
>I’d driven to meet a friend at an art gallery in Hollywood, my first visit to a gallery in years. The next morning, in my inbox, several spam e-mails urged me to invest in art. That was an easy one to figure out: I’d typed the name of the gallery into Google Maps.

I don't see how the author makes the connection here.

How does searching for an art gallery on Google Maps translate into spam emails? Is he accusing Google of selling your email address and search information to spammers?

You really have no idea how bad it is man. The shit I've seen through all of my data analysis contracts at different startups has shown me how the process (sorta) works.

The tech companies just need to connect one little "key" and they've got the query. The cost of being wrong is low, so there is almost no Type II error. Every consumer website out there has some sort of bloatware / spyware tracking pixel or ad network or analytics pack. They record the headers, the fonts, etc. They make a statistical fingerprint that is very tight.

For the Google Maps example I can think of 10 different ways that the user profile leaked ranging from a single installed key logger (virus), to a toolbar, to his clicking on the website.

"But how could they know it is him or his email?"

There are tons of tricks they use. Just log onto a single social network, bam. There was also a time that you could put down a LinkedIn iFrame to have:

    "Zach Aysan" has looked at your profile.
Sent to your inbox.

Sure the occasional hacker is smart enough to only install a select number of plugins, and to watch downloaded programs very carefully, and to install HTTPS Everywhere, and to install an ad blocker, and Privacy Badger, and to reinstall the OS every couple months, etc. But there are tons of people running Windows XP which gets hacked so frequently you need to assume people on those systems have viruses.

My point is this: A discussion on whether Google is the one leaking information begs the question. It doesn't matter if it is Google or another party. The question is this:

"Is there a reasonable chance that a non-technical user will have his searches online leaked to a global network of advertisers and INT personnel?"

The answer is a resounding yes. My parents were both programmers 30 years ago, and neither of them can trust the devices that they have to not phone home about them.

I don't think you need a spyware or something, nor need to inject something. You don't need to hack your way in, just buy the access to advertiser's trackers.

One day I posted on twitter a link to a movie. 10 minutes later the director's twitter account showed up as "recommended". Interesting..

Furthermore, spam is rarely targeted. If it was, spammers wouldn't need to send hundreds of millions of e-mails. And I doubt it works that fast. You visit some suspicious site one day and the very next you're bombarded with "several spam emails". Lastly, I don't see how legitimate art businesses would tolerate spam. I'm an amateur art collector visiting dozens of art sites for years and I've never received spam.

The guy is obviously talking out of his ass. Which is a shame because he's trying to make a good point.

What if he's using an Android phone? Most third party apps on the Google Play store have access to both your location and accounts.

I even remember seeing back in the day questions with valid answers on stackoverflow about how to get the email associated with a device without requesting the accounts permission, but some other close ones.

I also made the mistake of using a personal account with my first Android phone. I had zero spam on that account. 2 months later I was getting about 10 emails a day. (not targeted though since I didn't live in a very active area)

Successful spammers are absolutely targeting their emails. It's similar to when you search for something on Amazon and then see ads for it on Facebook -- the goal is to put an ad in your inbox (essentially for free) instead of paying for ad impressions.

That’s programmatic advertising. It’s a different beast while very relevant to the context of being continually monitored/profiled. If there's such a thing as targeted spam I've yet to witness it.

It's a fairly common practice now (not the spam, I've gotten spam email clearly triggered by a re-targeting campaign but as far as I know it is not a widespread thing).

The basic pattern is: Get user to trigger re-targeting campaign, use re-targeted ads to read a tracking cookie or browser fingerprint from the user, use that to look up user info in your customer profile database you bought (or bought API access to) from a data broker, send targeted email, package up your new piece of customer profile data (Walter Kirn went to an art gallery in Hollywood) for later resale/trade.

The specifics for each step change all the time.

The author wrote this piece in a style where he defaults to paranoia in the face of all coincidences to mirror the subject matter so it was not an accusation. But this one is actually feasible.

> But this one is actually feasible.

Does Google Maps even embed display ads? I don't think there's any way to get a cookie, pixel, etc etc in there for just a query.

It doesn't as far as I know, that's why re-targeting is such a boon to these types of practices. Google Maps searches can trigger re-targeting campaigns, and when they are somewhere else on the web and get a re-targeted ad you might have a chance to get that fingerprint/drop that cookie.

Often it's not even the same group doing all these steps either, there are opportunities to buy your way in and/or cash out partway through.

There are no display ads on Google sites like Maps.

He's probably just misremembering.

What probably happened is that Gmail was showing targeted ads based on his searching and he was shocked to see this in his email client, when in fact the two are joined.

It's a very minor point in a big article. I'm not sure it's worth reading too much into.

That minor point has major implications if true, so I definitely think it's worth reading into, at least to decide whether it's correct or not. It's the difference of whether your Google map searches, and possibly web searches, are contained within Google, or are accessible to others.

If you click a link on Google Maps or Google Search, doesn't the site get the query in their GA or something?

The fact that they are not is the whole basis of targeted advertising.

But that's still Google providing the advertising. In what way is your search history not contained to Google when an advertiser asks Google to display text ads with your content to people that are interested in X, Y and Z?

I can think of a few very expensive ways, but those are also ways in which Google is allowing erosion of their competitive advantage by allowing that information to leak. That, by the way, is why I don't feel particularly paranoid about Google sharing my information everywhere. Google is strongly incentivized to keep it closely guarded so other people can't monetize it in ways that cause Google to lose out.

Google runs display ads, which are bid on by third parties who can use that data to target emails.

So your hypothesis is that Google took the knowledge of the search query and attached some sort of indicator that the user was interested in AA onto the user's personal data (in violation of its own policies for interest-based advertising on sensitive topics). Then, it mapped that user to a cookie (in violation of its own policy towards cookie-user matching). Then it gave a list of cookies associated with alcohol rehab to a 3rd party (also not how any Google systems work, this would be in violation of many internal policies). Then, someone was able to match cookies to email addresses (available, unfortunately, in the shadier black markets of the marketing world, but totally in violation of Google remarketing standards such that the 3rd party would be likely barred, if caught, from all Google systems). Then, the spammer bought the email addresses and sent the emails.

Alternate theory: someone at AA sold an email list to a shady marketer.

You're misremembering the article. The spam emails were claimed to be because of a Google Maps search. The AA link was because an app on the phone (probably Facebook) was mining the address book.

> (in violation of its own policies for interest-based advertising on sensitive topics).

Art galleries are not typically considered sensitive topics.

You'll have to explain how that's supposed to work. Are you saying that google is selling email addresses, that they are allowing people to supply content that they then send, or that the people running the ads are selling the email addresses? The first two I find extremely unlikely, and the third should not be possible, since running an ad does not give you info on who it was delivered to.

How does a display ad allow you to target emails without asking anyone for an email address?

It gets elaborate but you can essentially buy email address -> cookie mappings or make your own. You then sync those cookies with the ad exchange and then they're returned to you with every ad auction for that user.

Please elaborate. What can I read or search for to find out how this works? Is there anywhere I can go buy such data to see it myself?

I used to work for an ad retargeting company. Our advertisers gave us a ton of data that we didn't necessarily want along with pixel data that we did, including email addresses. So if you're logged in to some retailer's website and they were retargeting with us, they might either accidentally or deliberately be passing us your email address, which would allow us (if we wanted to) to map your email address to your cookie. We see your cookie look at galleries, bam.

Or, more legally, the advertisers could be part of a specific email retargeting campaign where they give us your email addresses, and then we can establish the mapping in a more direct way.

Obviously there must have been more shady goings-on in this case, but the principle is the same.

Right, but how did the cookie get associated with a Google search query and then get to the 3rd party who did the shady mapping? That's what wouldn't have happened.

If they clicked through to the art gallery website (from maps/search) and the art gallery was running an ad/tracker network that already knew the user's email from elsewhere, they could put two and two together.

Cookie onboarding services are nothing new. To start, look at a company like LiveRamp. They ask sites that get users to authenticate to login, then you provide them with an anonymous hashed email address of the user which they then use to match against a larger cookie pool. If there's a match, they set another cookie.

This helps solve the issue for advertisers using retargeting where cookies don't have a long shelf life. So they leverage 2nd party data sources to basically set those cookies again for them so they can continue retargeting.

They can also work with vendors to upload their hashed email lists from their CRMs and gain access to the relevant cookies in the pool to market to them.

Onboarding vendors like this tend to pay a CPM rate based on the number of matches they can make with their cookie pool, so really all that matters is that you have a massive number of people authenticating with email addresses.
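Added example (not part of any comment in this thread): a defender-side audit related to the retargeting and onboarding comments above, where a site passes a plaintext or hashed email address to a third-party pixel. It scans captured request URLs for a known address in plaintext, base64, or unsalted MD5/SHA-1/SHA-256 form; the hostnames, parameter names and sample requests are constructed for illustration.

```python
import base64
import hashlib
from urllib.parse import urlsplit, parse_qsl

def email_tokens(email):
    """Forms in which an address commonly appears in tracker requests."""
    norm = email.strip().lower()  # onboarding matches on the normalized address
    tokens = {"plaintext": norm,
              "base64": base64.b64encode(norm.encode()).decode()}
    for algo in ("md5", "sha1", "sha256"):
        tokens[algo] = hashlib.new(algo, norm.encode()).hexdigest()
    return tokens

def find_email_leaks(request_urls, email, first_party):
    """Return (host, parameter, encoding) for third-party requests carrying the address."""
    tokens = email_tokens(email)
    leaks = []
    for url in request_urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if host == first_party or host.endswith("." + first_party):
            continue  # the site itself legitimately sees the login address
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            # Hex digests and plaintext are compared case-insensitively;
            # base64 only matches in its exact-case form.
            candidates = (value, value.lower())
            for encoding, token in tokens.items():
                if any(token in c for c in candidates):
                    leaks.append((host, name, encoding))
                    break
    return leaks

# Constructed sample data: one first-party request and three third-party ones.
SAMPLE_EMAIL = "Alice@Example.com"
SAMPLE_HASH = email_tokens(SAMPLE_EMAIL)["sha256"]
SAMPLE_REQUESTS = [
    "https://shop.example/account?email=alice%40example.com",
    f"https://px.tracker.example/p.gif?ev=view&em={SAMPLE_HASH.upper()}",
    "https://sync.adnet.example/match?u=Alice%40Example.com&cid=abc123",
    "https://cdn.fonts.example/f.css?family=Sans",
]

if __name__ == "__main__":
    for leak in find_email_leaks(SAMPLE_REQUESTS, SAMPLE_EMAIL, "shop.example"):
        print(leak)
```

A salted or keyed hash would not be caught by this check, and request bodies and paths would need the same treatment as query strings.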

Here's the other piece of the puzzle. http://marketingland.com/google-email-address-audiences-cust...

Once you have the email addresses (see unshift's comment above) you upload them to Google and then target the addresses with specific ads.

While unsettling, that still doesn't explain the data flow out of Google. Google wants your customized list of email targeting, sure. But they don't want to leak anything proprietary to others to use, such as search history.

Malware/spyware can easily explain that. That's all I can think of.

Yeah, but if you've got that on your computer, you have much more to worry about than your search history being used for marketing, and they've got much more lucrative ways of making money from you. It's a "It rather involved being on the other side of this airtight hatchway"[1] type situation.

1: http://blogs.msdn.com/b/oldnewthing/archive/2006/05/08/59235...

Oh I don't disagree with you at all. I was just thinking of a case where google maps search leads to email spam related to your google maps search and that's all I could think of.

It's just the "Post hoc ergo propter hoc" fallacy. (Possibly also overactive pattern recognition; how many spams does he get about art at times unrelated to gallery visits?) Google does not sell such personal information to spammers (or anyone else).

If you visit non-Google websites, it's technically possible for people to discover relationships and target e-mails (e.g. if you entered your email address on website A and then visited website B, cookies can correlate the visits and, among other things, trigger e-mail; also malware and other privacy leakages), but Google does not use its information in the way alleged.

Disclaimer: I work for Google in privacy engineering, but I'm only speaking for myself based on information Google releases: https://privacy.google.com/#google-information.
