DoubleClick 'Web Bugs' On Porn, Medical Sites

The ever-vigilant Brill's Content sent a freebie to the ever-vigilant Politech that makes us long for vigilante justice. It seems the odds-on favorite for this century's Big Brother, DoubleClick, has contracted to put 1x1 pixel graphic Web bugs on porn and medical sites. Read all about it. But don't worry, we're assured by the porn sites that although "DoubleClick [secretly] collects the information [that you, John Q. Doe, personally spent 12.2 minutes at a girl-on-girl fetish page and then spent 19.7 minutes reading up on your prostate problems], it does not have the technical skill to understand it."

Re:Hmm..

For the articles, obviously.

Re:My 127.0.0.1 list

127.0.0.1 www.doubleclick.net
127.0.0.1 ad.preferances.com
127.0.0.1 ad.doubleclick.com
127.0.0.1 ads.web.aol.com
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.preferences.com
127.0.0.1 ad.washingtonpost.com
127.0.0.1 adbot.theonion.com
127.0.0.1 adpick.switchboard.com
127.0.0.1 ads.doubleclick.com
127.0.0.1 ads.doubleclick.net
127.0.0.1 ads.i33.com
127.0.0.1 ads.infospace.com
127.0.0.1 ads.msn.com
127.0.0.1 ads.switchboard.com
127.0.0.1 ads.washingtonpost.com
127.0.0.1 adforce.imgis.com
127.0.0.1 ads.enliven.com
127.0.0.1 Ogilvy.ngadcenter.net
127.0.0.1 oz.valueclick.com
127.0.0.1 doubleclick.net
127.0.0.1 ads.doubleclick.net
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad2.doubleclick.net
127.0.0.1 ad3.doubleclick.net
127.0.0.1 ad4.doubleclick.net
127.0.0.1 ad5.doubleclick.net
127.0.0.1 ad6.doubleclick.net
127.0.0.1 ad7.doubleclick.net
127.0.0.1 ad8.doubleclick.net
127.0.0.1 ad9.doubleclick.net
127.0.0.1 ad10.doubleclick.net
127.0.0.1 ad11.doubleclick.net
127.0.0.1 ad12.doubleclick.net
127.0.0.1 ad13.doubleclick.net
127.0.0.1 ad14.doubleclick.net
127.0.0.1 ad15.doubleclick.net
127.0.0.1 ad16.doubleclick.net
127.0.0.1 ad17.doubleclick.net
127.0.0.1 ad18.doubleclick.net
127.0.0.1 ad19.doubleclick.net
127.0.0.1 ad20.doubleclick.net
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.ch.doubleclick.net
127.0.0.1 ad.infoseek.com
127.0.0.1 ad.linkexchange.com
127.0.0.1 banner.linkexchange.com
127.0.0.1 adcount.hollywood.com
127.0.0.1 ads*.focalink.com
127.0.0.1 ads.imdb.com
127.0.0.1 www.ad-up.com
127.0.0.1 bannerswap.com
127.0.0.1 commonwealth.riddler.com
127.0.0.1 globaltrack.com
127.0.0.1 globaltrak.net
127.0.0.1 nrsite.com
127.0.0.1 www.nrsite.com
127.0.0.1 ad-up.com
127.0.0.1 ad.adsmart.net
127.0.0.1 ad.atlas.cz
127.0.0.1 ad.blm.net
127.0.0.1 ad.dogpile.com
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.infoseek.com
127.0.0.1 ad.linkexchange.com
127.0.0.1 ad.net-service.de
127.0.0.1 ad.preferences.com
127.0.0.1 ad.vol.at
127.0.0.1 adbot.com
127.0.0.1 adbot.theonion.com
127.0.0.1 adbureau.net
127.0.0.1 adcount.hollywood.com
127.0.0.1 add.yaho.com/
127.0.0.1 adex3.flycast.com
127.0.0.1 adforce.adtech.de
127.0.0.1 adforce.imgis.com
127.0.0.1 adimage.blm.net
127.0.0.1 adlink.deh.de
127.0.0.1 ads.criticalmass.com
127.0.0.1 ads.csi.emcweb.com
127.0.0.1 ads.filez.com
127.0.0.1 127.0.0.1 ads.i33.com
127.0.0.1 ads.i33.com
127.0.0.1 ads.imagine-inc.com
127.0.0.1 ads.imdb.com
127.0.0.1 ads.infospace.com
127.0.0.1 ads.jwtt3.com
127.0.0.1 ads.lycos.com
127.0.0.1 ads.mirrormedia.co.uk
127.0.0.1 ads.msn.com
127.0.0.1 ads.narrowline.com
127.0.0.1 ads.newcitynet.com
127.0.0.1 ads.realcities.com
127.0.0.1 ads.realmedia.com
127.0.0.1 ads.smartclicks.com
127.0.0.1 ads.switchboard.com
127.0.0.1 ads.tripod.com
127.0.0.1 ads.usatoday.com
127.0.0.1 ads.washingtonpost.com
127.0.0.1 ads.web.aol.com
127.0.0.1 ads.web.de
127.0.0.1 ads.web21.com
127.0.0.1 adserv.newcentury.net
127.0.0.1 adservant.guj.de
127.0.0.1 adservant.mediapoint.de
127.0.0.1 adserver-espnet.sportszone.com
127.0.0.1 advert.heise.de
127.0.0.1 banners.internetextra.com
127.0.0.1 bannerswap.com
127.0.0.1 customad.cnn.com
127.0.0.1 dino.mainz.ibm.de
127.0.0.1 ganges.imagine-inc.com
127.0.0.1 globaltrack.com
127.0.0.1 globaltrak.net
___

