Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Privacy Your Rights Online

More Web Site User Data Gathering Revealed 239

Three days ago, a small group called Interhack was featured in an AP wire story about some curious data transmission they'd found. The company receiving the data, Coremetrics, tracks unique visitors through its clients' corporate websites, and promises those clients "seamless performance," because: "data tags load invisibly as small transparent gifs, and information is encrypted to appear invisible to your customer." The customer is you, the user. The GIFs are web bugs. The information can be personally identifying, which most of its clients' privacy policies fail to mention. But -- importantly -- the company promises that "Any data Coremetrics tracks and reports is owned solely by our customers and we are contractually precluded from reselling or using this data." Is that enough? Emmett and I talked both to Coremetrics and to the hackers who put the spotlight on them.

Emmett Interviews Interhack

Slashdot: For those uninitiated, what's interhack all about?

Basically, we're a firm of hackers interested in pushing technology forward through research, making computing apply to people by developing custom products and consulting for folks who want to put the technology to use, and helping people understand exactly what the ramifications of these systems are. That's a pretty broad way of saying that we're all about the Internet and making it work.

Slashdot: When did you start researching this story, and how long did it take to put the pieces together?

Sometime in May, someone sent us a tip about Coremetrics and what it's doing. We took a quick look over their web site to see their advertised services and then started to look at how the service is actually implemented on various client sites. We examined several sites, most of which very clearly stated in their privacy policies that they're using Coremetrics for site monitoring and provided links necessary for people who don't like it to opt out of the system. Most of the sites with clear, full disclosure policies weren't even sending Coremetrics personally-identifiable information like names and addresses.

The more interesting part of our find was in the sites that did send personal information to Coremetrics, particularly those that carried the TRUSTe privacy seal. Over the course of about three weeks, we performed an investigation of these sites, gathering as much information as possible from them. We reverse-engineered the system by reading the sites' code, reading through the obfuscation, and comparing logs of our network's activity with the activity that would be perceived by an end user.

What we found was a clear difference in user expectations and what was actually happening, as well as a clear difference between what Coremetrics says it offers and what its eLuminate service makes technically feasible. After writing drafts of our report and press release, we decided to take a wait-and-see approach to the release. Specifically, we wanted to ensure that sites that just started to use the Coremetrics service had adequate time to update their policies and to have an accurate idea of what was happening with the system after having been in production.

After waiting and watching for more than a month, we decided to release our findings. So, on Monday morning, we sent a pre-release copy of our report to Richard Smith and some folks at Zero Knowledge Systems. In addition, we contacted each of the firms named in our report and Coremetrics so that if the failure to disclose or the ability to profile people across web sites was unintentional, there would be time for some investigation and a decision about how to fix the problem. After the end of business Monday, we released our report.

Slashdot: What needs to change? In a perfect world, how do we deal with this?

This is a very interesting question. In my perfect world, detailed levels of profiling would not take place at all. There would be no such thing as persistent cookies. In general, I'm just not comfortable with the level of privacy that the industry as a whole has given up for the sake of a little convenience.

How big of a deal, really, is it to have to enter your password when you login to a web site? Don't forget that the reason why we have passwords in the first place is so that you'll have to do something at the beginning of the session to prove who you are.

Web browsers also need to be more intelligent. That is, they need to be able to identify things like dependencies on third parties so the user can know whether those images should be fetched or ignored. Right now, browsers -- for the most part at least -- just aren't very defensive. The model of parsing everything you're given worked fine in the Old Days for which some of us long so much but the fact of the matter is that you really can't blindly trust anyone on the Internet.

I'm not suggesting becoming a luddite. I'm suggesting that folks take a sort of "trust, but verify" approach a la Ronald Reagan. Right now, there's a lot of trust and almost no way to verify.

Slashdot: This all comes down to trust. How many policies are just there so people will shut up about personal information so they'll start buying stuff online?

I couldn't say. Policies are almost always written by lawyers. That probably speaks to the covering-one's-posterior-position value of privacy policies.

Slashdot: Since we can't trust written policies, what should people be doing before they start conducting business with these websites?

Verify everything. As I said earlier, though, we're severely lacking in tools that are accessible to most people that can help in that regard. I think Zero Knowledge Systems' Freedom network is a huge step in the right direction. Tools like Muffin (muffin.doit.org) also help, but it would be cooler for that kind of functionality to live right in the browser itself. There are opportunities for eager hackers on this front.

It's also important to stress that tools alone won't do it -- there is no silver bullet. People are going to have to have some understanding of what's happening in order to use these tools effectively.

Finally, where you see discrepancies, point them out. Most of the time, they're oversights. Look at how Lucy.com and Fusion.com dealt with this problem: they updated their sites. So although the problem shouldn't have happened in the first place, they did the right thing. Contrast that with Toys "R" Us, which issued a statement saying that what they're doing isn't a violation. And their privacy policy still doesn't say a word about Coremetrics. They still haven't said anything to address the issue of having information collected on children.

Companies that don't fix their problems don't take your privacy seriously, no matter how much lip service they pay. So don't go to their sites. Don't buy their stuff. Tell them why you're not buying their stuff. Tell their competitors why you shop where you do, lest the new places you shop get the bright idea to try to hide something.

Jamie Talks to Coremetrics

Here's the service Coremetrics provides to corporate websites:

Many companies demand accurate knowledge of how their sites are being used: what sections are popular, what paths visitors take through the site, where people click over from, and so on. It's like web log analysis but more specialized for large shopping sites.

Since these demands are very much the same, and the code to do the analysis is similar, outsourcing happens. From a CEO's viewpoint, Coremetrics fiddles with the website to do better-quality tracking than the company could do on its own, and then makes the resulting statistics available over SSL.

But from your viewpoint and mine, that "fiddling" results in cookie-carrying web bugs all over the sites we visit -- web bugs which usually send back to the Coremetrics servers a unique visitor tag, like any other cookie, but one that sometimes includes your name, email address or other personally identifying information.

Coremetrics promises that this information remains private. When DoubleClick collects data from <img> cookies across multiple websites, they do so with the stated intention of tracking you personally; this is part of their business plan.

According to Coremetrics, they do things very differently. Data is not cross-correlated between their client websites, they say, because their contracts with their clients prohibit this. In fact, their contract forbids them from doing much of anything with that data except statistical analysis.

I gave the Coremetrics PR person I talked to a chance to explain, using the example of their client Toys 'R' Us:

"Coremetrics is merely an agent that collects this data on behalf of an individual customer, for that individual's sole use only. We do not collect data, as was inferred very incorrectly by Interhack, across multiple unrelated websites, with any intention of selling it to third parties -- or even distribution to third parties. That's because we, as the agent, do not own that data, nor do we have any rights to that data. Toys 'R' Us, and Toys 'R' Us only, is the sole owner of that data. So legally, we cannot do any of the possibilities that Interhack had alluded to in their report."

But here's the interesting thing.

If I'm browsing my favorite website, Coremetrics is clearly a third party. They have a special contractual relationship to keep my data private, which we shouldn't ignore. But nevertheless -- a third party.

So why do some of their clients' privacy policies not mention this?

Toys 'R' Us is a good example. As Interhack made clear, they do send personal data to Coremetrics' servers. But their privacy policy reads, "We do not share any personally identifying data about our guests with anyone outside of Toysrus.com, its parent, affiliates, subsidiaries, operating companies and other related entities."

So is Coremetrics one of their affiliates or a related entity? I wouldn't think so, but I'm not a lawyer. One interesting thing is hidden in that privacy policy's HTML; after the closing </html> tag is the hidden message: "<!--CoreMetrics Information if enabled-->." Hmmmmmm.

Coremetrics lists twenty clients; I tried to contact seventeen of them for comment, with marginal success by press time. Three reported that they had not yet activated Coremetrics or had decided not to use the service at all. One (guru.com) reported not sending any personal information -- presumably, only tracking visitors with a non-identifying unique ID.

Two sites (lucy.com and fusion.com) began mentioning Coremetrics in their privacy policies on August 1, the day after the Interhack report. One site (thewest.com) did not even have a privacy policy until yesterday; they'd been working on it, and my email may have made it a priority because it was on their site three hours later.

According to Coremetrics, they encourages all their clients to disclose the use of their service in their privacy policy, and include a link for users to opt out. But some sites reported as using or planning to use Coremetrics' services have privacy policies that could use some clarification.

