×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Advertising Network Caught History Stealing

Soulskill posted more than 2 years ago | from the sunlight-is-the-best-disinfectant dept.

Privacy 143

jonathanmayer writes "Last week the Stanford Security Lab reported some surprising results on how advertising networks respond to opt outs and Do Not Track. This week we made a new discovery in the online advertising ecosystem: Epic Marketplace, a member of the self-regulatory Network Advertising Initiative, is history stealing with unprecedented scale and sophistication. And Epic is snooping some remarkably sensitive information, including pages from the FTC, IRS, NIH, Mayo Clinic, and more. Epic has written a response defending its practices."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

143 comments

Adsense (4, Insightful)

zget (2395308) | more than 2 years ago | (#36846538)

Google currently owns the largest advertising network, and it will only expand (both internet wise and datamining wise) with Google+. If others can't history steal, it will put them out of business. In practice, Googles monopoly demands others to play bad.. I'm not saying it's a good thing, it is bad. Just stating the facts.

Re:Adsense (0)

Anonymous Coward | more than 2 years ago | (#36846630)

The Google monopoly on information is pretty scary and there is really no end in sight unless some overreaching legislation comes in. That's hardly going to be effective even if it did actually happen.

I try to escape Google but GMail keeps pulling me back in. :(

Re:Adsense (0, Troll)

zget (2395308) | more than 2 years ago | (#36846700)

As someone else here commented, Google has been changing rapidly recently: http://linux.slashdot.org/comments.pl?sid=2339084&cid=36825878 [slashdot.org]

I also was able to meet with some (middle management) people at Google and their attitude reminded me very strongly of MS's behavior 15 years ago: They don't listen to what others say and what they say often implies: "We're the smartest people on the planet, the world revolves around us, if you don't want to work with us and use our stuff, you're just an idiot." So it think I can conclude that Google sees themselves as "winning" the way that MS saw themselves winning in the late 90's.

You can see the same change with all the "privacy is not important" and the recent Google+ product. I think we are really seeing a turning point here. Google has finally passed the point where it has, after a long time, accepted it's not the small geeky company it once was and is now just driving for profits. The scary thing is, they have got in a great position to exploit that now.

It is human tendency to abuse their position. It doesn't even have to be Google as large - there are stories of their employees going thru peoples emails and histories and pasting them to when IM'ing with them. That's why you have security in your own systems, so that people can't abuse it. That's why you also don't give everything to single entity. Google is starting to be the same monopoly that Microsoft was during the 90's, but this time it's also privacy losing.

Re:Adsense (4, Insightful)

_Sprocket_ (42527) | more than 2 years ago | (#36847108)

I thought it was more interesting when you did this post the first time [slashdot.org]. But I guess you can now copy and paste this in to anything Google related from here on out, right?

Now I'm wondering. Where does this copy-and-paste come from? When has an agent of Google said "privacy is not important"? And when does Google+, a "social network" service that not only features but stresses limiting communications to user-customizable groups and therefore controlling how public any given communications are, represent an example of privacy not being important?

Re:Adsense (2)

NeutronCowboy (896098) | more than 2 years ago | (#36847160)

Brand new account, copy-paste of some barely supported claims that are a little out there, to say the least.... my shill-o-meter is ringing.

Re:Adsense (1)

interkin3tic (1469267) | more than 2 years ago | (#36847528)

there are stories of their employees going thru peoples emails and histories and pasting them to when IM'ing with them

Stories? Anecdotal evidence?!? Good god, THE HUMANITY!!! That's it, I'm calling my senator right now and demanding that he introduce harsh legislation to keep google employees from looking at e-mail and.or from going on IM!

Re:Adsense (1)

Baloroth (2370816) | more than 2 years ago | (#36847800)

You can see the same change with all the "privacy is not important"

And which rock have you been living under, exactly? Google hasn't ever said "privacy is important". I'm getting a little sick of this idea that all your information, which you freely give to Google whenever you search/ sign of for G+/ whatever, should somehow be "private", i.e. Google shouldn't have it. Its one thing to complain if Google was sharing it freely with the world as Facebook tended/tends to do. But they're not: that would in fact undermine their business model. They don't want everyone having your data, they want your data themselves so that they can mine it and profit from it. Data you give to Google may be mined, and the results shared with advertising partners, but it is by no means made public for the world to see. Unless I'm completely wrong about how Adsense works, if so someone please enlighten me. (Seriously: I would love to be corrected on this if I'm wrong.)

Maybe some people at Google abuse it and look up the actual raw data themselves, but I have no reason to suspect the information I give to Google, whether on G+ or their search/ad network, is ever seen by anything besides a computer. (I had trouble parsing your sentence where you claimed otherwise: were these employees IM'ing with the people themselves or what?) And if you don't want a computer seeing that data, STOP USING THE INTERNET. Even using a darknet/VPN/Tor won't stop it completely.

And no offense, but I'll need a little more than someone's "meeting with middle managers" to show that Google is shifting its entire stance, especially when that stance happens to be their entire business model, namely providing free, pretty good quality services in return for being served targeted ads. Google is still funding Mozilla at least through this year, despite having their own web browser. They continue to develop and provide Android under a FOSS license, and built G+ at least partially on offering better and easier to use privacy controls than Facebook. None of that shows a company that is shifting to a "screw our consumers for money till we collapse" mindset that plagues many companies. Maybe its coming, but I just don't see it.

Re:Adsense (1)

interkin3tic (1469267) | more than 2 years ago | (#36847506)

They arguably have a monopoly on -advertising-. Information in general? No, that's absurd. There are dozens of competitors in search engines and in web mail.

There is a clear end in sight if you're concerned about google knowing too much about your browsing history: QUIT USING GOOGLE. Don't search using google, don't use gmail, don't use google+, run noscript and don't allow google analytics. It really is that simple, no legislation needed.

