> This transaction breaks a core promise using the internet: just because I visit a website doesn’t mean I consent to getting spam from it.<p>No it doesn't. There is no core privacy premise of the internet, and certainly not one that everybody who used it signed up for.<p>I'm not condoning this behavior, but we're in territory that we don't have prior art for. It used to be totally fine for one shopkeeper to mention to another that he saw a customer looking for a particular item. When you do it at scale, the old rules don't apply.<p>If you think it's spam, hit the spam button in gmail and get rid of it. Use an adblocker. Talk to your congressman about data privacy and sharing laws, because we don't have anything that's effective. Frankly, continue to write Medium posts, because it raises awareness :) But, I disagree with the notion that this is a solved problem with bad actors, because we're in unknown waters.
I once had something similar, if not worse, happen.<p>I was researching some network equipment, looking at lots of websites and comparing products.<p>Then my desk phone rings. A call being passed from the switchboard - someone asking for the person responsible for IT purchasing.<p>It was a sales rep from a network equipment distributor, saying they noticed I was browsing their website and wanted to help me through the purchasing process.<p>I had never used their website in the past. No-one from my company had. I never signed up. I didn't login. I was bewildered.<p>I asked how they got my details. The rep said they pay a third party remarketing agency for contact details of people who visit their website.<p>We were a really small company, with no DNS PTR on our main (NAT'd) public IP. We did have an A-record for our mail domain pointing to this IP.<p>As the sales rep didn't know my name, all I can assume is that their remarketing agency was looking up our public IP addresses in some IP-to-business database, populated by email headers or sign ups at other user sites.<p>In any case, I wasn't pleased and was pretty surprised at the rather aggressive sales technique.
I've been getting more spam lately from "legitimate" companies. One of my email addresses leaked from a major open source project I corresponded with. Harvesters found it and now sell it to every small business and entrepreneur marketer you can think of. I get spam from CDNs, off-shoring companies, SEO/SEM, marketing, you name it.<p>Lots of them use sketchy services like reply.io to make it seem like a real person sent the email. And then another that looks like a reply to the first when you don't respond. And then another and another. Like Katie Malone at HawkSEM.com who 'personally' spammed me another 'reply' today. Essentially, folks like reply.io and similar automate the process of repeat spamming. Even their tag line is "Send Cold Emails That Feel Warm".<p>Here's a reality check for you: sending "cold emails" to a list of email addresses you bought makes you a spammer. Even if you try to make them appear personal. The giveaway is the tracking image (usually hidden or 1px by 1px white of course) and tracking links in every email so they can track whether you opened it and whether you clicked anything along with the unsubscribe link at the bottom. Except they don't label it as unsubscribe. It says "If you don't want to get any more emails from me, just let me know." with 'just let me know' as a link.<p>Be sure to mark every email like this you receive as spam so you don't get any more and so their reputation decreases enough to route all of this spam to everyone's spam folders.
I've had several companies ("data partners" they call themselves) approach us to add these scripts to our websites. All of the ones I've seen use MD5(email) for the "anonymous hashing". I mentioned our privacy policy doesn't allow us to give out user emails, and their marketing guys never seem to understand that MD5(email) is basically the same thing. I even made a video example <a href="https://www.youtube.com/watch?v=ViCjzJpEaJw" rel="nofollow">https://www.youtube.com/watch?v=ViCjzJpEaJw</a> that failed to convince them.
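The point made in the comment above about MD5(email), as an added example (not code from the commenter or from any "data partner"): an unkeyed hash of an address is a stable identifier that any two parties can join on and that anyone holding an address list can match, while a keyed token with a per-site secret is not. The trim-and-lowercase normalization, the addresses and the keys are constructed assumptions.

```python
import hashlib
import hmac


def normalize(email):
    # Assumed normalization (trim + lowercase); the page does not specify one.
    return email.strip().lower()


def md5_token(email):
    """The 'anonymous hashing' described in the comment: plain MD5 of the address."""
    return hashlib.md5(normalize(email).encode("utf-8")).hexdigest()


def keyed_token(email, site_key):
    """HMAC-SHA256 under a secret that only one site holds."""
    return hmac.new(site_key, normalize(email).encode("utf-8"),
                    hashlib.sha256).hexdigest()


def match_known(token, known_addresses, token_fn):
    """Return the address in known_addresses whose token equals `token`, else None."""
    for addr in known_addresses:
        if hmac.compare_digest(token_fn(addr), token):
            return normalize(addr)
    return None


def demo():
    # Constructed sample data: the same visitor seen by two unrelated sites.
    visitor = "Alice@Example.org "
    site_a = md5_token(visitor)
    site_b = md5_token("alice@example.org")

    # Any party that already holds a list of addresses can compute the same hash.
    mailing_list = ["bob@example.org", "alice@example.org", "carol@example.org"]

    # Constructed per-site secrets that are never shared with partners.
    key_a = b"constructed-secret-for-site-a"
    key_b = b"constructed-secret-for-site-b"
    keyed_a = keyed_token(visitor, key_a)
    keyed_b = keyed_token(visitor, key_b)

    return {
        # Both sites derive the identical token, so records can be joined.
        "md5_linkable": site_a == site_b,
        # The token maps straight back to an address on the list.
        "md5_matched": match_known(site_a, mailing_list, md5_token),
        # Keyed tokens differ per site and cannot be joined.
        "keyed_linkable": keyed_a == keyed_b,
        # Without the key, or with another site's key, nothing matches.
        "keyed_matched_without_key": match_known(keyed_a, mailing_list, md5_token),
        "keyed_matched_wrong_key": match_known(
            keyed_a, mailing_list, lambda a: keyed_token(a, key_b)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The keyed form only helps while the key stays with the site; handing the key to a partner restores the linkability of the unkeyed hash.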
I am really beginning to hate browsing the web these days... Especially poop up dialogs asking for my email as soon as the mouse cursor leaves the active browser screen. With an average of 20 browser tabs open, while one is loading I often go to click on another to check on something, and this instantly triggers a flurry of popups begging me to stay/subscribe.<p>Also the retargeted ads that follow me everywhere now. MOST of them are for companies where I have ALREADY bought something, so they are wasting their ad spend on chasing an existing customer, not a likely prospect.<p>This has made me resolve to try and make the web a less shitty place, one web site at a time - and I have ensured that my web projects absolutely DO NOT have any popups or cross site tracking in there (aside from normal analytics that is only used in house).<p>[I accidentally mis-typed 'pop up' above but LOVE the Freudian slip so will leave it as-is].
This is legal[1] in Europe if you consented to receive marketing emails from "partners" of a website you subscribed to (through an opt-in, not an opt-out checkbox).<p>You subscribe to website X, you opt-in to offers from third-parties, and this allows X to share your e-mail address with Criteo. Then Criteo sends you marketing e-mails for the account of Sears (<i>but</i> they surely don't share any PII with Sears - the e-mail is sent by Criteo).<p>The logic isn't that "browsing Sears is considered as having a preexisting business relationship with them". It's because users opted-in to third-party communications from a website they may have signed up with, back in 2008.<p>Other similar use cases include sending you an e-mail for website X when you browse website Y because they know you are in front of a computer/phone and this increases chances of opening e-mails.<p>Doesn't make it more or less "right" though and it's surely very surprising for users, myself included.<p>(On a tangent, what still looks like a legal gray area to me are the Data Management Platforms (DMP) - everyone shares user data in a big bucket/database provided by a common partner, all users are identified with IDs but not directly with PII, how much data can companies push/pull legally?)<p>[1] Not a lawyer but worked with legal teams on these topics. Laws still differ slightly depending on the European country you're talking about, but the GDPR will soon be unifying data privacy regulations. Right now the French and German Data Privacy regulations are some of the most restrictive ones.
I wrote myself a web application called Tamarind that runs on my web server for managing throwaway mail aliases.<p>"Tamarind" == "Throw-Away Mail Alias Randomization Is Not Defeatable"<p>:)<p><a href="http://www.kylheku.com/cgit/tamarind/tree/README" rel="nofollow">http://www.kylheku.com/cgit/tamarind/tree/README</a><p>I log in with my IMAP4 user name and password, and then get a simple UI with a table of my aliases, and attached memo strings (which can contain URL's that get converted to links). I can edit these, change their order (select multiple, move to top or bottom, etc) create new ones and delete. When I create an alias, it goes "live" instantly, and when I delete one, it goes dead. Dead means that the address is "unroutable" at the SMTP level; it bounces.<p>I keep a few aliases from Tamarind in my wallet, in case I have to hand out an e-mail address in "3D life" to some untrustworthy outfit to be eligible for some promo or whatever.
This is why I own my own domain and have a catch-all email address. When I give a company my email address, I use (companyname)@domain.com.<p>They all forward to gmail; where it is very easy to filter out (companyname)@domain.com once shenanigans like this happen. It's also easy to track down and shame companies for doing this, too.
I feel less paranoid now for my browsing process. Almost everything I search is in an incognito window, from shopping and research to programming and how-tos. And when I'm done with looking for a new dog leash or Python module, I close that window. Only things in my main browser are the regular sites I visit and am logged into (email, HN, reddit etc.)<p>I started this after learning about the filter bubble but I've noticed how helpful it is when searching on Amazon, Wayfair, or Sears. I get non-machine-learned results every time while my wife using her primary browser with cookies often cannot see the same results I do. If I find something on Amazon, I copy-paste the URL without the ?query-string and replace 'www' with 'smile'. It seems like a hassle but it's no different from cleaning your feet before stepping inside the house after playing in the park.<p>This post just highlights that my practice to avoid unpermitted-profile-building-and-linking is for a good reason. I also have my own @example.com domain that I use and have certainly caught companies selling my info. However, even without being emailed, I don't want algorithms to determine what is best for me based on criteria I choose not to share.
It's a little rich to write this complaint on Medium, a site that has been uniquely aggressive about tracking its readers' behavior (it has a script that phones home with your position on the page, and its URLs abuse the fragment identifier to track who you got the link from).<p>If you dislike surveillance capitalism enough to write an essay about it, think about where you're publishing it.
I just love the amazing "Terms of Service" that all of these ad companies have, letting you know that by virtue of loading an HTML page you've consented to have your personal information of ANY caliber spread all over their ad network, their "partners" networks, and to anyone else with a buck and a server, and immediately absolve themselves of any responsibility for what that might mean in terms of information falling into the wrong hands.<p>I can't think of another business that has this kind of insane amount of easy-to-start interaction that results in so much activity and yet can claim zero culpability for any consequences. It's as if you purchased an airline ticket and the ticket came with a 17 page document attached where they spell out that by flying on this aircraft you agree to have tickets pre-planned in your name for 24 other flights, the plane may or may not make a stop off in 6 airports en route to your destination, the pilot occasionally likes to do barrel rolls and loops but he's real good at it so don't worry, and by the way occasionally the engines fall off but you don't get to sue us if anything goes wrong. ENJOY YOUR FLIGHT
You still have third-party cookies enabled?<p>Go to Options in Firefox under Privacy, and set "Accept Third Party Cookies" to "Never".
I just mark all this stuff as spam, including stuff from legit companies that might have tricked me into subscribing to some list.<p>The thing is, I am never, ever interested in receiving marketing emails. Every single time, without doubt, I opt out of marketing emails. So if I receive one it means that one of these things holds true:<p>1. It's just spam<p>2. The website used some dark pattern to trick me into subscribing to something I did not want to<p>3. The website assumed consent and didn't bother asking<p>Guess what -- I'm perfectly fine burning all of this crap with a spam filter. It's a waste of time, and time is my most precious asset.
> Only when we craft the email on behalf of our advertisers, we receive your name, surname and email address from our partners, should you have consented to receive their emails marketing.<p>> Let’s ignore the fact that they assume Sears had my consent (they didn’t).<p>Just a note: I think what Criteo is saying here is that you gave permission to some third party to use your email for marketing purposes and to share it with their "partners", not that you gave Sears permission to use it. But they shared it with Criteo and Criteo shared it with Sears (or sent the email on their behalf) so technically there is "consent". (Of course in practice it's often possible to supposedly give such consent without ever realizing what you're opting into.)
This is why I have the username part of my email address tailored to each site/service I register with. So I have a hackernews@example.org, amazon@example.org, etc. Human beings get my real email though (because it would be weird if I told John Smith to email me at johnsmith@example.org). If people start abusing this (politicians do this a lot), I can just block say timkaine@example.org, and never hear from them or people they've sold and traded my email to.
I was thinking whether or not sending these emails actually helps companies like Sears by bringing in customers, and whether or not (to an extreme) they might depend on them to survive as a profitable enterprise. What came to me as a revelation is that it's irrelevant. If their income relies on bothering everyone who comes across their website, tricking them into clickbaits or spamming them with (possibly malicious) ads, it might mean their services are not enough to justify their existence. As such, I decide not to pity them, and happily continue loving my adblocker.
I'm not going to wait for legislation to fix problems I can fix myself. You don't want this to happen? Make sure you have ad-blocking and third party tracker blocking on. I go a step further and use 'Quick JS Switcher' for chrome. By default JS is off and I only turn it on for sites I want. The percentage of sites that I turn it on for is minuscule. I'm seriously starting to question why this isn't the default setup for any freshly downloaded browser.
I personally switched to the following policy a year or two ago to avoid all this crap:
1) NoScript extension filtering everything except the base domain => no third party scripts are allowed except when I explicitly allow them
2) Cookie Whitelist extension to allow cookies only from domains I choose, only when I need => no third party cookies allowed, ever
3) µBlock in case the webpage tries to load iframe ads
4) a unique email address per service (like amazon.[5 random chars]@mydomain.com) so if all else fails and your address gets in the hands of somebody who should not have it, you know where it came from and can expose them
>>> But until legislation catches up to regulating the negative consequences of retargeting, there may not be much you can do about this besides blocking cookies, ads, and opting out of Criteo’s entire system by submitting your email address here.<p>No no no. Handing over your email address to an online advertiser is a horrible idea. Do not engage them. Blacklist their content, their cookies, via whatever means you want (I use adblock) and be done with them.<p>An article that discusses tracking via online advertising but doesn’t discuss blocking is very suspicious. The most powerful tool against the problem isn't worth even a mention?
"Dear Criteo: You opted in to this box of dead rats we just sent you because you once visited a site that partners with our dead rat promotion service."
Yesterday, after many years, my curiosity finally got the better of me - I started playing World of Warcraft. Since my head is now full of thoughts about MMO, excuse me for saying this:<p>There should be a new class - or race - added to fantasy worlds. The Marketers. More evil than demons, undeader than the Lich King. Their gameplay mechanics would be based around earning gold by draining their own souls, as well as the souls of characters around them. Their primary combat role would be casting annoying debuff spells at everyone around, friend and foe alike.<p>Seriously though, this article basically says that someone out there has reached another level in insidiousness. If it was an MMO, we could at least form a raiding party and get rid of the problem once and for all.
Everyone should use this:<p><a href="http://someonewhocares.org/hosts/hosts" rel="nofollow">http://someonewhocares.org/hosts/hosts</a>
tl;dr: related: Amazon sold (or gave) my secret Amazon email address to third parties without my express consent rather than using their remailers.<p>I have exactly one email address that I use for Amazon, and I've never used it elsewhere for anything else.<p>I occasionally receive emails from vendors (through the vendors' mail servers themselves, not remailed through Amazon per mail headers) at Amazon that I have bought things from (via one-click) as gifts and I am 100% sure I never gave them my email address or replied to any email from them.<p>An example vendor is a large outdoor clothing store that I bought a North Face jacket for a relative from. I'm now on their mailing list. In the ultimate irony, I could just click unsubscribe but it's actually good stuff ;)<p>Thanks, Amazon.
I don't understand why everybody does not block third-party cookies by default. I took a stab at my cookie list and found 300 cookies from advertisers and intel gatherers. I deleted them selectively, but I did not want to go through that again, so I blocked the third-party ones.<p>Some have been explicitly allowed because I trust them, like google analytics. But other google cookies are prohibited, like plus.google.com. Facebook is explicitly blocked. Doubleclick is blocked. Some websites will not work if certain third parties are blocked, so I have to explicitly allow them once I realize the problem.
I've mentioned putting the Winhelp2002 hosts file on my dd-wrt router a few times. I just checked to see if I need to add any specific entries.<p><pre><code> root@router:/tmp# grep criteo hosts0
0.0.0.0 cas.criteo.com
0.0.0.0 dis.criteo.com
0.0.0.0 dis.eu.criteo.com
0.0.0.0 dis.ny.us.criteo.com
0.0.0.0 dis.sv.us.criteo.com
0.0.0.0 dis.us.criteo.com
0.0.0.0 ld2.criteo.com
0.0.0.0 rta.criteo.com
0.0.0.0 rtax.criteo.com
0.0.0.0 sapatoru.widget.criteo.com
0.0.0.0 sslwidget.criteo.com
0.0.0.0 static.criteo.net
0.0.0.0 static.eu.criteo.net
0.0.0.0 widget.criteo.com
0.0.0.0 www.criteo.com
</code></pre>
Apparently not.<p>Deets: <a href="https://ello.co/dredmorbius/post/v9l7zvlyynvl1pskbwssmq" rel="nofollow">https://ello.co/dredmorbius/post/v9l7zvlyynvl1pskbwssmq</a><p><a href="https://www.dd-wrt.com/wiki/index.php/Ad_blocking" rel="nofollow">https://www.dd-wrt.com/wiki/index.php/Ad_blocking</a>
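The check done with grep in the comment above, extended as an added example (not the commenter's code): it parses a hosts-format blocklist and reports, for each hostname you have observed, whether it is actually sinkholed. A hosts file matches exact names only, so a listed subdomain does not cover its parent or its children. The sample file layout and the observed names are constructed; the criteo entries in it are a subset of the grep output.

```python
# Addresses that make a hosts entry act as a block rather than a real mapping.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}
# Standard loopback names that share a sink address but are not block entries.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample in hosts-file format.
SAMPLE_HOSTS = """\
# constructed sample blocklist
127.0.0.1 localhost
0.0.0.0 cas.criteo.com
0.0.0.0 dis.criteo.com   # inline comment
0.0.0.0 static.criteo.net widget.criteo.com
192.168.1.10 nas.home.example
"""


def canonical(name):
    """Lowercase and drop a trailing root dot so comparisons are exact."""
    return name.lower().rstrip(".")


def parse_blocked(hosts_text):
    """Return the set of hostnames mapped to a sink address."""
    blocked = set()
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip full-line and inline comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or fields[0] not in SINK_ADDRESSES:
            continue  # malformed line or an ordinary address mapping
        blocked.update(canonical(n) for n in fields[1:])
    return blocked - LOOPBACK_NAMES


def audit(hosts_text, observed_names):
    """Classify each observed hostname against the blocklist.

    blocked      - the exact name is listed
    related-only - a parent or child of the name is listed, which a hosts
                   file does NOT treat as a match
    not-listed   - nothing related is listed
    """
    blocked = parse_blocked(hosts_text)
    report = {}
    for name in observed_names:
        n = canonical(name)
        if n in blocked:
            report[n] = "blocked"
        elif any(b.endswith("." + n) or n.endswith("." + b) for b in blocked):
            report[n] = "related-only"
        else:
            report[n] = "not-listed"
    return report


if __name__ == "__main__":
    # Constructed list of names, e.g. taken from a resolver query log.
    seen = ["static.criteo.net", "criteo.com",
            "New.Widget.criteo.com.", "example.org"]
    for host, status in audit(SAMPLE_HOSTS, seen).items():
        print(f"{status:13} {host}")
```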
From the Article:<p><pre><code> I am signed up to some platform which is a Criteo partner. It’s entirely unclear
who this partner is. While Criteo boasts a “close partnership” with Facebook,
Facebook claims that they do not share personally identifying information such as
your email address with ad partners. Regardless, a platform with my email address
gave it to Criteo.
</code></pre>
This issue is <i>exactly</i> why I use specific email addresses for each website. I tend to follow the pattern <websitename>@mydomain.com. That way if a site leaks my email address to spammers (either intentionally or accidentally) I know which site it was, and immediately boycott them in future and move that email address into a blacklist.<p>For big sites I cannot boycott, I simply register a new email address with them (i.e. <website><number>@mydomain.com), and move the original into the blacklist.<p>As I run my own on-premises email system, I can't benefit from crowd-managed spam systems, so keeping a lid on the incoming spam is very much a pro-active action for me.
>The CAN SPAM act actually allows direct marketing email messages to be sent to anyone, without permission, until the recipient explicitly requests that they cease (opt-out).<p>Isn't this the root problem here? It is hard to see how you could even start to fix this sort of thing without fixing the spam law first.
I've been using a catch-all email domain for years where anytime I give out an email address, the local part is a description of the party receiving the address (e.g. bestbuy.com@mydomain.com).<p>If I receive spam at a particular address, it's easily blocked and I know who leaked it.<p>An interesting side effect of receiving email from so many different addresses to the same inbox is that I often receive the same spam to multiple addresses simultaneously. This is easily caught by spam filters and so I never have Spam in my inbox. It also makes identifying false positives in my Spam box easy because they usually stand out against the repeated subject lines so it's a simple game of which one of these is not like the others.
uBlock origin plugin. Globally disable 3p resources for all pages. Manually greylist CDNs only for sites.<p>Browsing the web any other way is for schnooks.
My wife's cousin had something like this happen to her two years ago when she was planning her wedding.<p>She browsed a few specialist wedding sites for inspiration and when she went to some well known retail sites to start pricing things they seemed to know she was getting married and promoted wedding goods and services on their front page to her.<p>It freaked her out no end. I suggested a few plugins that seemed to put a stop to it. But a few weeks later she did start getting wedding related snail mail spam.<p>It's very creepy, especially after the whole Target teenage pregnancy thing.
On a somewhat related note and what I thought the article was going to be about, what is going on with the phenomenon of HTML 5 light boxes loading when you are barely a few seconds into reading a page asking you to "sign up for the newsletter." This trend is out of control. If you were browsing shelves in a grocery and someone came and stood between you and the book you would want to punch them.<p>Does annoying people into something actually work? I feel like it must since it's so prolific.<p>I wish there was a way to block these.
Privacy Badger is pretty good at blocking things like this -- it watches out for domains that are third-party for more than one site, and blocks requests to them. Does require some tweaking for genuine CDNs (and indeed comes with a yellow-list of common domains that will receive requests but not cookies) but generally very useful.<p><a href="https://www.eff.org/privacybadger" rel="nofollow">https://www.eff.org/privacybadger</a>
Am I paranoid in assuming their "opt out" system is basically probably an "opt in"?<p>Related: I know that it's possible to "opt out" via the Direct Marketing Association communications (<a href="https://dmachoice.thedma.org/" rel="nofollow">https://dmachoice.thedma.org/</a>), but have thus far not done this as I assume I'll just get more junk mail.
More directly - if you want your precious content/resources to make you money, make sure you send the bits over an authenticated & paid account.<p>Not behind an overlay, or with an adblock redirector or when the user-agent has 'googlebot' in it.<p>If you send the bits over, then I may consume them with no additional payment, whether via ads or mailing-list or account signups.
I talk a lot about this stuff with a friend doing sales operations at a hyper-growth startup in SF. With Criteo, tools like Reply.io and others he thinks we're going to see an event horizon where recipients of spam say enough is enough and online privacy finally becomes 'cool'.
I know there are a couple of solutions out there, but what exactly is stopping the main email providers from offering on-demand proxy addresses for one's main account? I think there is a legitimate demand for it, but not enough to actually sign up for yet another service.
He talks about the legality of sending the spam, but what about the legality of the partner he is really subscribed to that shared his information with a 3rd party? IANAL but AFAIK that wouldn't be legal in most countries.
What I usually do is reply to their spam e-mail on a support mail address and ask them to stop sending me spam: waste their time the same way they waste my time... if everyone would do that the problem would be solved.
The real problem here is not the chain of marketing tech that allowed this, the issue is that the marketing message itself sucked. If the message was valuable, many people wouldn't have been bothered by receiving it.<p>As for the message itself, if their intent is to sell you that specific item you searched for, they should say so. Of course, they need to avoid the creepy-factor, which, along with laziness are the two reasons they may have ended up with the junky message you received.
Please. There is no core privacy premise of the internet. The core premise of the internet is one protocol to deliver meshed knowledge to any computer. And the commercial possibilities of the internet are what have underwritten the growth of the network.<p>Reactions like this one make me think: <i>entitled.</i><p>But they also make me think: <i>unrealistic.</i> How much should hypertargeted ads really bother us? Call me when they are using my bank account and medical records to show me ads. Not my browsing history, over whose exposure I have complete control, and which doesn't really expose very much about me or my family.