Altrec.com informs me that "...in the near future ... we plan to add to our privacy statement our use of Coremetrics and the fact that Coremetrics neither owns, distributes, nor has rights to the data it sorts on Altrec.com's behalf." However, their current privacy policy states very simply: "Altrec.com will never sell or give your e-mail address (or any other information about you) to anyone else without your permission. Period."

(Last-minute update -- just before press time, Altrec.com clarified that they are "sending unique ID (unique to Altrec.com) and city, state and zip. No other personally identifiable information is being sent to Coremetrics.")

Bravanta.com bounced me between different people until I got to leave voicemail that wasn't returned by press time. Their policy says they "do not and will not sell, trade or rent the personal information of our customers or gift recipients to any third parties."

(Update two hours later: Bravanta reports that they also have decided not to use Coremetrics' service, and are not currently using it.)

Mall.com didn't get back to me either, and their policy reads "We will NEVER release your name and personal information to a third party..."

Getplugged.com has a rather confusing privacy statement that begins, "Any personally identifiable information GetPlugged.com collects will be used solely for the purposes stated within this Privacy Statement" and wanders around from there. I'm not sure what to make of it, frankly.

All these polices may indeed be correct, if the sites are stingy with personal data. Like guru.com (and altrec.com), they may be using the Coremetrics service only with non-personal IDs. But, as with Toys 'R' Us, that may also not be the case.

(fusion.com, getplugged.com, and altrec.com also happen to be TRUSTe licensees, but TRUSTe wasn't able to comment by press time. In the AP wire story on Monday, they had harsh words but were speaking hypothetically; no comment since then.)

It's hard enough to read privacy policies already. Most of them are designed to protect companies legally, and mostly manage to confuse users. The distinction between Coremetrics as a third party; or affiliate; or agent, is a little too fine for the average consumer, and needs to be spelled out in each policy, as Coremetrics itself recommends.

But is all this a tempest in a teapot? If a signed contract forbids a company from misusing data, is that all we need to know?

I don't think so. In the first place, at the very least, companies like Toys 'R' Us need to disclose such things in their privacy policies. That's just common sense.

In fact, according to Coremetrics privacy advisor Dave Farber, they plan contractually to require such disclosure with future clients. (The company could not confirm or deny this at this time.)

More importantly, we as consumers are being asked to trust a third party whose reputation we know nothing about. In fact, 99% of us will never even have heard of them and might not understand what they do. We're told that a contract protects us, but we're still being asked to trust something we can't see. And when evidence of policy violations is turned up by a group of hackers, that erodes our trust.

After speaking at length with Coremetrics' PR, I get a general feeling of trust from them. (Of course that's a large part of their PR staff's job, earning reporters' trust.) More importantly, Dave Farber is well-respected, and his confidence carries weight -- with me at least.

Still, as Interhack says, our motto should be "trust but verify." That's why I proposed, to Coremetrics, that they publicly post, on their website, the paragraphs from their clients' contracts which assure that our private data remains private. If the actual legal words that protect our data are up there for us to see, we don't have to trust anyone.

When I mentioned this to Coremetrics' PR person, he promised to consider it; Dave Farber thought it was "a very good idea." It's unusual for corporations to make contracts public, even in part, but in this case it would do a great deal to put everyone's fears to rest.

This discussion has been archived. No new comments can be posted.

More Stupid Privacy Shit

Comments Filter:
  • by Anonymous Coward
    they can do whatever they want ann they will, for most people thats invisible and they dont give a shit, they wont even notice. If you dont want to be tracked the solution is "DO NOT ACCEPT COOKIES! and clear your cache once in a while...
  • by Anonymous Coward
    If you run your own dns servers....
    Setup empty zones for the webmarketing companies.
    We haven't been seeing doubleclick data for about six months or so.
  • by Anonymous Coward
    Didn't they have some option to let you not load any image from a different server? It seems like that would accomplish the same thing and still allow for "page counter" gifs
  • by Anonymous Coward
    better yet, use junkbuster or some other cookie cutter.
  • by Anonymous Coward
    or, still simpler, just set the permissions of ~/.netscape/cookies to read-only. this is still better because you can keep exactly the cookies you want from one session to the next. adding new ones is trivial: enable writes to the file, fire up the browser, go to only the site you want, exit the browser, mark file read-only. this happens very rarely for me. harry truman capote
  • Shift the context maintenance from the cookie to the URL. If you don't want them to understand or mess with the context state, then use obfuscation and hashing liberally.

    My Web site uses themes; you can choose how the pages will be displayed. Most of the themes are based on (read: blatently stolen from) various operating systems, so the text shows up as if it were in a window, and that window can look like a Win95 window, a Mac OS window, an X window, etc. Each page is dynamically generated from a Perl script that takes two arguments in the query string (the end of the URL): "page" and "theme". Obviously, "page" indicates the name of the page to be viewed (except on the main home page, which is handled seperately), and "theme" indicates what theme you want to view it in. If "theme" is omitted, it chooses a default theme for you.

    The problem with this is that the URL looks somewhat ugly, and if you link to a particular page from somewhere, you'd be linking to the page with a particular theme. I want the theme to be chosen for you automatically the first time you get to the site, since certain themes are not appropriate for certain browsers. That's why I want to use cookies instead - make it a local preference in the browser, and make it persist between sessions (in case you're demented enough to actually go back to my home page someday).


  • they can do whatever they want ann they will, for most people thats invisible and they dont give a shit, they wont even notice. If you dont want to be tracked the solution is "DO NOT ACCEPT COOKIES! and clear your cache once in a while...

    You're aware, of course, that this breaks a lot of Web sites? Sure, Slashdot still works, although you lose any hope of customization, but most e-commerce sites break. I'm working on figuring out how to use cookies on my home page, just because they're so darned neat, and one of the hardest things to do is gonna be figuring out how to make the site still work if cookies are off. A lot of companies don't bother, and simply require cookies.


  • Single pixel spacing doe not have it's own good purposes. Design the logical layout and then apply style. I sure prefer simple sites to sites that are so obfusciated as to need one pixel spacing...

    If browsers weren't so buggy and annoying, we (Web designers) wouldn't need to work around them by using single-pixel GIFs for spacing and such. It is possible to create an attractive design that doesn't get in the way of the content, and easily run into a situation where you need a 1x1 spacer (or something even more annoying) to make it work in HTML.


  • Toysrus.com sells information even tho they say in the privacy statement they don't? Welp, add another place not to shop to my list. Does anyone publish a listing of companies that don't sell information to other public/private companies anywhere? I'm sure it would be very useful to some.

    I'm thinking the Better Business Bureau might not be a bad place to start.


  • The day-before-yesterday nightly build of Mozilla will load images from "images.site.tld" but not completely different domains if you turn on the "disable images from different domains" feature -- I assume it works similarly with cookies.

    The only problem with this is, if it becomes widespread, places like Doubleclick will quickly get domains like "dc.amazon.com" (or whatever) that all point to the same server.

  • I thought of that... looking at the yahoo and yimg stuff, www.yahoo.com resolves to,, whereas us.a1.yimg.com resolves to, So that's out, too.

    I don't think there's a good way around it, and I'm willing to put up with the odd site like Yahoo where I can't load the images.

  • Because the image is sent down by a CGI script (presumably perl), which would be less efficient the bigger the image got (relative to the webserver sucking it off the drive).

  • It's probably for statistical purposes, but how it copes with cache's I'm not sure (and I don't care enough to look at the HTTP header for a Pragma: no-cache statment).

    Actually, cache may be the reason they do it. If a cache caches the main page, there's no way for /. to track hits. The JavaScript generates a unique (time-based) request for the user, so there's no way it can be cached. The cache thinks it's a new URL.
  • Comment tags keep browsers from displaying JavaScript code. The code still runs.
  • First of all, amazon.com would be stupid to have another company take care of their counting.

    Second of all, eviladagency.com can't get a cooke for amazon.

    Thirdly, why would EVILADAGENCY.com relase said information to the president? If they do, this is an entirely different problem.

    I'm all for paranoia about the government, but if we don't look so paranoid about everything, people will take us more seriously about the things that really matter.
  • I cannot run cgi's from any reasonably stable/fast server, so I use digits.com to perform counting on a particular part of my personal web page. It's really neat to know how many people visit your page. However, because I think those counters are really ugly, I make it 1x1.