Need something MORE than Junkbuster.

I don't just want to lock out the net trackers, I want to screw them up and make their life as difficult as they make mine. How about cookie MANGLERS that send back 100K cookies with lots of funky characters (maybe crash their server)? Or cookie swappers that send back cookies to make you look like you surf random sites. Puting in the spammers administrative and zone contact email addresses into other spam sites that ask for an email address (Get their ISP to TOS 'em for burdening their staff unduly). Turn the tables people. Turn the tables. The best defense is a good offense.

Slashdot uses "Web Bugs" as well.

But what are they used for? I'm not sure. But look at the source code of almost any page here, and you'll see them:

<IMG SRC='http://209.207.224.245/Slashdot/pc.gif?/comme nts.pl,962468080410' WIDTH=1 HEIGHT=1>

<IMG SRC='http://images.slashdot.org/pagecount.gif?/com ments.pl,962468080410' WIDTH=1 HEIGHT=1>

<IMG SRC='http://images.slashdot.org/banner/gate5002en. gif?962468081680' WIDTH=1 HEIGHT=1 BORDER=0>

Maybe one of the slashdot staffers could answer this.


Quidquid latine dictum sit, altum viditur.

DoubleClick's Fatal Error

I was waiting for that.

Most people don't understand the need for data privacy. Even social security numbers are presumed to be pretty public, since we're forced to give them out all the time.

But they started messing with medical sites. Wrong move.

People fear their medical records getting out for all sorts of reasons--not the least of which it the concept of ownership of one's own body. Medicine is probably the one of the least networked industry when it comes to end product status, simply because the end product isn't too comfortable with firewalls being trusted to keep their personal health data secure.

There's an entire host of psychological issues that come once your health status becomes a commodity to be traded; one of the scarier endgames of no health privacy is that, since what is unknown by everyone cannot be unreported to anyone, people will refuse to inform their doctors about their health nor search online for others who have been in their predicament.

DoubleClick's antics, then, will lead to more expensive and less effective medical treatment.

DoubleClick just entered the realm of Life and Death, and that was the biggest mistake they could have ever done. Death is the ultimate liability, and it's guaranteed to happen. Be found liable for a death, and as a company, you may die yourself.

