web site, they should at least have a welcome page that informs the visitor of what's happening. And give the option of going or staying. The info mentioned in this welcome page should include every piece of info that the page is collecting about the visitor. At the very least there should be some place to see what was sent about you.
__________

Outsourcing != third party... (1)

heech (36526) | more than 13 years ago | (#882718)

First of all, I don't believe for a second this issue can be broken down into a simple analysis of right-wrong. There are definitely fuzzy boundaries here, and quite likely everyone will form their own opinions on whether Coremetrics or their clients are behaving in a moral and proper manner.

That said, from the rough description given here, Coremetrics is providing an out-sourced service that seems completely legitimate. I'd also argue that Toysrus and others are completely within their rights to keep this out of their privacy policies, as long as they were not negligent in protecting the privacy they promised their users (and the contractual agreement on data-ownership would seem to suggest that they are not being negligent).

If I call up customer service, there is a very high probability that the person answering the phone is provided by an out-sourced phone support agency. Do they need to explain to me that they aren't actually employed by Foobar.com before taking my credit card order? As long as they're acting as agents of Foobar.com, and as long as Foobar.com has taken reasonable measures to protect my privacy (again, legal restrictions are the best you can ask for), I have no issues with this.

Back in the online world... what if your pages are actually being served by Akamai? Are they also a 'third-party' that gets access to your private data? Most likely. What if the web-site is hosted by an ASP (like Loudcloud or Jamcracker)? Clearly they have complete access to your private information at all times as well. What if the databases your data were stored on are backed up using out-sourced storage servers?

The privacy policy should clearly indicate all distribution of your personal data to other external parties. Firms that act as agents of a third company in handling your data should be aware that the privacy policy of the parent company (and any other promises made by the parent company) should be considered binding over their behavior as well, but it makes little sense that they must be disclosed to the user as well.

Re:Web bugs on Slashdot? (1)

Wedman (58748) | more than 13 years ago | (#882728)

But it's the whole "Ah HA! A conspiracy! Just like on the X-FILES! I knew it. I knew it!" appeal that makes that comment interesting

Re:Web bugs on Slashdot? (1)

Wedman (58748) | more than 13 years ago | (#882729)

If it's for AC tracking, they could just use the logs of the _page_ request

Yeah, you're right, but the Web Bug theory makes everything more interesting and 'l337. My theory appeals to the lowest common denominator, while your theory makes sense. :P

Coremetrics (1)

Ennslaver (63375) | more than 13 years ago | (#882732)

I think that web tracking is the next best thing in internet marketing, It is a great idea. How else are these big e-commerce based companies going to know who visits their sites and what their shopping patterns are? These so called 'web bugs' are used by slashdot even today, Interhack doesn't understand the technology and they are scared away from it. They call themselves hackers yet do not understand the basic concept of what privacy really means, Coremetrics does not own the data, they just receive it and process it. They clearly state that they cannot sell the information to anyone. I don't see how I would even be affected by this, I know I'm not going to have marketers call me because of them. I hope that these .com companies will realize what great advantage using coremetrics has in the marketing world to be able to know your customers better.

Re:Coremetrics (1)

Ennslaver (63375) | more than 13 years ago | (#882733)

You're a moron if you think coremetrics sells your information or gives your information to anyone.

Firewall (1)

BorgDrone (64343) | more than 13 years ago | (#882734)

What are the IP('s) of the machine('s) used for tracking so I can block them in my firewall ?
Is there a website with lists of servers/IP's hosting webbugs ?
---

Re:no more privacy (1)

plague3106 (71849) | more than 13 years ago | (#882738)

If that's all they get, then so what?

Re:Coremetrics.. (1)

James_G (71902) | more than 13 years ago | (#882740)

Those that do not wish to be tracked can surely disable it

So you're saying that for every commercial website I go to, I have to work out how they're collecting information about me, who they're sending it to, and work out how to disable it?

Why is that up to me to work out? It's not like they make it easy to opt-out.

Of course, what should really happen is that the default is opt-out, not opt-in. This will never happen though. How many people are going to look at a box that says "Click here to have your privacy invaded" and think "Oooh, I'd better do that, sounds like a great idea"? That's right, none.

As has been mentioned before, a good start would be more defensive measures on the part of the browser. Wait a while.. I'm sure it will happen..

Re:Spot the webbug (1)

rkent (73434) | more than 13 years ago | (#882742)

Well, rather than splitting semantic hairs, I think the point of bringing this up is to ask: what does Slashdot do with those invisible images? This has really nothing to do with whether or not they come from a foreign server. Let's not squabble about whether they're "technically" web bugs or not.

That said, it looks to me like it keeps track of which comments you've read, or what your comment preferences are, or something. If you don't want this tracked, don't accept cookies from slashdot! The site can be viewed perfectly without them, you just have to post as AC. Or, you can accept one lousy cookie when you log in and never ever accept another one.

Slashdot is not out to get you. Or if it, is, it's not trying very hard :)

Self-important web bugs that talk to themselves (1)

Rares Marian (83629) | more than 13 years ago | (#882743)

Are you talking to you?
Am I talking to me?

Mozilla to the rescue? (1)

101010 (84878) | more than 13 years ago | (#882745)

Wouldn't this be a good niche opportunity for Mozilla? They could focus on privacy and security in the browser, maybe watching for traffic going off to third party websites. What about a blacklist of websites that could be listed right in the browser settings?

Re:Web Bugs (1)

passion (84900) | more than 13 years ago | (#882746)

So - who's to stop the use of 1x2 or 2x1, or 2x2 images...?

Re:difference? (1)

Aerolith_alpha (85503) | more than 13 years ago | (#882751)

I agree... we use webtrends on the apache logs here... It's scary but one of the best forms of anonymity a user has is to be an AOL user. New IP each time?, plus having the webcache keeping some of your http requests from showing up on the server.

Re:Its not surprising this is happening (1)

Aerolith_alpha (85503) | more than 13 years ago | (#882752)

I would be more worried about corporate america at this point, just because we can actually stop them... I don't know if that is true for all of the recent news about carnivore... I just HOPE we can stop it.

Re:Coremetrics.. (1)

Aerolith_alpha (85503) | more than 13 years ago | (#882757)

It's actually more detrimental to give them fake information than to turn it off... For example, with double click across site tracking, if you enable cookies, then go to a bunch of completely unrelated sites that you would normally never go to, THEN disable cookies, you have built a user profile that is nothing like what you actually do. This is one very small anomaly in a large pool of statistics, but if enough people do it, it could really mess up their data...

Re:I have a real problem with this (1)

Aerolith_alpha (85503) | more than 13 years ago | (#882758)

It bothers me the most when they have a 'Privacy Policy' that they don't actually follow. If the privacy policy actually states what they do, then there isn't a big issue in my opinion. I recently had to add a privacy policy to a site that I do updates for, and it was complete crap in terms of keeping your stuff private. But they blatantly said that on the site: unless you tell us otherwise, we will call you, send you crap in the mail, and otherwise market the heck out of you... Ya gotta respect honesty

Re:Web Bugs (1)

Aerolith_alpha (85503) | more than 13 years ago | (#882763)

As a web designer I am totally against this idea, because I use 1x1 gifs all the time for spacing purposes. I think a better option would be to limit all images on a page to a single server. That way stuff from other servers wouldn't load. This would be a problem when you have images.yourserver.com as well to load balance, but the solution to this would be having all of the images come from a consistent server, so if all the images came from images.yourserver.com, they would be allowed, but the little bug from statmarket would show up as broken... :)

Re:(OT) Use of 1x1 invisi-images (1)

Aerolith_alpha (85503) | more than 13 years ago | (#882765)

part of my personal style is to make a table that has an extra cell around the right edge that is only 1 pixel wide to add a border effect. I use a 1px image as a spacer to keep this open. If you don't have anything there, it will show up as blank in netscape, IE handles it okay, but netscape gets all weird about tables. Yes 'gets all weird' is a technical industry term... or something. I was a hobbyist myself until I decided to put my resume out there... I am doing compE in school right now though, so this is more or less a temporary thing.

Re:Web Bugs (1)

Aerolith_alpha (85503) | more than 13 years ago | (#882766)

rooooiiiiight. So when a netscape user comes to the site, it looks like it got mauled by a script kiddie... Once they fix the way netscape handles CSS I will start using it. I already use it on my personal site, but the industry is another matter.

Re:He has a point (1)

graniteMonkey (87619) | more than 13 years ago | (#882768)

Take the disclaimers from the previous post, and add this to have mine: I also, not having done any journalism, don't know anything about journalistic integrity, except that it exists.

Could someone add a little commentary about FascDot's suggestion that someone else do the interview? It does sound good to me intuitively, but I don't have the background to say anything more about it.

Re:He has a point (1)

graniteMonkey (87619) | more than 13 years ago | (#882769)

Oh yeah, another disclaimer: I have no idea who any of the people in this thread are. So no offense to anyone, I just want to know what the issues are.

Remove foot from mouth, mr. clueless. (1)

rakslice (90330) | more than 13 years ago | (#882773)

I assume that, since you appear to have left a valid e-mail address, that post wasn't a troll, so:

It's javascript, not HTML. See the script tags? Next time, get a clue before posting.

Re:Spot the webbug (1)

cybercuzco (100904) | more than 13 years ago | (#882780)

You'll note however, that that little snippet of code is commented out, and therefore is not run when you load a page.
Here's what it really looks like:
<!--
now = new Date();
tail = now.getTime();
document.write("<IMG SRC='http://images2.slashdot.org/Slashdot/pc.gif?/comments.pl,");
document.write(tail);
document.write("' WIDTH=1 HEIGHT=1>");
document.write("<IMG SRC='http://images.slashdot.org/pagecount.gif?/comments.pl,");
document.write(tail);
document.write("' WIDTH=1 HEIGHT=1><BR>");
//-->

I don't think this is a bad thing (1)

vapour (102049) | more than 13 years ago | (#882781)

So what. Someone knows that you might be interested in their page. Does anyone really care about this kind of stuff? I mean, big deal.

I think sometimes that people care more about the theory of online privacy than the practice.
Okay, we need secure transactions for online banking, that kind of thing, but as for if someone knows that I like to look at news sites, what do they have? An IP. Big deal.

Re:Spot the webbug (1)

mat catastrophe (105256) | more than 13 years ago | (#882787)

I've seen that, as well. I've always wondered just how innocent those things are....

Re:Emmett and Interhack (1)

Machina (110989) | more than 13 years ago | (#882789)

Read the article again. It's not slamming Coremetrics for using web bugs, it's slamming them and their clients for unclear privacy statements.

Just because they are associates, doesn't mean it's a shameless plug. If you're trying to trash slashdot's image, you're gonna have to try harder than that.

Re:DoubleClick Ads on Slashdot (1)

fridgepimp (136338) | more than 13 years ago | (#882798)

The only reply I could find was here [slashdot.org] .

While I DO appreciate the response, it still doesn't answer my basic question which was likely unclear in my initial post(s).

Can we expect these DoubleClick Ads to behave similarly to the ads and DoubleClick systems described in any of these [slashdot.org] stories?

While the answer may be a resounding maybe, I want to clarify again that my goal is not to "expose" this or anything like that. I really did try to go about it the right way (or I thought so anyway) by emailing the member of the Slashdot Team that appears to be the most concerned about these types of issues. I got some response, but never an answer. I'm a full disclosure kind of guy, and I believe wild speculation is a waste of my time. Notice that I never accused anyone of anything underhanded, I just asked a question. Sometimes, as we've all read, posting in a public forum is the only way to get an answer.

Thanks

-fp

Re:DoubleClick Ads on Slashdot (1)

fridgepimp (136338) | more than 13 years ago | (#882799)

So I'm a troll? Why? Because I'm curious about this?

Jaime and I exchanged like 4 e-mails on the subject, and then, all of a sudden, he wouldn't get back to me. I realize that people are busy, but it seems odd when they can respond as quickly as he initially did, and then just stop all at once.

My e-mail address is valid, so if anybody wants to shed some light on this, it'd be great.

My respect for slashdot diminishes daily.

-fp

Re:Web Bugs (1)

homer_ca (144738) | more than 13 years ago | (#882802)

Mozilla already tried it in an earlier version, but they abandoned it because it breaks so many sites. Many sites serve out images from akamaitech for load balancing purposes, and Yahoo loads images, both ads and content, from their yimg.com domain.

Oh well, back to playing whack-a-mole with my junkbuster blockfile.

I have a real problem with this (1)

Docrates (148350) | more than 13 years ago | (#882803)

First off, even if ToysRus discloses in their privacy policy that they use coremetrics, and even if ToysRus has a contract with coremetrics that prohibits coremetrics to use my information, if they actually do use it in some illegal form (or in any way that affects me), I haven't signed or approved any kind of contract between myself and coremetrics, meaning that the use of my information is regulated only by a contract between two parties, leaving me out of the picture. So coremetrics sells my info to a terrorist group. I sue ToysRUs (with whom I have an agreement) and they state that I agreed to a policy that allows them to give the info to coremetrics. Then I sue coremetrics and they can just claim that I never agreed to anything with them so... (this probably won't work in the US, but if it's a web server hosted in a country where laws in these issues aren't good enough...)

Also, if I've signed one privacy policy on a web site (and thus agree to use the site on their terms), and suddenly they "add" the fact that coremetrics is now involved, and I never get to re-sign the agreement, just by visiting the website my personal information would be compromised without me ever knowing.

I don't like it one bit.

Re:Web Bugs (1)

beebware (149208) | more than 13 years ago | (#882804)

But what about 'single pixel spacers' - usually used just to enable tables to render correctly. Sometimes height=1 width=600 (or whatever) is used for 'drawing lines', but singles do have their own good purposes...
Richy C. [beebware.com]
--

Re:Web bugs on Slashdot? (1)

beebware (149208) | more than 13 years ago | (#882805)

If it's for AC tracking, they could just use the logs of the _page_ request which would be a lot more honest than image requests (ie 'no graphics' people will also be tracked).
It's probably for statistical purposes, but how it copes with caches I'm not sure (and I don't care enough to look at the HTTP header for a Pragma: no-cache statement).

Richy C. [beebware.com]
--

Re:Web Bugs (1)

BloodyStupidJohnson (150956) | more than 13 years ago | (#882806)

In iCab for the macintosh you can filter images by size and by server. If an ad gets through, just right-click on it and tell iCab to filter images of that size or from that server or both. It is VERY handy. All web browsers should have that feature.

preventing tracking and the benefits of tracking (1)

twistedfuck (166668) | more than 13 years ago | (#882812)

Not downloading images of certain size is a stupid suggestion and would make lots of web designers and monkeys look incompetent. Another browser feature that might work, would be to only allow the components of a page to be downloaded from the same domain. That way only the people that publish the site get the data, what they do with it from then on is another story. But this would help put DoubleClick out of business. It would also fuck with people in the media buy business as most banners send stats to the people who are paying for the space, which brings me to my next point. The statistics collected on the web help pay for the web and its development. Statistics are used to decide on budgets, gathering investment and understanding where a site is doing things right and where it's not. These are necessary evils if we want to encourage the development of the web. Server logs often don't provide enough of this information, unless you have extended your logging to be able to track users across multiple visits.

Re:Spot the webbug (1)

ZoneGray (168419) | more than 13 years ago | (#882815)

Seems like it would be easy enough for a browser to implement a feature that warns if a page is loading content from multiple domains.

If they wanted to get really fancy, they'd let the user accumulate an "okay" list and a "don't load from multiple domains" list.

fame, of a sort, I suppose (1)

streetlawyer (169828) | more than 13 years ago | (#882817)

I posted that troll, to a thread about Napster-alikes, yesterday. In context, it was quite funny and satirical, I thought. In a completely irrelevant thread, it becomes spam.

Stop using my copyrighted material. Slashdot is not an anonymous network, the content provided above is very clearly owned by me, and you're misusing it.

Re:Web Bugs (1)

PollMastah (174649) | more than 13 years ago | (#882822)

Let's find out what people think about the various alternatives:

Poll: which of the following is the best solution?

  1. Filter out all 1x1 gif's!
  2. No, filter out all gif's 2x2 or smaller!
  3. No, filter out completely transparent images!
  4. Only allow images from the same domain as the page
  5. Disable cookies attached to graphic files
  6. Cookies are evil, don't use them
  7. Who cares if they track my personal info?? They're the ones wasting money and resources sending me junk mail which *plonk*s into the killfile anyway!
  8. I only read Slashdot, so what's this gotta do with me?

Re:DoubleClick Ads on Slashdot (1)

java_sucks (197921) | more than 13 years ago | (#882831)

Amen to that my brother

I'm guessing that the sales department might be separate from the geek department at slashdot. Once you are part of a larger company these type of things can happen. It's kind of sad really... maybe they just need to get together and have a big ol meeting so they can discuss why they don't want to sell ads to anyone who uses doubleclick..

But in the meantime just make sure you have your junkbuster proxy configured and running. The sad thing is that /. is only hurting themselves by running the doubleclick ads as many of their readers are pretty vocal about the fact that they block those from their machines.

... (1)

Fist Prost (198535) | more than 13 years ago | (#882832)

time to use that Mosaic emulator! At any rate someone ought to put this one feature into mosaic: block any images below certain size.

Re:Web Bugs (1)

Ranalou (200662) | more than 13 years ago | (#882834)

Someone should write an option into Mozilla or its ilk to NOT LOAD any image with a height and width of 1. That would stop the web bugging industry at least for a little while, don't you think?

Or, more to the point, since a 1x2 transparent image would do the job just as well- examine the image. If the entire image is transparent (possibly, even if it's all the same color) then drop it.

By the time you've examined the image, however, you've already downloaded it. Part of the damage, at least, is already done.

You could, however, highlight the web bug and bring it to the attention of the user, where they might be able to in their browser, in their favorite proxy, or even in their firewall establish that either this particular bug, or bugs with similar URLs should never be downloaded again. This would help to defeat some data correlation, helping to minimize the damage.

For extra credit, one might set up an RBS-like database that could be trusted to serve as a source of web bugs that exist, and a plugin or modification to browsers to help keep others from downloading them. That's a full-scale effort, however, and probably far less practical.
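
The filtering heuristics debated in this thread (tiny images, same-domain-only loading, a user-kept "okay" list), combined into one classifier as an added example that is not code from any commenter, browser or proxy named here. The `*.example` hosts, the verdict names and the two-label definition of a "site" are assumptions made for the illustration.

```javascript
// Added example. Sample markup is constructed; *.example hosts are placeholders.
const PAGE_URL = 'http://slashdot.org/comments.pl';
const SAMPLE_HTML = `
<table><tr><td><img src="/img/spacer.gif" width="1" height="1"></td></tr></table>
<img src="/img/spacer.gif" width=600 height=1>
<IMG SRC='http://images.slashdot.org/pagecount.gif?/comments.pl,964000000000' WIDTH=1 HEIGHT=1>
<img src="http://img.cdn.example/photos/story.jpg" width="300" height="200">
<img src="http://stats.tracker.example/t.gif?u=1234&p=/checkout" width=1 height=1>
<img src="http://stats.tracker.example/logo.gif" width="88" height="31">
`;

// Naive "site" = last two DNS labels, so images.yourserver.com and
// yourserver.com count as the same site. Assumption for brevity: a real
// tool needs the Public Suffix List (co.uk and similar break this shortcut).
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Extract attributes from one tag; handles "quoted", 'quoted' and bare values.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Classify every <img> in static markup without fetching anything.
// okSites is the user's allow list of hosts (CDNs, image mirrors).
function classifyImages(html, pageUrl, okSites = []) {
  const page = new URL(pageUrl);
  const trusted = new Set([siteOf(page.hostname), ...okSites.map(siteOf)]);
  const results = [];
  // Regex tag matching is enough for a sketch; it does not cope with '>'
  // inside attribute values.
  for (const [tag] of html.matchAll(/<img\b[^>]*>/gi)) {
    const a = parseAttrs(tag);
    if (!a.src) continue;
    let url;
    try { url = new URL(a.src, page); } catch { continue; }
    if (!/^https?:$/.test(url.protocol)) continue; // skip data: and friends

    const w = parseInt(a.width, 10);
    const h = parseInt(a.height, 10);
    // Declared size only. If width/height are missing the comparison is
    // false: the real size is unknown until the image has been downloaded.
    const tiny = w <= 2 && h <= 2;
    const thirdParty = !trusted.has(siteOf(url.hostname));
    const carriesData = url.search.length > 1; // something after the '?'

    let verdict;
    if (thirdParty && tiny) verdict = 'web-bug-candidate';
    else if (thirdParty) verdict = 'third-party-image';
    else if (tiny && carriesData) verdict = 'first-party-counter';
    else if (tiny) verdict = 'spacer';
    else verdict = 'ordinary';

    results.push({
      verdict,
      host: url.hostname,
      size: `${a.width || '?'}x${a.height || '?'}`,
      url: url.href,
    });
  }
  return results;
}

for (const hit of classifyImages(SAMPLE_HTML, PAGE_URL, ['cdn.example'])) {
  console.log(hit.verdict.padEnd(20), hit.size.padEnd(8), hit.url);
}
```

Markup emitted by script, such as the document.write counters quoted in this thread, is assembled at run time, so a scan has to read the rendered DOM rather than the raw page source to cover it.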

Coremetrics Clientele (1)

Lechter (205925) | more than 13 years ago | (#882837)

Has anyone gotten a hold of a list of Coremetrics clients, and checked to see what they're doing with this service? It would be nice to see a general site with information listing of e-businesses that take this sort of private info, highlighting those businesses that don't disclose the fact that they are doing so. That way we would know perhaps to boycott them, since legislating, and catching this sort of thing is probably really difficult. Does anyone know of such a site?

OSU rulz!! (1)

skinnymofo (211149) | more than 13 years ago | (#882839)

Matt Curtin representin' the big 'O' !!

Re:Web Bugs (1)

skoda (211470) | more than 13 years ago | (#882840)

I was going to say that might not be a good idea since it would destroy the layout of many web sites and negatively affect others. Then I realized that the use of 1x1 images is probably pretty low (since they're normally 'stretched' when used as page layout devices) So, yeah, you've got a decent idea there :)

But I wonder if there's a way to filter on the contents of the SRC tag value, and avoiding the minor risk of upsetting someone's page layout.

(OT) Use of 1x1 invisi-images (1)

skoda (211470) | more than 13 years ago | (#882841)

As an amateur (hobbyist) web designer, I'm wondering what you use 1x1 images for. In my very limited experience, they're handy when stretched to various sizes, but I haven't seen a need (yet) for a one pixel offset. So can you give a pointer or two on the secrets of web design? :) My attempts at HTML coding can be seen at fischer_dj.tripod.com [tripod.com] .

Re:Web Bugs (1)

Expecting Rain (217620) | more than 13 years ago | (#882846)

Someone should write an option into Mozilla to get it to load web pages without crashing my computer in the process. They could put a little checkbox in the Preferences that says "Crash Computer Frequently." If you don't want it to do that, you could simply uncheck the box. *That* would be a useful feature.

Re:Did anyone say... (1)

ackthpt (218170) | more than 13 years ago | (#882847)

Let's see... My marketing research on this thread reveals:

One with an interest in fishing.

One probable Catholic

One mind raped and pillaged by Madison Ave.

I wonder how much this data is worth to the right bidder...

Re:Coremetrics (1)

ackthpt (218170) | more than 13 years ago | (#882848)

Oh, please... I'm being targeted left and right because I spend money online (too much, actually!) and that sets me up for all sorts of harassment.

Consider for a moment what is required to send a solicitor to my door or have one phone me. Paying someone for time to pester me, plus the unproductive time between pestering the next victim. Not very efficient. Now, run your data through a few filters and just send your spiffy spam to 20,000 people within one city in the blink of an eye.

It's not so much where it is, but where it's going. I'm already cleaning out 30+ spams a day, and the number from actual businesses is growing.

I'm not about to stop shopping online, but I'd like to not be tracked when I buy plane tickets, theater tickets, Dust Puppy T-shirts, etc. via the net.

It's also a drag to sift through spam when I get home from a trip.

got rights? (1)

ackthpt (218170) | more than 13 years ago | (#882849)

The fact that I'm receiving spam targeted at me suggests the tip of the iceberg begins with the lifting of my email address. The bottom of the iceberg is the buying and selling of info about me among enterprises. I've had a number of pre-approved credit card apps appear in the mail for the last 20 years and a congress which refuses to pass progressive legislation utterly barring solicitors from phoning me (free speech my a**).

I prefer to exercise the right to privacy. Before *anyone* may solicit me, or share info on me, they *must* seek my permission first. Without it, they are trespassing.

Similarities (1)

TJamieson (218336) | more than 13 years ago | (#882851)

The whole webbug thing seems similar to software cracking to me, in a way.
Here's what I mean:

A program comes out, has an "Enter Serial to Register" function. Someone dupes it. Author learns of this, fixes it, releases new version. Sure enough, new version is defeated as well.

Now the Webbug side of it:
It was proposed to make browsers more defensive. But would that really solve anything? Just as the developer tried to make his software more defensive it was still defeated.

My point is this:
No matter what, some 'webbugging' is always going to find a way to track (or try and track) everyone and what they do.

Yet another reason.... (1)

droma (218615) | more than 13 years ago | (#882853)

Yet another reason to use programs like Junkbuster [freshmeat.net] . It's not everything you should use for secure surfing, but it's a start.

Re:Emmett and Interhack (2)

Emmett Plant (8) | more than 13 years ago | (#882858)

Emmett Plant, "journalist" on slashdot.

Feeling bitter, Jay?

You've got all the right in the world to question my journalistic integrity. As a matter of fact, I welcome it. But unless you've got a problem with the facts or the way I present them, chill out. If I've said something untrue in my work, you've got a responsibility as a reader to point it out. You haven't done that, though.

Stories are not created in a vacuum. As a reporter, I rely on relationships with people to get my job done. As a writer, I rely on the English language to convey facts to the audience.

The worst part is that you can't see beyond your own personal problems and outright bitterness to understand that Interhack does some very important work, and that this story is important to anyone who does business online.

What do you want me to say, Jay? Clyde clued me in to the Interhack press release. I work with Clyde on Time City. Clyde pointed me to it because he thought it was newsworthy. It was. I did some research, got together with Jamie, and we wrote the piece. I didn't write the piece as a favor to Clyde. Matter of fact, I don't even know if Clyde is involved with Interhack. I think he's related to Matt, though. Actually, I think you'd be amazed how many stories are submitted to me and Slashdot by personal friends that I reject. What do you want from me?

I don't find where you work and post things about the quality of your work. I don't question your professional integrity, because I really don't understand or know what you do for a living. At this point, I don't care. You just seem like someone who was really burned and you're working out your 'angry ex-girlfriend' mojo on me for some unknown reason.

I'm sorry you didn't like the article.

Slashdot used to get worse on a monthly basis, then weekly, now it's with every post.

Then don't read it. Apparently it's causing you undue stress.

--Emmett

Re:DoubleClick Ads on Slashdot (2)

Clifton Wood (213) | more than 13 years ago | (#882859)

This MAY be because of the fact that Jamie (please note the PROPER spelling, guy) is busy as hell working on other projects in addition to Slashdot. But that may not have occurred to you, did it?

BTW - Several people have answered your question in this SID, please read them and quit thinking that everything is a personal attack against you. People will take you more seriously that way.

- Cliff

Re:no more privacy (2)

Roast Beef (2298) | more than 13 years ago | (#882861)

The problem is that with web bugs and your IP address, it's just as easy to track you. They've got the pages you go to with times and your IP.

Re:Web Bugs (2)

arivanov (12034) | more than 13 years ago | (#882862)

No it will not. They will simply use transparent gifs. Which is just the same. And it is not just gif as PNG also has transparency channel.

Re:How many? (2)

arivanov (12034) | more than 13 years ago | (#882863)

First: you are referring to the Slashdot crowd. For example I am sufficiently paranoid to put my old address or my company address on warranty cards and other stuff like this when I buy personal kit so my snail mail address does not get out. But this is me. Joe average random luser puts his personal information. Both in a conventional store and online.

Second: correlation analysis is a great thing and statistics is a great science. If there is enough information and the criteria for filtering bogus data are well defined it can be filtered and the real you will show up.

Re:Web Bugs (2)

Sloppy (14984) | more than 13 years ago | (#882865)

As a web designer I am totally against this idea, because I use 1x1 gifs all the time for spacing purposes.

That doesn't make sense. The web uses HTML, and HTML is a logical markup language where the client (not the server) makes formatting decisions. Why would a "web designer" ever need to micromanage such detailed issues as spacing?


---

Re:Spot the webbug (2)

jfrisby (21563) | more than 13 years ago | (#882866)

That's an HTML comment, not a JavaScript comment. It is there for browsers that don't understand JavaScript, so they won't display it to users. This is a very common practice.

The JavaScript is still executed.

-JF

He has a point (2)

FascDot Killed My Pr (24021) | more than 13 years ago | (#882867)

I have no issues with Mr Plant--I don't know him at all. Nor do I know anything about Time City.

However, I do know that doctors don't operate on their friends (or family of friends) or families (or friends of family). Same goes for journalism. From the facts presented by "Jay" and you, it seems as though you've interviewed a friend of a friend for your article. That's a no-no, regardless of newsworthiness. Why not just have roblimo or someone interview the friend?
--

Re:Mozilla to the rescue? (2)

British (51765) | more than 13 years ago | (#882869)

Good idea but..

1. It's already behind schedule

2. Blacklisting certain companies could get you all sorts of legal harassment from said companies. Look at the whole Cyber Patrol/peacefire thing.

Re:How many? (2)

British (51765) | more than 13 years ago | (#882870)

What about if you consistently use the same bogus info to several websites? perhaps some company is compiling info about "Hugh Jass" someday hoping to get his/her real info and send them TONS of junk mail.

Can junkbuster filter out useless 1x1 images completely? I mean, I can live without a 1 pixel image or three on a web page.

Re:Web bugs on Slashdot? (2)

Wedman (58748) | more than 13 years ago | (#882872)

I'd like to hear an explanation.

I figure it's so that Anonymous Cowards are not so anonymous. If need be, Slashdot can check the page and time, then cross reference it with their logs to determine who from where was doing what when. No?

Anonymous Cowards are not anonymous anymore.

Slashdot's justification is probably that they're using it to track 'trouble makers' on Slashdot.

Oh yeah, and to turn in Anonymous Cowards to mega corporations and government agencies for bounty.

Protect Yourself (2)

rkent (73434) | more than 13 years ago | (#882876)

You know, even with "old" Netscape 4.x, you can just click on "refuse all cookies" or at least "warn me before accepting cookies." With mozilla, it's even better; it remembers your cookie preferences for each server.

Granted, this is not the easiest thing to use ever. I'd really like a list of servers I could manually update, whose cookies would always be rejected. *.doubleclick.net, *.adforce.com ... you get the picture.

Point is, though, you do have recourse. You don't have to "blindly trust" all those baddies trying to set cookies on your hard drive. Now I think the priority should be making this easier for newbies to pick up, and educating them about it.

Re:How many? (2)

brunes69 (86786) | more than 13 years ago | (#882877)

Yeah really. Someone should Mod this up, and maybe some marketing braindeads will see it. No one I know EVER puts in their real information, real email, or anything, unless they absolutely have to. And I'm not just talking about us l33t hackers, I'm talking about joe average Internet user. In schools around where I live, they actually teach you not to ever give your real information (including email) unless its someone you absolutely trust.

So what I would like to know is, what good is all this tracking, when you're tracking fake people? It's just a huge waste of time. Not that I really care, I added all banner ads to my hosts file being redirected to 127.0.0.1 a LONG time ago.


Re:Spot the webbug (2)

graniteMonkey (87619) | more than 13 years ago | (#882879)

Okay, Jamie, so now we've established that Richard M. Smith himself says the code on this web-page is not a "web bug". Now that I know it's there, what does Slashdot/Andover do with this "non-web bug" to differentiate it from a genuine web bug? Just curious, really. Does the information reach some corporate entity outside Slashdot.org? Andover.net? Is the information for the sole non-resellable use of Slashdot.org? Andover.net?

DoubleClick Ads on Slashdot (2)

fridgepimp (136338) | more than 13 years ago | (#882884)

Ok,

I sent e-mail to Jaime almost 2 weeks ago asking about the use of doubleclick served ads (from doubleclick servers) on Slashdot. He promised to get back to me. He never did.

Would anyone on the Slashdot Team like to comment on whether or not these ads perform functions similar to DoubleClick ads on other sites? I've seen posts about this in some discussions, but this seems like the good place to post it.

I have noticed a STEADY increase in the number of DoubleClick served ads since I initially contacted Jaime. All the SuSE ads, the Genuity ad, and now some IBM (and I'm sure others) ads are all DoubleClick served. This is true on other Andover sites like freshmeat as well. Many ads are served from Slashdot's ad server, but often DoubleClick ads load.

I can provide links to any and all ads that I've seen if I need to, but I think that it would be overkill.

Just curious

-fp

Re:Spot the webbug (2)

_xeno_ (155264) | more than 13 years ago | (#882886)

Hemos tried to explain this in this post [slashdot.org] .

For the truly lazy:

RE: Doubleclick.

Believe me, if I had my way, we wouldn't be using it. But DoubleClick is what many of the advertisers use as their service, because DoubleClick does a good job of tracking click-thrus and such for them. That, and the honest truth, most big companies don't know how to run their own web server for ad serving, and so outsource. So - unfortunately, a necessary evil of serving banner ads.

As for the webbug - I've never called it bad or evil. I think it's stupid, but Andover uses it to track traffic. I think caches fuck it up, but...c'est la vie. It doesn't do anything, so I don't particularly care about. I'm more concerned with stopping advertisers from using Java in banner ads, or sound, or shockwave, or...

It's all about choosing your battles.

Re:What's wrong with user profiling? (2)

albamuth (166801) | more than 13 years ago | (#882887)

You bring up a good point - that as much information as they are gathering it really doesn't amount to anything if you don't buy into their bullshit. I mean, we're bombarded with advertising every waking moment of our lives (which is why I don't have a TV at home) but I think most of us have learned how to tune it out. People doing market research are working for the same soul-less corporations that you or I are working for, they're just people after all. The young, hip adults designing advertisements aren't publishing propaganda for some ideological purpose; they're using their imagination and creativity to drive capitalism - that's their job.

So who really gives a damn? I usually buy books that have been recommended through word-of-mouth, anyway, who cares what Amazon's computer cooks up for you? Hell, I really don't care about the cookies on my computer - if someone steals my credit card number then it'll show up on the statement and I can get my money back. So what if Maxim ads always always pop up on yahoo sites for me? So I clicked on one, once.

Spam is pointless - I'm immune to it. I'm sure everyone who's grown up with television is, too. I'd rather go outside and sit in the sun anyway (but I'm stuck here at work).

Hmm, actually now does feel like a good time for a smoke break...

Illegal in the UK. (2)

AndrewD (202050) | more than 13 years ago | (#882891)

Anyone thinking of using this service in the UK (or anywhere in the EU for that matter) should think again. It's (potentially) a criminal offence to collect any data on a person without telling them you're doing it (Data Protection Act 1998, generally [hmso.gov.uk] and Schedule 1 part I [hmso.gov.uk] in particular). The fact that you're using a third party based abroad to dig the dirt on your site visitors will avail you nothing with the Data Protection Commissioner [dpr.gov.uk] if she decides to land on you with both hobnailed boots.

Those privacy statements, whose status in the US I cannot comment on (IAAL but NAUSQL) are binding in the UK and breach of them potentially sounds in damages (section 13 of the Act [hmso.gov.uk] isn't in force yet, but soon, soon) as well as criminal liability and all manner of interesting and exciting regulatory action.

For the rights of data subjects generally, see Part II of the Act [hmso.gov.uk] generally and the register of Data Controllers is maintained at the Data Protection Commissioner's site and is fully searchable. Go on, look up your favourite corporation and dob them in if they aren't playing by the rules. (Non-UK readers may be amused to know that an assortment of pranksters make a point of doing this with political party membership lists when they use them for mailshotting purposes.)

How many? (2)

Jon Shaft (208648) | more than 13 years ago | (#882892)

How many of us actually put in proper information into websites? Usually the only time I ever put in proper information is when I'm going to purchase something, and being a poor college kid, that is very rare. I can see being extremely worried about it if I were making more money and able to spend it on things, but that's far off.

Right now there is probably a lot of junk mail and phone calls going to 1642 Slackware Ave, Retro, CA (111)222-3334...

I can't remember putting in real information in a long time... actually the last time I put in that information was when I bought a DeCSS TShirt.

Toysrus.com sells information even tho they say in the privacy statement they don't? Welp, add another place not to shop to my list. Does anyone publish a listing of companies that don't sell information to other public/private companies anywhere? I'm sure it would be very useful to some.

difference? (2)

closedpegasus (212610) | more than 13 years ago | (#882893)

I'm not sure how web bugs are any different than conventional methods of gathering information...Isn't most of the same kind of information about users kept in such mundane tracking systems as the apache access logs? Why do you need a gif image to get the same information you can get at the time of a page request, like IP address and info about cookies? Granted, the 1x1 pixel gif is deceiving, but can't they get that information without it?

Tracking proliferation (2)

blues.mongrel (215338) | more than 13 years ago | (#882894)

Naviant [naviant.com] is another company that purports to track customers across the web. They say they have a database that correlates online personas with physical addresses [naviant.com] (like Double-Click was trying to do) "with over 17.5 million records and hundreds of thousands more coming on file each month." [naviant.com] Their customers [naviant.com] include some pretty big names. I guess I'd be interested in what Interhack could dig up on these guys, too.

Spot the webbug (3)

FascDot Killed My Pr (24021) | more than 13 years ago | (#882897)

Do they look anything like this:

now = new Date();
tail = now.getTime();
document.write("<IMG SRC='http://images2.slashdot.org/Slashdot/pc.gif?/comments.pl,");
document.write(tail);
document.write("' WIDTH=1 HEIGHT=1>");
document.write("<IMG SRC='http://images.slashdot.org/pagecount.gif?/comments.pl,");
document.write(tail);
document.write("' WIDTH=1 HEIGHT=1><BR>");
--

Web Bugs (3)

AlexZander (33064) | more than 13 years ago | (#882898)

Someone should write an option into Mozilla or its ilk to NOT LOAD any image with a height and width of 1. That would stop the web bugging industry at least for a little while, don't you think?
(web bugs are EVIL)

Evil never dies -- It just comes back in reruns

Re:Emmett and Interhack (3)

cwhicks (62623) | more than 13 years ago | (#882899)

First, personal shit should be kept off /., especially by its authors. Really unprofessional. Secondly, at the very least you should have disclosed your relationships with both people (relatives) and companies (Time City). I know that you must have friends all over the industry, but if you state that at the top of the article, then your girlfriend's old boyfriend would have little to say, and you wouldn't have had to respond.
And lastly, I hear she liked him better. ;)

Re:Spot the webbug (3)

cwhicks (62623) | more than 13 years ago | (#882900)

Bad Moderation Alert: What classifies this as a troll? Is it such common knowledge what these "webbugs" on /. are?
Is the person saying something inflammatory that they know to be false to get a response? Just because you are satisfied with the explanation doesn't mean everyone has to be. Or is it that /. is somehow holy and never should be questioned?
Personally, I've seen these images at the top and was suspicious, and now from the informative responses, I know what they are.

Automatically pollute their data (3)

dsplat (73054) | more than 13 years ago | (#882901)

I just had a look at Muffin (mentioned in the article). It seems to me that the way to get rid of these invasive tactics is to attack them. Instead of filtering out all cookies and WebBugs, build a filter that returns a standard response. When you are probed for a cookie, return one that contains the GNU Manifesto or a randomly selected file from the Mozilla source.

It's not surprising this is happening (3)

wrenling (99679) | more than 13 years ago | (#882902)

I don't think these companies are even paying attention to their own policies. In a way, that has to do with the corporate structure as it exists today. These companies are so used to using subcontractors and counting them as part of the 'workforce' that they consider affiliates in much the same light.

It is up to us, the geek consumers, to push back at these companies, voice our concerns, refuse to buy products from them or use their web services. Since they understand best off of their pocketbooks, that is what will get their attention. This is also something that my mom and dad can understand. If I tell them 'the following websites are collecting private information about you' they won't use those sites. They are finally convinced it's not the hackers out there that are going to be taking away their privacy, but instead, the government and corporate america.

Just my two... sleepy thursday cents

DoubleClick Ads on Slashdot (3)

fridgepimp (136338) | more than 13 years ago | (#882903)

Slashdot has run numerous stories about the questionable behavior of DoubleClick and its affiliate sites. In fact, this article alludes to it.

However, slashdot has been serving DoubleClick ads with increasing frequency of late. NOW, I am NOT suggesting that Slashdot is corrupt or evil. I'm just curious to know whether or not we can expect these ads to behave similarly to the DoubleClick ads that have been described in previous stories.

If so, doesn't that fall into the "web bug" category? Why hide it in a 1x1 GIF when it's right there in a DoubleClick ad?

Anyway, I'm just curious. I posted this on the root level of the story and have already been modded down to -1. So moderators, do your worst. I'm just looking for an answer, not a flame war.

-fp

Re:DoubleClick Ads on Slashdot (4)

Hemos (2) | more than 13 years ago | (#882905)

Please see my reply above, in which I answered the same questions.

The basic problem is that a huge percentage of advertisers outsource their advertising operations to DoubleClick. To have them advertise, you grab images off of DoubleClick. That's not anything we have control over, unfortunately, as that's the advertiser's choice to go through DBL. I wish it were otherwise.

class action suit filed against Toys R Us (4)

Jeremi (14640) | more than 13 years ago | (#882906)

article here [nando.net]

What's wrong with user profiling? (4)

JohnZed (20191) | more than 13 years ago | (#882907)

Profiling is an incredibly important tool to promote good customer service! We shouldn't do away with it because it COULD constitute a violation of privacy. That's like saying that we should do away with telephones just because they allow telemarketers to invade our privacy (try caller id).
Amazon, for instance, tracks all of my purchases, and, in return, gives me the only useful product recommendations I've seen on any commercial web site. Other sites could track my reading patterns (within their own site, not across others!) to figure out what types of articles actually interest me so that they can provide better content in the future. They need to plant a cookie on my browser to do that tracking, and they may even benefit from demographic information from me (to see what 20 year-old white males like to read), but they never need to know my real name, address, or phone number.
For me, the biggest privacy concern is spam and telemarketing. I WANT people to get enough data about me to serve banner targeted ads, because those are more likely to be interesting to me (I might buy a boxed copy of Enhydra, but I probably won't buy a copy of Cosmopolitan), as long as they don't invade my Inbox with those ads.
--JRZ

Re:Spot the webbug (5)

jamiemccarthy (4847) | more than 13 years ago | (#882909)

I knew someone would bring this up (trolls have been spamming our comments with it). I'll just post the same info I posted to another thread yesterday:

Please note that all these images come from slashdot's own servers. They're pagecounter images. I'll just forward along the email I got from Richard M. Smith, the guy who coined the term "web bug" [tiac.net], when I asked him about it:

Date: 7/2/00 3:00 PM
Received: 7/2/00 11:59 AM
From: rms2000@bellatlantic.net (Richard M. Smith)
To: jamie@mccarthy.org (Jamie McCarthy)

Yep, to really be a Web Bug, the IMG tag must come from
another domain. I'll need to make this clearer in the
next revision of the FAQ. Now, if I can just find the time to
keep my Web site up to date...... ;-)


Jamie McCarthy
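The two tests raised in this thread, an image of at most 1x1 pixels and an IMG source on another domain, combined into a checker, as an added example that is not Slashdot's code or any commenter's. The function names, the sample HTML, the placeholder hosts and the "last two host labels" comparison are assumptions made for the illustration.

```javascript
// Constructed sample page; tracker.example and ads.example are placeholder hosts.
const SAMPLE = `
<IMG SRC='http://images2.slashdot.org/Slashdot/pc.gif?/comments.pl,962900000' WIDTH=1 HEIGHT=1>
<img src="http://tracker.example/t.gif?page=cart&id=abc123" width="1" height="1">
<img src="/pagecount.gif" width=1 height=1>
<img src="http://ads.example/banner.gif" width="468" height="60">`;

// Assumption: "same domain" means the last two host labels match; suffixes
// such as co.uk would need a public suffix list instead.
function siteOf(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Read one attribute from a tag; handles double-quoted, single-quoted, bare values.
function attr(tag, name) {
  const re = new RegExp("\\s" + name + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s>]+))", "i");
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Return every image of at most 1x1 pixels with a first/third-party verdict.
function findTinyImages(html, pageUrl) {
  const page = new URL(pageUrl);
  const found = [];
  for (const [tag] of html.matchAll(/<img\b[^>]*>/gi)) {
    const src = attr(tag, "src");
    const w = parseInt(attr(tag, "width"), 10);
    const h = parseInt(attr(tag, "height"), 10);
    if (!src || !(w <= 1 && h <= 1)) continue; // missing sizes give NaN and are skipped
    let url;
    try { url = new URL(src, page); } catch { continue; }
    const thirdParty = siteOf(url.hostname) !== siteOf(page.hostname);
    found.push({
      host: url.hostname,
      thirdParty,
      carriesData: url.search.length > 1, // query string can carry page or user data
      verdict: thirdParty ? "web bug" : "first-party counter",
    });
  }
  return found;
}

console.log(findTinyImages(SAMPLE, "http://slashdot.org/comments.pl"));
```

A size-only filter would also block the first-party page counters; the domain comparison is what separates them from third-party bugs.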

The can is open, and there is no going back. (5)

FPhlyer (14433) | more than 13 years ago | (#882910)

Let's face it. The days of the Internet being a free-for-all are over. Corporations are going to find ways to collect demographic and personal data. Trying to legislate this out of existence is like trying to legislate Napster and Gnutella out of existence: It isn't going to happen.

The best you can do is write a browser plug-in that will reject such data and prevent the corporation from gaining any valuable data from your visit.

No amount of legislation can stop this kind of thing. If you ban companies from collecting data like this in the United States, they will simply move their servers outside the border and continue to do business as usual.

In the information age, it is no longer the job of government to protect our privacy - they can't, it's an insurmountable job. The only way to protect online privacy is to do it yourself.

Coremetrics.. (5)

(-)erd of (ats (218158) | more than 13 years ago | (#882912)

I don't see a big deal; these companies decided to outsource their traffic analysis. While the capability surely exists for Coremetrics to track users across websites, a la Doubleclick, their customers would be terribly pissed.

Personally, I don't see the issue of online tracking as being more than 'a tempest in a teapot'. Those that do not wish to be tracked can surely disable it, and the tracking companies and user data mining companies will continue to make money off the mindless drones that populate the net.

It's always been 'buyer beware'. What is so special about the net that it no longer applies? So the tracking is easier to do, and easier to analyze, and there is more of it, and it is more meaningful; do you honestly think your bank, the telephone company, and the credit agencies aren't selling your spending habits to marketers?