    Sure, Digits might be gathering more stats about you than I know, but what are they going to do with it? We're not talking about the FBI who is going to track you. We're not talking about someone who has access to your credit card information or home address - it's just your IP address, and browser info. So they link it between multiple sites. They know you look at my web page and the Sarah Michelle Gellar fan page (their #7 most active site) or the Irritable Bowel Syndrome Help Group (#1 site). IT DOESN'T MATTER!

    The point is there are lots of things for us to be paranoid about, but whether someone is tracking your usage habits to send you more directed spam is pretty irrelavant in the scheme of things. Besides, use a proxy server hosted by someone you know/trust. Then they get less info on your page. problem solved.


  • This thread is silly and I hate to continue it further, but... i know doubleclick gets all sort of info about you, but your credit card numbr?!? how? This is a big deal if the do....

  • You shouldn't be using 1x1 gifs for spacing anyway... In a decently designed website there is no need for them. Use CSS, or whatever else, but relying on 1x1 images for spacing isn't the brightest idea. It destroys the way HTML was indtended to function - structurally, with UI separated out. Why blame mozilla for having such difficulty making a browser work if the true culprits are the people abusing rendering implementations on specific browsers.

    Apart from that, if anyone were to implement a 1x1 filterer, that obviously shouldn't effect layout, so it would still space things as before (to not break any web sites) but simply not load the images. Would only make your web server faster because of fewer requests.
  • Single pixel spacing doe not have it's own good purposes. Design the logical layout and then apply style. I sure prefer simple sites to sites that are so obfusciated as to need one pixel spacing...
  • Who says you can't write a little robot to visit select websites, meandering from page to page at various intervals, all while YOU are nowhere to be found. What they have, then, is purely fictitious data. And it serves them right.
  • Admittedly, this isn't as convenient as having such preferences in the browser itself, but you can always use JunkBuster [junkbusters.com] or Muffin [doit.org]. JunkBuster is great; I haven't tried Muffin, but the article mentioned it and it looks cool. Even does a couple things JunkBuster can't, like removing <BLINK> tags.
  • That would be an inference. It's more logical to say "slashdot used to be hosted at this colo center, images2 is AT this colo center, images2 is probably run by slashdot staff" than it would be to say "images2.slashdot.org used to be hosted at this colo center, therefore doubleclick staff have flown in a tigerteam in a silent black helicopter to run images2.slashdot.org"...

    Or maybe I'm just not paranoid enough anymore.
  • Well, (images2.slashdot.org) *IS* far removed from and, www and images.slashdot.org respectively. is owned by DigitalNation while the others are Exodus. Exodus is the current hosting company for slashdot, DigitalNation is the OLD hosting company. So images2.slashdot.org, while not sitting right next to images.slashdot.org, IS under their control, DNS does not point to doubleclick. So there we are.

    This is actually the way user tracking SHOULD work, internally, for internal use. Not with crap bounced halfway around the net to some company who may/may not sell it to someone.

  • I don't find where you work and post things about the quality of your work.
    Hm, well lets see here. People get criticized all the time, especially /. posters. If you can't take it - than don't be in the public eye.

    I work with Clyde on Time City. ...Matter of fact, I don't even know if Clyde is involved with Interhack.
    I'm sure his interhack email address that goes to the time city mailing list *never* meant anything to you. Oops, caught again.
    Emmett, it's really sad that I'm a damned programmer and I know more about jouranlistic integrity than yourself.
    As for /., it's good for laughs, and links.

    nerdfarm.org [nerdfarm.org]

  • Never questioned the integrity of Interhack.
    I questioned Emmett's ability to competently research and provide journalism unbiased to the public. You, nor members of Interhack (I'm assuming, very well could be wrong with this) are not journalists (nor pretend to be). Because of this, you merely were posting your findings, because Emmett's involvement both personally and professionaly with you outside of Slashdot he has comprised the whole premise behind journalism.
    Which I've seen him do time and time again.

    nerdfarm.org [nerdfarm.org]
  • Emmett Plant, "journalist" on slashdot.
    Emmett Plant, founder Time City Project.
    D. Clyde W., very visible member Time City Project
    D. Clyde W., member of interhack
    Hm, can we same shameless plug.. considering slashdot uses bugs I can't believe that they are slamming coremetrics.
    Slashdot used to get worse on a monthly basis, then weekly, now it's with every post.

    nerdfarm.org [nerdfarm.org]
  • a) learn about interhack, find out if they give out email addresses.
    b) there are other documents and also I have witnessed conversations with emmett present where clyde has stated his affiliations with interhack.

    nerdfarm.org [nerdfarm.org]
  • It may be incorrect, but it is not a troll.

  • Hi Jay,

    Haven't seen you in eons...

    BTW- I was in no way involved with this particular project. If you'd care to read the Interhack information, my name is not listed on any of the "cookie" investigations.

    Have a Good Day.

    D Clyde Williamson
  • Well, other than calling into question the integrity of Interhack, myself and the entire story... I gues you little joke was harmless. Right??
  • Add these to your Junkbuster .block file..


    anybody want to ante up entries to block this coremetrics bull?

  • So images2.slashdot.org, while not sitting right next to images.slashdot.org, IS under their control, DNS does not point to doubleclick.

    I'd like to know how one concludes from an IP number who the administrator *really* is.
  • 1. Set Netscape to warn on cookie transaction and poke around slashdot until you get a doubleclick cookie.
    Clear your cookie file, click like crazy on slashdot links, and then examine it.

    2. Post your results to this forum

    3. Get modded up and possibly an answer. :)
  • There has been some discussion here about how to fix this problem, and I don't think some of the people here "get it".

    Mozilla has already implimented some of these features (at least for rejecting cookies) and being open sourced, Mozilla should be easy enough to change to allow for an exclution list for images, etc.

    My guess is that, once Mozilla arrives at an initial final release (read complete and stable), one of the many anti-spam groups (like JunkBuster) will release a version of Mozilla (or even an add-on) focused toward ad filtering. A few options are ALREADY available, most in the form of proxies that can be installed locally or by an ISP.

    But, until then, here's the link to JunkBusters.

    JunkBuster Proxy - GPLed Ad Filtering Proxy

    Just my $.02 worth, I could be wrong.
  • What if it didn't load the image, but instead did the spacing anyway? Use its own hardcoded 1x1 transparent gif instead of yours. Seems it would be a lot faster for the client, and wouldn't break spacing on sites (unless that 1x1 is some color other than transparent, which I would imagine is pretty rare).
  • "Contractually precluded" might, perhaps, be good enough for us to trust that the company won't sell the gathered data, but it relies on trusting the individual people who have access to the system not selling out.

    I'm sure that internet advertising agencies will pay big bucks for a list of identities with data. No corporate contract will keep some people from immorally stealing and selling that data.

    John Heintz
  • It's not so dumb if the user's IP changes with every request (a side effect from the proxies used by numerous ISPs, including AOL) or they refuse cookies (like most of us do). In fact, even my IP info isn't accurate, since I'm behind a firewall and every in my office accesses the web from the same IP address.

    Remember kids, always be sure to learn a little something about how modern http browsing environments work before you call someone's web application dumb!

    Just a little friendly advice,


  • Seem like a really bad name for these things? I mean, they work exactly the way they are intended to. So why call them a bug?
  • http://world.std.com/~joeshmoe/sj/spj.ethics

    In particular, check out 4b and 4c. "Potential conflicts" would presumably include "he's my friend's friend so I don't want to make him look back".

    I just noticed the "joeshmoe" in that URL, but I don't feel like looking for a more reputable-seeming link.
  • Only allowing images from one site won't help. It is trivial to set up a proxy from /. (for example) to doubleclick, or anyone else. Doubleclick would still get the info, and to the browser it would look like /.

    I agree with the current high scoring comment, if web sites are merely outsourcing their traffic analysis, there is no problem. You don't demand that sites that use WebTrends to analyse their logs say so in their privacy policy, do you? It only becomes a problem when the 3rd party trackers are allowed to aggregate the information they collect for their clients, and can resell that information. I would say that it is in the best interests of the collectors to NOT do this if they just want to sell a traffic analysis service.

  • Not mentioning third parties who have access to data in privacy policies is old hat. As this CNET Article [cnet.com] notes, this is not uncommon. According to the article of August 1999, privacy policies of major sites often fail to mention third party cookies and that this data is available to third parties.
  • dude, try this:
    ipchains -A output -D doubleclick.net -j REJECT
    Actually, the -d is supposed to be lowercase. Uppercase -D means delete and can't be used in conjunction with -A.

