
Browsing your website does not mean I want your spam - davezatch
https://medium.com/art-marketing/browsing-your-website-does-not-mean-i-want-your-spam-3821267e902
======
trjordan
> This transaction breaks a core promise using the internet: just because I
> visit a website doesn’t mean I consent to getting spam from it.

No it doesn't. There is no core privacy premise of the internet, and certainly
not one that everybody using it signed up for.

I'm not condoning this behavior, but we're in territory that we don't have
prior art for. It used to be totally fine for one shopkeeper to mention to
another that he saw a customer looking for a particular item. When you do it
at scale, the old rules don't apply.

If you think it's spam, hit the spam button in gmail and get rid of it. Use an
adblocker. Talk to your congressman about data privacy and sharing laws,
because we don't have anything that's effective. Frankly, continue to write
Medium posts, because it raises awareness :) But, I disagree with the notion
that this is a solved problem with bad actors, because we're in unknown
waters.

~~~
sp332
This is really pushing the boundaries of the CAN-SPAM act. You're not allowed
to send unsolicited emails. You shouldn't be allowed to pretend that visiting
a site is a solicitation.

Edit: I misunderstood the mechanism of collecting the addresses. This isn't
skirting "unsolicited mail", but it is circumventing the ban on harvested
email addresses.

~~~
actsasbuffoon
California and New Jersey have laws that go above and beyond the protections
outlined in CAN-SPAM. I used to work for a company that sent spam (I swear, I
didn't know until after I'd already accepted the job), and we avoided sending
to those states. If more states would adopt laws like this, we could
dramatically curtail spam.

As for what constitutes solicitation, I wish it was that simple. In some
instances, companies will buy your email address from another company, and
they believe that constitutes consent. In other words, you did business with
Company Foo, and I did business with Company Foo, so you consented to do
business with me. It's insane.

Having been inside one of these businesses, I have three pieces of advice.

First: Mark spam emails as spam when you see them. You only have to get a few
of your messages marked as spam to get your IP address blacklisted. You have
far more power over spammers than you think. Not only that, but spammers fear
this so much that they keep databases of complainers, and they'll leave you
alone in the future. Sometimes they'll even share lists of complainers with
other companies so they won't risk your wrath.

Spam companies love non-complainers. Even if you don't open the spam, not
complaining helps their numbers with the email provider. By not complaining,
you're sending a signal to your email provider that this is a good email, and
other users would like to receive it. Not only that, they'll remember you as a
person who can be relied upon to not complain, so you'll get more spam than
other people.

Second: Read EULAs. We did business with some super-shady companies who sold
us tons of really invasive user info. One company even sold us the contents of
people's email. Not just meta data, we could actually read the content. They
don't mention any of this on their site, but it's subtly stated in the EULA.
Read them and check for references to sharing your data with business
partners.

I've steered clear of some browsers and email clients as a result of vague
EULAs that leave the potential for harvesting my data and selling it.

Third: This one is going to be unpopular on Hackernews, but the best way to
avoid being fingerprinted by advertisers is to block JavaScript by default.
There are bajillions of ways to uniquely identify your computer, right down to
having your browser report which fonts you have installed. Almost every single
technique relies on Flash, Java, or JavaScript. Ad-blockers help, but they
don't catch everything.

I use NoScript to turn off JavaScript by default, and I only enable a site if
it seems legitimate and the site is broken without it.

Here's a terrifying list of the things advertisers can do to uniquely identify
you without consent and without a cookie. As the article says, disabling
JavaScript by default is by far the most effective method for protecting
yourself from fingerprinting:
[https://wiki.mozilla.org/Fingerprinting](https://wiki.mozilla.org/Fingerprinting)

It's a little inconvenient, but good security always is. The locks on your
front door are inconvenient (what if you lose your key?), but hopefully
they're even more inconvenient for would-be intruders.

~~~
Karunamon
_the best way to avoid being fingerprinted by advertisers is to block
JavaScript by default._

Leaving aside the sheer amount of _stuff_ this will break, you're serving to
identify yourself in another way, but perhaps not to an advertiser.

Given the average website, the number of people using a real web browser (i.e.
not bots, curl, wget, etc) who don't run JS is going to be absolutely
minuscule.

It's kind of like turning on Do Not Track - most people have it off, so you're
highlighting yourself by turning it on.

~~~
tombrossman
This topic comes up a lot on HN and my response is always the same. Try
NoScript again. Give it a day or two and whitelist the sites you use a lot and
trust. You will have a stunningly faster browsing experience and the number of
sites that don't work will be surprisingly small.

We have passed a tipping point where all the annoying bullshit that depends on
JavaScript to function far outnumbers the random websites that NoScript
breaks. LONG time user of it and I just don't have much trouble browsing. It
makes the web insanely fast and eliminates most annoyances.

~~~
TeMPOraL
Hear, hear.

I've been using uMatrix for some time (I'm a control freak, I guess) and I
support this - you end up whitelisting a few sites here and there (or even
just some aspects of those sites, in case of uMatrix), and the Internet
becomes overall a much better (and faster) place. The amount of useless JS
bloat on-line is staggering, and it hurts me that _developers_ are actually
defending this practice. Engineers should know better.

------
davb
I once had something similar, if not worse, happen.

I was researching some network equipment, looking at lots of websites and
comparing products.

Then my desk phone rings. A call being passed from the switchboard - someone
asking for the person responsible for IT purchasing.

It was a sales rep from a network equipment distributor, saying they noticed I
was browsing their website and wanted to help me through the purchasing
process.

I had never used their website in the past. No-one from my company had. I
never signed up. I didn't login. I was bewildered.

I asked how they got my details. The rep said they pay a third party
remarketing agency for contact details of people who visit their website.

We were a really small company, with no DNS PTR on our main (NAT'd) public IP.
We did have an A-record for our mail domain pointing to this IP.

As the sales rep didn't know my name, all I can assume is that their
remarketing agency was looking up our public IP addresses in some IP-to-
business database, populated by email headers or sign ups at other user sites.

In any case, I wasn't pleased and was pretty surprised at the rather
aggressive sales technique.

~~~
akg_67
In the early 2000s, as a B2B Product Manager, I implemented a similar customer
outreach program. We would reverse-lookup the name associated with the visitor's
IP address and then look into our own sales contact database for contacts in that
company. Depending on contact quality, we would reach out to them using phone,
email or a personal visit from a sales rep in the area.

A few times, we decided to hold 'lunch-and-learn' type in-person events in a
region based on the regional concentration of IP addresses from prospect
companies and search queries from those regions to tailor our presentations.

~~~
wpietri
Wow. Any vendor doing this to me goes on a perma-ban list. If they don't
respect me before the sale, I'd have no reason to think they'd respect me
after.

~~~
akg_67
Why do you think the proactive customer outreach is "not respecting you"?

I view it as providing high level of customer service, before and after sales,
in B2B space. It is no different than Amazon displaying related products that
you might be interested in or Netflix showing you a queue based on your past
viewings, in consumer space.

For example, if a visitor's company produces widgets and, as a vendor, we have
previously helped other producers of the same widget, it is in both our and the
visitor's interest to share such and related information. Similarly, a visitor
from an existing customer might be searching for a solution to her problem
with the vendor's product and doesn't believe the problem is big enough to
warrant a support/service call or it is a user and not administrator/manager
of the product. A proactive engagement by vendor support group goes a long way
in understanding the potential user issues with product, a valuable insight
for future product enhancements.

In B2B settings, sales cycles are long and require a lot of information exchange
between various stakeholders within the potential customer. Both vendor and
potential user of the product inside the company (who might become internal
champion of solution) benefit by building the relationship early, quickly and
efficiently.

IMO, this is the main reason for DropBox failure in penetrating the enterprise
despite its high usage by individual users within enterprise. Delays in
engaging enterprise users allowed Box to get in to enterprise accounts by
targeting decision makers and overriding individual users' preference.

~~~
wpietri
The part I find deeply disrespectful, even more than the hella creepy privacy
violations, is your notion that I'm incompetent to decide for myself who I
need to talk to.

It's not like your web site is hiding the phone number or lacking in other
ways for me to contact you. If I look at your website and don't use them, I
have decided not to talk to you. It's essentially disrespectful for you to say
"Oh, you poor fool, you don't know what you're doing. Clicking once is too
hard for you. I'd better call you right away."

And then once the phone rings, we're off to the races with a host of
manipulative sales tactics. Whee! Just how I wanted to spend my afternoon.

You try to wrap this manipulation up in the language of helping. But when you
sing the praises of "build[ing] the relationship early, quickly and
efficiently", you ignore that only one relationship is going to get built; the
rest is just a giant waste of time, the very opposite of efficiency. And your
last paragraph really gives away the lie. The point of the techniques isn't to
help the customer. It's to allow the vendor to dominate a market without
respect to actual product quality.

~~~
lunchables
Perfectly said. Thank you!

~~~
wpietri
Thanks. As a kid, I'd read my grandfather's real estate sales manuals and I
always found them both fascinating and horrific. The hacker in me always
appreciates good technique. But there was just no getting around the fact that
it was all about manipulating other people into doing whatever got you paid.

In a way, I feel bad for akg_67 and people like him. Our morals too easily
conform to our jobs. As Upton Sinclair says, "It is difficult to get a man to
understand something when his salary depends upon his not understanding it." I
was lucky enough to see the problem young, and lucky again that I could afford
to make my living some other way. But there are a lot of people stuck in these
ethical traps. I wish there were more ways out for them.

~~~
dredmorbius
Do you recall any details of those manuals? Company-specific stuff, or
National Association of Realtors (NAR) stuff?

What time period?

~~~
wpietri
This would be late 70s/early 80s. My memories are hazy, but I suspect it was
third-party stuff.

~~~
dredmorbius
Thanks. Sounds pretty bog standard for sales, but dovetails in with some
related stuff I'm looking at.

Sales is a very telling counterpoint to economic "free market" theory.

~~~
wpietri
Yes, definitely.

I look at sales and advertising as an arms race. If nobody did it, we would be
fine, especially now when publishing is free and search is incredibly good.
But if anybody does it, all their competitors are obliged to keep up.

The free-market equilibrium is obviously wasteful. I'm sure we could save a
half-trillion dollars a year if we eliminated this sort of arms race. I'd
expect free market advocates to be excited about this because it would also
remove a great deal of market distortion, allowing market mechanisms to work
better. Their lack of interest I take as a tell: what really motivates them is
not free markets.

~~~
dredmorbius
Quite.

I'm doing some research on Edward Bernays again. Absolutely fascinating and
revolting creature.

If you've not seen Adam Curtis's _The Century of the Self_ , do.

I also think that Free Markets are a smokescreen, though I'm not sure all
those using as such realise it. I'm fairly convinced the main propaganda
ministers -- the Mont Pelerin Society, Atlas Network, Cato, etc., do. Johan
Norberg is their currently anointed Prince of Darkness.

------
JohnTHaller
I've been getting more spam lately from "legitimate" companies. One of my
email addresses leaked from a major open source project I corresponded with.
Harvesters found it and now sell it to every small business and entrepreneur
marketer you can think of. I get spam from CDNs, off-shoring companies,
SEO/SEM, marketing, you name it.

Lots of them use sketchy services like reply.io to make it seem like a real
person sent the email. And then another that looks like a reply to the first
when you don't respond. And then another and another. Like Katie Malone at
HawkSEM.com who 'personally' spammed me another 'reply' today. Essentially,
folks like reply.io and similar automate the process of repeat spamming. Even
their tag line is "Send Cold Emails That Feel Warm".

Here's a reality check for you: sending "cold emails" to a list of email
addresses you bought makes you a spammer. Even if you try to make them appear
personal. The giveaway is the tracking image (usually hidden or 1px by 1px
white of course) and tracking links in every email so they can track whether
you opened it and whether you clicked anything along with the unsubscribe link
at the bottom. Except they don't label it as unsubscribe. It says "If you
don't want to get any more emails from me, just let me know." with 'just let
me know' as a link.

Be sure to mark every email like this you receive as spam so you don't get any
more and so their reputation decreases enough to route all of this spam to
everyone's spam folders.
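
The giveaways listed in this comment (a hidden or 1px image, tokenised links, an opt-out link that is not labelled as one) can be checked mechanically. The scanner below is an added example, not part of the original comment; the sample HTML is constructed and the token-length and phrase heuristics are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Heuristics chosen for this example (assumptions, not rules from the thread).
OPAQUE_TOKEN = re.compile(r"[A-Za-z0-9_-]{20,}")   # per-recipient ID in a URL
OPTOUT_TEXT = re.compile(r"unsubscribe|opt[ -]?out|let me know", re.I)


def to_pixels(value):
    """Parse '1' or '1px' into an int; anything else is unknown (None)."""
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value or "")
    return int(m.group(1)) if m else None


class EmailScanner(HTMLParser):
    """Collects invisible images and every link together with its visible text."""

    def __init__(self):
        super().__init__()
        self.pixels, self.links = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        if tag == "img":
            w, h = to_pixels(a.get("width")), to_pixels(a.get("height"))
            style = a.get("style", "").replace(" ", "").lower()
            tiny = w is not None and h is not None and w <= 1 and h <= 1
            hidden = "display:none" in style or "visibility:hidden" in style
            if tiny or hidden:
                self.pixels.append(a.get("src", ""))
        elif tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((text, self._href))
            self._href = None


def has_opaque_token(url):
    """True if a path segment or query value looks like a per-recipient ID."""
    parts = urlsplit(url)
    candidates = parts.path.split("/") + [v for _, v in parse_qsl(parts.query)]
    return any(OPAQUE_TOKEN.fullmatch(c) for c in candidates)


def scan_email_html(html):
    scanner = EmailScanner()
    scanner.feed(html)
    scanner.close()
    return {
        "pixels": scanner.pixels,
        "tracked_links": [h for _, h in scanner.links if has_opaque_token(h)],
        "optout_links": [(t, h) for t, h in scanner.links if OPTOUT_TEXT.search(t)],
    }


# Constructed sample body of a "cold email" follow-up.
SAMPLE_HTML = """
<p>Hi, just following up on my last note.</p>
<p><a href="https://track.sender.example/c/9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c">Our pricing</a></p>
<p>If you don't want to get any more emails from me,
<a href="https://track.sender.example/u/0a1b2c3d4e5f60718293a4b5c6d7e8f9">just let
me know</a>.</p>
<img src="https://track.sender.example/o/abc.gif" width="1" height="1" alt="">
<img src="https://sender.example/logo.png" width="120" height="40">
"""

if __name__ == "__main__":
    for key, value in scan_email_html(SAMPLE_HTML).items():
        print(key, value)
```

Blocking remote image loading in the mail client defeats the pixel regardless of whether a scanner flags it.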

~~~
Nagyman
This has absolutely picked up recently! It doesn't help their brand in my
case, as I put them into the "Overly Aggressive Vendor" folder for future
reference when I'm actually looking at purchasing services.

Those reply.io emails that look like they're from a real person are a grey
area of marketing. I think it's deceptive and places undue social pressure to
reply. Sometimes I do reply, but only when I get annoyed. In such cases, I
turn the tables and start trying to sell them adventure travel (G Adventures).
Sadly, we also use Criteo; thankfully adblockers block Tealium tag manager by
default anyway.

When I saw OP's article screenshots, I actually suspected that Criteo had
harvested the email address from the Forgot Your Password screen. This isn't
uncommon – VE Interactive (I've mentioned them before), reads forms for email
address fields and onBlur, they capture it and send marketing emails later. I
_think_ this type of behaviour is supposed to be limited to cart abandonment
situations, but I'll bet an incorrectly configured tag would target all forms.

~~~
JohnTHaller
When I started getting these, I called out the companies that did it. Kisi
(getkisi.com) spammed me a few times and I called them out on it on Twitter
with this tweet: "Hey @KISI - Spamming harvested emails is going to get your
startup the wrong kind of attention." Their response was to block me. And
continue to spam me. I can't imagine doing business with a company like that.

------
r1ch
I've had several companies ("data partners" they call themselves) approach us
to add these scripts to our websites. All of the ones I've seen use MD5(email)
for the "anonymous hashing". I mentioned our privacy policy doesn't allow us
to give out user emails, and their marketing guys never seem to understand
that MD5(email) is basically the same thing. I even made a video example
[https://www.youtube.com/watch?v=ViCjzJpEaJw](https://www.youtube.com/watch?v=ViCjzJpEaJw)
that failed to convince them.
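
Why MD5(email) is "basically the same thing", as an added example that is not from the original comment or from any vendor's script: anyone who already holds a list of addresses can hash that list and join on the result. The addresses, the key and the function names are constructed for illustration.

```python
import hashlib
import hmac


def normalize(address):
    """Matching schemes hash a canonical form so the same address always collides."""
    return address.strip().lower()


def md5_email(address):
    """The "anonymous hash" from the comment: unsalted MD5 of the address."""
    return hashlib.md5(normalize(address).encode("utf-8")).hexdigest()


def keyed_pseudonym(address, site_key):
    """HMAC-SHA256 under a secret that stays on the site.

    Without the key, hashing a list of known addresses produces nothing that
    matches. If the key is handed to the partner, this is no better than MD5.
    """
    return hmac.new(site_key, normalize(address).encode("utf-8"),
                    hashlib.sha256).hexdigest()


def reidentify(shared_ids, known_addresses, hash_fn):
    """Join shared identifiers against a list the recipient already holds.

    Returns {identifier: address} for every identifier that is re-identified.
    """
    lookup = {hash_fn(a): normalize(a) for a in known_addresses}
    return {i: lookup[i] for i in shared_ids if i in lookup}


# Constructed data: the site's users and a list the "data partner" already has.
SITE_USERS = ["alice@example.com", "Bob@Example.org ", "carol@example.net"]
PARTNER_LIST = ["alice@example.com", "bob@example.org", "dave@example.com"]
SITE_KEY = b"constructed-demo-key-kept-on-the-site"


def demo():
    """Return (addresses recovered from MD5 ids, addresses recovered from HMAC ids)."""
    shared_md5 = [md5_email(a) for a in SITE_USERS]
    shared_hmac = [keyed_pseudonym(a, SITE_KEY) for a in SITE_USERS]

    md5_hits = reidentify(shared_md5, PARTNER_LIST, md5_email)
    # The partner does not know SITE_KEY, so the best it can do is guess one.
    hmac_hits = reidentify(shared_hmac, PARTNER_LIST,
                           lambda a: keyed_pseudonym(a, b"partner-guess"))
    return sorted(md5_hits.values()), sorted(hmac_hits.values())


if __name__ == "__main__":
    from_md5, from_hmac = demo()
    print("re-identified from MD5(email): ", from_md5)
    print("re-identified from keyed HMAC:", from_hmac)
```

The join works because the input space is small and public, not because MD5 is a weak hash; an unsalted SHA-256 of the address would match just as easily.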

~~~
pdkl95
> video example

Computerphile recently did a similar example of cudahashcat using a variety of
strategies to break passwords. Their goal is to scare people into using better
passwords, but the principle is identical to de-anonymising emails. Maybe it
can help convince stubborn people?

[https://www.youtube.com/watch?v=7U-RbOKanYs](https://www.youtube.com/watch?v=7U-RbOKanYs)

If nothing convinces the marketing guys, maybe it's time to pull rank and ask
to see the CS degree they are basing their opinion on?

~~~
throwanem
I would be surprised to learn that a CS degree outranks a marketing role in a
lot of organizations responsible for this kind of nonsense.

------
cyberferret
I am really beginning to hate browsing the web these days... Especially poop
up dialogs asking for my email as soon as the mouse cursor leaves the active
browser screen. With an average of 20 browser tabs open, while one is loading
I often go to click on another to check on something, and this instantly
triggers a flurry of popups begging me to stay/subscribe.

Also the retargeted ads that follow me everywhere now. MOST of them are for
companies where I have ALREADY bought something, so they are wasting their ad
spend on chasing an existing customer, not a likely prospect.

This has made me resolve to try and make the web a less shitty place, one web
site at a time - and I have ensured that my web projects absolutely DO NOT
have any popups or cross site tracking in there (aside from normal analytics
that is only used in house).

[I accidentally mis-typed 'pop up' above but LOVE the Freudian slip so will
leave it as-is].

~~~
yAnonymous
> Especially poop up dialogs asking for my email as soon as the mouse cursor
> leaves the active browser screen

I've been thinking of creating a public uBlock filter list for websites with
newsletter overlays/popups...

~~~
lunchables
Please do this. Anyone remember pop-up ads? Notice how every web browser has
an integrated pop-up blocker? They were a thing of the past. So now,
apparently advertisers think we somehow actually wanted pop-up ads all along
and implemented them with CSS overlays.

We seriously need to band together and stop this shit. It is absolutely
infuriating. Who in the world wants to visit a website and then be stopped
with a huge ad to join your stupid fucking mailing list? And I'm sure they
point to their 2% conversion rate as proof that it works. What they don't know
is the other 98% of people cannot fucking STAND it.

------
arnaudlaudwein
This is legal[1] in Europe if you consented to receive marketing emails from
"partners" of a website you subscribed to (through an opt-in, not an opt-out
checkbox).

You subscribe to website X, you opt-in to offers from third-parties, and this
allows X to share your e-mail address with Criteo. Then Criteo sends you
marketing e-mails for the account of Sears ( _but_ they surely don't share any
PII with Sears - the e-mail is sent by Criteo).

The logic isn't that "browsing Sears is considered as having a preexisting
business relationship with them". It's because users opted-in to third-party
communications from a website they may have signed up with, back in 2008.

Other similar use cases include sending you an e-mail for website X when you
browse website Y because they know you are in front of a computer/phone and
this increases chances of opening e-mails.

Doesn't make it more or less "right" though and it's surely very surprising
for users, myself included.

(On a tangent, what still looks like a legal gray area to me are the Data
Management Platforms (DMP) - everyone shares user data in a big
bucket/database provided by a common partner, all users are identified with
IDs but not directly with PII, how much data can companies push/pull legally?)

[1] Not a lawyer but worked with legal teams on these topics. Laws still
differ slightly depending on the European country you're talking about, but
the GDPR will soon be unifying data privacy regulations. Right now the French
and German Data Privacy regulations are some of the most restrictive ones.

~~~
mSparks
Quick vent.

I'd much rather lawyers just kept off the internet entirely.

~~~
mSparks
And for the avoidance of doubt.

That is nothing so much against lawyers, they are essential in the real world
where land is a finite resource.

But the better solution to problems in an environment when CPU ticks are not a
finite resource, and bandwidth is nowhere near capacity are technical and
educational problems, not legal ones.

------
kazinator
I wrote myself a web application called Tamarind that runs on my web server
for managing throwaway mail aliases.

"Tamarind" == "Throw-Away Mail Alias Randomization Is Not Defeatable"

:)

[http://www.kylheku.com/cgit/tamarind/tree/README](http://www.kylheku.com/cgit/tamarind/tree/README)

I log in with my IMAP4 user name and password, and then get a simple UI with a
table of my aliases, and attached memo strings (which can contain URL's that
get converted to links). I can edit these, change their order (select
multiple, move to top or bottom, etc) create new ones and delete. When I
create an alias, it goes "live" instantly, and when I delete one, it goes
dead. Dead means that the address is "unroutable" at the SMTP level; it
bounces.

I keep a few aliases from Tamarind in my wallet, in case I have to hand out an
e-mail address in "3D life" to some untrustworthy outfit to be eligible for
some promo or whatever.

~~~
perlgeek
A public (which also means: no logins) service that offers similar one-time
email addresses is
[http://wasteland.rfc822.org/](http://wasteland.rfc822.org/)

You can use any word @wasteland.rfc822.org as an email address, and then
look into the inbox of the same name, without any password. I tend to use it
for services that want my email address, but from which I don't want any
emails, and don't want to maintain permanent accounts with.

Looking at a mostly random example,
[http://wasteland.rfc822.org/cgi-bin/inbox?inbox=foo](http://wasteland.rfc822.org/cgi-bin/inbox?inbox=foo) it
seems to have received about 20 spam mails and one or at most two legitimate
signup mails.

~~~
kazinator
None of the inbox entries for "foo" are older than a few days; I take it that
these inboxes are purged in a timely manner? [Edit] No; by probing some words
I found inbox items as old as 2013.

------
gwbas1c
This is why I own my own domain and have a catch-all email address. When I
give a company my email address, I use (companyname)@domain.com.

They all forward to gmail; where it is very easy to filter out
(companyname)@domain.com once shenanigans like this happen. It's also easy to
track down and shame companies for doing this, too.

~~~
Bartweiss
Even for Gmail users, the + notation will handle this well. foobar@gmail.com
and foobar+SearsSoldMyEmail@gmail.com will both direct to the same location,
and relatively few resellers have the sense to strip the extra data.

~~~
techsupporter
The problem with the + notation is twofold: First, not all places accept the +
character; second, you've now revealed your _actual_ e-mail address (since
foobar@gmail.com is just as valid as foobar+dontspamme@gmail.com).

I use a subdomain with catch-all, like me.example.com. Everybody is fine with
subdomains and then I can use companyname@me.example.com. Using that format
doesn't expose my actual e-mail address and makes it easy to filter (if match
_companyname_ , immediately bin and never tell me).
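
The per-company alias scheme from this subthread (catch-all `companyname@...` or `+tag`), sketched as a mail triage step. This is an added example, not code from any commenter; the domain `me.example.com`, the sample messages and the "tag must appear as a label of the sender's domain" rule are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

CATCH_ALL_DOMAIN = "me.example.com"   # assumed catch-all subdomain


def alias_tag(recipient):
    """Return the per-company tag encoded in a recipient address, or None."""
    local, _, domain = recipient.lower().rpartition("@")
    if domain == CATCH_ALL_DOMAIN:
        return local                      # companyname@me.example.com
    if "+" in local:
        return local.split("+", 1)[1]     # foobar+companyname@...
    return None


def classify(raw_message, burned=frozenset()):
    """Return (status, tag, sender_domain) for one raw RFC 5322 message.

    ok       - sender's domain contains the tag as a DNS label
    shared   - tagged alias used by a domain that does not match the tag
    bin      - alias was already marked as burned
    untagged - no alias in To/Delivered-To
    """
    msg = message_from_string(raw_message)
    sender_domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    headers = msg.get_all("To", []) + msg.get_all("Delivered-To", [])
    for _, rcpt in getaddresses(headers):
        tag = alias_tag(rcpt)
        if tag is None:
            continue
        if tag in burned:
            return ("bin", tag, sender_domain)
        if tag in sender_domain.split("."):
            return ("ok", tag, sender_domain)
        # A company's own mailing provider can also land here; review before
        # adding the tag to the burned set.
        return ("shared", tag, sender_domain)
    return ("untagged", None, sender_domain)


def triage(messages, burned=frozenset()):
    return [classify(m, burned) for m in messages]


# Constructed sample messages.
SAMPLES = [
    "From: Acme Store <news@mail.acmestore.example>\n"
    "To: acmestore@me.example.com\nSubject: Your receipt\n\nThanks.",
    "From: Deals <deals@retarget-partner.example>\n"
    "To: acmestore@me.example.com\nSubject: Still interested?\n\nHi.",
    "From: Promo <promo@unrelated.example>\n"
    "To: foobar+acmestore@example.org\nSubject: Offer\n\nHi.",
    "From: Someone <x@anything.example>\n"
    "To: oldforum@me.example.com\nSubject: Hi\n\nHi.",
    "From: A Friend <friend@people.example>\n"
    "To: me@example.org\nSubject: Lunch\n\nSee you.",
]

if __name__ == "__main__":
    for status, tag, sender in triage(SAMPLES, burned={"oldforum"}):
        print(f"{status:9} tag={tag!s:10} from={sender}")
```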

~~~
ellisv
> First, not all places accept the + character

Additionally you cannot send an email from foobar+dontspamme@gmail.com. If you
aggressively use the + character for legitimate signups but need customer
support they may not be able to find your account as easily (e.g. "we couldn't
find an account associated with e-mail foobar@gmail.com").

~~~
mnw21cam
> Additionally you cannot send an email from foobar+dontspamme@gmail.com

Um. Why not?

------
chime
I feel less paranoid now for my browsing process. Almost everything I search
is in an incognito window, from shopping and research to programming and how-
tos. And when I'm done with looking for a new dog leash or Python module, I
close that window. Only things in my main browser are the regular sites I
visit and am logged into (email, HN, reddit etc.)

I started this after learning about the filter bubble but I've noticed how
helpful it is when searching on Amazon, Wayfair, or Sears. I get non-machine-
learned results every time while my wife using her primary browser with
cookies often cannot see the same results I do. If I find something on Amazon,
I copy-paste the URL without the ?query-string and replace 'www' with 'smile'.
It seems like a hassle but it's no different from cleaning your feet before
stepping inside the house after playing in the park.

This post just highlights that my practice to avoid unpermitted-profile-
building-and-linking is for a good reason. I also have my own @example.com
domain that I use and have certainly caught companies selling my info.
However, even without being emailed, I don't want algorithms to determine
what is best for me based on criteria I choose not to share.

~~~
softawre
> It seems like a hassle but it's no different from cleaning your feet before
> stepping inside the house after playing in the park.

I mean, you can make that exact argument about every annoying thing you have
to do that wastes 1-5 minutes of your time. But over time, especially as a
software programmer, if you don't automate those away, it really hurts your
productivity.

~~~
chime
The more annoying buying on Amazon is, the more I reduce spending. Win-win in
this specific case.

------
idlewords
It's a little rich to write this complaint on Medium, a site that has been
uniquely aggressive about tracking its readers' behavior (it has a script that
phones home with your position on the page, and its URLs abuse the fragment
identifier to track who you got the link from).

If you dislike surveillance capitalism enough to write an essay about it,
think about where you're publishing it.

~~~
shostack
The page position thing I totally get. They don't care about individual data
there but they want to identify if content is being fully read. It is a big
challenge for any publisher and very important in getting the most engaging
content front and center.

------
FussyZeus
I just love the amazing "Terms of Service" that all of these ad companies
have, letting you know that by virtue of loading an HTML page you've consented
to have your personal information of ANY caliber spread all over their ad
network, their "partners" networks, and to anyone else with a buck and a
server, and immediately absolve themselves of any responsibility for what that
might mean in terms of information falling into the wrong hands.

I can't think of another business that has this kind of insane amount of easy-
to-start interaction that results in so much activity and yet can claim zero
culpability for any consequences. It's as if you purchased an airline ticket
and the ticket came with a 17 page document attached where they spell out that
by flying on this aircraft you agree to have tickets pre-planned in your name
for 24 other flights, the plane may or may not make a stop off in 6 airports
en route to your destination, the pilot occasionally likes to do barrel rolls
and loops but he's real good at it so don't worry, and by the way occasionally
the engines fall off but you don't get to sue us if anything goes wrong. ENJOY
YOUR FLIGHT

~~~
jimsug
The legal enforceability of browsewrap is questionable. Certainly if it's not
prominent enough, it would be a weak argument.

~~~
FussyZeus
The problem is while our metaphorical airline is still able to get away with
this, luggage is getting lost and people are getting killed.

I legitimately would love to see how much identity theft can be traced back to
these fly-by-night companies and their shady ass practices.

------
Animats
You still have third-party cookies enabled?

Go to Options in Firefox under Privacy, and set "Accept Third Party Cookies"
to "Never".

~~~
desdiv
I couldn't find that option under the Privacy menu. Turns out they made it
slightly more complicated now:

[https://support.mozilla.org/en-US/kb/enable-and-disable-cook...](https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences)

------
gwbas1c
This is why gmail has a big fat "REPORT SPAM" button. Shenanigans like this
are SPAM, and should be reported accordingly.

~~~
ashark
Learning to stop worrying about messing up people's ability to deliver email
and just liberally hammer the "REPORT SPAM" button for any email I didn't want
to see anymore improved my email experience substantially. So much faster than
messing with filters.

I also tell Twitter that _every_ ad they show me is offensive. Because they
are.

~~~
eridius
The problem with this is it's easy to start getting legitimate marketing
emails that you signed up for filed as spam, because they look similar to the
marketing emails that you've been reporting. For example, for a while
SpamAssassin decided that every email from the PlayStation store (even receipt
emails) was spam, primarily because they look similar to other emails I've
marked.

~~~
chadgeidel
Even worse - these filters appear to be _global_ and I've spent a good amount
of time trying to un-train some lazy person's "report this (entirely
legitimate) email as spam".

Yes, I am aware this is a fool's errand.

~~~
sib
Agreed - I've recently had a bunch of Amazon _transactional_ emails get spam-
filtered by Google, and I've never marked them as such.

------
sklivvz1971
I just mark all this stuff as spam, including stuff from legit companies that
might have tricked me into subscribing to some list.

The thing is, I am never, ever interested in receiving marketing emails. Every
single time, without doubt, I opt out of marketing emails. So if I receive one
it means that one of these things holds true:

1\. It's just spam

2\. The website used some dark pattern to trick me into subscribing to
something I did not want to

3\. The website assumed consent and didn't bother asking

Guess what -- I'm perfectly fine burning all of this crap with a spam filter.
It's a waste of time, and time is my most precious asset.

~~~
mirimir
Resources like [https://sneakemail.com/](https://sneakemail.com/) are useful
:)

------
tempestn
> Only when we craft the email on behalf of our advertisers, we receive your
> name, surname and email address from our partners, should you have consented
> to receive their emails marketing.

> Let’s ignore the fact that they assume Sears had my consent (they didn’t).

Just a note: I think what Criteo is saying here is that you gave permission to
some third party to use your email for marketing purposes and to share it with
their "partners", not that you gave Sears permission to use it. But they
shared it with Criteo and Criteo shared it with Sears (or sent the email on
their behalf) so technically there is "consent". (Of course in practice it's
often possible to supposedly give such consent without ever realizing what
you're opting into.)

------
jdavis703
This is why I have the username part of my email address tailored to each
site/service I register with. So I have a hackernews@example.org,
amazon@example.org, etc. Human beings get my real email though (because it
would be weird if I told John Smith to email me at johnsmith@example.org). If
people start abusing this (politicians do this a lot), I can just block say
timkaine@example.org, and never hear from them or people they've sold and
traded my email to.

~~~
sneak
This breaks "i forgot my password" links years later when you forget what tag
you used to sign up at some rarely-used service. I stopped doing it.

~~~
robin_reala
Luckily your password manager has remembered which email address you used with
which domain.

------
r721
This is the reason I keep "Block third-party cookies and site data" option
checked in Chrome.

~~~
Sir_Substance
I'm a big fan of "self-destructing cookies" for firefox. It automatically
clears your cookie cache when you leave websites, unless you add exceptions.

~~~
bitchypat
Great extension. The only annoyance is that when I run ccleaner it wipes the
list of sites I want to keep cookies for, so I have to re-add them. But those
extra clicks are definitely worth it.

------
rootlocus
I was thinking whether or not sending these emails actually helps companies
like Sears by bringing in customers, and whether or not (to an extreme) they
might depend on them to survive as a profitable enterprise. What came to me as
a revelation is that it's irrelevant. If their income relies on bothering
everyone who comes across their website, tricking them into clickbaits or
spamming them with (possibly malicious) ads, it might mean their services are
not enough to justify their existence. As such, I decide not to pity them, and
happily continue loving my adblocker.

~~~
robryan
There would definitely be some level of revenue being driven off these. It is
an interesting case where apart from the software it didn't cost them anything
to get the email address, so getting a higher unsubscribe rate doesn't seem so
bad. (As opposed to discounts/ deals/ competitions) you might normally run to
get someone onto a mailing list.

------
joesmo
I'm not going to wait for legislation to fix problems I can fix myself. You
don't want this to happen? Make sure you have ad-blocking and third party
tracker blocking on. I go a step further and use 'Quick JS Switcher' for
chrome. By default JS is off and I only turn it on for sites I want. The
percentage of sites that I turn it on for is minuscule. I'm seriously starting
to question why this isn't the default setup for any freshly downloaded
browser.

~~~
danjc
Surely you must use some SaaS?

~~~
joesmo
Yeah, I whitelist things like github, gmail, etc. But it's a very short list.
Everything else loads without JS by default. I can turn it on with a click if
I want to so it's a minor inconvenience when I reach a site and I need it.
Also, the extension will remember which sites I have turned it on for. I have
< 100 sites whitelisted. YMMV.

~~~
danjc
I haven't really considered how short that whitelist might be but you make a
good point and I'll likely adopt your approach!

------
rapht
I personally switched to the following policy a year or two ago to avoid all
this crap:

1) NoScript extension filtering everything except the base domain => no third
party scripts are allowed except when I explicitly allow them

2) Cookie Whitelist extension to allow cookies only from domains I choose, only
when I need => no third party cookies allowed, ever

3) µBlock in case the webpage tries to load iframe ads

4) a unique email address per service (like
amazon.[5 random chars]@mydomain.com) so if all else fails and your address
gets in the hands of somebody who should not have it, you know where it came
from and can expose them

------
sandworm101
>>> But until legislation catches up to regulating the negative consequences
of retargeting, there may not be much you can do about this besides blocking
cookies, ads, and opting out of Criteo’s entire system by submitting your
email address here.

No no no. Handing over your email address to an online advertiser is a
horrible idea. Do not engage them. Blacklist their content, their cookies, via
whatever means you want (I use adblock) and be done with them.

An article that discusses tracking via online advertising but doesn’t discuss
blocking is very suspicious. The most powerful tool against the problem isn't
worth even a mention?

------
davidgerard
"Dear Criteo: You opted in to this box of dead rats we just sent you because
you once visited a site that partners with our dead rat promotion service."

------
TeMPOraL
Yesterday, after many years, my curiosity finally got the better of me - I started
playing World of Warcraft. Since my head is now full of thoughts about MMO,
excuse me for saying this:

There should be a new class - or race - added to fantasy worlds. The
Marketers. More evil than demons, undeader than the Lich King. Their gameplay
mechanics would be based around earning gold by draining their own souls, as
well as the souls of characters around them. Their primary combat role would
be casting annoying debuff spells at everyone around, friend and foe alike.

Seriously though, this article basically says that someone out there has
reached another level in insidiousness. If it was an MMO, we could at least
form a raiding party and get rid of the problem once and for all.

------
dnh44
Everyone should use this:

[http://someonewhocares.org/hosts/hosts](http://someonewhocares.org/hosts/hosts)

~~~
LoSboccacc
nah it slows windows brutally

~~~
dredmorbius
Park it on your router.

DD-WRT: [https://www.dd-wrt.com/wiki/index.php/Ad_blocking](https://www.dd-wrt.com/wiki/index.php/Ad_blocking)

[https://ello.co/dredmorbius/post/v9l7zvlyynvl1pskbwssmq](https://ello.co/dredmorbius/post/v9l7zvlyynvl1pskbwssmq)

Uses dnsmasq for instant query caching.

------
jamiesonbecker
tl;dr: related: Amazon sold (or gave) my secret Amazon email address to third
parties without my express consent rather than using their remailers.

I have exactly one email address that I use for Amazon, and I've never used it
elsewhere for anything else.

I occasionally receive emails from vendors (through the vendors' mail servers
themselves, not remailed through Amazon per mail headers) at Amazon that I
have bought things from (via one-click) as gifts and I am 100% sure I never
gave them my email address or replied to any email from them.

An example vendor is a large outdoor clothing store that I bought a North Face
jacket for a relative from. I'm now on their mailing list. In the ultimate
irony, I could just click unsubscribe but it's actually good stuff ;)

Thanks, Amazon.

~~~
pdkl95
> exactly one email address that I use for Amazon

This is why I use my entire domain as my email address (i.e. *@example.com is
routed to my inbox). This makes it trivial to hand out a unique address every
time I fill out a form.

If any spam arrives that is addressed to "vendor.com@example.com", it's
obvious who sold their email db. Bonus: it's easy to filter out spam when the
spammer is sending to a unique address.

------
jimsug
And this is why I use uMatrix, despite the little bits of extra hassle I go
through when visiting sites for the first time.

------
nashashmi
I don't understand why everybody does not block third-party cookies by
default. I took a stab at my cookie list and found 300 cookies from
advertisers and intel gatherers. I deleted them selectively, but I did not
want to go through that again, so I blocked the third-party ones.

Some have been explicitly allowed because I trust them, like google analytics.
But other google cookies are prohibited, like plus.google.com. Facebook is
explicitly blocked. Doubleclick is blocked. Some websites will not work if
certain third parties are blocked, so I have to explicitly allow them once I
realize the problem.

------
loup-vaillant
How fitting. I have just received a mail from Medium with no "unsubscribe"
button because I commented on it.

------
dredmorbius
I've mentioned putting the Winhelp2002 hosts file on my dd-wrt router a few
times. I just checked to see if I need to add any specific entries.

    
    
        root@router:/tmp# grep criteo hosts0
        0.0.0.0     cas.criteo.com
        0.0.0.0     dis.criteo.com
        0.0.0.0     dis.eu.criteo.com
        0.0.0.0     dis.ny.us.criteo.com
        0.0.0.0     dis.sv.us.criteo.com
        0.0.0.0     dis.us.criteo.com
        0.0.0.0     ld2.criteo.com
        0.0.0.0     rta.criteo.com
        0.0.0.0     rtax.criteo.com
        0.0.0.0     sapatoru.widget.criteo.com
        0.0.0.0     sslwidget.criteo.com
        0.0.0.0     static.criteo.net
        0.0.0.0     static.eu.criteo.net
        0.0.0.0     widget.criteo.com
        0.0.0.0     www.criteo.com
    
    

Apparently not.

Deets:
[https://ello.co/dredmorbius/post/v9l7zvlyynvl1pskbwssmq](https://ello.co/dredmorbius/post/v9l7zvlyynvl1pskbwssmq)

[https://www.dd-wrt.com/wiki/index.php/Ad_blocking](https://www.dd-wrt.com/wiki/index.php/Ad_blocking)

------
Jaruzel
From the Article:

    
    
      I am signed up to some platform which is a Criteo partner. It’s entirely unclear
      who this partner is. While Criteo boasts a “close partnership” with Facebook,
      Facebook claims that they do not share personally identifying information such as
      your email address with ad partners. Regardless, a platform with my email address
      gave it to Criteo.
    

This issue is _exactly_ why I use specific email addresses for each website. I
tend to follow the pattern <websitename>@mydomain.com. That way if a site
leaks my email address to spammers (either intentionally or accidentally) I know
which site it was, and immediately boycott them in future and move that email
address into a blacklist.

For big sites I cannot boycott, I simply register a new email address with
them (i.e. <website><number>@mydomain.com), and move the original into the
blacklist.

As I run my own on-premises email system, I can't benefit from crowd-managed
spam systems, so keeping a lid on the incoming spam is very much a pro-active
action for me.

------
upofadown
>The CAN SPAM act actually allows direct marketing email messages to be sent
to anyone, without permission, until the recipient explicitly requests that
they cease (opt-out).

Isn't this the root problem here? It is hard to see how you could even start
to fix this sort of thing without fixing the spam law first.

------
cptskippy
I've been using a catch-all email domain for years where anytime I give out an
email address, the local part is a description of the party receiving the
address (e.g. bestbuy.com@mydomain.com).

If I receive spam at a particular address, it's easily blocked and I know who
leaked it.

An interesting side effect of receiving email from so many different addresses
to the same inbox is that I often receive the same spam to multiple addresses
simultaneously. This is easily caught by spam filters and so I never have Spam
in my inbox. It also makes identifying false positives in my Spam box easy
because they usually stand out against the repeated subject lines so it's a
simple game of which one of these is not like the others.
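
The per-service address scheme several commenters describe (a unique local part per site on a catch-all domain) can be checked mechanically. This is an added example, not code from any commenter: `MY_DOMAIN`, the registry, the verdict names and the sample messages are assumptions constructed for illustration.

```python
import secrets
import string
from email import message_from_string
from email.utils import getaddresses, parseaddr

MY_DOMAIN = "mydomain.example"  # assumption: stands in for your catch-all domain


def issue_alias(service_domain, registry):
    """Mint <service>.<5 random chars>@MY_DOMAIN and record who was given it."""
    service_domain = service_domain.lower()
    tag = "".join(secrets.choice(string.ascii_lowercase + string.digits)
                  for _ in range(5))
    alias = f"{service_domain.split('.')[0]}.{tag}@{MY_DOMAIN}"
    registry[alias] = service_domain
    return alias


def classify(raw_message, registry, blocked=frozenset()):
    """Return [(alias, issued_to, sender_domain, verdict)] for one message."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Delivered-To is typically added on receipt; To/Cc are sender-supplied.
    fields = [v for h in ("Delivered-To", "To", "Cc") for v in msg.get_all(h, [])]
    aliases = {a.lower() for _, a in getaddresses(fields)
               if a.lower().endswith("@" + MY_DOMAIN)}
    results = []
    for alias in sorted(aliases):
        issued_to = registry.get(alias)
        if alias in blocked:
            verdict = "reject"          # alias already burned
        elif issued_to is None:
            verdict = "unknown-alias"   # never handed out: guessed address
        elif sender == issued_to or sender.endswith("." + issued_to):
            verdict = "ok"              # sender matches the party it was given to
        else:
            verdict = "leak"            # someone else now holds this alias
        results.append((alias, issued_to, sender, verdict))
    return results


# Constructed sample data (not real traffic).
REGISTRY = {"amazon.k3x9q@mydomain.example": "amazon.com",
            "bestbuy.7hd2m@mydomain.example": "bestbuy.com"}
FROM_VENDOR = ("From: Outdoor Store <deals@outdoor-vendor.example>\n"
               "To: amazon.k3x9q@mydomain.example\n"
               "Subject: New season jackets\n\nBuy now.\n")
FROM_AMAZON = ("From: ship-confirm@mail.amazon.com\n"
               "To: amazon.k3x9q@mydomain.example\n"
               "Subject: Your order has shipped\n\nTracking inside.\n")

if __name__ == "__main__":
    for raw in (FROM_VENDOR, FROM_AMAZON):
        for row in classify(raw, REGISTRY):
            print(row)
```

The `From:` header is forgeable, so an "ok" verdict should be confirmed against the SPF/DKIM results your mail server records. A "leak" verdict means the alias reached a sender outside the domain it was issued to, which can also be the service's own mailing contractor.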

------
sneak
uBlock origin plugin. Globally disable 3p resources for all pages. Manually
greylist CDNs only for sites.

Browsing the web any other way is for schnooks.

------
DoubleGlazing
My wife's cousin had something like this happen to her two years ago when she
was planning her wedding.

She browsed a few specialist wedding sites for inspiration and when she went
to some well known retail sites to start pricing things they seemed to know
she was getting married and promoted wedding goods and services on their front
page to her.

It freaked her out no end. I suggested a few plugins that seemed to put a stop
to it. But a few weeks later she did start getting wedding related snail mail
spam.

It's very creepy, especially after the whole Target teenage pregnancy thing.

~~~
kjs3
Yup...with my ex-wife it was the first time we got pregnant. Browse a couple of
specialty sites and suddenly everyone and their mother is spamming us with
new-parent ads.

Let me tell you how much fun it was to still be getting "free Enfamil baby
formula" spam for a year after she had a miscarriage.

------
bogomipz
On a somewhat related note and what I thought the article was going to be
about, what is going on with the phenomenon of HTML 5 light boxes loading
when you are barely a few seconds into reading a page asking you to "sign up
for the newsletter." This trend is out of control. If you were browsing
shelves in a grocery and someone came and stood between you and the book you
would want to punch them.

Does annoying people into something actually work? I feel like it must since
it's so prolific.

I wish there was a way to block these.

------
andrewaylett
Privacy Badger is pretty good at blocking things like this -- it watches out
for domains that are third-party for more than one site, and blocks requests
to them. Does require some tweaking for genuine CDNs (and indeed comes with a
yellow-list of common domains that will receive requests but not cookies) but
generally very useful.

[https://www.eff.org/privacybadger](https://www.eff.org/privacybadger)
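
The heuristic as described in this comment (count the sites on which a domain shows up as a third party, block once it crosses a threshold, and only cookie-block yellow-listed domains) can be sketched as follows. This is an added example that follows the comment's description only and is not Privacy Badger's code; the threshold value, the two-label domain rule and the request log are assumptions constructed for illustration.

```python
from collections import defaultdict


def base_domain(host):
    """Naive registrable domain: the last two labels.
    Assumption for brevity; real tools consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def decide(requests, threshold=2, yellowlist=frozenset()):
    """Map each third-party base domain to 'allow', 'cookieblock' or 'block'.

    requests: iterable of (page_host, requested_host) pairs.
    threshold: number of distinct first-party sites (assumed value).
    """
    seen_on = defaultdict(set)          # third-party domain -> first-party sites
    for page_host, requested_host in requests:
        site, target = base_domain(page_host), base_domain(requested_host)
        if site != target:              # same-site requests are first-party
            seen_on[target].add(site)
    decisions = {}
    for target, sites in seen_on.items():
        if len(sites) < threshold:
            decisions[target] = "allow"         # seen on too few sites so far
        elif target in yellowlist:
            decisions[target] = "cookieblock"   # request goes out, cookies do not
        else:
            decisions[target] = "block"
    return decisions


# Constructed request log: (page the user visited, host the page requested).
LOG = [
    ("www.shop.example", "static.shop.example"),   # first-party asset
    ("www.shop.example", "px.tracker.example"),
    ("www.shop.example", "lib.cdn.example"),
    ("news.example", "sync.tracker.example"),
    ("news.example", "lib.cdn.example"),
    ("news.example", "comments.widget.example"),
    ("blog.example", "px.tracker.example"),
]

if __name__ == "__main__":
    for domain, action in sorted(decide(LOG, yellowlist={"cdn.example"}).items()):
        print(f"{domain:20} {action}")
```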

------
chadgeidel
Am I paranoid in assuming their "opt out" system is basically probably an "opt
in"?

Related: I know that it's possible to "opt out" via the Direct Marketing
Association communications
([https://dmachoice.thedma.org/](https://dmachoice.thedma.org/)), but have
thus far not done this as I assume I'll just get more junk mail.

~~~
mungoid
I think it depends on what companies agree to not send you emails if you opt
out. I'm betting if a company agrees to the dma opt out then they will stop
and you will get a little less. But I think most advertisers don't care if you
opt out or not. It's in their best interest to not care

------
anilgulecha
More directly - if you want your precious content/resources to make you money,
make sure you send the bits over an authenticated & paid account.

Not behind an overlay, or with an adblock redirector or when the user-agent has
'googlebot' in it.

If you send the bits over, then I may consume them with no additional payment,
whether via ads or mailing-list or account signups.

------
__jal
I think it is about time to build a one-click opt-out to preemptively opt-out
of all of these scumbags' systems.

~~~
rocqua
Opt outs require giving out emails though. If you think they are scummy
enough, that might be a bad proposition.

That said, someone in the comments stated how these companies actively avoid
those who might click 'report spam', so this might work.

------
justrossthings
I talk a lot about this stuff with a friend doing sales operations at a hyper-
growth startup in SF. With Criteo, tools like Reply.io and others he thinks
we're going to see an event horizon where recipients of spam say enough is
enough and online privacy finally becomes 'cool'.

------
a_imho
I know there are a couple of solutions out there, but what exactly is stopping
the main email providers to offer on demand proxy addresses for one's main
account? I think there is a legitimate demand for it, but not enough to
actually sign up for yet another service.

------
singold
He talks about the legality of sending the spam, but what about the legality
of the partner he is really subscribed to that shared his information with a
3rd party? IANAL but AFAIK that wouldn't be legal in most countries

------
DavideNL
What I usually do is reply to their spam e-mail on a support mail address and
ask them to stop sending me spam: waste their time the same way they waste my
time... if everyone would do that the problem would be solved.

------
walrus01
... and I just created a new spamassassin rule for criteo. Done and done.

------
imron
And people wonder why adblockers are so popular...

------
ChuckMcM
Set privacy badger to block all Criteo cookies.

------
ahm750
Faced a similar situation recently. It was both surprising and frustrating.

------
astdb
Would disabling third party cookies have prevented this?

~~~
zymhan
Yes, it should have. Unless the ad tracker placed some other cookie-like file
that would evade your browser's cookie settings.

------
saltyhiker
The real problem here is not the chain of marketing tech that allowed this,
the issue is that the marketing message itself sucked. If the message was
valuable, many people wouldn't have been bothered by receiving it.

As for the message itself, if their intent is to sell you that specific item
you searched for, they should say so. Of course, they need to avoid the
creepy-factor, which, along with laziness are the two reasons they may have
ended up with the junky message you received.

~~~
TeMPOraL
> _The real problem here is not the chain of marketing tech that allowed this,
> the issue is that the marketing message itself sucked. If the message was
> valuable, many people wouldn't have been bothered by receiving it._

I disagree. This sounds like the rationalization marketing folks put forward,
namely that they're actually _helping people_. No, they are not. At best,
they're shoving messages into people's faces. At worst, they're shoving
_poisonous radioactive garbage messages full of lies_ into people's faces.
The range of behaviour here is from mildly annoying to outright malicious.
Very rare is the case when unsolicited marketing messages are something people
are actually happy about.

~~~
saltyhiker
I agree with you that the lazy/poisonous methods are far too common, and was
exaggerating to some extent. In this case the chain of tech may be too sullied
for a good message to be well-received.

I'd also like to add that as punishment for insulting the Sears marketing
team, I got a piece of spam from them 20 minutes after my comment.

------
malchow
Please. There is no core privacy premise of the internet. The core premise of
the internet is one protocol to deliver meshed knowledge to any computer. And
the commercial possibilities of the internet are what have underwritten the
growth of the network.

Reactions like this one make me think: _entitled._

But they also make me think: _unrealistic._ How much should hypertargeted ads
really bother us? Call me when they are using my bank account and medical
records to show me ads. Not my browsing history, over whose exposure I have
complete control, and which doesn't really expose very much about me or my
family.

~~~
benjamincburns
There is no core privacy promise _built in_ to the core of the internet in the
same way that there is nothing in the laws of physics which prevent murder. We
have laws and cultural norms for this sort of thing, and it's not at all
entitled or unrealistic to suggest that those tools be used to curtail a
rather parasitic situation such as this.