As far as the monopoly on advertising, the end in sight would be competitors, you know, COMPETING. Is google doing something shady to keep competitors down? Because if no, and they just happen to be worlds more effective then their competitors, that's not a "scary monopoly" that requires legislation. Monopolies created by one competitor dominating everyone on a fair playing field are not monopolies that need slapping down.

Re:unless some overreaching legislation comes in (1)

Shompol (1690084) | more than 2 years ago | (#36847562)

The legislature will never happen, because the government is starting to take advantage of all the private data amassed at corporate data centers, particularly through Patriot Act. We can expect more legislature that will make all your private info available to government "on demand".

Re:Adsense (0)

Anonymous Coward | more than 2 years ago | (#36846646)

Whatever excuse you come up with, this is forbidden by the EC privacy protection directive.

Re:Adsense (3, Interesting)

LWATCDR (28044) | more than 2 years ago | (#36846976)

What?
Google does not have a monopoly. Facebook which is a monster does not use Google ads. Google does not have a monopoly on search. Bing and Yahoo which now uses Bing both serve ads and provide search so we can toss out your monopoly idea right there. Google plus has fewer users than Facebook, Twitter, MySpace and until recently Slashdot, so that isn't a monopoly in social networks.
So now that we know that the facts you are stating is false we can just toss the rest of the comment out.
They don't have to cheat to compete. Microsoft, Facebook, and Apple all have ad networks now. Apple is making a big push in the mobile ad space I would hope they are not history harvesting.

Re:Adsense (0)

zget (2395308) | more than 2 years ago | (#36847144)

Yes, but they are the underplayers too. They cannot compete with Google just because of their massive size and datamining, that they again cannot do because they do not have Google's massive size and datamining.

And Google is only expanding that. Before they "only" read your email, had your previous searches, youtube videos and statistics of pretty much every site on the internet you visited EXCEPT FACEBOOK. Now with Google+ they will also have and know all of your friend connections, interests and personal sharing. Google+ is a much larger violator to privacy than facebook. Yes, it gives you closer circles, but all of that is still going to Google and even their sign up page says they will collect the data and use it internet wide to track you and serve you better advertisement.

This has the side effect of someone working at Google to see all of your searches, your friends, your emails, your personal messages, every site you visit on the internet and pretty much everything you do online (and offline, if you have android phone). Google will and does abuse that information according to their pretty open privacy policy. After that there are still Google employees that may or may not abuse those policies secretly. This is especially true with a geeky company, and it's just human tendency.

Re:Adsense (1)

maxume (22995) | more than 2 years ago | (#36847452)

All that may help Google sell more ads at higher prices, but the existence of dozens of other ad networks demonstrates that there is plenty of room in that market.

Re:Adsense (1)

LWATCDR (28044) | more than 2 years ago | (#36847680)

Interesting if really odd little rant.
What do you mean they can't compete there are many ad networks that fact that they exists proves that Google does not have a monoply.
As far as the rest goes I can fix all your problems for you.

"Before they "only" read your email," Use Hotmail, Yahoo mail AOL, Zoho mail, GMX mail, Gawab mail, or any of a number of free email systems sites, or use the POP account that cames with your ISP account, or run your own mail server.
"had your previous searches," Use Bing, Yahoo, and so on.
"youtube videos" Vimeo or any number of other video sites.
  I don't feel that Facebook steals my privacy because it only puts up what I give it.
"After that there are still Google employees that may or may not abuse those policies secretly. This is especially true with a geeky company, and it's just human tendency."
And I rally doubt that you are interesting enough for somebody a google to risk their fat paycheck dream job to spy one you. The paranoia level involved is just a bit in to Narcism at that point.

Re:Adsense (0)

Anonymous Coward | more than 2 years ago | (#36848044)

I stopped reading after your second sentence. Why do you people argue about semantics? Replace "Google has a monopoly" with "Google is halfway to being a monopoly". The point of OP was that there are a few huge companies like Google and Facebook that "own" online advertising and the smaller companies are "forced" to use bad practices or they will "never" be able to catch up. Well, they would be able to catch up just like an infinite number of monkeys with an infinite number of typewriters etc etc etc

So this is theft? but downloading music isn't? (-1, Troll)

BWS (104239) | more than 2 years ago | (#36846594)

I'm confused here, so according to Slashdot:

downloading music from say piratebay without approval of copy right holder is not theft

BUT

getting someone's browser history is theft?

Re:So this is theft? but downloading music isn't? (0)

Anonymous Coward | more than 2 years ago | (#36846670)

Let's see, in the first case someone has set up a server to share files intentionally, and in the second case everyday people are having files examined or copied from their personal computers without knowledge or permission. Yup, no difference.

Re:So this is theft? but downloading music isn't? (1)

smelch (1988698) | more than 2 years ago | (#36847554)

Oh, so if I share my information with google and google alone (per our agreement) and then google sets up a server to share all of it with anybody who wants it, that's ok?

Re:So this is theft? but downloading music isn't? (3, Insightful)

Anonymous Coward | more than 2 years ago | (#36846694)

Yes it's almost like slashdot is not in fact a homogeneous group of readers with a common opinion.

Re:So this is theft? but downloading music isn't? (0)

Anonymous Coward | more than 2 years ago | (#36846696)

No, getting a browser history is not theft.

It may be trespassing, or some other crime, but since the owner is not deprived use of his own browser history, it isn't theft.

It doesn't matter to me much, I have my browser set to delete history and cookies every time I close it.

Re:So this is theft? but downloading music isn't? (1, Insightful)

calmofthestorm (1344385) | more than 2 years ago | (#36846708)

The difference is that piracy costs the US 750 million jobs and over $30T each year, whereas "enhanced sharing" of "sensitive" information is good for the economy.

Re:So this is theft? but downloading music isn't? (3, Insightful)

JMJimmy (2036122) | more than 2 years ago | (#36846808)

ooo - can I have some of this magic money that appears out of thin air?

