Just found this…

How bad has privacy become on the World Wide Web? Really bad, a new audit shows.
At least 87 percent of the world’s most-popular Web domains engage in some form of digital tracking without you ever signing in, according to investigative journalism nonprofit the Markup. Many, it found, even covertly record the way you move your mouse or type. This is the hidden tech that lets companies learn who you are, what you like and even the secrets you look at online so they can tailor what you see, make ads follow you around — or even sell your information to others.
The good news: You can run a privacy check on any site yourself by using the free tool made for the audit, called Blacklight. Think of it, in the Markup’s words, as a “meat thermometer that you can stick into any website and get an instant reading on its level of creepiness.”

In for a penny:

Not worried to be honest but interesting.

28dayslater is quite creepy especially the asylum and hospital pages.

asylum and hospital pages

Jesus, if walls could talk…

…those ice creams Jimmy Savile bought would have quite a story to sell.

STW isn’t too bad compared to many

Indeed not. And I don’t use Ad-Blocker or owt yet still spend time here.
Nice to see stuff quantified.

DuckDuckGo browser does something similar as you use it – blocks things and gives the site a grade. This one gets a B+.

If you go to the daily express homepage and then click on an ‘article’, Ublock origin blocked 103 things, I kid you not.

Edit, 120 things, I left the browser open too long..

If you go to the daily express homepage

Quite a few papers are not far off. Remember reading one article saying how bad it is and the first comment was just a list of all the ad sellers. Think it was just over a hundred.

I kind of get the worry in a theoretical sort of way, but am I wrong for not being especially worried myself?

My forum has 0

No ad-tech companies were found on this website

It’s how creepy the websites find me that worries me more!

delete

Commercial sites either:

1) are funded by subscriptions,

2) are funded by advertising,

3) aren’t funded and rapidly cease to exist.

Pick one.

As the saying goes, if you’re not paying for it you’re the product.

That said, the extent of the metadata being collected is frankly ridiculous. If someone was doing that in the physical world they would have a restraining order so why is it okay in this case? Oh I consented did I? Did I? Really? Because unless they are explicit about what data they are collecting beyond a vague notion of ‘cookies’ they are not giving an informed choice.

Pick one.

Whilst snappy it doesnt really address the number of trackers or indeed the fact its trackers rather than just adverts.

It is mostly just adverts.
We track what you look at on the site because we need to know. We use Google analytics for that. We have a Facebook pixel on the site too that allows us to target facebook posts or see if the ads we are running on facebook actually result in a purchase on the site. That would be impossible to understand unless there is some connection between facebook and the site.

We are a media business so we need to know this stuff to be able to work.

If you are a full member then we don’t just deactivate the ad code on the page we actually remove it from your browser. It’s not just inactive – it’s not there at all. Analytics code is there for all users though.

It can get creepier. When Gmail started, they used to read your e-mails-was in user agreement, in order to get targeted adverts.

As far as the EU goes, all is far as long as it its part of the business practice/function.

Commercial sites either:

1) are funded by subscriptions,

2) are funded by advertising,

3) aren’t funded and rapidly cease to exist.

Pick one.

When this site started (~ 15 years ago?) what was the model? Because I’m old enough to remember when the WWW was a lot nicer than it is now. E.g. forums run by enthusiastic mod teams with perhaps one banner advert for a bike shop who paid a few hundred quid a year for a server. No one was spying on anyone.

Were those old sites all just loss makers?

FYI for those that are interested..

We use two suppliers of programmatic (trackable) ads. Liqwid and Google Adsense.

http://liqwid.com/
google.com/adsense

This is the single line of code that enables the ads from Liqwid..
script async=’async’ src=’https://www.liqwid.net/?key=C291-E3FB-27A9-AC6E’

This is what enables the Google supplied ads..

script async custom-element=”amp-ad” src=”https://cdn.ampproject.org/v0/amp-ad-0.1.js”
async src=”https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js”

That’s for the ads. There another few lines of code for Google Analytics and something similar for Facebook.