Any physician who works with DoubleClick will violate Do No Harm; I fully expect the AMA to issue a statement to this effect and will be disappointed when they don't.

It truly boggles the mind as to what kind of idiot at DoubleClick came up with the idea of spreading to medicine; when you get email regarding buying a computer while going computer shopping, you might think it's a pleasant coincidence. When you start getting Viagra spam after asking Dr. Koop about Erectile Dysfunction, you feel violated, as well you should.

Have we reached the point where DoubleClick style cross-site spies need to be suppressed, by default, in the browser?

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

Hmm..

Only thing i can think of here, adding ad.doubleclick.net to /etc/hosts as 127.0.0.1 (or c:\windows\hosts for windows users), or disable image loading. I mean, I don't want some multibillionare patentfreak company to see what pr0n sites I go to, or if I go to any other site. This scares me, because what if they sold that information to other companies - wouldn't it be evasion of privacy?. We haven't agreed to let them spy on us - so let's fight it - either by the solution first, or use lynx ;)

Too Stupid, But Not For Long

Here's the meat of the article, and DoubleClick's defense:

"While DoubleClick does indeed record, [it] does not know that room 5 is equivalent to girls home alone." This explanation comes down to saying that while DoubleClick collects the information, it does not have the technical skill to understand it an assertion that Smith and others nd hard to believe.

The problem is, while they don't have the knowledge to link room 5 with girl-girl fetish porn, some *other* company would have no problem doing it. As we all remember, DoublClick has no problem "allying" itself with other companies; at least until their stock price plummets.

I just have to question whether these "web bugs" are really the work of DoubleClick, or just some crafty porn site administrator trying to get paid for posting ads, but keeping them at 1x1 pixels so nobody has to be bothered by them.

---

Once again...junkbuster to the rescue!

It's been said a million times, here on slashdot, but it bears repeating:

Junkbuster will not only allow cookies from specific sites you want, but can disable downloading anything from any site you don't want.

When we all use something like junkbuster, maybe someone will get a clue. Now it's only punishment for the uninformed.
----------

sick!

what kind of sicko goes to a pr0n site to read the html source? that's some fetish.

"errr... yes, i was doing research and stumbled across the site and noticed a web bug in the code."

Re:How I fight the great satan

The /. 1-pixel image is a weird one. It's right at the top of the page, in a 2-pixel wide table to the left of the banner ad (from doubleclick.net BTW). There are two single-pixel images in that table; one's the off-site "bug" and the other is images.slashdot.org/pagecount which you'd think would have a valid purpose. There's another 2-pixel wide table to the right of the banner ad, with a single pixel image referencing images.slashdot.org.

I'll be generous and suggest that these images are there to count doubleclick banner impressions, and that the third-party off-site bug is a third-party offsite counter of banner impressions. But who knows? It doesn't resolve any reverse DNS. Traceroute has it going through Verio. It could be anything.

Andover has a privacy policy linked from every page which reads in part: "If you choose to give us personal information via the Internet that we or our business partners may need -- to correspond with you, process an order or provide you with a subscription, for example -- it is our intent to let you know how we will use such information. If you tell us that you do not wish to have this information used as a basis for further contact with you, we will respect your wishes."

I'll give them the benefit of doubt and not block it, but it is curious.
--

Re:Slashdot uses "Web Bugs" as well.

But what are they used for? I'm not sure. But look at the source code of almost any page here, and you'll see them:
<IMG SRC='http://209.207.224.245/Slashdot/pc.gif?/comme nts.pl,962468080410' WIDTH=1 HEIGHT=1>
<IMG SRC='http://images.slashdot.org/pagecount.gif?/com ments.pl,962468080410' WIDTH=1 HEIGHT=1>
<IMG SRC='http://images.slashdot.org/banner/gate5002en. gif?962468081680' WIDTH=1 HEIGHT=1 BORDER=0>

Maybe one of the slashdot staffers could answer this.