Re:So this is theft? but downloading music isn't? (1)

Anonymous Coward | more than 2 years ago | (#36846862)

Sure...use BitCoin

Re:So this is theft? but downloading music isn't? (0)

Anonymous Coward | more than 2 years ago | (#36848172)

Zzzzing!

Re:So this is theft? but downloading music isn't? (0)

Anonymous Coward | more than 2 years ago | (#36846838)

The difference is that piracy costs the US 750 million jobs and over $30T each year, whereas "enhanced sharing" of "sensitive" information is good for the economy.

BULL. SHIT. Every pirated song or movie does not = a lost sale.

Re:So this is theft? but downloading music isn't? (1)

NatasRevol (731260) | more than 2 years ago | (#36846844)

Those numbers seem a bit low. But you have a good argument!

Perhaps you should run for Congress.

*This post does not follow your rule.*

Re:So this is theft? but downloading music isn't? (1)

crashumbc (1221174) | more than 2 years ago | (#36846866)

ROFL, please tell me your joking about those numbers? Please?

You can't ACTUALLY be saying stopping half of the current "piracy" and we would could pay off the ENTIRE national debt?

Re:So this is theft? but downloading music isn't? (0)

Anonymous Coward | more than 2 years ago | (#36846916)

ROFL, please tell me your joking about those numbers? Please?

HINT: What is the population of the USA?

Re:So this is theft? but downloading music isn't? (0)

Anonymous Coward | more than 2 years ago | (#36846900)

The difference is that piracy costs the US 750 million jobs and over $30T

Well, someone needs to say it:

You're a moron.

HERP DERP OVER TWICE THE NATIONAL DEBT EACH YEAR DURR.

Oh, by the way, it's called 'copyright infringement'. Piracy is when a motherfucker with an AK boards your ship, puts it to your head and says, "Hey, what's up, fucker? Oh, were you watching Game of Thrones while sailing the high seas? You've got a first world problem now, motherfucker."

Re:So this is theft? but downloading music isn't? (0)

Anonymous Coward | more than 2 years ago | (#36847274)

WWOOOOOOOOOOSH

Re:So this is theft? but downloading music isn't? (1)

Midnight Thunder (17205) | more than 2 years ago | (#36847186)

Does not compute. How can it be costing the USA of twice the population of the country (hint: USA has a population of 300 million), in term of jobs? Add to that the percentage of people impacted by this is far smaller than the real population. I am guessing that it is even below 5% (I don't have figures to validate that estimate)?

Clearly from the Master of Bullshit Arts line of education?

Re:So this is theft? but downloading music isn't? (1)

NeutronCowboy (896098) | more than 2 years ago | (#36846720)

Who is this "Slashdot" you are referring to?

Your comment is particularly ironic given your sig.

Re:So this is theft? but downloading music isn't? (0)

Anonymous Coward | more than 2 years ago | (#36846754)

In the first case, the taking is from "someone else" so that's OK. In the second case, the "someone else" is you, so that's not OK.

Re:So this is theft? but downloading music isn't? (1)

Riceballsan (816702) | more than 2 years ago | (#36846926)

In neither case is anything "taken", things are being duplicated with no loss of physical or digital property. This case is spying, wiretapping or something along those lines. It is taking potentially intimate details of the users life that never were intended to be seen or heard by anyone, and selling them to the highest bidder for personal profit. This is closer to the category of filming someone in a shower, then stealing their wallets.

Re:So this is theft? but downloading music isn't? (-1)

Anonymous Coward | more than 2 years ago | (#36847188)

This is closer to the category of filming someone in a shower, then stealing their wallets.

It's "than", not "then". 'Than' is a comparative (e.g., A is greater than B); 'then' is sequential (e.g., A happened, then B happened). According to this sentence the perpetrator is first filming them in the shower then proceeding to steal their wallets. That's one kinky cat burglar!

Gah, sorry, I'm not usually a grammar nazi, but this sentence is an ideal example of how one little misspelling can change the intended meaning entirely. Still modding you up, though, cause your argument does makes sense ;)

-CCarrot

Re:So this is theft? but downloading music isn't? (1)

interkin3tic (1469267) | more than 2 years ago | (#36847532)

This is closer to the category of filming someone in a shower, then stealing their wallets.

Incidentally, that's my favorite type of voyeur porn...

Re:So this is theft? but downloading music isn't? (1)

Overzeetop (214511) | more than 2 years ago | (#36846768)

It can be argued that both sides use hyperbole and rhetorical speech to enflame the masses.

If you want to be pedantic, you could say that file sharing has the consent of both parties in the sharing (but excludes the third party of the content creation side). The content was, at some point, legally purchased from the creator.
The collecting of history data by the advertiser is non-consensual. They're not claiming the third parties who purchase this information are stealing data, but rather the actual collector who has not received the consent at the initial "transaction" point of your browser.

You're not claiming copyright or intellectual property rights on your history data (you cant' - it's not copyrightable) - but someone is nonetheless forcibly retrieving otherwise private data without your permission.

Re:So this is theft? but downloading music isn't? (4, Informative)

gurps_npc (621217) | more than 2 years ago | (#36846810)

Not quite. According to Slashdot: Downloading music is a copyright violation, as per the law. Not theft. We then proclaim that the copyright laws are unethical. Often the issue in question is a contract violation with civil, not criminal penalties. BUT Getting someone's browser history is an invasion of privacy (Felony)

Re:So this is theft? but downloading music isn't? (1)

Riceballsan (816702) | more than 2 years ago | (#36846856)

I have to agree that theft is a stupid label here, this would fall into spying or illegal wiretapping, it is an intensive surveying of what you are doing in your own home or on sites that the company gathering the information has no right to monitor. Applying theft to terms it doesn't have anything to do with is silly and stupid in all cases. This IMO is a much greater crime then piracy, but neither should fall into the category of "theft".