    "The people. Could you patent the sun?"
  • If a company has such a tracking system on their web site, they should at least have a welcome page that informs the visitor of what's happening. And give the option of going or staying. The info mentioned in this welcome page should include every piece of info that the page is collecting about the visitor. At the very least there should be some place to see what was sent about you.
  • Webcache notwithstanding, just about ANY user of a dial-up network is immune to tracking by IP address just as soon as they disconnect and reconnect. Similarly, some cable modems use DHCP and do not assign static IP addresses. I feel more secure on a dial-up than I do when my computer is left on a high-speed network connection with a static IP. However, the huge speed boost I get from my Ethernet hook-up makes it easy to install things like portsentry and sshd, not to mention ad-blocking software that some Slashdot readers' love so very much.
  • by Anonymous Coward
    I've been using a 1x1 transparent GIF for 18 months, but not for spacing. I use it to trigger a CGI program when the index.html home page is loaded. The purpose of this CGI program is to rotate the cartoon and other eye candy on the page, so that a reload gives a new look. After its work is done, the CGI program spits out a one-pixel transparent GIF just to keep the http server and the browser from being too disappointed at not getting what it is expecting.

    Yes, caches do screw up the system. To fool the caches, the next index.html page that is written by the CGI program puts in the IMG SRC for the GIF with a PATH_INFO after the name of the program that spits out the GIF. This PATH_INFO consists solely of the process ID number. Cache servers think it's an entirely new link and go out to fetch it, but our http server ignores the extra path info and loads the same program. You also need all the standard NO-CACHE headers in the html page, of course.

    You can do all sorts of things in this CGI program. The point is that in order to get a straight html page to also activate a program automatically whenever it is loaded, you have to use something like a IMG SRC. Otherwise you have to resort to Java or something similar, which has a huge amount of overhead associated with it.
  • Emmett Plant, "journalist" on slashdot.

    Feeling bitter, Jay?

    You've got all the right in the world to question my journalistic integrity. As a matter of fact, I welcome it. But unless you've got a problem the facts or the way I present them, chill out. If I've said something untrue in my work, you've got a responsibility as a reader to point it out. You haven't done that, though.

    Stories are not created in a vacuum. As a reporter, I rely on relationships with people to get my job done. As a writer, I rely on the English language to convey facts to the audience.

    The worst part is that you can't see beyond your own personal problems and outright bitterness to understand that Interhack does some very important work, and that this story is important to anyone who does business online.

    What do you want me to say, Jay? Clyde clued me in to the Interhack press release. I work with Clyde on Time City. Clyde pointed me to it because he thought it was newsworthy. It was. I did some research, got together with Jamie, and we wrote the piece. I didn't write the piece as a favor to Clyde. Matter of fact, I don't even know if Clyde is involved with Interhack. I think he's related to Matt, though. Actually, I think you'd be amazed how many stories are submitted to me and Slashdot by personal friends that I reject. What do you want from me?

    I don't find where you work and post things about the quality of your work. I don't question your professional integrity, because I really don't understand or know what you do for a living. At this point, I don't care. You just seem like someone who was really burned and you're working out your 'angry ex-girlfriend' mojo on me for some unknown reason.

    I'm sorry you didn't like the article.

    Slashdot used to get worse on a monthly basis, then weekly, now it's with every post.

    Then don't read it. Apparently it's causing you undue stress.


  • This MAY be because of the fact that Jamie (please not the PROPER spelling, guy) is busy as hell working on other projects in addition to Slashdot. But that may not have occured to you, did it?

    BTW - Several people have answered your question in this SID, please read them and quit thinking that everything is a personal attack against you. People will take you more seriously that way.

    - Cliff

  • I was going to say that might not be a good idea since it would destroy the layout of many web sites and negatively affect others. Then I realized that the use of 1x1 images is probably pretty low (since they're normally 'stretched' when used as page layout devices) So, yeah, you've got a decent idea there :)

    You'd be surprised. One of the reasons I use 1x1 transparent GIFs is, say I've got a table, and one cell has a background, but no foreground text or graphics - just a background color, or repeating background pattern, and I'm using this cell (probably not very big) for layout and design purposes, because there's no other way to do it. Well, if I don't include that 1x1 GIF, then the browser thinks the table cell is empty and won't render it at all (so I don't get my background). This is remarkably annoying. I used to use &nbsp; instead, but then I started doing these with really small areas where a whole &nbsp; wouldn't fit, so I've switched to 1x1 GIFs. For an example of what I'm talking about, check out my home page [phroggy.com].


  • The problem is that with web bugs and your IP address, it's just as easy to track you. They've got the pages you go to with times and your IP.
  • No it will not. They will simply use transparent gifs. Which is just the same. And it is not just gif as PNG also has transparency channel.
  • First: you are referring to the Slashdot crowd. For example I am sufficiently paranoid to put my old address or my company address on warranty cards and other stuff like this when I buy personal kit so my snail mail address does not get out. But this is me. Joe average random luser puts his personal information. Both in a conventional store and online

    Second: correlation analysis is a great thing and statistics is a great science. If there is enough information and the criteria for filtering bogus data are well defined it can be filtered and your real you to show up.

  • Okay. But how many supermarkets are willing to sell information about you to product manufacturers? "The holder of Credit Card 4000500060007000 purchased your product five times over the course of four months."

    You won't be sending a little robot to the local store anytime soon, and it is a lot easier to track you down that way then it is via the web.

    But you are right. Writing your little robot would be the /correct/ response to this invasion of privacy. Writing a browser plug-in to reject such bits of information would be another.

    Legislating it out of existance or banning it /would not/ be the correct form of action. I see way too many people who would look at this type of thing as "something that should be regulated" and yet those same person's take offense at the government regulating Napster.

    The internet has a way of policing itself. If we keep the government from interfering, than this kind of intrusion will meet it's own extinction at the hands of people like you. People who will write software that makes their software obsolete.
  • As a web designer I am totally against this idea, because I use 1x1 gifs all the time for spacing purposes.

    That doesn't make sense. The web uses HTML, and HTML is a logical markup language where the client (not the server) makes formatting decisions. Why would a "web designer" ever need to micromanage such detailed issues as spacing?

  • That's an HTML comment, not a JavaScript comment. It is there for browsers that don't understand JavaScript, so they wont display it to users. This is a very common practice.

    The JavaScript is still executed.

  • I have no issues with Mr Plant--I don't know him at all. Nor do I know anything about Time City.

    However, I do know that doctors don't operate on their friends (or family of friends) or families (or friends of family). Same goes for journalism. From the facts presented by "Jay" and you, it seems as though you've interviewed a friend of a friend for your article. That's a no-no, regardless of newsworthiness. Why not just have roblimo or someone interview the friend?
  • "Coremetrics is merely an agent that collects this data on behalf of an individual customer, for that individual's sole use only. We do not collect data, as was inferred very incorrectly by Interhack, across multiple unrelated websites, with any intention of selling it to third parties -- or even distribution to third parties. That's because we, as the agent, do not own that data, nor do we have any rights to that data. Toys 'R' Us, and Toys 'R' Us only, is the sole owner of that data. So legally, we cannot do any of the possibilities that Interhack had alluded to in their report."

    I'd have to agree that Corematics doesn't have a right to that data, but do the companies they're collecting it for have a right to it?

    What rights do I have to it? It it is being sold, that means it has value. Where's might cut of the proceeds? If you and I own a peice of property, and you sell it without my knowledge or consent, and I find out about it, can't I sue for my share?

    The corps can't have it both ways can they? If it is intellectual 'property', then aren't I half owner?

  • Good idea but..

    1. It's already behind schedule

    2. Blacklisting certain companies could get you all sorts of legal harassment from said companies. Look at the whole Cyber Patrol/peacefire thing.
  • What about if you consistenly use the same bogus info to several websites? perhaps some company is compiling info about "Hugh Jass" someday hoping to get his/her real info and send them TONS of junk mail.

    Can junkbuster filter out useless 1x1 images completely? I mean, I can live without a 1 pixel image or three on a web page.
  • I wish I had some mod points.

    Hey moderators: This post, #170 is HIGHLY deserving of being modded right up to +5.

    Sorry for abusing my +1.
  • I'd like to hear an explanation.

    I figure it's so that Anonymous Cowards are not so anonymous. If need be, Slashdot can check the page and time, then cross reference it with their logs to determine who from where was doing what when. No?