The first Liqwid line of code (or tag) is responsible for that “14 advertising trackers” result that Eddiebaby reported. Think of it as a gateway to the ads that come in from multiple sources in the programmatic advertising networks. It doesn’t mean we have done deals with 14 separate entities and installed so called ‘tracking code’ on the site. depending on the state of the advertising market, demand for our site or even the time of year, that number will go up and down as more markets get involved in the auction process for the ad space.

The other thing to bear in mind, and this can either reassure or make it more scary, is that there’s no direct human interaction in this process. The connections and ad auctions happen almost instantly on the load of the page. No human is looking down a list of your browser history with your name at the top.

Thats not to say that someone, somewhere at Google say, couldn’t look into some files stored somewhere and try and work out exactly who you are. I’m not so casual as to think that isn’t possible. But on a day to day basis billions of ads get served to billions of people based on internet behaviour and other trackable factors that no human has any knowledge of or any interest in.

Again, I’m not trying to trivialise the privacy implications or the dangers of this whole system but, I know in a day to day and very detailed way how it works and I’m not overly concerned personally.

However!

In 2021 the use of third party cookies to store and track information about you as you move from place to place on the internet will be phased out. In a nutshell that means that no third parties (Advertisers or programmatic networks) will be able to find out if you’ve been looking at another website before choosing to serve you and ad. This will break the whole way the current system of tracking works.

On the face of it, this looks bad for us as media as we get paid more per thousand impressions for ads that are targeted to individuals than for those that are not. But my expectation is actually that it will be better for us.

The upshot will be that advertisers can’t target individuals directly. However, they will be able to target demographics and general groups of users. For example our website has a particular marketing demographic of mid to high income earning, outdoor, cycling, tech interested, males. (broadly speaking). This information will be and already is, available to the advertising markets. In effect an advertiser will be able to target this website rather than individuals using the website.

I’m very much looking forward to that change. I think it will result in less creepy ads. You come here because of a shared interest in mountain biking. I’m hopeful that means you will see more ads relating to that subject rather than ads offering you a 10% discount on that thing you were looking at on John Lewis yesterday.

I’m hopeful that means you will see more ads relating to that subject rather than ads offering you a 10% discount on that thing you were looking at on John Lewis yesterday.

Or Love Honey 😂

But in all seriousness thanks for the insight, useful for those of us that don’t love and breathe advertising on the internet.

For example our website has a particular marketing demographic of mid to high income earning, outdoor, cycling, tech interested, males. (broadly speaking).

Shit, they’ve found me….

I’m hoping that the love Honey ads stay as we are getting a decent commission on sales from you guys 🙂

I find the whole subject fascinating, this whole online auction for the user, is that just for a ‘browser of STW’ or do they see more info about the actual user on STW?

I’m hoping that the love Honey ads stay as we are getting a decent commission on sales from you guys

Fresh Goods Friday opportunity?

The auction process is based on your browsing history at the most personal level. Not all auction opportunities win on that basis though. Some bids in the millisecond bidding war will be from advertisers who are already just looking to get their ad on our website no matter who you are. Some will be looking for a certain pattern of activity – say Someone who is in the UK and has recently visited the John Lewis page for coffee machines and lingered there for more than 10 seconds. That’s a pattern that would indicate some genuine interest. The ad buyer at John Lewis may tick that combination of boxes in their Google Ad account and put a budget of £1000 behind it with a specific ad that is for that particular coffee machine – but since it’s for people who didn’t actually buy it when they visited they may include a 10% discount code in the ad.

They let the ad fly. Google checks it to make sure it follows their rules and once out there Google’s knowledge of where you have recently been will mean that in the super rapid auction process Google’s ad system will bid high for your impression. It may win the auction or it may not. Some other campaign may have also targeted people like you and they may win that impression.

It’s a third party cookie on your device that contains the record of where you’ve been recently, although it’s not the only way that you can be ‘tracked’. This cookie gets read by the ad providers when you visit a page and it’s the content of that cookie that feeds back into the auction. This is why you can switch to an incognito window on a website and the ads suddenly become rather random instead of ‘creepy’. In incognito mode the cookie with your history data in isn’t accessible.