Re:So this is theft? but downloading music isn't? (4, Insightful)

nedlohs (1335013) | more than 2 years ago | (#36846880)

I realise this is going to be confusing for you, but just try and stay with me:

Slashdot is not an individual. Slashdot is a collection of people of differing views and opinions.

Some people who read and post on slashdot think that downloading music without approval of the copright is not theft. Some people who read and post on slashdot think that downloading music without approval of the copyright holder is theft. Some people who read and post on slashdot think that getting someone's browser history is not theft. Some people who read and post on slashdot think that getting someone's browser history is theft.

Some people who read and post on slashdot think that there's a difference between private data and public data. Some people who read and post on slashdot think that there is no difference between private and public data and that "all information wants to be free".

Some people who read and post on slashdot think that Obama is the best President in all of history. Some people who read and post on slashdot think that Bush was the best President in all of history. Some people who read and post on slashdot think that Bush and Obama are both reptilian aliens in disguise.

Thus you can't expect to get a consistent opinion. Slashdot itself has no opinion, the people involved in it have opinions.

You might seem to get a majority opinion shining through, but you can't compare them across areas. "Majority" may really just mean "loudest", the point remains the same.

For your example, a perfectly reasonable explanation would be that the "majority opnion" of people on slashdot who care enough about downloading music to be involved in a discussion about that topic is that it is not theft. And the "majority opinion" of the people on slashdot who care enough about data snooping by web based advertising networks to be involved in a discussion about that topic is that such snooping is theft of private data. This makes perfect sense, because *they are not the same people*. Or alternatively the "theft" being referred to in the data snooping case is that of privacy. In the music distribution case if someone downloads a copy of a song the original owner of the song has lost nothing - they still have their copy. In the data snooping case the original owner of the history has lost something - they no longer their privacy.

So there's two reasonable explanations of our observation, and there will be plenty more. So why are you confused by such a simple phenomenon?

Re:So this is theft? but downloading music isn't? (0)

interkin3tic (1469267) | more than 2 years ago | (#36847682)

Slashdot is not an individual. Slashdot is a collection of people of differing views and opinions. Thus you can't expect to get a consistent opinion.

You can't get a consensus opinion. The slashdot crowd does have consistent opinions on things, despite the dynamic nature of the population. It is not nonsense to talk about usual slasdotter opinions. Nearly any parameter you can measure of nearly any natural population has a distribution, but you can still make statements about the mean. Most clovers in a field have 3 leaves. Yes, some have 4 and some have less, but 3 is the usual number. Most slashdotters are opposed to the RIAA's crackdown on music sharing. Yes, some people probably really like the RIAA, but most don't.

Re:So this is theft? but downloading music isn't? (1)

nedlohs (1335013) | more than 2 years ago | (#36848038)

Why not try reading what I wrote?

You know the bit which talked about exactly that point and how you can't compare them because not everybody cares about the same things equally.

Most slashdotters are opposed to the RIAA's crackdown on music sharing

Please show the evidence for that. All I see is that "most slashdotters who comment on articles about the RIAA's craskdown on music sharing are opposed to it", which is a very different claim.

Yes in articles about the RIAA cracking down on music sharing the most popular opinion on slashdot is that copyright infringement is not theft.

Yes in articles about snooping browser histories the most popular opniion on slashdot is that such browser snooping if theft.

There is no inconsistancy or strangeness in both those things being true*. It isn't the same people. Some people are more interested in sharing music and hence make up the bulk of the opinion in articles about that. Different people (with overlap of course) are more interest in privacy and hence make up the bulk of the opinion in articles about that.

* Note: I'm not arguing one way or the other about those actually being "the slashdot opinion", I'm just taking the original claim.

Re:So this is theft? but downloading music isn't? (0)

Anonymous Coward | more than 2 years ago | (#36846890)

Here's the deal...

The advertising business is a crap hole. I treat ads like SPAM. I will take any measure to block ads, whether they come through the TV or the Internet. I will gladly help friends and family with setting up blocking software. To people crying "but how are we going to finance our 'free' business if we can't show ads?" I reply "not my problem".

Regarding music, if I want to share music that I purchased with my friends, I'll do that. I see nothing morally wrong with that. Fine, sharing it with the rest of the world is more problematic, but I really can't see the current system go on. In five years I expect that something like Spotify will exist completely free without ads, decentralized and supported by the public - unstoppable. The music industry has to change. Artist might get paid for performing or recording time but they won't get royalties. And labels are completely doomed as they work today.

So no, I'm not "stealing" music when I download it. According to the law I'm doing infringement of a fantasy copyright law. And no, I'm definitely not stealing when I block ads. If someone gets stuff from my hard drive, it's likely not theft (I really don't know), but maybe unauthorized computer access? The laws must first protect the citizens, then the corporations. I know that the US cares more about its corporations than about its citizens, but I really don't care much about the US.

Just my 5 Euro cents.

Re:So this is theft? but downloading music isn't? (1)

Kenja (541830) | more than 2 years ago | (#36846960)

Theft is when it happens to me, unauthorized sharing is when it happens to you.

Re:So this is theft? but downloading music isn't? (1)

MozeeToby (1163751) | more than 2 years ago | (#36847004)

The good readers of Slashdot got caught up in their own rhetoric when it comes to the "data as property" debate. Here's how it works in reality: data in my possession is my property. I can edit it, delete it, share it, or horde it; because it belongs to me. If I give you a copy of that data, that copy is now your property. You can edit it, delete it, share it, or horde it; I have no say over what you do. That doesn't imply that you can take a copy from me without my permission, it means that by giving you a copy I give you the rights to use that copy in any way you wish.

Re:So this is theft? but downloading music isn't? (4, Insightful)

Midnight Thunder (17205) | more than 2 years ago | (#36847068)

It is isn't theft. What it is is invasion of privacy and ignoring 'contractual' requirements of 'do not track'. This is why sometimes we need regulation. It is also why the best privacy protection is for the browser to protect itself.