    Anonymous Cowards are not anonymous anymore.

    Slashdot's justification is probably that they're using it to track 'trouble makers' on Slashdot.

    Oh yeah, and to turn in Anonymous Cowards to mega corporations and goverment agencies for bounty

  • Are we concerned about what Coremetrics DOES, or about what they CAN DO? There is a wide gulf between posession of power and abuse of power.

    It would appear from the article that the problem is not what they do, but how their customers inform the public about the arrangement.

    And if we are to attack them because they COULD do something bad, isn't that unfair, or at least prior restraint?
  • # Death to banner ads!
    # This is a ad-blocking hosts file compiled by Mike Skallas (user245@hotmail.com)
    # Just add ' ADSERVER' to the bottom to continue the list.
    # The rest are instructions from MS:
    # The IP address and the host name should be separated by at least one
    # space.
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    # For example:
    # rhino.acme.com # source server
    # x.acme.com # x client host localhost #this is not an ad server, this is your PC www.doubleclick.net ad.preferances.com ad.doubleclick.com ads.web.aol.com ad.doubleclick.net ad.preferences.com ad.washingtonpost.com adbot.theonion.com adpick.switchboard.com ads.doubleclick.com ads.doubleclick.net ads.i33.com ads.infospace.com ads.msn.com ads.switchboard.com ads.washingtonpost.com adforce.imgis.com ads.enliven.com Ogilvy.ngadcenter.net oz.valueclick.com doubleclick.net ads.doubleclick.net ad.doubleclick.net ad2.doubleclick.net ad3.doubleclick.net ad4.doubleclick.net ad5.doubleclick.net ad6.doubleclick.net ad7.doubleclick.net ad8.doubleclick.net ad9.doubleclick.net ad10.doubleclick.net ad11.doubleclick.net ad12.doubleclick.net ad13.doubleclick.net ad14.doubleclick.net ad15.doubleclick.net ad16.doubleclick.net ad17.doubleclick.net ad18.doubleclick.net ad19.doubleclick.net ad20.doubleclick.net ad.doubleclick.net ad.ch.doubleclick.net ad.infoseek.com ad.linkexchange.com banner.linkexchange.com adcount.hollywood.com ads*.focalink.com ads.imdb.com www.ad-up.com bannerswap.com commonwealth.riddler.com globaltrack.com globaltrak.net nrsite.com www.nrsite.com ad-up.com ad.adsmart.net ad.atlas.cz ad.blm.net ad.dogpile.com ad.doubleclick.net ad.infoseek.com ad.linkexchange.com ad.net-service.de ad.preferences.com ad.vol.at adbot.com adbot.theonion.com adbureau.net adcount.hollywood.com add.yaho.com/ adex3.flycast.com adforce.adtech.de adforce.imgis.com adimage.blm.net adlink.deh.de ads.criticalmass.com ads.csi.emcweb.com ads.filez.com ads.i33.com ads.imagine-inc.com ads.imdb.com ads.infospace.com ads.jwtt3.com ads.lycos.com ads.mirrormedia.co.uk ads.msn.com ads.narrowline.com ads.newcitynet.com ads.realcities.com ads.realmedia.com ads.smartclicks.com ads.switchboard.com ads.tripod.com ads.usatoday.com ads.washingtonpost.com ads.web.aol.com ads.web.de ads.web21.com adserv.newcentury.net adservant.guj.de adservant.mediapoint.de adserver-espnet.sportszone.com advert.heise.de banners.internetextra.com bannerswap.com customad.cnn.com dino.mainz.ibm.de ganges.imagine-inc.com globaltrack.com globaltrak.net 207-87-18-203.wsmg.digex.net Garden.ngadcenter.net Ogilvy.ngadcenter.net ResponseMedia-ad.flycast.com Suissa-ad.flycast.com UGO.eu-adcenter.net VNU.eu-adcenter.net a32.g.a.yimg.com ad-adex3.flycast.com ad.adsmart.net ad.ca.doubleclick.net ad.de.doubleclick.net ad.doubleclick.net ad.fr.doubleclick.net ad.jp.doubleclick.net ad.linkexchange.com ad.linksynergy.com ad.nl.doubleclick.net ad.no.doubleclick.net ad.preferences.com ad.sma.punto.net ad.uk.doubleclick.net ad.webprovider.com ad08.focalink.com adcontroller.unicast.com adcreatives.imaginemedia.com adex3.flycast.com adforce.ads.imgis.com adforce.imgis.com adfu.blockstackers.com adimage.blm.net adimages.earthweb.com adimg.egroups.com admedia.xoom.com adpick.switchboard.com adremote.pathfinder.com ads.admaximize.com ads.bfast.com ads.clickhouse.com ads.enliven.com ads.fairfax.com.au ads.fool.com ads.freshmeat.net ads.hollywood.com ads.i33.com ads.infi.net ads.jwtt3.com ads.link4ads.com ads.lycos.com ads.madison.com ads.mediaodyssey.com ads.msn.com ads.ninemsn.com.au ads.seattletimes.com ads.smartclicks.com ads.smartclicks.net ads.sptimes.com ads.tripod.com ads.web.aol.com ads.x10.com ads.xtra.co.nz ads.zdnet.com ads01.focalink.com ads02.focalink.com ads03.focalink.com ads04.focalink.com ads05.focalink.com ads06.focalink.com ads08.focalink.com ads09.focalink.com ads1.activeagent.at ads10.focalink.com ads11.focalink.com ads12.focalink.com ads14.focalink.com ads16.focalink.com ads17.focalink.com ads18.focalink.com ads19.focalink.com ads2.zdnet.com ads20.focalink.com ads21.focalink.com ads22.focalink.com ads23.focalink.com ads24.focalink.com ads25.focalink.com ads3.zdnet.com ads3.zdnet.com ads5.gamecity.net adserv.iafrica.com adserv.quality-channel.de adserver.dbusiness.com adserver.garden.com adserver.janes.com adserver.merc.com adserver.monster.com adserver.track-star.com adserver1.ogilvy-interactive.de adtegrity.spinbox.net antfarm-ad.flycast.com au.ads.link4ads.com banner.media-system.de banner.orb.net banner.relcom.ru banners.easydns.com banners.looksmart.com banners.wunderground.com barnesandnoble.bfast.com beseenad.looksmart.com bizad.nikkeibp.co.jp bn.bfast.com c3.xxxcounter.com califia.imaginemedia.com cds.mediaplex.com click.avenuea.com click.go2net.com click.linksynergy.com cookies.cmpnet.com cornflakes.pathfinder.com counter.hitbox.com crux.songline.com erie.smartage.com etad.telegraph.co.uk fp.valueclick.com gadgeteer.pdamart.com gm.preferences.com gp.dejanews.com hg1.hitbox.com image.click2net.com image.eimg.com images2.nytimes.com jobkeys.ngadcenter.net kansas.valueclick.com leader.linkexchange.com liquidad.narrowcastmedia.com ln.doubleclick.net m.doubleclick.net macaddictads.snv.futurenet.com maximumpcads.imaginemedia.com media.preferences.com mercury.rmuk.co.uk mojofarm.sjc.mediaplex.com nbc.adbureau.net newads.cmpnet.com ng3.ads.warnerbros.com ngads.smartage.com nsads.hotwired.com ntbanner.digitalriver.com ph-ad05.focalink.com ph-ad07.focalink.com ph-ad16.focalink.com ph-ad17.focalink.com ph-ad18.focalink.com realads.realmedia.com redherring.ngadcenter.net redirect.click2net.com regio.adlink.de retaildirect.realmedia.com s2.focalink.com sh4sure-images.adbureau.net spin.spinbox.net static.admaximize.com stats.superstats.com sview.avenuea.com thinknyc.eu-adcenter.net tracker.clicktrade.com tsms-ad.tsms.com v0.extreme-dm.com v1.extreme-dm.com van.ads.link4ads.com view.accendo.com view.avenuea.com w113.hitbox.com w25.hitbox.com web2.deja.com webads.bizservers.com www.PostMasterBannerNet.com www.ad-up.com www.admex.com www.alladvantage.com www.burstnet.com www.commission-junction.com www.eads.com www.freestats.com www.imaginemedia.com www.netdirect.nl www.oneandonlynetwork.com www.targetshop.com www.teknosurf2.com www.teknosurf3.com www.valueclick.com www.websitefinancing.com www2.burstnet.com www4.trix.net www80.valueclick.com z.extreme-dm.com z0.extreme-dm.com z1.extreme-dm.com ads.forbes.net ads.newcity.com ads.ign.com adserver.ign.com ads.scifi.com adbot.theonion.com adengine.theglobe.com ads.tucows.com adcontent.gamespy.com
  • And my crosswinds.net address forced you to believe I am an employee there? They do host on Linux boxes! In the last few years, I've had addresses at a .gov, newcourt.com, citgroup.com, att.com, ibm.com, yahoo.com, dynip.com, and excite.com. You can't tell shit about where I have worked or do work from them, however.

