
Ask HN: Question from a luddite re: cookies/web tracking, particularly by Criteo - corvallis
Hi there, hackers!
I experienced something very disturbing a few days ago that's been eating at me. To preface, I completely accept that browsing free websites and free content comes with the trade-off of tracking and advertising attempts. I'm not particularly tech savvy but I am careful about my internet habits because privacy is a concern for me.

Here is what happened: I was searching google for a stock photo. I clicked on one, which took me to a site called tradesy. I clicked within the tradesy website to look at the photo, but it was not what I wanted, so I clicked out. Moments later, I got an advertising email at my personal (yahoo) address from tradesy. Feeling thoroughly violated (and not in a good way), I discovered that the email was sent by Criteo, a "retargeting" company.

Somehow they got an email address that I have not used on any website, ever. I use my “spam” address for anything internet/app. The only people that have my personal address are, well, people. I am 100% certain that I did not give Tradesy my personal email address. I even checked my browser's auto-fill log and confirmed that no website has my personal email address saved. I have ad blockers and ghostery.

1) How did this Criteo company get my personal/private email address?

2) How is this okay? I don't mind some degree of advertising, but my comfort level is limited to not getting my name/address/phone number/email or other highly personal information that I should have control over, effectively stolen and used to spam me.

3) How can I block this company and similar ones from my online life? I already don't use Facebook/other social media.

I truly want to understand this phenomenon and the current internet advertising/privacy landscape, so if someone out there is able to clue me in, I would be very interested to learn. If you live in SF, I will even buy you coffee if you want to enlighten me in person!
======
RobFrodella
That's awful, corvallis. I agree with you that it's super-sketchy.

I admit that I use tracking cookies on my website, but I looked to find a
company (RocketBolt) I was comfortable with. Gotta keep my customers' trust at
all cost, and the RocketBolt cookies I use end at the border of my site, don't
tap into any private databases, etc. I'm simply trying to find ways to offer
relevance to my customers. Honest question: does that level of tracking upset
you?

I've never heard of Criteo, but I appreciate the heads up.

------
r721
Found this article after some googling:

[http://www.independent.co.uk/life-style/gadgets-and-tech/cri...](http://www.independent.co.uk/life-style/gadgets-and-tech/criteo-and-the-dark-marketing-arts-that-are-growing-ever-more-sophisticated-a6731106.html)

>Some light digging unearthed the fact that the company responsible for this
particular dark art is called Criteo, and the MD, John Buss, was happy to talk
me through this relatively new technique. It's all legal, all cookie-based,
but crucially its database – which learns about me and how I click around
websites – anonymously links up with databases of email addresses it has
licensed from other companies operating online. A match between the two, along
with an assessment that I might be likely to splash some cash, triggers an
email.

>How did my email address end up in the database in the first place? Well, at
some point – and goodness knows how, because I do my utmost not to – I opted
in to receive some communications "from selected third parties".

~~~
corvallis
I could swear up and down that I have never used my personal address on any
website/app ever. (I use my "spam" address for all internetting.) So if I had
accidentally opted in somewhere, it would have been with my "spam" address.
Even then, they should not be able to get my email address, period! My fear is
that they have other info that I am supposed to have control over, such as my
address/DOB/credit card/SSN. Can they mine all of those things just from
cookies/browsing or when I purchase something from amazon?

The reason I am fairly concerned about privacy is due to the nature of my work
and the fact that I have a unique name. As it is, you can find my whole family
and their address/phone number on a search's first page. I feel even less
secure knowing that my sensitive personal info is so easily mined and
distributed despite my best attempts to block ads/cookies/tracking and stay
away from clickbait/social media who I would assume to be the primary
offenders.

I am also a little surprised that no one else seems terribly bothered and a
company like Criteo is instead lauded for its innovative methods. Do we as
users just have to accept that a lack of control over personal info is the new
normal?

------
r721
I would recommend that you block third-party cookies in browser settings, that's
probably how you were tracked - the same cookie(s) were used on tradesy and
some other site which could connect you to your email address.

UPD A couple of relevant posts:

[https://freedom-to-tinker.com/blog/dreisman/cookies-that-giv...](https://freedom-to-tinker.com/blog/dreisman/cookies-that-give-you-away-the-surveillance-implications-of-web-tracking/)

[https://freedom-to-tinker.com/blog/englehardt/the-hidden-per...](https://freedom-to-tinker.com/blog/englehardt/the-hidden-perils-of-cookie-syncing/)

[https://freedom-to-tinker.com/blog/englehardt/how-cookies-ca...](https://freedom-to-tinker.com/blog/englehardt/how-cookies-can-be-used-for-global-surveillance/)

~~~
corvallis
I already block third party cookies. I have it set to allow cookies "from
current website" only. I had once tried to set it to never but then I couldn't
log in anywhere so that was a bust. I really don't know how they would have
gotten my personal address if I never enter that one anywhere. I only use my
"spam" address for any/all internetting. That's what is most creepy to me.
Thanks for the links! Mostly over my head but maybe someone else reading this
thread will appreciate.

~~~
r721
Hmm, interesting! I assume you use Safari ("from sites I visit" is their
preferences language)? In the last link authors actually differentiate between
"Some 3p = Safari-style third-party cookie blocking" and "All 3p = Blocking
all third-party cookies", so I guess Safari's method of blocking is not the
strictest.

Another possibility is that you use some rare static IP, which Criteo could
somehow connect to email. But it's probably a stretch.

Keep in mind also that some of your correspondents could agree to share their
email list on some site or to some app, so that could leak the email itself
and real name (but still it's unclear how it was connected to your browser).

~~~
corvallis
Yes, I use Safari! I actually have cookies set as "from current website only"
- I wrote the wrong one and edited. I suppose it's possible that one of my
contacts entered in my personal email in some new website/app referral and
that's how it was mined, but I clear out my cookies fairly often and don't
remember clicking on anything in the recent past.

Here is the note on the bottom of the email from Tradesy/Criteo:

To opt-out of receiving Tradesy emails, click here. This message is
personalized by Criteo Email based on your previous browsing behavior. To
understand why you received this email and access Criteo Email privacy policy,
click here. If you want to opt-out only from Criteo Email personalized emails,
click here.

When I went to their email privacy policy, it doesn't explain how they got my
email address.

I am very disturbed by this kind of stealth data mining. Is there a way to set
up my browser to become more anonymous on the internet? Clearly my ghostery
and ad block is not effective. I deleted my Facebook and LinkedIn after
LinkedIn somehow spammed me to link contacts that I sold random crap to on
craigslist (and probably spammed them too.) Somehow they both still deposit
cookies. I am willing to pay someone who is familiar with this landscape to
block trackers from invading my internetting. Or block websites that use
criteo and similar. Is this possible?

I'm not one of those people that wants to go "off the grid". I use credit
cards, I use amazon, I know what I'm getting into. It just seems like Criteo
has crossed a line.

~~~
r721
This all is actually puzzling, because ghostery should theoretically protect
you even if Safari doesn't block all third-party cookies. You can try to
switch to uBlock which is similar in functionality.

Are you sure you don't have some shady/little-known extension/plugin/app?
Those can share browsing history with advertisers. Some freeware
firewalls/antiviruses can too (just googled an example: "AVG, the Czech
antivirus company, has announced a new privacy policy in which it boldly and
openly admits it will collect user details and sell them to online advertisers
for the purpose of continuing to fund its freemium-based products. This new
privacy policy is slated to come into effect starting October 15.").

Maybe try to communicate with someone from Criteo (not support, but somebody
higher) and describe your weird case?

~~~
corvallis
I went to confirm that I only had the three extensions (ad block, ad block
plus, and ghostery) and when I clicked into the ghostery settings, it turns
out that none of the trackers were selected to be blocked!!! Not sure how long
it was like that, or how, but it's fixed now. Do you think this explains how
they got my personal email address? I am still not seeing the connection, but
there are obviously many things I don't understand about this space.

~~~
r721
I don't quite understand how Safari's third-party cookie blocking works :(
According to the link I posted it's more relaxed than Chrome/Firefox's third-
party cookie blocking, so some cookies are allowed. But how is that decided?

Theoretical possibility then:

You still use that personal email in the same browser? That means you visit
Yahoo website, which can set some cookies identifying you, including third-
party ones (advertising/tracking), if those are not blocked by Safari. The
same tracking cookies can be used by Tradesy, so that site can tie your visit
to your Yahoo identity.
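
The mechanism hypothesised in the comment above, as an added example that is not part of the original thread: a simplified cookie-jar model showing when a tracker embedded on both a logged-in site and a shop can tie the shop visit to a known identity, under the three blocking levels the linked post distinguishes. The domain names, the hashed-email hand-off from the logged-in site, and the reading of the Safari-style policy (a third party may set a cookie only if the jar already holds one for its domain, and existing cookies are still sent) are assumptions of this sketch.

```javascript
// Simplified model: one browser cookie jar, one tracker embedded on two sites.
// All domains and the hashed-email value are constructed for illustration.
const TRACKER = "tracker.example";

class Browser {
  constructor(policy) {        // "all" | "visited" (Safari-style) | "none"
    this.policy = policy;
    this.jar = new Map();      // domain -> cookie value
  }
  // Load `site` as first party; `embeds` are third-party domains it includes.
  // Returns the cookie each embedded third party received (null if none).
  visit(site, embeds = []) {
    if (!this.jar.has(site)) this.jar.set(site, "id-" + site); // first-party cookie
    const seen = {};
    for (const tp of embeds) {
      if (this.policy === "none") { seen[tp] = null; continue; } // never set, never sent
      if (!this.jar.has(tp) && this.policy === "all") this.jar.set(tp, "id-" + tp);
      // "visited": no NEW third-party cookie, but an existing one is still sent
      seen[tp] = this.jar.get(tp) ?? null;
    }
    return seen;
  }
}

class Tracker {
  constructor() { this.identity = new Map(); }  // cookie -> hashed email
  // One embed request. `hashedEmail` is supplied only by a site where the
  // user is logged in (assumed hand-off). Returns the identity now known.
  hit(cookie, hashedEmail = null) {
    if (cookie === null) return null;           // no cookie, nothing to join on
    if (hashedEmail) this.identity.set(cookie, hashedEmail);
    return this.identity.get(cookie) ?? null;
  }
}

// Visit the mail site (logged in), then the shop; both embed the tracker.
// Returns the identity the tracker can attach to the shop visit, or null.
function shopVisitLinked(policy, firstPartyTrackerVisit = false) {
  const browser = new Browser(policy), tracker = new Tracker();
  if (firstPartyTrackerVisit) browser.visit(TRACKER); // e.g. a click-through redirect
  const atMail = browser.visit("mail.example", [TRACKER])[TRACKER];
  tracker.hit(atMail, "hash(user@mail.example)");
  const atShop = browser.visit("shop.example", [TRACKER])[TRACKER];
  return tracker.hit(atShop);
}
```

In this model the "visited" policy protects only until the tracker's domain has once been loaded as a first party; after that it behaves like "all", while "none" never yields a link.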

~~~
corvallis
I think you solved this!

I actually use the Apple mail client, so I get my spam mail and my personal
mail in the same interface. My angry deleting of cookies and web history
following the Criteo email would have cleared any log ins, but I haven't used
the yahoo mail web interface for many years. However!! I remember going to
flickr briefly about a month ago, and since it is a yahoo service, it would
have been connected to my personal yahoo ID/email address (correct?). It's
possible that I never logged out, so could it have mined my address that way?
I am still incredulous and outraged that Criteo could use this to mine my
address and spam me, but this could be how they got my personal email/yahoo
ID.

Thank you so much for your insightful comments and for "investigating" with
me! Even though this is still somewhat mysterious, I've learned from this and
also discovered my ghostery settings were off which was very valuable. Now I
just have to figure out how to block Criteo and similar invasive species. I
may have to go off the grid after all.