The analogy here is asking the server not to put tomato sauce in in your hamburger and instead they decide to spit in it, with a big "f*@k you" attitude.

Re:So this is theft? but downloading music isn't? (1)

Hatta (162192) | more than 2 years ago | (#36847094)

Unauthorized access to a computer system is a much more serious offense than copyright violation. There are good arguments that copyright itself is unethical and counterproductive, but none to suggest that unauthorized computer access is.

Re:So this is theft? but downloading music isn't? (0)

Anonymous Coward | more than 2 years ago | (#36847340)

I'm confused here, so according to Slashdot:

downloading music from say piratebay without approval of copy right holder is not theft

BUT

getting someone's browser history is theft?

Taking someone's browser history is theft. It's theft of privacy. If I go into a store should I expect to have to tell them every place I stopped on my way there so they can sell that info. I would think not. Are stores allowed to put tracking devices on my car to see the other places I visit or other stores I go to? No.

This shows the efficacy of (1)

Reverand Dave (1959652) | more than 2 years ago | (#36846596)

a self-regulatory network. Just like the wall street bankers want to be self-regulatory or allow the market to be self-regulatory. It's all the same bullshit.

Re:This shows the efficacy of (1)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#36846690)

"Self-Regulation" is extremely efficacious. It's just that it's a tactic for avoiding actual regulation, not a tactic for providing it...

...Actually Complying? Maybe, but Probably Not. (4, Interesting)

Lance Dearnis (1184983) | more than 2 years ago | (#36846676)

Alright, I read the article on this one, and, there's a divergence of evidence here. Mainly..

"We applied the methodology from last week's study to examine Epic Marketplace's opt-out practices. (Epic Marketplace was one of the eleven NAI members not included in that study.) We found that Epic Marketplace leaves its tracking cookies in place after both opting out with the NAI mechanism and enabling Do Not Track. We also found that history stealing continues after using either choice mechanism." - This one's from the study.

"Furthermore, when the user opts out, all data collection efforts cease. The student erroneously concludes that users are unable to avoid participating in segment verification because the opt-out mechanism does not delete the cookie that exists on the user’s computer. Like many other networks have pointed out already in their responses, this is misleading and inaccurate. When a user opts-out, all further collection of behavioral data from that user stops and existing profile data is deleted, even though the cookie itself is not deleted. The reason for this is simple: these cookies provide important operational information necessary for the delivery of any ad, not just targeted ads. For example, Epic Marketplace needs this data to determine how many times a particular ad has been shown to a user, and to analyze whether fraudulent activity is taking place. Ironically, in order to give effect to a consumer’s decision to avoid data collection, the cookie has to remain, otherwise advertisers have no way of knowing that that particular consumer has elected to opt-out of that advertiser’s data collection practices." - and here's Epic's counter.

These two statements seem strictly at-odds to me; the study states that the History Stealing continues to run, not just that a cookie remains as Epic sems to be saying. Epic claims the data collection stops - straight conflict here. Someone either screwed up their study, or Epic is lying, or Epic is unaware that their 'stop stealing' code doesn't actually work. It looks like they're not gathering personally identifiable or geographical location, and so are in the clear there - but now you've got a pure 'He said, she said' in terms of continuing collection after opt-out. Anyone interested in trying to duplicate this study and add some more evidence to if it continues or not?

Re:...Actually Complying? Maybe, but Probably Not. (2)

gurps_npc (621217) | more than 2 years ago | (#36846738)

As per the article, web histories count as identifiable information. So collecting them counts as gathering personally identifiable information.

Re:...Actually Complying? Maybe, but Probably Not. (1)

NoSleepDemon (1521253) | more than 2 years ago | (#36846774)

I was going to comment on the spin applied to the headline "...caught stealing" that seems to make the debate a foregone conclusion, and mention Epic's rebuttle, but after reading the articles I had the same issue as you - who exactly is correct here? It would still be nice to not see such inflammatory headlines though.

Re:...Actually Complying? Maybe, but Probably Not. (1)

Anonymous Coward | more than 2 years ago | (#36846944)

rebuttle

Rebuttle is what happens when you watch Brazil twice in a row.

Rebuttal is the word you are looking for.

Re:...Actually Complying? Maybe, but Probably Not. (1)

Anonymous Coward | more than 2 years ago | (#36847104)

I've read the articles too, and it does seem rather difficult to disentangle. Epic says the data collection stops once the user opts-out. What they claim may be true, but I notice that they admit that the cookie established for tracking purposes remains after the user opts-out. Why? Why not delete the cookie too? They offer some seemingly-legitimate reasons, but if *anything* is left from the data collection/tracking process they aren't being thorough about implementing the "opt-out". There's a big failure of creativity here, because if they wanted to, they could delete the original tracking cookie and then create a new cookie solely to track the fact that the user wanted to opt-out. That would break the connection between "pre-opt-out" data collection and "post-opt-out" user activity.

Re:...Actually Complying? Maybe, but Probably Not. (1)

JMJimmy (2036122) | more than 2 years ago | (#36846886)

I also find a couple other things curious:

1) Epic starts by attacking the person not the argument

2) Epic goes on a random rant about there being no definition of "tracking"

Re:...Actually Complying? Maybe, but Probably Not. (2)

Lance Dearnis (1184983) | more than 2 years ago | (#36846970)

Well, to summarize responses to all there of these:

Epic was certainly caught 'history stealing' - the contention is if they continue this practice even if you opt out, not that the practice occurs in the first place.

While it goes through your web history, it separates out into 'interest segments' rather than directly pulling URLs; in other words, while directly collecting them WOULD count as personally identifiable information, Epic isn't doing that. They don't read 'You went to groupon!', they read 'You went to a site about mass-consumer deals, of which there are 37 sites in this segment.'