    Email addresses are given out like candy.
  • You know, even with "old" Netscape 4.x, you can just click on "refuse all cookies" or at least "warn me before accepting cookies." With mozilla, it's even better; it remembers your cookie preferences for each server.

    Granted, this is not the easiest thing to use ever. I'd really like a list of servers I could manually update, whose cookies would always be rejected. *.doubleclick.net, *.adforce.com ... you get the picture.

    Point is, though, you do have recourse. You don't have to "blindly trust" all those baddies trying to set cookies on your harddrive. Now I think the priority should be making this easier for newbies to pick up, and educating them about it.

  • Yeah really. Someone should Mod this up, and maybe some marketing braindead's will see it. No one I know EVER puts in their real information, real email, or anything, unless they absolutely have to. And I'm not just talking about us l33t hackers, I'm talking about joe average Internet user. In schools around where I live, they actually teach you not to ever give your real information (including email) unless its someone you absolutely trust.

    So what I would liek to know is, what good is all this tracking, when your'e tracking fake people? It's just a huge waste of time. Not that I reallly care, I added all banner ads to my hosts file being redirected to a LONG time ago

  • Doesn't this break the web-wide caching system being implemented by companies such as "akamai"? I thought they provided load-balanced web services for those web services which were expecting high peaks of service requests.
  • Okay, Jamie, so now we've established that Richard M. Smith himeself says the code on this web-page is not a "web bug". Now that I know it's there, what does Slashdot/Andover with this "non-web bug" to differentiate it from a genuine web bug? Just curious, really. Does the information reach some corporate entity outside Slashdot.org? Andover.net? Is the information for the sole non-resellable use of Slashdot.org? Andover.net?
  • You could also send back data that they are expecting, just corrupt it to be totally wrong, e.g. $address="18459 nowhere lane, nullville, OH 00000" ;-)
  • After all, the server providing the main page already knows the IP address and cookie information. All that's needed is to ship the server log info to Big Brother Central for correlation. "Web bugs" are just a way of offloading the intercommunication job onto the client. If somebody isn't already marketing a complete server-side solution for this, they probably will be soon.
  • Although the ad might not come from an outside source, my question is...Why is the number associated with the pagecounter image also associated with the advertising image?

    I'm going to have to go diving through the ad code (assuming the slashdot guys use the one from sourceforge) to see exactly what the number is used for.

    My guess is that the number is used to see how many eyeballs saw that particular ad, but what they do with the number beyond that is unknown.

    <IMG SRC="http://images.slashdot.org/pagecount.gif?/art icle.pl,965319456" WIDTH=1 HEIGHT=1>
    <IMG SRC="http://images.slashdot.org/banner/tkgk0082en. gif?965319456" WIDTH=468 HEIGHT=60 ALT="Click Here!"></A><BR>
  • Of course, what should really happen is that the default is opt-out, not opt-in. This will never happen though. How many people are going to look at a box that says "Click here to have your privacy invaded" and think "Oooh, I'd better do that, sounds like a greate idea"? That's right, none.

    Of course no site would put up a box saying "click here to have your privacy invaded." Instead, they'd set up a system so that the user gained some small benefit from having their privacy invaded- like not having to re-enter their password every time they visited the site or having customized content- and ask customers if that's what they wanted. If they worded it right, you'd be surprised at how many people would opt in.

    Actually, the well known grocery card business is a good example of this. People are willing to give supermarkets personally identifying information on an opt-in system in order to get marginal price benefits. They're even willing to swipe their card when they don't have anything in their cart that actually gets a price break based on minute chances of winning a car or something. Don't overestimate people's desire for privacy.

  • Ok,

    I sent e-mail to Jaime almost 2 weeks ago asking about the use of doubleclick served adds (from doubleclick servers) on Slashdot. He promised to get back to me. He never did.

    Would anyone on the Slashdot Team like to comment on whether or not these adds perform functions similar to DoubleClick ads on other sites? I've seen posts about this in some discussions, but this seems like the good place to post it.

    I have noticed a STEADY increase in the number of DoubleClick served adds since I initally contacted Jaime. All the SuSE ads, the Genuity add, and now some IBM (and I'm sure others) ads are all DoubleClick served. This is true on other Andover sites like freshmeat as well. Many adds are served from Slashdot's addserver, but often DoubleClick ads load.

    I can provide links to any and all ads that I've seen if I need to, but I think that it would be overkill.

    Just curious

  • I've been using a 1x1 transparent GIF for 18 months, but not for spacing. I use it to trigger a CGI program when the index.html home page is loaded. The purpose of this CGI program is to rotate the cartoon and other eye candy on the page, so that a reload gives a new look. After its work is done, the CGI program spits out a one-pixel transparent GIF just to keep the http server and the browser from being too disappointed at not getting what it is expecting.
    The point is that in order to get a straight html page to also activate a program automatically whenever it is loaded, you have to use something like a IMG SRC.

    Wouldn't you be better off in that case just executing your maintenance script via SSI, rather than relying on a seperate web request from the client?
    Something like
    <!--#include virtual="updatemainpage.cgi" -->
    would do the same thing, and not rely on the client. Assuming, of course, your server can do SSI. If not, you could use an index.cgi instead of index.html, just have it dump out the page, then do the maintenance as part of that request. It'd save you on network traffic too.

    Using a 1x1 IMG to do it is one solution, but it's not by any means, the only solution.
  • Hemos tried to explain this in this post [slashdot.org].

    For the truely lazy:

    RE: Doubleclick.

    Believe me, if I had my way, we wouldn't be using it. But DoubleClick is what many of the advertisers use as their service, because DoubleClick does a good job of tracking click-thrus and such for them. That, and the honest truth, most big companies don't know how to run their own web server for ad serving, and so outsource. So - unfortunantely, a necessary evil of serving banner ads.

    As for the webbug - I've never called it bad or evil. I think it's stupid, but Andover uses it to track traffic. I think caches fuck it up, but...c'est la vie. It doesn't do anything, so I don't particularly care about. I'm more concerned with stopping advertisers from using Java in banner ads, or sound,or shockwave, or...

    It's all about choosing your battles.

  • You bring up a good point - that as much information as they are gathering it really doesn't amount to anything if you don't buy into their bullshit. I mean, we're bombarded with advertising every waking moment of our lives (which is why I don't have a TV at home) but I think most of us have learned how to tune it out. People doing market research are working for the same soul-less corporations that you or I are working for, they're just people after all. The young, hip adults designing advertisements aren't publishing propaganda for some ideological purpose; they're using their imagination and creativity to drive capitalism - that's their job.

    So who really gives a damn? I usually buy books that have been recommended through word-of-mouth, anyway, who cares what Amazon's computer cooks up for you? Hell, I really don't care about the cookies on my computer - if someone steals my credit card number then it'll show up on the statement and I can get my money back. So what if Maxim ads always always pop up on yahoo sites for me? So I clicked on one, once.

    Spam is pointless - I'm immune to it. I'm sure everyone who's grown up with television is, too. I'd rather go outside and sit in the sun anyway (but I'm stuck here at work).

    Hmm, actually now does feel like a good time for a smoke break...

  • Your friend,

    See, well fucking done! You just achieved something that "your friend", Emmett "hung like Robert" Plant couldn't quite get it up for! You just gave us .... a "disclaimer". So now, we can take with, shall we say, a grain of shit, your comment that "I think that attacking Emmett's journalistic integrity is immature" ("immature"!, ye fucking gods! Why not just say that you think it's "gay" or "spastic" if you don't have any arguments!). We can tell that, whatever your views on journalistic ethics, you're probably prepared to prostitute them in order to help out your friend.