If you try that bear in mind that not all the ads you see on here are delivered in this way. The ads you may see at first visit are often specifically MTB ads that we display under a direct relationship with the brand. This is what we call a direct campaign. Direct campaigns don’t track you. That’s the equivalent of what I said above about targeting the website rather than the individual.

I can do certain things with direct campaigns, like set them so they only appear to you as an individual say 4 times a day. They are also capped in terms of how many impressions a day they will deliver in total so some people may not see them more than once, or even at all, if the capped number is small. I can also target devices – so certain ads will only be delivered to mobiles. Or target certain countries and even districts. But what I can’t do is get them to target and individual. I can’t find out if a particular ad has been displayed to an individual or not.

Fresh Goods Friday

Flesh Goods Friday

Don’t be surprised if Charlie negotiates a members discount soon 🙂

Don’t be surprised if Charlie negotiates a members discount soon

Fnarr

If you aren’t paying, you are the product.

Just found our website has one tracker and a keylogger. Hmm. I shall be checking why,

@mark that’s a really thorough explaination, thanks. I know I’ve not been the most supportive of the ads in the past (to say the least) but that’s a decent insight into how it actually works for the layperson.

There’s interesting sub-point to be had there too. If you’re of a mind to aggressively block cookies, the system can’t work as intended and (not just here but generally) you could potentially be served more adverts / repetitive adverts / irrelevant adverts because there’s no means of controlling what you’ve already seen.

To be fair half the tracking is fine. Does anyone really care about:

Performance and optimisation: e.g Google analytics or the hundred other services sites use to tell them where their traffic comes from and how a site is used. Not me.

Tracking Cookies and affiliate networks – e.g I click a chain reaction link, then 15 days later go blank and end up buying something. The referring website gets a commission. Cool with me.

Half the things that people jump up and down about are harmless.

Even at scale where data is sold networks creat cohorts e.g 10k Cycle lovers rather than a single person.

Now what will happen when Cookies are killed? Sites will skirt around the laws doing much worse such as tracking you via device fingerprinting / IP and much worse the average user won’t be able to hide from so easily.

To me it’s a bit like artificial sweeteners being worse for your health than the sugar they replace.

To this date I still haven’t been targeted with an Evil the Wreckoning 😂

Right there with you aside from the nonsense about sweeteners.

There’s interesting sub-point to be had there too. If you’re of a mind to aggressively block cookies, the system can’t work as intended and (not just here but generally) you could potentially be served more adverts / repetitive adverts / irrelevant adverts because there’s no means of controlling what you’ve already seen.

unless you run an adblocker or use a browser that blocks

there is clearly a war going on with facebook ads. I go weeks without a single ad on facebook presumably because of my browser or settings, then I get a flurry of them for a week or so then they dry up again

Right there with you aside from the nonsense about clicking on an advert.

FTFY 😉 😊

There must be tools which can analyse the cookies on your machine and tell you what the 3rd party servers know about you, unless their content is encrypted?

There must be tools which can analyse the cookies on your machine and tell you what the 3rd party servers know about you, unless their content is encrypted?

Doesn’t have to be encrypted, cookies are limited* in the number of characters they can store – it’s 4096 bytes but that includes the cookie name and the expiration date so the effective maximum is around 4000 bytes. Because of that limit data just gets munged together in a way known by both ends but don’t have text to say what they are, so the first characters might be “1602263847” which is a timestamp but unless you knew that format you wouldn’t be any the wiser. So adding some more data, let’s say a browser identifier plus version, I’ll use 2 for chrome along with the version data for what I’m running plus the above timestamp:

“285041831211602263847”

So that’s three bits of information, no encryption but unless you knew how to split it apart you’d be at a loss to figure everything out. Add another thirty or forty bits of info and …

*Actually the relevant RFC doesn’t place a maximum size but since every cookie on a page is sent as part of the initial handshake between browser and server most browsers limit the size.