Hey, they're fighting over the definitions of it. It's the typical PR spin move - redefine the words of the pratice to something better for you (Changing 'Copyright Infringement' to 'Intellectual Property Theft/Piracy' for example, to associate with things already known and considered criminal by most people rather than having to convince each person over again that this is bad.) If this practice gets labelled as 'History Stealing', then Epic's considered automatically guilty. If they manage to change the name to 'Historical Data Collection', it sounds pretty harmless now, don't it. And that matters to the Congresscritters who would hold a healing on that. Everyone wants to hear about 'History Stealing', but the latter? People gonna fall asleep.

Re:...Actually Complying? Maybe, but Probably Not. (0)

Anonymous Coward | more than 2 years ago | (#36847050)

It looks like they're not gathering personally identifiable or geographical location, and so are in the clear there

Are they? How does the gathered information make its way back to the spy-hq? Through a network of anonymous relay proxies?

I would be willing (1)

Anonymous Coward | more than 2 years ago | (#36846764)

to pay each advertiser one bitcoin EACH just to not target my IP address with advertisements.

There should be a no tracking extension (0)

Anonymous Coward | more than 2 years ago | (#36846846)

There should be a no tracking extension. It should make it so that the style for the link does not change unless you are accessing it from the same domain name (or same page the link was clicked on, for the paranoid). Additionally, it should make all users have the same information presented. The EFF's panopticlick [eff.org] shows the types information that should be made the same across all browsers. In addition, it should make sure information reported is the same with javascript on or off. As more information is used to identify, the extension can be upgraded to include it as well.

Copyright personal information (0)

Anonymous Coward | more than 2 years ago | (#36846848)

Easy solution: pass a new new law that I own perpetual, non-transferable copyright on all information about me or my activities. Certain specific implicit licenses will exist to allow people to use information as I intended. However, bottom line is that collecting personal information is a copyright violation, and is actionable.

Problem solved.

Re:Copyright personal information (1)

nedlohs (1335013) | more than 2 years ago | (#36847022)

What a great idea! Let's make facts copyrightable. What could possibly go wrong?

Re:Copyright personal information (0)

Anonymous Coward | more than 2 years ago | (#36847502)

"Let's make facts copyrightable"

Nice bit of rhetorical sleight-of-hand there (Reductio ad absurdum)

I did not say all facts, just facts about an individual. Train schedules can continue to be free of copyright.

If you want to give it a bit more thought, maybe you can explain how to solve the abuse problem we have now.

Grow up and learn how to have a reasoned discourse.

Re:Copyright personal information (1)

nedlohs (1335013) | more than 2 years ago | (#36847924)

I also didn't say all facts.

Please explain how the great plan is consititutional in the first place. Given the consitutional basis of copyright law how does the copyrighting of some subset of facts come under the powers of the Government?

I don't need to have a solution to a problem in order to point out that some proposed solution is stupid.

"We should fix the problem of not being able to travel faster than the speed of light by murdering all the blue eyed people" - are you going to argue that in order to disagree with that statement you would have to have some other solution to the faster than light travel to propose?

"Surprising Results?" Really? (1)

The Moof (859402) | more than 2 years ago | (#36846852)

I don't think anyone but the most naive users were surprised at last weeks results, or at this. Even "Average Joe Internet User" knows that, in general, Internet advertisers and their practices are shady.

is this true? I'm not sure it is (2)

TheGratefulNet (143330) | more than 2 years ago | (#36846872)

TFA:

When a user opts-out, all further collection of behavioral data from that user stops and existing profile data is deleted, even though the cookie itself is not deleted. The reason for this is simple: these cookies provide important operational information necessary for the delivery of any ad, not just targeted ads. For example, Epic Marketplace needs this data to determine how many times a particular ad has been shown to a user, and to analyze whether fraudulent activity is taking place. Ironically, in order to give effect to a consumer’s decision to avoid data collection, the cookie has to remain, otherwise advertisers have no way of knowing that that particular consumer has elected to opt-out of that advertiser’s data collection practices.

its been a while since I did web programming, but isn't an opt-out better implemented as data stored on THEIR systems and not mine? am I missing something here?

"we can't be sure you dont' want our shit, so we send you a cookie so we can know you don't want our shit."

WHAT???

do they expect technical people to say 'oh, ok, you are right' ?

so, unless I'm missing something, they should look at their LOCAL database of do-not-track ip addrs and users and not even TRY to write data to their disks (cookies). and if the user denies cookies (as I do on all sites that are not already whitelisted)? their 'design' doesn't allow for THAT case, does it?

these guys should be sued into negative oblivion. bottom feeding fuckwads.

Re:is this true? I'm not sure it is (1)

Skapare (16644) | more than 2 years ago | (#36847038)

If any of their tracking actually works in the case of user cookies being denied or not kept, then yes. If they choose to still do tracking for such users, they also need to honor do-not-track for those users.

Re:is this true? I'm not sure it is (1)

aitan (948581) | more than 2 years ago | (#36847162)

So you have a permanent IP assigned to you, and you want that the advertisers always know and keep track (no matter if you clear cookies, or if you enter Private browsing) that it's you the one visiting some pages?

Well, that might work for you, but the rest of the world doesn't have such luxuries and the IP is temporary so in order for them to keep such preferences, they must store the preferences in your computer.

Re:is this true? I'm not sure it is (1)

Sloppy (14984) | more than 2 years ago | (#36847174)

they should look at their LOCAL database of do-not-track ip addrs

IP addresses don't opt out of things; people do. There has to be some way of associating a request that they want to track, with an earlier opt-out request. Cookies are the implementation that people have come up with so far, at least until you start sending some kind of global user id in all http headers (an idea that people would hate even more).

Re:is this true? I'm not sure it is (1)

Marc Madness (2205586) | more than 2 years ago | (#36847350)

Cookies are the implementation that people have come up with so far, at least until you start sending some kind of global user id in all http headers (an idea that people would hate even more).