    Now, if you'd dropped in and said "Hi, I'm Nitrozac, I have no connection to Emmett or anything, I'm just a stuck-up internet loudmouth and censorship advocate with a wholly unrealistic view of "geek" culture. I just took time off from simultaneously patronising and demeaning women by calling them "Techno-Talking Babes in my ludicrously unfunny comic to drop over here and tell the world that, in my considered opinion, "freaking out" over a journalist providing free publicity to his cronies without disclosure is "kinda dumb. Now kiss my ass, and tell me how great you think my boots are." --- then that would be kind of dishonest.

    And indeed, given that the context is a story about Internet privacy and "Your Rights Online", am I the only one to think that there is something supremely fucking hypocritical about you daring to raise your square head above the parapet, given that you're the proprietor of a bulletin board which is notorious for censoring contrary opinions and logging IP numbers of anyone who sails by? Though, I doubt that either Slashdot or Interhack will be doing an article on that any time soon.

    Please feel free to reply here, or contact me by email, or indeed to do anything that will distract you from drawing another episode of that godawful comic, User [goatse.cx] Friendly [aftery2k.com]. Before you make the obvious response, I'll point out that I don't read the fucking thing, I just think that you have far to many preteen dittoheads, and anything that reduces their numbers makes the world a less shit place. Not necessarily better, just less horribly shit.

    In conclusion, fuck yourself.

  • *Disclosure* There's nothing wrong with interviewing friends, writing about companies affliated with friends, etc---as long as you tell the reader about the connection.

    Really, it's a simple as that. You don't even have to clutter your copy with parenthetical disclaimers, just a link to the relevent information about the connection for those readers who care.

    C'mon guys. Like it or not, you're journalists now, so play the game properly.
  • Any contract-drafting bottom-feeding lawshark can present a retail site such that it's accessed "with a view to entering into a contract".

    Hey! I resemble that remark!.

    Seriously, folks. I think that the above analysis of the DPA is a little pessimistic. The Act does in fact define gross invasions of privacy in a roundabout way: there is a list of items of "Sensitive Personal Data" which are subject to much stronger regulation.

    The Act provides for civil and criminal penalties for breach of the provisions as to fair processing; it is not toothless.

    As to the "taking of steps" point, that provision is also governed by the requirement that the processing be proportional to the need and transparent to the data subject, and the Data Protection Commissioner has power to rule on what is and is not within that requirement of fairness. For example, she has stated that those "opt out of our spam list" checkboxes are not fair on the data subject: they should be "opt-in" boxes.

    As to "presenting a retail site such that it's accessed 'with a view to entering into a contract'", that has to be done with an eye on the remainder of the Act, which limits what you can and cannot do, the various dicta of the Data Protection Commissioner, one's own liability if one colludes in the commission of a criminal offence or advises a client to commit one and, in the UK, the Unfair Contract Terms Act 1977, which is a prize pain in the backside for those in the business of ripping off consumers.

    The whole point of the DPA, you see, is to make it easier and more cost-effective for the lawyer to advise the client to comply than to infringe. Being a naturally conservative crowd, that is exactly what we do.

  • Anyone thinking of using this service in the UK (or anywhere in the EU for that matter) should think again. It's (potentially) a criminal offence to collect any data on a person without telling them you're doing it (Data Protection Act 1998, generally [hmso.gov.uk] and Schedule 1 part I [hmso.gov.uk] in particular). The fact that you're using a third party based abroad to dig the dirt on your site visitors will avail you nothing with the Data Protection Commissioner [dpr.gov.uk] if she decides to land on you with both hobnailed boots.

    Those privacy statements, whose status in the US I cannot comment on (IAAL but NAUSQL) are binding in the UK and breach of them potentially sounds in damages (section 13 of the Act [hmso.gov.uk] isn't in force yet, but soon, soon) as well as criminal liability and all manner of interesting and exciting regulatory action.

    For the rights of data subjects generally, see Part II of the Act [hmso.gov.uk] generally and the register of Data Controllers is maintaned at the Data Protection Commissioner's site and is fully searchable. Go on, look up your favourite corporation and dob them in if they aren't playing by the rules. (Non-UK readers may be amused to know that an assortment of pranksters make a point of doing this with political party membership lists when they use them for mailshotting purposes.)

  • How many of us actually put in proper information into websites? Usually the only time I ever put in proper information is when I'm going to purchase something, and being a poor college kid, that is very rare. I can see being extremely worried about it if I were making more money and able to spend it on things, but that's far off.

    Right now there is probably a lot of junk mail and phone calls going to 1642 Slackware Ave, Retro, CA (111)222-3334...

    I can't remember putting in real information in a long time... actually the last time I put in that information was when I bought a DeCSS TShirt.

    Toysrus.com sells information even tho they say in the privacy statement they don't? Welp, add another place not to shop to my list. Does anyone publish a listing of companies that don't sell information to other public/private companies anywhere? I'm sure it would be very useful to some.

  • I'm not sure how web bugs are any different than conventional methods of gathering information...Isn't most of the same kind of information about users kept in such mundane tracking systems as the apache access logs? Why do you need a gif image to get the same information you can get at the time of a page request, like IP address and info about cookies? Granted, the 1x1 pixel gif is deceiveing, but can't they get that information without it?
  • Naviant [naviant.com] is another company that purports to track customers across the web. They say they have a database that correlates online personas with physical addresses [naviant.com] (like Double-Click was trying to do) "with over 17.5 million records and hundreds of thousands more coming on file each month." [naviant.com] Their customers [naviant.com] include some pretty big names. I guess I'd be interested in what Interhack could dig up on these guys, too.
  • WebWasher is a personal proxy server that filters out most banner ads and more importantly, 1x1 images. No more web bugs! www.webwasher.com
  • by Jerf ( 17166 ) on Thursday August 03, 2000 @08:31AM (#882896) Journal
    You have an interesting point, but it's backwards.

    In the end, it comes down to "What information can the advertiser extract from the HTTP request to identify me?" This is why things like Junkbuster obfuscate as much of the request as technically possible, including User-Agent.

    When it boils down to it, we don't have to send them anything more then "send me this page". The only other identifiers we must leave behind are the IP address we are recieving at, obfuscatable with a proxy server.

    At this point, the only choice the advertisers will have is to either grant us service, or deny us service, despite the inability to tell who are. If we feed them nothing, they can't pull the information out of the air.

    Denying us service is not likely, either; advertising knowlege is nothing compared to actual profit obtained from a purchased item.

    We don't have to put up with this. When Mozilla comes out, there's a few patches I want to make (like completely blocking the "onclose" event from firing)... maybe a few other hackers making a few other security patches can nail down that browser well enough for actual use. (Block 3rd party cookies, strip out some useless HTTP header information, and put some sandbox-style warnings into other parts of Javascript (like form submission) and you're a lot of the way there... it'd mostly be a matter of selectively removing features, which is usually not so hard :-) )

  • by FascDot Killed My Pr ( 24021 ) on Thursday August 03, 2000 @07:07AM (#882897)
    Do they look anything like this:

    now = new Date();
    tail = now.getTime();
    document.write("<IMG SRC='http://images2.slashdot.org/Slashdot/pc.gif?/ comments. pl,");
    document.write("' WIDTH=1 HEIGHT=1>");
    document.write("<IMG SRC='http://images.slashdot.org/pagecount.gif?/com ments.pl, ");
    document.write("' WIDTH=1 HEIGHT=1>
  • by AlexZander ( 33064 ) on Thursday August 03, 2000 @07:07AM (#882898)
    Someone should write an option into Mozilla or it's ilk to NOT LOAD any image with a height and width of 1. That would stop the web bugging industry at least for a little while, don't you think?
    (web bugs are EVIL)

    Evil never dies -- It just comes back in reruns
  • by cwhicks ( 62623 ) on Thursday August 03, 2000 @08:02AM (#882899)
    First, personal shit should be kept off /., especially by it's authors. Really unprofessional. Secondly, at the very least you should have disclosed your relationships with both people (relatives) and companies (Time City). I know that you must have friends all over the industry, but if you state that at the top of the article, then your girlfriends old boyfriend, would have little to say, and you wouldn't have had to respond.
    And lastly, I hear she liked him better.;)
  • by cwhicks ( 62623 ) on Thursday August 03, 2000 @07:44AM (#882900)
    Bad Moderation Alert: What classifies this as a troll? Is it such comman knowledge what these "webbugs" on /. are?
    Is the person saying something inflametory that they know to be false to get a response? Just because you are satisfied with the explanation, doesn't mean everyone has to be. Or is it that /. is somehow holy and never should be questioned?
    Personally, I've seen these images at the top and was suspicious, and now from the informative responses, I know what they are.
  • by dsplat ( 73054 ) on Thursday August 03, 2000 @07:36AM (#882901)
    I just had a look at Muffin (mentioned in the article). It seems to me that the way to get rid of these invasive tactics is to attack them. Instead of filtering out all cookies and WebBugs, build a filter that returns a standard response. When you are probed for a cookie, return one that contains the GNU Manifesto or a randomly selected file from the Mozilla source.
  • by wrenling ( 99679 ) on Thursday August 03, 2000 @07:15AM (#882902)
    I dont think these companies are even paying attenion to their own policies. In a way, that has to do with the corporate structure as it exists today. These companies are so used to using subcontractors and counting them as part of the 'workforce' that they consider affliates in much the same light.