The first one is a page-counter graphic that's apparently on a machine at Slashdot's old hosting location, Digital Nation (since the traceroute to it goes through dn.net). I'm not that familiar with the technical end of Slashdot and so I can't speculate why it's loaded from dn.net instead of from our main servers.

The second one is a page-counter graphic (obviously) on our main servers.

The third one I'm not sure about. Like I say, I know little about the tech end of Slashdot and even less about the ad system.

In short, these guys are harmless. "Web bugs" allow a site other than the one you're currently reading to check up on your behavior. Obviously you're leaving footprints all over slashdot.org's logs every time you load our homepage!

Jamie McCarthy

[OT] Annoying /. policy no. 638

I agree. This is silly. If Signal 11 has pissed everyone off so bad that mod points a used against him and him alone, then maybe something's wrong with Signal 11.

Never mind, we're the problem.

Doubleclick is no worse than hitbox.com

Try surfing a few porn sites, and then look at your cookies from hitbox.com. You will discover that hitbox.com saves the URLs and/or titles of some of the pages you surfed in plain text in your cookie.

So you can end up with plain text such as "Wild_Bondage" in your cookies.

I asked the general counsel and chief privacy officer of hitbox.com's parent company to at least start encrypting this info in the cookie, on the grounds that cross-domain cookie reading is possible for anyone (86 percent of the online population) who uses Explorer. That was a month ago. They checked out the demo I recommended, according to the logs, but never answered my e-mail. The demo is at http://www.pir.org/nocookie.html (toward the bottom of the page).

Create a censoware-type hack?

OK, we at /. all know how to edit our HOSTS files to take care of this. But what about John Q. User, who would be hard pressed to save a file in a text editor? What we need here is a piece of software similar to, dare I say it, CyberPatrol, that maintains a list of privacy-encroaching hosts and edits the HOSTS file(s) for you. Hell, there could be a central repository of host names that routinely track peoples' habits online, and the software could run periodic updates. Of course, there would have to be some way to allow the user to disable certain hosts, but I don't think this would be too tough to write.

Need a Data Protection Act

The UK has something called the Data Protection Act. It utterly frustrates strategems like the one described here: all subjects of electronic data have the right to see what is being stored about them, and there are penalties for holding inaccurate data and for transferring the data to separate organisations.

The DPA has many flaws too, of course (e.g., effectively banning fingerd and log files), but that is a separate issue.

Re:Hmm..

either by the solution first, or use lynx ;)

why would I want to visit a porn site using lynx??? ;)

1x1 is a 'counting' gif

The 1x1 pixel gif is used by many adserving products. They normally deliver it with every ad, and the cookie that the adserver sets is normally attached to this gif. This gif is used to count how many ads are delivered. Clicking on the main image / flash feature will then count the click, by having an href that normally looks something like :
A Href="http://bad.evil.adserver.com/Software/ads/cl ick_an_ad.cgi/SITENAME/PAGENAME/CAMPAIGN NAME?_REDIRCT_TO="http://theadvertiserssite.com""

The sitename, pagename and campaignname are normally variables in whatever ad tag code you are putting on your page. These are then parsed by the adserver when it serves the ad and filled in with data that is meaningful to the server. This data can normally be completely meaningless to the web server that is serving it. The pagename doesn't have to match the pagename on the webserver, but merely the commonly agreed upon name. So I could lable a page as www.mysite.com/apage and schedule ads to that. But the site itself, would actually be www.mysite.co.uk/anotherpage.html and would just ask the server for an ad for www.mysite.com/apage

When you click on an ad, that data is sent back to the adserver so that it knows what ad you are trying to click through on, and what campaign to assign the click-through to.

This is all from memory and may be slightly flawed. But if you can read passed my garbled wording and see the idea, you'll have the picture.

DISCLAIMER: I used to work with web adverting but I'm just an (ab)normal sysadmin now.
/* Wayne Pascoe

Junkbusterize it!

Just drop *.doubleclick.net into junkbuster's blockfile, and doubleclick cannot track you any longer.