Not to mention that a do-not-track cookie and a do-not-track HTTP header member essentially have the same effect from a practical perspective (in that they both modify the HTTP header). However, an HTTP header would work across all domains, not just the domain that set it which might be a disadvantage to those who want to pick and choose who can and cannot track them.

Re:is this true? I'm not sure it is (0)

Anonymous Coward | more than 2 years ago | (#36847446)

Cookies are the implementation that people have come up with so far, at least until you start sending some kind of global user id in all http headers (an idea that people would hate even more).

Or perhaps a simple "fuck off and don't track me" [mozilla.org] HTML header?

It doesn't actually have to identify you for them to get the message. If they'd honor it, that is.

-CCarrot (posting AC due to mods in this topic)

Re:is this true? I'm not sure it is (1)

FSWKU (551325) | more than 2 years ago | (#36847880)

they should look at their LOCAL database of do-not-track ip addrs

IP addresses don't opt out of things; people do. There has to be some way of associating a request that they want to track, with an earlier opt-out request. Cookies are the implementation that people have come up with so far, at least until you start sending some kind of global user id in all http headers (an idea that people would hate even more).

All fine and good, but why should I HAVE to opt out of something like this just to protect my privacy? What makes these marketing troglodytes think they have a right to track my browsing habits by default?

Re:is this true? I'm not sure it is (1)

Midnight Thunder (17205) | more than 2 years ago | (#36847238)

The right solution is probably the browser ignoring actions based on domain. Another solution is to ignore sending cookies based on domain and also ensuring JS from that domain can't read certain data. It would require a black list, but if they aren't going to play ball, then we can play hard ball.

Re:is this true? I'm not sure it is (1)

Aladrin (926209) | more than 2 years ago | (#36847248)

They can't be sure it's you without a cookie to verify it. IP addresses change, and so do browser agents.

If they stored they data on their side, you'd have to re-opt-in every time your ISP gave you a new IP, or you upgraded your browser.

It sounds like they're storing additional data on it, however, and that's not acceptable.

Re:is this true? I'm not sure it is (1)

LordArgon (1683588) | more than 2 years ago | (#36847360)

Yes, you're missing something. Imagine you opt out of tracking and the company erases all information about you (including their cookies). What happens the next time you hit their system? You look like somebody they've never seen before. In most systems, that means they give you a cookie and start tracking you. But you just asked them not to track you...

The only way they can comply is to know that you fall into the group of people who don't want to be tracked. In general, they can do this with a generic "do-not-track" cookie value they drop (like an ID with all zeros, e.g.). Then you and everybody else who doesn't want to be tracked looks identical, but you all still have a cookie from them.

You mentioned IP address as a way to track users, but that's really unreliable. So you want to go opt out again every time you restart your modem or connect to another network? If you're behind a NAT, your opt out would affect everybody behind the NAT (but only until the external address changed, at which point it would affect nobody).

As a side note: If you clear all your cookies every time you close your browser, your tracking starts fresh with every browsing session. It doesn't mean you aren't tracked - it just means the scope of the tracking matches the scope the cookie lifetime. I leave my browser up for days/weeks at a time, so deleting cookies on close would actually make me more trackable than an opt-out. A whitelist of sites you accept cookies from is the best way to minimize tracking, but most people won't understand or bother with that. Storing an opt-out cookie is a really simple next-best-thing.

Re:is this true? I'm not sure it is (1)

jank1887 (815982) | more than 2 years ago | (#36847370)

good point. my work pc has firefox set to clear cookies and history at shutdown. so, my do not track request can't be respected after a reboot?

Re:is this true? I'm not sure it is (0)

Anonymous Coward | more than 2 years ago | (#36847894)

well there are ways. one way is to come up with a browser plugin that creates a opt out cookie on open of browser from a list of sites that creates them. or some how create a do not track users agent... so plugins or browsers could when making requests from these users agent be ignored... those would be my sugestion I think user agent would be the better of the two ways a more permanent solution. in that is in the optout user agent and they start setting cookies ect flags can be triggers and the hammer of the web will com down.

Re:is this true? I'm not sure it is (3)

VortexCortex (1117377) | more than 2 years ago | (#36847774)

You're over thinking things. What if you were allowed to tick a checkbox in your browser, and thereafter it would state clearly in every HTTP request header DO NOT TRACK ME. This enables notification that we do not want any tracking to be performed, and is delivered in the same set of headers that they are already parsing to read the "Cookies" they set. [donottrack.us]

It looks like this:
DNT: 1
Firefox4 and IE9 Support this, last I heard Chrome didn't (I hear there is a 3rd party plugin now). All those advertising bastards need do is not track people with those settings. Additionally, use a plugin like CookieMonster [mozilla.org] to manage your cookie settings.

Them: "Without cookies how will we know if you want to opt out?!"
Us: "Problem Solved. Read the DNT header fool."
Them: "We need cookies to makes sure people aren't fraudulently clicking ads, and to count clicks"
Us: "Not our problem; Besides, Cookies can be cleared -- Store your clicks & hits in YOUR OWN damn database!"
Them: "... [under breath] But we don't have to, and we won't comply sanely without mandatory regulation."

They'll cry us a river when it comes down to strict regulations -- The only bad thing is that the law writers don't understand technology enough to just say: "Advertisers must honor the 'DNT: 1' (do not track header) as if the user had followed the advertiser's opt-out procedure, and [insert other shit they should do like delete user records and not set cookies -- though I can manage my own damn cookies, but thanks]."

Re:is this true? I'm not sure it is (1)

tokul (682258) | more than 2 years ago | (#36847786)

am I missing something here?

Web users are anonymous. You can't identify them, if you don't store something unique on their machine.

Re:is this true? I'm not sure it is (1)

jvkjvk (102057) | more than 2 years ago | (#36848264)

Yes, of course they have to track you to know that you have opted out of tracking.