    It is up to us, the geek consumers, to push back at these companies, voice our concerns, refuse to buy products from them or use their web services. Since they understand best off of their pocketbooks, that is what will get their attention. This is also something that my mom and dad can understand. If I tell them 'the following websites are collecting private information about you' they wont use those sites. They are finally convinced its not the hackers out there that are going to be taking away their privacy, but instead, the government and corporate america.

    Just my two... sleepy thursday cents
  • by fridgepimp ( 136338 ) on Thursday August 03, 2000 @07:32AM (#882903) Homepage
    Slashdot has run numerous stories about the questionable behaivior of DoubleClick and its affiliate sites. In fact, this article aludes to it.

    However, slashdot has been serving DoubleClick ads with increasing frequency of late. NOW, I am NOT suggesting that Slashdot is corrupt or evil. I'm just curious to know whether or not we can expect these adds to behave similarly to the DoubleClick ads that have been described in previous stories.

    If so, doesn't that fall into the "web bug" catagory. Why hide it in a 1x 1 GIF when it's right there in a DoubleClick ad?

    Anyway, I'm just curious. I posted this on the root level of the story and have already been modded down to -1. So moderators, do your worst. I'm just looking for an answer, not a flame war.

  • by Anonymous Coward on Thursday August 03, 2000 @08:23AM (#882904)
    You're aware, of course, that this breaks a lot of Web sites?

    Simple fix:
    ln -sf /dev/null ~/.netscape/cookies
    Your cookies will all be accepted and valid while they remain in memory (that is, as long as you keep the web browser open), but will be flushed every time you close netscape -- giving you the best of both worlds.


  • by Hemos ( 2 ) on Thursday August 03, 2000 @07:25AM (#882905) Homepage Journal
    Please see my reply above, in which I answered the same questions.

    The basic problem is that a huge percentage of advertisers outsource their advertising operations to DoubleClick. To have them advertise, you grab images off of DoubleClick. That's not anything we have control, unfortunantely, as that's the advertisers choice to go through DBL. I wish it were otherwise.
  • by JohnZed ( 20191 ) on Thursday August 03, 2000 @07:27AM (#882907)
    Profiling is an incredibly important tool to promote good customer service! We shouldn't do away with it because it COULD constitute a violation of privacy. That's like saying that we should do away with telephones just because they allow telemarketers to invade our privacy (try caller id).
    Amazon, for instance, tracks all of my purchases, and, in return, gives me the only useful product recommendations I've seen on any commercial web site. Other sites could track my reading patterns (within their own site, not across others!) to figure out what types of articles actually interest me so that they can provide better content in the future. They need to plant a cookie on my browser to do that tracking, and they may even benefit from demographic information from me (to see what 20 year-old white males like to read), but they never need to know my real name, address, or phone number.
    For me, the biggest privacy concern is spam and telemarketing. I WANT people to get enough data about me to serve banner targetted ads, because those are more likely to be interesting to me (I might buy a boxed copy of Enhydra, but I probably won't buy a copy of Cosmopolitan), as long as they don't invade my Inbox with those ads.
  • by juniorbird ( 74686 ) on Thursday August 03, 2000 @08:07AM (#882908) Homepage
    Not only does this Web designer use one-pixel gifs... pretty much every Web designer does. The reason is that browsers suck. Theoretically, by using CSS, visual presentation of information can be managed. But CSS support is horrible -- only IE 5 for Mac really has it (among released browsers at this point).

    So Web designers are forced to use HTML for visual presentation of information (no, just putting it in a simple list isn't good enough -- 400 years of learning how to effectively present information says otherwise. See Edward Tufte's works FMI). And the only way to do that is to micromanage detailed issues like spacing.

    But all that's moot. The worst part about this whole article is that the companies are lying to their customers about how their information is being used. There is almost no way an educated user, without the benefit of infinite time and tools, could have known to protect him- or herself from this information theft. That's why Truste needs to sue and the FTC needs to get involved. Personally, I think that the companies who did this need to be permanently banned from having a Web presence in order to set an example, but I don't know how that could be done legally.

    You can do something: opt out
    http://www.coremetrics.com/opt_out_ options.html [coremetrics.com]
  • by jamiemccarthy ( 4847 ) on Thursday August 03, 2000 @07:14AM (#882909) Homepage Journal
    I knew someone would bring this up (trolls have been spamming our comments with it). I'll just post the same info I posted to another thread yesterday:

    Please note that all these images come from slashdot's own servers. They're pagecounter images. I'll just forward along the email I got from Richard M. Smith, the guy who coined the term "web bug" [tiac.net], when I asked him about it:

    Date: 7/2/00 3:00 PM
    Received: 7/2/00 11:59 AM
    From: rms2000@bellatlantic.net (Richard M. Smith)
    To: jamie@mccarthy.org (Jamie McCarthy)

    Yep, to really be a Web Bug, the IMG tag must come from
    another domain. I'll need to make this clearer in the
    next revision of the FAQ. Now, if I can just find the time to
    keep my Web site up to date...... ;-)

    Jamie McCarthy

  • by FPhlyer ( 14433 ) on Thursday August 03, 2000 @07:20AM (#882910) Homepage
    Let's face it. The days of the Internet being a free-for-all are over. Corporations are going to find ways to collect demographic and personal data. Trying to legislate this out of existance is like trying to legislate Napster and Gnutella out of existance: It isn't going to happen.

    The best you can do is write a browser plug-in that will reject such data and prevent the corporation from gaining any valuable data from your visit.

    No amount of legislation can stop this kind of thing. If you ban companies from collecting data like this in the United States, they will simply move their servers outside the border and continue to do business as usual.

    In the information age, it is no longer the job of government to protect our privacy - they can't, it's an insermountable job. The only way to protect online privacy is to do it yourself.
  • by AJWM ( 19027 ) on Thursday August 03, 2000 @08:40AM (#882911) Homepage
    Mostly I avoid the problem by using a filtering proxy (eg Internet Junkbuster), but just for kicks sometimes I'll skip that, collect a few cookies then go and edit my cookies.txt file.

    Interesting things to do with entries in the cookies file:
    - randomly change some of the ID numbers -- let them think you're somebody else (or nobody)
    - if there's a timestamp, change the date to something bogus -- 1956, or 1842, or 2003. Maybe somebody's database will break.
    - insert really really long strings of random characters (or numbers if numeric) into the cookie values -- maybe it'll overflow a buffer somewhere.
    - add a few hundred or thousand bogus cookie entries for some domains, maybe the cookie eater will choke.

    How much of this actually adversely affects the cookie server I don't know -- not my area of expertise -- but it at least screws up their tracking somewhat. You want cookies? Here, I'll give you cookies....

  • by (-)erd of (ats ( 218158 ) on Thursday August 03, 2000 @07:17AM (#882912) Homepage
    I don't see a big deal; These companies decided to outsource their traffic analysis. While the capability surely exists for Coremetrics to track users across websites, a'la Doubleclick, their customers would be terribly pissed.

    Personally, I don't see the issue of online tracking as being more than 'a tempest in a teapot'. Those that do not wish to be tracked can surely disable it, and the tracking companies and user data mining companies will continue to make money off the mindless drones that populate the net.

    It's always been 'buyer beware'. What is so special about the net that it no longer applies? So the tracking is easier to do, and easier to analyze, and there is more of it, and it is more meaningful; Do you honestly think your bank, the telephone company, and the credit agencies aren't selling your spending habits to marketers?

If all the world's economists were laid end to end, we wouldn't reach a conclusion. -- William Baumol