Now, what I'm really waiting for is for someone to write a proxy that can dynamically rewrite pages as they come through an http tunnel. Then, we can block ads, the associated javacrap, and other stuff - like pages containing the string "MAKE MONEY FAST!" I prefer not to get involved with the ethical side of business - business long ago proved to me they have no real ethics, hence I focus on creating technical solutions which either force them to be ethical, or force them away from me.

I think the technical community should make a stand and say we will not tolerate this, and then proceed to distribute easy-to-use software which blocks companies money-grabbing attempts. Remember: no company can survive without people. If a company is being unethical, solve the problem via technical means. If you work for the company, stall, drag your feet, and if you have to engineer the privacy-invading feature, remember these words "Yes, it's possible, but it would cost too much to do it".. and if they try anyway, make sure you're very well paid and that the product develops all kinds of bugs.. like suspicious dialog boxes in spyware that give your company's URL along with a "please report this error: Error collecting data on ${USER}, please contact sales@mycompany.com".

Civil disobedience.

How I fight the great satan

I have been maintaining a junkbuster proxy for long enough that I haven't noticed how commercialized the web has become, because I never see it. Maybe once a week, usually when visiting a new web site, a blinking banner ad gets through, and my innocence has made me very sensitive to them, so I immediately block it.

Lately, I've gone to reading the HTML source, because often the image's URL comes from a redirector which does the actual logging, and I want to block it before access to the redirector.

(By the way, do you know that slashdot has a web bug [209.207.224.245] on its pages? I have it blocked. You should, too.)

Anyway, a while ago I noticed that doubleclick.net was getting some ads past my filters, despite the fact that their domain (and various IP addresses) are at the top of my blockfile.

The sneaky bastards were using https. Proxies generally ignore than and pass it straight through. With 128-bit encryption, too; better than most of the e-commerce sites. (I would have noticed; I have everything 56 bits and below turned off.) I had to admire their ingenuity.

However, I still had to put an end to this. I told my DNS server that it was now authoritative for doubleclick.net, and that the zone was empty, so any address lookup attempt will fail. And I fetched the zone from their servers and added it to the firewall rules. Each was tested as adequate independently. Both is backup.

As I've been reading over that last year what a bunch of nosy bastards they are at doubleclick, I'm more and more glad that my computer hasn't deigned to send a packet to them for a very long time.

Although it'll probably make them change tactics again, I thought I'd share the DNS trick. It works pretty well. (And it gives you reason to learn about DNS zone files - I carefully haven't given an example, even though it is trivial.)

Re:Can't this be turned off at the browser?

Like, if I request a URL from www.flibbertygibbit.com, can't the browser be smart enough not to request further resources from, say, ad.doubleclick.net (but be smart enough to request resources from pix.flibbertygibbit.com)?

Yes; the trouble is that many sites have offsite images load from a perfectly normal and harmless third-party server. Akamai [akamai.com] is the best example; companies from Altavista to Apple to Andover store their graphics on Akamai's distributed servers for faster load times. If you prohibit all third-party graphics, you prevent these graphics from loading, thus breaking many pages.

Wasn't this capability in Mozilla until recently? How hard is it to put back in?

Yes, it was; see this older slashdot story [slashdot.org] for details. The good news is that Mozilla retains the capability to block off-site cookies, which doesn't totally eliminate the web bug problem but does take a huge bite out of it (along with the whole DoubleClick-privacy problem in general).

Personally I suspect that the offsite image problem could be 99% solved with a little special-casing and some creative DNS work. But I don't know that for certain.

The bottom line is that, because of this one incredibly simple feature, Mozilla [mozilla.org] is currently the most privacy-friendly off-the-shelf browser that I know of. Of course, if you are really concerned about privacy, you could try add-ons like Junkbusters [junkbusters.com] or IDcide [slashdot.org].

Jamie McCarthy

Re:Once again...junkbuster to the rescue!

Of course, a link [waldherr.org] is often helpful.