How else do think it would work?

This pattern is depressingly similar to how the whole legal system is going.

This is why you should always adblock (1)

Anonymous Coward | more than 2 years ago | (#36846938)

I don't care if that hits a site renevue stream enough that they will require paid registration (I will just register and pay). You either do something to block all ad network-supplied crap, or you are at a much increased risk of damage.

ad networks have, in the past:

1. distributed viruses and trojans (PNG exploits, for example)
2. distributed criminal matter (hate speech, k1dd13 p0rn, etc)
3. distributed content to mislead the user into visiting damaging sites
4. attacked the user browser to mine information

Exactly why do we tolerate that kind of crap, really? We should sabotage ad networks as much as we possibly can.

Re:This is why you should always adblock (2)

jank1887 (815982) | more than 2 years ago | (#36847392)

if only there was a loosely associated group of computer hackers sometimes following the activist mindset and settling on particular targets of interest...

Welcome back AdBlock (0)

Anonymous Coward | more than 2 years ago | (#36847010)

I removed AdBlocker about 2 years ago out of pity for ad supported websites. I'll be turning it back on now until I see some satisfactory government regulation.

Re:Welcome back AdBlock (1)

Pliny (12671) | more than 2 years ago | (#36847234)

If you have moral compunctions about blocking ads in general, Noscript is the way to go. Normal ads will get right through while flash and javascript ads won't be executed unless you whitelist it.

Ok. (1)

LWATCDR (28044) | more than 2 years ago | (#36847024)

Well they claim that what they are doing is not an issue. So I simply want to know what sites use them and what advertisers use them along with the name of the script.
That way I can have the freedom to choose if I want to go to those sites or not and let the site owners and advertisers that I don't like it. Not that it is ilegal or not but I don't like and don't want it to happen to me. That is all they have to do.

Stanford "biased", Epic "analyzing fraud" (1)

Swave An deBwoner (907414) | more than 2 years ago | (#36847072)

From Epic Marketing's Fine Rebuttal:

The Stanford studentâ(TM)s blog purports to examine a practice described as âoehistory stealingâ. The use of such a pejorative term obviously reveals a bias ..

followed by

.. Epic Marketplace needs this data .. to analyze whether fraudulent activity is taking place.

Hmmmm ...

Re:Stanford "biased", Epic "analyzing fraud" (0)

Anonymous Coward | more than 2 years ago | (#36847596)

Stanford student runs donottrack.us A project determined to stop all cookies and tracking no matter want their use. That bias immediately skews any reports/studies to support his cause

Computer fraud? (4, Insightful)

gstrickler (920733) | more than 2 years ago | (#36847090)

Epic has no contract, expressed or implied, with the end user to run software on their computer. They have only an agreement with the website operator, who has no authority to grant Epic the right to execute any software on the end user's computer. That said software actually examines the users browsing history to determine if they have visited specific pages, should be considered illegal, even if they only send back a de-identified list of segments represented by those links. Until Epic has received user consent, their actions should be considered computer fraud [wikipedia.org].

Re:Computer fraud? (1)

Karellen (104380) | more than 2 years ago | (#36847590)

Huh? The user's browser has, on behalf of the user, explicitly contacted Epic's webserver, requested a copy of the javascript from their site, and run it. It's not like Epic's servers attempted to connect to the user's computer, hacked a firewall, cracked a password or anything. The user (via their browser) has initiated the entire thing here.

If the user does not want their browser to retrieve and run javascript from every third-party server mentioned by websites they choose to visit, maybe they should get a browser that allows them to whitelist sites to run javascript from. They've been available, with Firefox+NoScript, for at least 5 years now.

Re:Computer fraud? (3, Interesting)

gstrickler (920733) | more than 2 years ago | (#36847966)

No. The end user requested information from the web site they were visiting. That a third party is running software on their computer is not an implied or expressed condition of that request.

While it's common for sites to display ads from ad networks, and the simply displaying of an ad could be considered an implied contract of using most web sites, displaying an ad and running software (even javascript) is not an implied contract. In this case, the software goes out of it's way to ensure that it runs without any indication to the user, thus the user is completely unaware that there is even anything to which he should have be asked to consent.

Re:Computer fraud? (1)

maxume (22995) | more than 2 years ago | (#36848168)

Man, the user is running the browser and the browser is executing the software. That it happens as a result of the default configuration is irrelevant.

Re:Computer fraud? (1)

maxwell demon (590494) | more than 2 years ago | (#36848254)

Actually, the problem is not that it runs some JavaScript, the problem is that it sends back information to the ad network.
I definitely don't agree to send data to a third person when I visit a web page, neither expressed nor implied.

Re:Computer fraud? (1)

Trepidity (597) | more than 2 years ago | (#36847678)

Wouldn't that theory criminalize any Javascript that: 1) the user did not explicitly consent to execute; and 2) did anything the user found objectionable? I don't like this practice, but that cure seems worse than the disease.

MadMan's Response (1)

ObsessiveMathsFreak (773371) | more than 2 years ago | (#36847140)

Read a response from a professional advertisement and marketing agency? Why don't we just throw the idea of objective assessment out the window altogether.

Link to opt-out (0)

Anonymous Coward | more than 2 years ago | (#36847922)

Epic's statement refers repeatedly to the ease of opting out and how firmly they obey it when you do, but neglects to provide an opt-out link.

For your convenience: http://www.epicmarketplace.com/optout.php

Interestingly, I had (according to Epic) "not opted out" previously and had therefore given them permission to do whatever they like.

Disclaimer on page:
"Note that if you change or delete the Traffic Marketplace opt-out cookie, change browsers, or get a new computer, you may need to opt out again."
In other words, if you catch us it's probably your fault.

There's also a link to Network Advertising Initiative control panel for opting out of multiple ad networks. There's no way to sort it to show what networks you're active in (the message is actually a .gif, I suspect to inhibit searching).

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...