> This transaction breaks a core promise using the internet: just because I visit a website doesn’t mean I consent to getting spam from it.
No it doesn't. There is no core privacy premise of the internet, and certainly not one that everybody who used it signed up for.
I'm not condoning this behavior, but we're in territory that we don't have prior art for. It used to be totally fine for one shopkeeper to mention to another that he saw a customer looking for a particular item. When you do it at scale, the old rules don't apply.
If you think it's spam, hit the spam button in gmail and get rid of it. Use an adblocker. Talk to your congressman about data privacy and sharing laws, because we don't have anything that's effective. Frankly, continue to write Medium posts, because it raises awareness :) But, I disagree with the notion that this is a solved problem with bad actors, because we're in unknown waters.
> It used to be totally fine for one shopkeeper to mention to another that he saw a customer looking for a particular item. When you do it at scale, the old rules don't apply.
The on-line equivalent of that would be e-commerce sites sharing their detailed analytics data with each other. What was described in the article is more akin to a shopkeeper saying to another, "Did you see that woman in the red scarf? Her name is Jane Doe, she lives in the house over that hill. She seems to be interested in this particular item, so your best bet is to upsell her something similar."
"She's just received a big payout from her ex-husband so she'll be willing to pay more, and she likes cats, especially white ones. Also her sister's birthday is coming up and the sister is obsessed with horse racing so you might be able to sell her some memorabilia. Jack up the price so she'll think it's valuable."
This is really pushing the boundaries of the CAN-SPAM act. You're not allowed to send unsolicited emails. You shouldn't be allowed to pretend that visiting a site is a solicitation.
Edit: I misunderstood the mechanism of collecting the addresses. This isn't skirting "unsolicited mail", but it is circumventing the ban on harvested email addresses.
Actually, you ARE allowed to send unsolicited email, even commercial (UCE). It has to be clearly labeled, contain the postal address of the sender, and contain unsubscribe links. Also, CAN-SPAM only applies to senders in the U.S. (unfortunately).
It's pretty amazing the number of senders that do not obey the requirement for a minimal unsubscribe flow:
> Any opt-out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your message. You must honor a recipient’s opt-out request within 10 business days. You can’t charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request. Once people have told you they don’t want to receive more messages from you, you can’t sell or transfer their email addresses, even in the form of a mailing list.
To me it seems more of an honor-based system rather than one there's any enforcement for. Much like the Do Not Call list.
Given that SMTP is a relay system, would the first US-soil SMTP gateway machine a message travels through be its legal "sender" (in the way that e.g. the importer of a foreign medical device is liable if it's not FDA-approved)? One would think this would legally force those gateways, when handling foreign-originated spam, to slap their own address on them with their own unsubscribe link, that would—if clicked—then block those messages from coming through that gateway.
> Also, CAN-SPAM only applies to senders in the U.S. (unfortunately).
We could always send gunboats to reduce cities whose citizens send unsolicited emails to the U.S. … /s
More seriously, this does seem like the sort of thing which could be addressed through bilateral or multilateral negotiations, including between the private firms who own the international Internet connexions.
I don't know if I would call it a "relationship" message, but maybe it's a "transactional" message, where serving the webpage counts as the transaction?
When I worked somewhere that did a decent amount of email marketing, we were told our abandoned cart emails were not transactional, as they were not actually a part of any kind of transaction (yet). Not sure on the actual status though.
First, CAN-SPAM doesn't outlaw the sending of unsolicited commercial messages - on the contrary, it lays out rules for sending them. Second, in this case, at some point this guy agreed to receive emails from Criteo when entering his email address somewhere. The fact that people don't read TOS before they agree to them does not invalidate them.
The question is not a legal one, but a moral one. Of course the TOS are agreed on by the user, but it's still not what they want, so I still consider it unsolicited from a moral POV.
California and New Jersey have laws that go above and beyond the protections outlined in CAN-SPAM. I used to work for a company that sent spam (I swear, I didn't know until after I'd already accepted the job), and we avoided sending to those states. If more states would adopt laws like this, we could dramatically curtail spam.
As for what constitutes solicitation, I wish it was that simple. In some instances, companies will buy your email address from another company, and they believe that constitutes consent. In other words, you did business with Company Foo, and I did business with Company Foo, so you consented to do business with me. It's insane.
Having been inside one of these businesses, I have three pieces of advice.
First: Mark spam emails as spam when you see them. You only have to get a few of your messages marked as spam to get your IP address blacklisted. You have far more power over spammers than you think. Not only that, but spammers fear this so much that they keep databases of complainers, and they'll leave you alone in the future. Sometimes they'll even share lists of complainers with other companies so they won't risk your wrath.
Spam companies love non-complainers. Even if you don't open the spam, not complaining helps their numbers with the email provider. By not complaining, you're sending a signal to your email provider that this is a good email, and other users would like to receive it. Not only that, they'll remember you as a person who can be relied upon to not complain, so you'll get more spam than other people.
Second: Read EULAs. We did business with some super-shady companies who sold us tons of really invasive user info. One company even sold us the contents of people's email. Not just meta data, we could actually read the content. They don't mention any of this on their site, but it's subtly stated in the EULA. Read them and check for references to sharing your data with business partners.
I've steered clear of some browsers and email clients as a result of vague EULAs that leave the potential for harvesting my data and selling it.
Third: This one is going to be unpopular on Hackernews, but the best way to avoid being fingerprinted by advertisers is to block JavaScript by default. There are bajillions of ways to uniquely identify your computer, right down to having your browser report which fonts you have installed. Almost every single technique relies on Flash, Java, or JavaScript. Ad-blockers help, but they don't catch everything.
I use NoScript to turn off JavaScript by default, and I only enable a site if it seems legitimate and the site is broken without it.
Here's a terrifying list of the things advertisers can do to uniquely identify you without consent and without a cookie. As the article says, disabling JavaScript by default is by far the most effective method for protecting yourself from fingerprinting: https://wiki.mozilla.org/Fingerprinting
It's a little inconvenient, but good security always is. The locks on your front door are inconvenient (what if you lose your key?), but hopefully they're even more inconvenient for would-be intruders.
> As a side effect disabling javascript also makes pages load faster
Ironically on our rather elderly laptops NoScript actually increases page loading times by a factor of two and that's with the out-of-the-box configuration. I haven't looked to see what pattern-matching algorithms it uses but they're very slow.
Because it is a browser extension, which by itself is quite a complicated application. I use the built-in JS blocking options in Chromium and didn't notice any slowdown.
CAN-SPAM preempts more restrictive state laws with narrow exceptions, so generally the California and New Jersey laws are unenforceable. Those laws, and free m voting them, were a major reason that CAN-SPAM was lobbied for by industry, and that anti-spam activists labelled it a setback that told the industry that they can spam people's inboxes.
Is a company in New York bound by the laws of New Jersey or California? Do consumer protections for an individual in California extend to every company in the US?
> the best way to avoid being fingerprinted by advertisers is to block JavaScript by default.
Leaving aside the sheer amount of stuff this will break, you're serving to identify yourself in another way, but perhaps not to an advertiser.
Given the average website, the number of people using a real web browser (i.e. not bots, curl, wget, etc) who don't run JS is going to be absolutely minuscule.
It's kind of like turning on Do Not Track - most people have it off, so you're highlighting yourself by turning it on.
This topic comes up a lot on HN and my response is always the same. Try NoScript again. Give it a day or two and whitelist the sites you use a lot and trust. You will have a stunningly faster browsing experience and the number of sites that don't work will be surprisingly small.
We have passed a tipping point where all the annoying bullshit that depends on JavaScript to function far outnumbers the random websites that NoScript breaks. LONG time user of it and I just don't have much trouble browsing. It makes the web insanely fast and eliminates most annoyances.
I've been using uMatrix for some time (I'm a control freak, I guess) and I support this - you end up whitelisting a few sites here and there (or even just some aspects of those sites, in case of uMatrix), and the Internet becomes overall a much better (and faster) place. The amount of useless JS bloat on-line is staggering, and it hurts me that developers are actually defending this practice. Engineers should know better.
Can't say much about DNT, but I think turning off javascript absolutely makes sense.
If you turn it off, they can put you into the "disabled javascript" pool of users. So what?
But if you keep it on, they can query half a dozen APIs and get a much more detailed configuration of your browser. Which lets them put you into a much smaller pool and identify you more confidently.
And what's more, the more of us that turn off the script, the more anonymizing the "disabled javascript" bucket becomes, as well as increasing the pressure on web developers to stop the js bloat. Win win I say.
I've been surfing forever with noscript, only white listing those domains I need.
Exploding cookies (the add on, not the terrorist device), and an ad blocker, and the internet is quite usable.
State specific spam laws wouldn't matter unless the company has a physical nexus within that state. You'd have offshore subsidiaries doing the sending even if all 50 states passed such laws.
> § 17529.2. Notwithstanding any other provision of law, a person or entity may not do any of the following:
> (a) Initiate or advertise in an unsolicited commercial e-mail advertisement from California or advertise in an unsolicited commercial e-mail advertisement sent from California.
> (b) Initiate or advertise in an unsolicited commercial e-mail advertisement to a California electronic mail address, or advertise in an unsolicited commercial e-mail advertisement sent to a California electronic mail address.
> (c) The provisions of this section are severable. If any provision of this section or its application is held invalid, that invalidity shall not affect any other provision or application that can be given effect without the invalid provision or application.
tl;dr You may not send unsolicited commercial email to California residents. You are also barred from sending unsolicited commercial email from within the state of California, but this is independent of the first part.
> It used to be totally fine for one shopkeeper to mention to another that he saw a customer looking for a particular item.
Huh? Outside of some tiny village the shopkeeper would not know the name and address of customers that are just browsing. If a shopkeeper hired private investigators to stalk those customers, following them around everywhere gathering as much personal information as possible, it would probably run afoul of some law.
Not only that, in this example the shopkeeper is simply helping the customer find what they are most likely requesting simply to be helpful. A more accurate example would have shopkeepers buying customer data from each other using a 3rd party entirely for their own benefit. This really isn't the same thing at all.
At this point a plugin probably isn't enough. We need a better browser that gets back to the document viewing roots. Something better than NoScript that has a rough idea of the types of transforms a domain's JS performs so that it can serve me the "page" w/out running suspicious code. Although I suspect this would just start a new style arms race of obfuscation similar to adblock, etc.
Hosts file blocking will never be as good and complete as add-on based blocking. You cannot block on DOM, you cannot block specific things from a host but let through others, etc. Not to mention that it is much harder to toggle if you need to.
They didn't share your contact information since technically the SPAM came from them (via a technology provider Criteo) so it's still Sears that's owning the communication and responsibility. It's different if let's say you were browsing Sears and then somehow got an ad for the Home Depot.
> It's different if let's say you were browsing Sears and then somehow got an ad for the Home Depot.
That's close to what happened.
OP got email from Sears, after browsing their site. But OP had never given an email address to Sears. OP had an account with (say) Home Depot. And then Criteo got OP's email address from Home Depot, and provided it to Sears.
> It used to be totally fine for one shopkeeper to mention to another that he saw a customer looking for a particular item. When you do it at scale, the old rules don't apply.
Right, because:
1) You're talking about a town so small that everybody knows everybody else's business anyway and fully expects this;
2) (yet paradoxically) I doubt the conversation would include much in the way of detailed personal info (unless it was gossip);
3) Regardless, in those days you probably saw both shopkeepers in church the following Sunday and could get any grievances resolved very quickly, and the shopkeeper is eager to resolve it rather than risk a bad reputation in a small tight-knit community.
It's quite similar to me going to the store to buy a carton of milk. I have practically no knowledge of what's involved in the complex chain of interactions that gets the milk out of the cow and into my shopping basket. I don't need to know, and so long as the store always has milk I don't really care. If someone out there were to invent a way to track the exact milk I buy I wouldn't instantly know how it works or understand it. I don't think I'd like the idea though.
The details of what actually happens when you visit a website are known to a tiny number of highly technical people (a few tens of millions globally). Most people have no idea what sort of data can be gathered and used to track you across the internet. People don't understand that Amazon, Facebook, Apple, etc all use the same third parties to share information and build immense profiles about every aspect of who they are and what they do, nor do they understand the way statistical analysis can be used to glean even more insight from that information.
Nothing like the internet has really existed before. Although browsers have existed for 25 years most people didn't use one before about 15 years ago, and most people weren't tracked in the way they are now until 10 years ago. This is new ground. We can't expect non-technical people to grok this stuff quickly.
> No it doesn't. There is no core privacy premise of the internet, and certainly not one that everybody used it signed up for.
I agree that it doesn't break a core promise of the internet. It does, however, potentially break the law. To be clear, it doesn't necessarily break it. But if the author actually has never given his email address to anyone who explicitly stated that it could be resold or transferred to a partner, then this violates CAN-SPAM.
Much like RMS, I use a friend's discount card (and pay in cash) at the grocery store for this reason. Will a purchase of soda and cookies be linked to me and impact my health insurance cost down the road? Will targeted Mountain Dew ads make their way into every website I visit? Probably not, but I'd rather be sure.
The self-checkout machines only ask for the phone number, with no id challenge. I get the discounts + no tracking, my friend gets more gas points, and the store is left wondering why he buys so much toilet paper.
I wonder how long it will be before they start cracking down on this somehow, and how far they'll take it.
Why is there no downvote button on this and other comments in this thread? I have the ability to downvote and many other comments have it available. Why are some unable to be downvoted?
I once had something similar, if not worse, happen.
I was researching some network equipment, looking at lots of websites and comparing products.
Then my desk phone rings. A call being passed from the switchboard - someone asking for the person responsible for IT purchasing.
It was a sales rep from a network equipment distributor, saying they noticed I was browsing their website and wanted to help me through the purchasing process.
I had never used their website in the past. No-one from my company had. I never signed up. I didn't login. I was bewildered.
I asked how they got my details. The rep said they pay a third party remarketing agency for contact details of people who visit their website.
We were a really small company, with no DNS PTR on our main (NAT'd) public IP. We did have an A-record for our mail domain pointing to this IP.
As the sales rep didn't know my name, all I can assume is that their remarketing agency was looking up our public IP addresses in some IP-to-business database, populated by email headers or sign ups at other user sites.
In any case, I wasn't pleased and was pretty surprised at the rather aggressive sales technique.
In the early 2000s, as a B2B Product Manager, I implemented a similar customer outreach program. We will reverse lookup the name associated with visitor IP address and then look into our own sales contact database for contacts in that company. Depending on contact quality, we will reach out to them using phone, email or personal visit from a sales rep in the area.
A few times, we decided to hold 'lunch-and-learn' type in-person events in a region based on the regional concentration of IP addresses from prospect companies and search queries from those regions to tailor our presentations.
Wow. Any vendor doing this to me goes on a perma-ban list. If they don't respect me before the sale, I'd have no reason to think they'd respect me after.
Why do you think the proactive customer outreach is "not respecting you"?
I view it as providing a high level of customer service, before and after sales, in the B2B space. It is no different than Amazon displaying related products that you might be interested in or Netflix showing you a queue based on your past viewings, in consumer space.
For example, if a visitor's company produces widgets and as a vendor we have previously helped other producers of the same widget, it is in both our and the visitor's interest to share such and related information. Similarly, a visitor from an existing customer might be searching for a solution to her problem with the vendor's product and doesn't believe the problem is big enough to warrant a support/service call or it is a user and not administrator/manager of the product. A proactive engagement by the vendor support group goes a long way in understanding the potential user issues with the product, a valuable insight for future product enhancements.
In B2B settings, sales cycles are long and require a lot of information exchange between various stakeholders within the potential customer. Both vendor and potential user of the product inside the company (who might become internal champion of solution) benefit by build the relationship early, quickly and efficiently.
IMO, this is the main reason for Dropbox's failure in penetrating the enterprise despite its high usage by individual users within enterprise. Delays in engaging enterprise users allowed Box to get into enterprise accounts by targeting decision makers and overriding individual users' preference.
The part I find deeply disrespectful, even more than the hella creepy privacy violations, is your notion that I'm incompetent to decide for myself who I need to talk to.
It's not like your web site is hiding the phone number or lacking in other ways for me to contact you. If I look at your website and don't use them, I have decided not to talk to you. It's essentially disrespectful for you to say "Oh, you poor fool, you don't know what you're doing. Clicking once is too hard for you. I'd better call you right away."
And then once the phone rings, we're off to the races with a host of manipulative sales tactics. Whee! Just how I wanted to spend my afternoon.
You try to wrap this manipulation up in the language of helping. But when you sing the praises of "build[ing] the relationship early, quickly and efficiently", you ignore that only one relationship is going to get built; the rest is just a giant waste of time, the very opposite of efficiency. And your last paragraph really gives away the lie. The point of the techniques isn't to help the customer. It's to allow the vendor to dominate a market without respect to actual product quality.
Thanks. As a kid, I'd read my grandfather's real estate sales manuals and I always found them both fascinating and horrific. The hacker in me always appreciates good technique. But there was just no getting around the fact that it was all about manipulating other people into doing whatever got you paid.
In a way, I feel bad for akg_67 and people like him. Our morals too easily conform to our jobs. As Upton Sinclair says, "It is difficult to get a man to understand something when his salary depends upon his not understanding it." I was lucky enough to see the problem young, and lucky again that I could afford to make my living some other way. But there are a lot of people stuck in these ethical traps. I wish there were more ways out for them.
I look at sales and advertising as an arms race. If nobody did it, we would be fine, especially now when publishing is free and search is incredibly good. But if anybody does it, all their competitors are obliged to keep up.
The free-market equilibrium is obviously wasteful. I'm sure we could save a half-trillion dollars a year if we eliminated this sort of arms race. I'd expect free market advocates to be excited about this because it would also remove a great deal of market distortion, allowing market mechanisms to work better. Their lack of interest I take as a tell: what really motivates them is not free markets.
I'm doing some research on Edward Bernays again. Absolutely fascinating and revolting creature.
If you've not seen Adam Curtis's The Century of the Self, do.
I also think that Free Markets are a smokescreen, though I'm not sure all those using as such realise it. I'm fairly convinced the main propaganda ministers -- the Mont Pelerin Society, Atlas Network, Cato, etc., do. Johan Norberg is their currently anointed Prince of Darkness.
"It is no different than Amazon displaying related products that you might be interested in or Netflix showing you a queue based on your past viewings, in consumer space."
It is very different imho. Looking up contact details of a site's visitors by IP is much like following a person back home and trying to sell him something just because he stopped by your shop's window briefly. That's just creepy, I would never deal with a company that does that.
It's disrespecting privacy. The examples you gave (Amazon and Netflix) know who you are. A better example might be looking at a product on the shelf at Best Buy, and an hour later the sales guy shows up at your house asking if you're still interested.
Browsing a website for the first time should never result in a phone call. I agree with the parent -- this behavior will result in a lifetime net of $0 from me to you.
I used to work for a company where a vendor's first unsolicited sales call would get them on our grey list. That being a list of vendors we would only consider purchasing from as an absolute last resort.
A second unsolicited sales call would result in permanent blacklisting.
Our IVR system warned callers that unsolicited sales calls would result in this action.
In the IT department alone 90% of incoming calls were sales calls. After this rule was brought in the volume was much reduced.
Also, we learned a lot of new swear words from angry salespeople.
This has happened with me. I do Pardot implementations from time to time, and one time I forgot to delete a test record with my info out of a production system we were about to launch. Time goes by, and I end up hitting their site to check out a bug they wanted me to fix. This flagged my contact in their system as "warm", and no less than 15 minutes later my phone rings.
I suppose this speaks more to my competency level than to theirs, whoops!
Yep, this happened to me once when I was house hunting earlier this year. I was pretty livid, and the poor rep on the other end found that out pretty quickly.
I've been getting more spam lately from "legitimate" companies. One of my email addresses leaked from a major open source project I corresponded with. Harvesters found it and now sell it to every small business and entrepreneur marketer you can think of. I get spam from CDNs, off-shoring companies, SEO/SEM, marketing, you name it.
Lots of them use sketchy services like reply.io to make it seem like a real person sent the email. And then another that looks like a reply to the first when you don't respond. And then another and another. Like Katie Malone at HawkSEM.com who 'personally' spammed me another 'reply' today. Essentially, folks like reply.io and similar automate the process of repeat spamming. Even their tag line is "Send Cold Emails That Feel Warm".
Here's a reality check for you: sending "cold emails" to a list of email addresses you bought makes you a spammer. Even if you try to make them appear personal. The giveaway is the tracking image (usually hidden or 1px by 1px white of course) and tracking links in every email so they can track whether you opened it and whether you clicked anything along with the unsubscribe link at the bottom. Except they don't label it as unsubscribe. It says "If you don't want to get any more emails from me, just let me know." with 'just let me know' as a link.
Be sure to mark every email like this you receive as spam so you don't get any more and so their reputation decreases enough to route all of this spam to everyone's spam folders.
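The three giveaways listed in the comment above (a hidden or 1px by 1px image, tracked links, and an opt-out link that is not labelled as one) can be checked mechanically. This is an added example, not part of the original thread; the sample message and its hosts are constructed, and treating any link on the pixel's host as tracked is an assumption of this sketch.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body, modelled on the follow-up mail described above.
SAMPLE_HTML = """\
<p>Hi, just following up on my last note.</p>
<p>Here is <a href="https://track.mailer.example/c/8f3a2b?u=vendor.example%2Fpricing">our pricing</a>.</p>
<p>If you don't want to get any more emails from me,
<a href="https://track.mailer.example/o/8f3a2b">just let me know</a>.</p>
<img src="https://vendor.example/logo.png" width="120" height="40">
<img src="https://track.mailer.example/open/8f3a2b.gif" width="1" height="1">
"""

# Heuristics (assumptions of this example): wording that signals an opt-out,
# and wording that labels a link honestly as one.
OPT_OUT_HINT = re.compile(r"(any\s?more|no longer|stop)\b.{0,40}\be-?mails?", re.I | re.S)
LABELLED = re.compile(r"unsubscribe|opt[\s-]?out", re.I)


class _Collector(HTMLParser):
    """Collects <img> attributes and each <a> with its text and preceding text."""

    def __init__(self):
        super().__init__()
        self.images, self.links = [], []
        self._block = ""   # text seen since the last block-level tag
        self._link = None  # [href, context, text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag in ("p", "div", "br", "td", "li"):
            self._block = ""
        elif tag == "img":
            self.images.append(attrs)
        elif tag == "a" and attrs.get("href"):
            self._link = [attrs["href"], self._block, ""]

    def handle_data(self, data):
        self._block += data
        if self._link is not None:
            self._link[2] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._link is not None:
            href, context, text = self._link
            self.links.append((href, context, " ".join(text.split())))
            self._link = None


def _dim(value):
    """Leading integer of a width/height attribute, or None if absent."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def is_tracking_pixel(img):
    """True for an image that is at most 1x1 or hidden by inline style."""
    w, h = _dim(img.get("width")), _dim(img.get("height"))
    style = img.get("style", "").replace(" ", "").lower()
    tiny = w is not None and h is not None and w <= 1 and h <= 1
    tiny_css = bool(re.search(r"(?<![-\w])width:[01]px", style)
                    and re.search(r"(?<![-\w])height:[01]px", style))
    hidden = "display:none" in style or "visibility:hidden" in style
    return tiny or tiny_css or hidden


def scan_email(html):
    """Return the pixel URLs, the links on pixel hosts, and disguised opt-outs."""
    c = _Collector()
    c.feed(html)
    c.close()
    pixels = [img.get("src", "") for img in c.images if is_tracking_pixel(img)]
    pixel_hosts = {urlparse(src).hostname for src in pixels} - {None}
    tracked = [href for href, _, _ in c.links
               if urlparse(href).hostname in pixel_hosts]
    unlabelled = [text for _, context, text in c.links
                  if OPT_OUT_HINT.search(context + " " + text)
                  and not LABELLED.search(text)]
    return {"pixels": pixels, "tracked_links": tracked,
            "unlabelled_opt_out": unlabelled}


if __name__ == "__main__":
    for key, value in scan_email(SAMPLE_HTML).items():
        print(key, value)
```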
This has absolutely picked up recently! It doesn't help their brand in my case, as I put them into the "Overly Aggressive Vendor" folder for future reference when I'm actually looking at purchasing services.
Those reply.io emails that look like they're from a real person are a grey area of marketing. I think it's deceptive and places undue social pressure to reply. Sometimes I do reply, but only when I get annoyed. In such cases, I turn the tables and start trying to sell them adventure travel (G Adventures). Sadly, we also use Criteo; thankfully adblockers block Tealium tag manager by default anyway.
When I saw OP's article screenshots, I actually suspected that Criteo had harvested the email address from the Forgot Your Password screen. This isn't uncommon – VE Interactive (I've mentioned them before), reads forms for email address fields and onBlur, they capture it and send marketing emails later. I _think_ this type of behaviour is supposed to be limited to cart abandonment situations, but I'll bet an incorrectly configured tag would target all forms.
When I started getting these, I called out the companies that did it. Kisi (getkisi.com) spammed me a few times and I called them out on it on Twitter with this tweet: "Hey @KISI - Spamming harvested emails is going to get your startup the wrong kind of attention." Their response was to block me. And continue to spam me. I can't imagine doing business with a company like that.
> thankfully adblockers block Tealium tag manager by default anyway
Most ad blockers do not block Tealium by default. For blockers such as Adblock Plus or AdBlock, one must explicitly enable EasyPrivacy (which is enabled by default in uBlock Origin).
> Be sure to mark every email like this you receive as spam so you don't get any more and so their reputation decreases enough to route all of this spam to everyone's spam folders.
I've always pondered sending the following curt response to this type of not-quite-really-spammy (as in Viagra-ads) spam:
Fuck off.
...or something even more offensive for greater catharsis, but then I worry it will just cause them to send even more, knowing that the address is "live".
Since I run my own mailserver, I can put in filters to give errors out at the SMTP level (rather than bounces), so I have stuff like this in my access file for egregious spammers (from legit companies):
<some_email> ERROR:550 You've been banned from sending spam to this address, spamming bastard!!
There's a whole bunch and the swearing ramps up and down based on the egregiousness of the spamming. I have no idea if anyone has ever seen these messages (probably not), but I really hope some day someone does :-).
And yeah, swearing at spambots is oddly cathartic.
I do that but only with recruiters from LinkedIn. It's hilarious when they get really upset and either call to curse at me or send a bunch of angry emails. Emails of course just get forwarded to their main contact. That'll teach them.
The bad spam recruiters seem to have found GitHub in the last few weeks.
E.g. not the "normal" recruiters who have a clue, but the ones who just email everything through regardless "just in case".
I had a lengthy discussion with one of the managing directors (Nick Rapley) of such an organisation ("RBW Consulting LLP" here in the UK) recently. He goes out of his way to defend their approach, as if the anti-spam laws don't apply to his line of business. Just because some small % of people might actually be convinced to say Yes.
(that is literally the same justification every other spammer uses)
Ironically... he told me to stop wasting his time. Like... hello, pot calling kettle black. :/
I've had several companies ("data partners" they call themselves) approach us to add these scripts to our websites. All of the ones I've seen use MD5(email) for the "anonymous hashing". I mentioned our privacy policy doesn't allow us to give out user emails, and their marketing guys never seem to understand that MD5(email) is basically the same thing. I even made a video example https://www.youtube.com/watch?v=ViCjzJpEaJw that failed to convince them.
Computerphile recently did a similar example of cudahashcat using a variety of strategies to break passwords. Their goal is to scare people into using better passwords, but the principle is identical to de-anonymising emails. Maybe it can help convince stubborn people?
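Added example, not part of the thread: a short Python sketch of why MD5(email) works as the address itself for anyone who already holds a list of addresses, next to a keyed token that does not join. The visitor records, the partner's address list, the key and all function names are constructed for illustration.

```python
import hashlib
import hmac


def md5_email(addr: str) -> str:
    """Unsalted MD5 of a normalised address: the 'anonymous hashing' described above."""
    return hashlib.md5(addr.strip().lower().encode("utf-8")).hexdigest()


def keyed_token(addr: str, site_key: bytes) -> str:
    """HMAC-SHA256 under a key that never leaves the site (assumed mitigation)."""
    msg = addr.strip().lower().encode("utf-8")
    return hmac.new(site_key, msg, hashlib.sha256).hexdigest()


# Constructed sample data: what the site knows about two visitors.
SITE_VISITORS = [
    ("Jane.Doe@example.com", "red scarf"),
    ("sam@example.net", "dog leash"),
]
# Constructed: addresses the data partner already holds from other sources.
PARTNER_ADDRESS_LIST = ["jane.doe@example.com", "j.smith@example.org", "sam@example.net"]
# Constructed demo key; a real one would be random and kept server-side.
SITE_KEY = b"constructed-demo-key-not-a-real-secret"


def export_records(visitors, tokenise):
    """Build the records a site would hand over, with the address replaced by a token."""
    return [{"id": tokenise(addr), "viewed": item} for addr, item in visitors]


def join_on_md5(records, known_addresses):
    """Match exported tokens against MD5 hashes of addresses the receiver already has."""
    index = {md5_email(a): a for a in known_addresses}
    return [(index.get(r["id"]), r["viewed"]) for r in records]


def demo():
    md5_export = export_records(SITE_VISITORS, md5_email)
    keyed_export = export_records(SITE_VISITORS, lambda a: keyed_token(a, SITE_KEY))
    return (
        join_on_md5(md5_export, PARTNER_ADDRESS_LIST),
        join_on_md5(keyed_export, PARTNER_ADDRESS_LIST),
    )


if __name__ == "__main__":
    md5_hits, keyed_hits = demo()
    print("MD5 export joined to known addresses:", md5_hits)
    print("Keyed export joined to known addresses:", keyed_hits)
```

The keyed token is still a stable pseudonym inside the site that holds the key, so it limits cross-party joining rather than making the records anonymous.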
I am really beginning to hate browsing the web these days... Especially poop up dialogs asking for my email as soon as the mouse cursor leaves the active browser screen. With an average of 20 browser tabs open, while one is loading I often go to click on another to check on something, and this instantly triggers a flurry of popups begging me to stay/subscribe.
Also the retargeted ads that follow me everywhere now. MOST of them are for companies where I have ALREADY bought something, so they are wasting their ad spend on chasing an existing customer, not a likely prospect.
This has made me resolve to try and make the web a less shitty place, one web site at a time - and I have ensured that my web projects absolutely DO NOT have any popups or cross site tracking in there (aside from normal analytics that is only used in house).
[I accidentally mis-typed 'pop up' above but LOVE the Freudian slip so will leave it as-is].
Please do this. Anyone remember pop-up ads? Notice how every web browser has an integrated pop-up blocker? They were a thing of the past. So now, apparently advertisers think we somehow actually wanted pop-up ads all along and implemented them with CSS overlays.
We seriously need to band together and stop this shit. It is absolutely infuriating. Who in the world wants to visit a website and then be stopped with a huge ad to join your stupid fucking mailing list? And I'm sure they point to their 2% conversion rate as proof that it works. What they don't know is the other 98% of people cannot fucking STAND it.
They're not available for all browsers. Quite notably, Chrome on Android, and any application that incorporates the Chrome core for its web presentation.
It feels like ad-blockers are less and less effective at blocking ads these days, in particular I don't think any of them block these annoying JS popups.
This is legal[1] in Europe if you consented to receive marketing emails from "partners" of a website you subscribed to (through an opt-in, not an opt-out checkbox).
You subscribe to website X, you opt-in to offers from third-parties, and this allows X to share your e-mail address with Criteo. Then Criteo sends you marketing e-mails for the account of Sears (but they surely don't share any PII with Sears - the e-mail is sent by Criteo).
The logic isn't that "browsing Sears is considered as having a preexisting business relationship with them". It's because users opted-in to third-party communications from a website they may have signed up with, back in 2008.
Other similar use cases include sending you an e-mail for website X when you browse website Y because they know you are in front of a computer/phone and this increases chances of opening e-mails.
Doesn't make it more or less "right" though and it's surely very surprising for users, myself included.
(On a tangent, what still looks like a legal gray area to me are the Data Management Platforms (DMP) - everyone shares user data in a big bucket/database provided by a common partner, all users are identified with IDs but not directly with PII, how much data can companies push/pull legally?)
[1] Not a lawyer but worked with legal teams on these topics. Laws still differ slightly depending on the European country you're talking about, but the GDPR will soon be unifying data privacy regulations. Right now the French and German Data Privacy regulations are some of the most restrictive ones.
That is nothing so much against lawyers, they are essential in the real world where land is a finite resource.
But the better solution to problems in an environment when CPU ticks are not a finite resource, and bandwidth is nowhere near capacity are technical and educational problems, not legal ones.
I log in with my IMAP4 user name and password, and then get a simple UI with a table of my aliases, and attached memo strings (which can contain URLs that get converted to links). I can edit these, change their order (select multiple, move to top or bottom, etc) create new ones and delete. When I create an alias, it goes "live" instantly, and when I delete one, it goes dead. Dead means that the address is "unroutable" at the SMTP level; it bounces.
I keep a few aliases from Tamarind in my wallet, in case I have to hand out an e-mail address in "3D life" to some untrustworthy outfit to be eligible for some promo or whatever.
I made my own system: it's just a text file with a list of aliases, kept in a git repo. When I push it to my mail server, a git hook runs a very simple script that formats that list into a valid sieve[1] rule.
A public (which also means: no logins) service that offers similar one-time email addresses is http://wasteland.rfc822.org/
You can use any word @wasteland.rfc822.org as an email address, and then look into the inbox of the same name, without any password. I tend to use it for services that want my email address, but from which I don't want any emails, and don't want to maintain permanent accounts with.
None of the inbox entries for "foo" are older than a few days; I take it that these inboxes are purged in a timely manner? [Edit] No; by probing some words I found inbox items as old as 2013.
This is why I own my own domain and have a catch-all email address. When I give a company my email address, I use (companyname)@domain.com.
They all forward to gmail; where it is very easy to filter out (companyname)@domain.com once shenanigans like this happen. It's also easy to track down and shame companies for doing this, too.
Even for Gmail users, the + notation will handle this well. foobar@gmail.com and foobar+SearsSoldMyEmail@gmail.com will both direct to the same location, and relatively few resellers have the sense to strip the extra data.
The problem with the + notation is twofold: First, not all places accept the + character; second, you've now revealed your actual e-mail address (since foobar@gmail.com is just as valid as foobar+dontspamme@gmail.com).
I use a subdomain with catch-all, like me.example.com. Everybody is fine with subdomains and then I can use companyname@me.example.com. Using that format doesn't expose my actual e-mail address and makes it easy to filter (if match companyname, immediately bin and never tell me).
Additionally you cannot send an email from foobar+dontspamme@gmail.com. If you aggressively use the + character for legitimate signups but need customer support they may not be able to find your account as easily (e.g. "we couldn't find an account associated with e-mail foobar@gmail.com").
For me, the actual email problem isn't huge - my first line of defense is giving out a burner email unless I want the primary site to be able to contact me. So I don't expect to get truly hammered with spam, and just want a way to know what happened if someone does sell the address.
The invalidation issue is a bigger one, and a subdomain is certainly a better solution for it. Disposable emails and the + notation are nice for people who either don't want to leave gmail, or are bound to it via college or company email system. They aren't the best cure, though.
I do this but note that '+' will invalidate your email on some sites and can't be used to begin with. Yay for poor email validation! Gmail ignores `.` in email addresses so you could also try `y.o.u.r.e.m.a.i.l@gmail.com` which will validate in more places - but then you can't pinpoint where exactly unless you start keeping track in a complex spreadsheet. But you will know that somewhere you signed up for sold your email address.
> unless you start keeping track in a complex spreadsheet
The spreadsheet doesn't have to be that complex. Just treat the spaces between letters as bits. Dot is 1, no dot is 0. Suddenly, an e-mail temporal@example.com has 128 different variants, and your spreadsheet may just be a numbered list of companies :).
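Added example, not part of the thread: the dots-as-bits scheme from the comment above, written out in Python. It assumes a provider that ignores dots in the local part (as stated for Gmail earlier in the thread) and a base local part that contains no dots of its own; the function names and the ledger contents are constructed for illustration.

```python
def variant_count(base_local: str) -> int:
    """Each gap between two letters is one bit: dot = 1, no dot = 0."""
    return 2 ** (len(base_local) - 1)


def encode_variant(base_local: str, n: int) -> str:
    """Return the dotted local part for ledger row n (most significant gap first)."""
    gaps = len(base_local) - 1
    if "." in base_local:
        raise ValueError("base local part must not contain dots")
    if not 0 <= n < 2 ** gaps:
        raise ValueError(f"n must be in 0..{2 ** gaps - 1}")
    out = [base_local[0]]
    for i in range(gaps):
        if (n >> (gaps - 1 - i)) & 1:
            out.append(".")
        out.append(base_local[i + 1])
    return "".join(out)


def decode_variant(received_local: str, base_local: str) -> int:
    """Recover the ledger row from the local part a message was addressed to."""
    if received_local.replace(".", "").lower() != base_local.lower():
        raise ValueError("not a variant of the base address")
    if received_local.startswith(".") or received_local.endswith(".") or ".." in received_local:
        raise ValueError("dots must sit singly between letters")
    n = 0
    pos = 1  # index just past the first letter, where the first dot could be
    for _ in range(len(base_local) - 1):
        n <<= 1
        if received_local[pos] == ".":
            n |= 1
            pos += 1  # skip the dot
        pos += 1      # skip the letter that follows
    return n


# Constructed ledger: the row number is the variant handed to that company.
# Row 0 is the undotted address, which is never handed out.
LEDGER = ["(never given out)", "Sears", "Wayfair", "Amazon", "Medium", "LinkedIn"]


def who_leaked(received_address: str, base_local: str, ledger=LEDGER) -> str:
    """Map the recipient address of an unwanted message back to a ledger entry."""
    local = received_address.rsplit("@", 1)[0]
    row = decode_variant(local, base_local)
    return ledger[row] if row < len(ledger) else f"unassigned variant {row}"


if __name__ == "__main__":
    base = "temporal"
    print(variant_count(base), "variants")
    for row, company in enumerate(LEDGER):
        print(f"{row:3d}  {encode_variant(base, row)}@example.com  {company}")
    print(who_leaked("tempo.ra.l@example.com", base))
```

A message arriving at row 0, the undotted address, came from someone who stripped the dots or never had a tagged variant.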
If you run your own mail server you can set it to be any character you like. I have mine set to a dash, which tends to be accepted everywhere and less likely to be discovered as an alias (although certainly not impossible)
That does not work because anybody who has your email address knows to remove anything after '+'. The only case it can work is if you were to only use addresses where there was a + sign, and throw all other emails to the trash.
I have thought of a similar technique but this time using a period that would float between all the letters I have in my username. Any emails sent to an address without the period gets autodeleted.
Yahoo offers a similar service and is the only reason I use them still (though of course all yahoo emails then get forwarded to gmail).
Yahoo's implementation gives you a secondary email address of the form [fakeemail]-*@yahoo.com where you get to add in anything after the dash and only email addresses you create are valid and will be sent to you. You can also delete these email addresses at any time. Also you're able to respond to emails from using these temp accounts so you don't have to worry about revealing yourself.
I don't think you even need to bother with this. Do you use categories? I do, and stuff like this always ends up in the "Promotions" folder, which I look at approximately never because it's all spam.
I feel less paranoid now for my browsing process. Almost everything I search is in an incognito window, from shopping and research to programming and how-tos. And when I'm done with looking for a new dog leash or Python module, I close that window. Only things in my main browser are the regular sites I visit and am logged into (email, HN, reddit etc.)
I started this after learning about the filter bubble but I've noticed how helpful it is when searching on Amazon, Wayfair, or Sears. I get non-machine-learned results every time while my wife using her primary browser with cookies often cannot see the same results I do. If I find something on Amazon, I copy-paste the URL without the ?query-string and replace 'www' with 'smile'. It seems like a hassle but it's no different from cleaning your feet before stepping inside the house after playing in the park.
This post just highlights that my practice to avoid unpermitted-profile-building-and-linking is for a good reason. I also have my own @example.com domain that I use and have certainly caught companies selling my info. However, even without being emailed, I don't want algorithms to determine what is best for me based on criteria I choose not to share.
> It seems like a hassle but it's no different from cleaning your feet before stepping inside the house after playing in the park.
I mean, you can make that exact argument about every annoying thing you have to do that wastes 1-5 minutes of your time. But over time, especially as a software programmer, if you don't automate those away, it really hurts your productivity.
I wonder if there's a way to turn this into an extension, sandbox all browsing into unique sessions until you press a button to pass it to a mixed session, with whitelisting for websites you trust... Wait a sec, wasn't that chrome's initial premise? Sandboxed tabs, what happened to that?
Already use ublock (even in incognito mode) and block 3rd party cookies. But personally dealing with no-script is too much hassle. I would much prefer my activity remain anonymous and disconnected between sites, not JS gives me trouble everywhere.
It's a little rich to write this complaint on Medium, a site that has been uniquely aggressive about tracking its readers' behavior (it has a script that phones home with your position on the page, and its URLs abuse the fragment identifier to track who you got the link from).
If you dislike surveillance capitalism enough to write an essay about it, think about where you're publishing it.
The page position thing I totally get. They don't care about individual data there but they want to identify if content is being fully read. It is a big challenge for any publisher and very important in getting the most engaging content front and center.
I just love the amazing "Terms of Service" that all of these ad companies have, letting you know that by virtue of loading an HTML page you've consented to have your personal information of ANY caliber spread all over their ad network, their "partners" networks, and to anyone else with a buck and a server, and immediately absolve themselves of any responsibility for what that might mean in terms of information falling into the wrong hands.
I can't think of another business that has this kind of insane amount of easy-to-start interaction that results in so much activity and yet can claim zero culpability for any consequences. It's as if you purchased an airline ticket and the ticket came with a 17 page document attached where they spell out that by flying on this aircraft you agree to have tickets pre-planned in your name for 24 other flights, the plane may or may not make a stop off in 6 airports en route to your destination, the pilot occasionally likes to do barrel rolls and loops but he's real good at it so don't worry, and by the way occasionally the engines fall off but you don't get to sue us if anything goes wrong. ENJOY YOUR FLIGHT
Learning to stop worrying about messing up people's ability to deliver email and just liberally hammer the "REPORT SPAM" button for any email I didn't want to see anymore improved my email experience substantially. So much faster than messing with filters.
I also tell Twitter that every ad they show me is offensive. Because they are.
The problem with this is it's easy to start getting legitimate marketing emails that you signed up for filed as spam, because they look similar to the marketing emails that you've been reporting. For example, for a while SpamAssassin decided that every email from the PlayStation store (even receipt emails) was spam, primarily because they look similar to other emails I've marked.
Even worse - these filters appear to be global and I've spent a good amount of time trying to un-train some lazy person's "report this (entirely legitimate) email as spam".
Or ones from my bank that include a lovely advertisement at the bottom... But you know what, I just let them stay in my spam folder because they are spam (and important emails usually don't have advertisements attached).
Example that tripped up bogofilter:
Show them the love.Whether it's candy,flowers, or something extra special, shop through the Earn
More Mall® Site and watch your Bonus Rewards Currency add up.
Got the winter time blues? Pack your bags and plan your escape - your rewards can lead you to a
world of travel. Search from a wide variety of hotel, cruise or vacation packages.
This limited-time offer is available July 1, 2016 through September 30, 2016.
Gap, Old Navy and Banana Republic gift cards have no expiration or maintenance fees, and can be
used at the following Gap Inc. brand stores and websites: Gap, Old Navy, Banana Republic, and
Athleta. Limit 5 gift cards redeemable per online transaction. Gift cards are redeemable for
merchandise only, cannot be replaced if lost or stolen, and may not be redeemed with certain
promotional offers. Restricted to use in the USA, Canada and Puerto Rico.
That's strange. Specifically I have marked all of Sony/Playstation's marketing crap "spam" in Gmail, and I marked only one of my PS Store email as "not spam" and never had a problem since.
Gmail is most likely a combination of global and local filters, and most people probably consider the PS Store emails as not spam. I'm not using Gmail, I'm using FastMail, so I'm using a local SpamAssassin filter (once you mark enough emails it flips from the global to the local filter). SpamAssassin uses some global data (e.g. URI blacklists and whatnot), but AFAIK the bayesian classification for my incoming email is purely based on my local training.
The email is just a symptom of the actual problem - tracking. Rather than hit the report spam button, I'd recommend installing a browser add-on that limits tracking.
But does it? No matter how many times I click "Report Spam" Google is not going to wholesale block LinkedIn's E-mail operation. At least those E-mails will start showing up in my own spam folder, but that's hardly affecting "their entire operation".
This is like refraining from voting in an election because "my vote won't matter." If enough people "Report Spam" then even LinkedIn's email operation will start to be impacted.
LinkedIn may be a special case, and then Google may be a special case too. But it will definitely help for all the other countless sites that are not LinkedIn.
I just mark all this stuff as spam, including stuff from legit companies that might have tricked me into subscribing to some list.
The thing is, I am never, ever interested in receiving marketing emails. Every single time, without doubt, I opt out of marketing emails. So if I receive one it means that one of these things holds true:
1. It's just spam
2. The website used some dark pattern to trick me into subscribing to something I did not want to
3. The website assumed consent and didn't bother asking
Guess what -- I'm perfectly fine burning all of this crap with a spam filter. It's a waste of time, and time is my most precious asset.
> Only when we craft the email on behalf of our advertisers, we receive your name, surname and email address from our partners, should you have consented to receive their emails marketing.
> Let’s ignore the fact that they assume Sears had my consent (they didn’t).
Just a note: I think what Criteo is saying here is that you gave permission to some third party to use your email for marketing purposes and to share it with their "partners", not that you gave Sears permission to use it. But they shared it with Criteo and Criteo shared it with Sears (or sent the email on their behalf) so technically there is "consent". (Of course in practice it's often possible to supposedly give such consent without ever realizing what you're opting into.)
This is why I have the username part of my email address tailored to each site/service I register with. So I have a hackernews@example.org, amazon@example.org, etc. Human beings get my real email though (because it would be weird if I told John Smith to email me at johnsmith@example.org). If people start abusing this (politicians do this a lot), I can just block say timkaine@example.org, and never hear from them or people they've sold and traded my email to.
The big problem is when you give out your email address to a human who stores it in his contacts, and some malware app gets a hold of his contacts and sells/distributes it.
FWIW, I've been doing this for about 15 years and I've never had that trouble. I tend to keep the same system for customizing emails so I can guess my username in one or two tries. But using a password manager has completely eliminated even that.
Only if the site is renamed or asks for your username instead of your email to reset a password. `their.domain.com@example.org` means as long as they use `their.domain.com` you'll know which email to check: `their.domain.com@example.org`
> If people start abusing this (politicians do this a lot)
I wish I had set something like this up before falling in for the Ron Paul hype in 2008 (sue me, I was 19). Got untold heaps of junk from those jerks for years before I got it under control.
Great extension. The only annoyance is that when I run ccleaner it wipes the list of sites I want to keep cookies for, so I have to re-add them. But those extra clicks are definitely worth it.
I used to do that, but it would sometimes break functionality on certain sites, and the whitelist is a bit of a pain to manage. I've had good success with http://disconnect.me
I was thinking whether or not sending these emails actually helps companies like Sears by bringing in customers, and whether or not (to an extreme) they might depend on them to survive as a profitable enterprise. What came to me as a revelation is that it's irrelevant. If their income relies on bothering everyone who comes across their website, tricking them into clickbaits or spamming them with (possibly malicious) ads, it might mean their services are not enough to justify their existence. As such, I decide not to pity them, and happily continue loving my adblocker.
There would definitely be some level of revenue being driven off these. It is an interesting case where apart from the software it didn't cost them anything to get the email address, so getting a higher unsubscribe rate doesn't seem so bad. (As opposed to discounts/ deals/ competitions) you might normally run to get someone onto a mailing list.
I'm not going to wait for legislation to fix problems I can fix myself. You don't want this to happen? Make sure you have ad-blocking and third party tracker blocking on. I go a step further and use 'Quick JS Switcher' for chrome. By default JS is off and I only turn it on for sites I want. The percentage of sites that I turn it on for is minuscule. I'm seriously starting to question why this isn't the default setup for any freshly downloaded browser.
I'm just checking out that plugin now (awesome plugin btw) and turning on JS remembers that hostname for the future. I haven't dug into the code yet though so can't vouch for its safety..
Yeah, I whitelist things like github, gmail, etc. But it's a very short list. Everything else loads without JS by default. I can turn it on with a click if I want to so it's a minor inconvenience when I reach a site and I need it. Also, the extension will remember which sites I have turned it on for. I have < 100 sites whitelisted. YMMV.
I personally switched to the following policy a year or two ago to avoid all this crap:
1) NoScript extension filtering everything except the base domain => no third party scripts are allowed except when I explicitly allow them
2) Cookie Whitelist extension to allow cookies only from domains I choose, only when I need => no third party cookies allowed, ever
3) µBlock in case the webpage tries to load iframe ads
4) a unique email address per service (like amazon.[5 random chars]@mydomain.com) so if all else fails and your address gets in the hands of somebody who should not have it, you know where it came from and can expose them
>>> But until legislation catches up to regulating the negative consequences of retargeting, there may not be much you can do about this besides blocking cookies, ads, and opting out of Criteo’s entire system by submitting your email address here.
No no no. Handing over your email address to an online advertiser is a horrible idea. Do not engage them. Blacklist their content, their cookies, via whatever means you want (I use adblock) and be done with them.
An article that discusses tracking via online advertising but doesn’t discuss blocking is very suspicious. The most powerful tool against the problem isn't worth even a mention?
"Dear Criteo: You opted in to this box of dead rats we just sent you because you once visited a site that partners with our dead rat promotion service."
Yesterday, after many years, my curiosity finally got the better of me - I started playing World of Warcraft. Since my head is now full of thoughts about MMO, excuse me for saying this:
There should be a new class - or race - added to fantasy worlds. The Marketers. More evil than demons, undeader than the Lich King. Their gameplay mechanics would be based around earning gold by draining their own souls, as well as the souls of characters around them. Their primary combat role would be casting annoying debuff spells at everyone around, friend and foe alike.
Seriously though, this article basically says that someone out there has reached another level in insidiousness. If it was an MMO, we could at least form a raiding party and get rid of the problem once and for all.
tl;dr: related: Amazon sold (or gave) my secret Amazon email address to third parties without my express consent rather than using their remailers.
I have exactly one email address that I use for Amazon, and I've never used it elsewhere for anything else.
I occasionally receive emails from vendors (through the vendors' mail servers themselves, not remailed through Amazon per mail headers) at Amazon that I have bought things from (via one-click) as gifts and I am 100% sure I never gave them my email address or replied to any email from them.
An example vendor is a large outdoor clothing store that I bought a North Face jacket for a relative from. I'm now on their mailing list. In the ultimate irony, I could just click unsubscribe but it's actually good stuff ;)
This is why I use my entire domain as my email address (i.e. *@example.com is routed to my inbox). This makes it trivial to hand out a unique address every time I fill out a form.
If any spam arrives that is addressed to "vendor.com@example.com", it's obvious who sold their email db. Bonus: it's easy to filter out spam when the spammer is sending to a unique address.
I don't understand why everybody does not block third-party cookies by default. I took a stab at my cookie list and found 300 cookies from advertisers and intel gatherers. I deleted them selectively, but I did not want to go through that again, so I blocked the third-party ones.
Some have been explicitly allowed because I trust them, like google analytics. But other google cookies are prohibited, like plus.google.com. Facebook is explicitly blocked. Doubleclick is blocked. Some websites will not work if certain third parties are blocked, so I have to explicitly allow them once I realize the problem.
> I am signed up to some platform which is a Criteo partner. It’s entirely unclear who this partner is. While Criteo boasts a “close partnership” with Facebook, Facebook claims that they do not share personally identifying information such as your email address with ad partners. Regardless, a platform with my email address gave it to Criteo.
This issue is exactly why I use specific email addresses for each website. I tend to follow the pattern <websitename>@mydomain.com. That way if a site leaks my email address to spammers (either intentionally or accidentally) I know which site it was, and immediately boycott them in future and move that email address into a blacklist.
For big sites I cannot boycott, I simply register a new email address with them (i.e. <website><number>@mydomain.com), and move the original into the blacklist.
As I run my own on-premises email system, I can't benefit from crowd-managed spam systems, so keeping a lid on the incoming spam is very much a pro-active action for me.
>The CAN SPAM act actually allows direct marketing email messages to be sent to anyone, without permission, until the recipient explicitly requests that they cease (opt-out).
Isn't this the root problem here? It is hard to see how you could even start to fix this sort of thing without fixing the spam law first.
I've been using a catch-all email domain for years where anytime I give out an email address, the local part is a description of the party receiving the address (e.g. bestbuy.com@mydomain.com).
If I receive spam at a particular address, it's easily blocked and I know who leaked it.
An interesting side effect of receiving email from so many different addresses to the same inbox is that I often receive the same spam to multiple addresses simultaneously. This is easily caught by spam filters and so I never have Spam in my inbox. It also makes identifying false positives in my Spam box easy because they usually stand out against the repeated subject lines so it's a simple game of which one of these is not like the others.
My wife's cousin had something like this happen to her two years ago when she was planning her wedding.
She browsed a few specialist wedding sites for inspiration and when she went to some well known retail sites to start pricing things they seemed to know she was getting married and promoted wedding goods and services on their front page to her.
It freaked her out no end. I suggested a few plugins that seemed to put a stop to it. But a few weeks later she did start getting wedding related snail mail spam.
It's very creepy, especially after the whole Target teenage pregnancy thing.
Yup...with my ex-wife it was the first time we got pregnant. Browse a couple of specialty sites and suddenly everyone and their mother is spamming us with new-parent ads.
Let me tell you how much fun it was to still be getting "free Enfamil baby formula" spam for a year after she had a miscarriage.
On a somewhat related note and what I thought the article was going to be about, what is going on with the phenomenon of HTML 5 light boxes loading when you are barely a few seconds into reading a page asking you to "sign up for the newsletter." This trend is out of control. If you were browsing shelves in a grocery and someone came and stood between you and the book you would want to punch them.
Does annoying people into something actually work? I feel like it must since it's so prolific.
Privacy Badger is pretty good at blocking things like this -- it watches out for domains that are third-party for more than one site, and blocks requests to them. Does require some tweaking for genuine CDNs (and indeed comes with a yellow-list of common domains that will receive requests but not cookies) but generally very useful.
Am I paranoid in assuming their "opt out" system is basically probably an "opt in"?
Related: I know that it's possible to "opt out" via the Direct Marketing Association communications (https://dmachoice.thedma.org/), but have thus far not done this as I assume I'll just get more junk mail.
I think it depends on what companies agree to not send you emails if you opt out. I'm betting if a company agrees to the dma opt out then they will stop and you will get a little less. But I think most advertisers don't care if you opt out or not. It's in their best interest to not care.
I talk a lot about this stuff with a friend doing sales operations at a hyper-growth startup in SF. With Criteo, tools like Reply.io and others he thinks we're going to see an event horizon where recipients of spam say enough is enough and online privacy finally becomes 'cool'.
I know there are a couple of solutions out there, but what exactly is stopping the main email providers to offer on demand proxy addresses for one's main account? I think there is a legitimate demand for it, but not enough to actually sign up for yet another service.
He talks about the legality of sending the spam, but what about the legality of the partner he is really subscribed to that shared his information with a 3rd party? IANAL but AFAIK that wouldn't be legal in most countries.
What I usually do is reply to their spam e-mail on a support mail address and ask them to stop sending me spam: waste their time the same way they waste my time... if everyone would do that the problem would be solved.
1) There's no way to know the site's terms when you're coming to it for the first time from google.
2) He isn't complaining about retargeting, he's complaining that his email address was shared through it.
We've banned this account for repeatedly posting uncivil and/or unsubstantive comments and ignoring our requests to stop.
If you don't want to be banned, you're welcome to email hn@ycombinator.com. We're happy to unban accounts when people give us reason to believe that they'll abide by the site guidelines in the future.
> If they shove it in your face, it's YOUR job to ignore it, not their job to somehow pre-determine who wants to see it and who doesn't.
No, it's exactly their job. It's the difference between pushing and pulling. If you want to show your content to people, start a webpage and put it there. No one gets the right to be offended by the content of a website they're browsing voluntarily. But conversely, no one gives you the right to shove the content in my face.
You have no right to be heard. If you try and force it, be prepared to get shunned by society. Just because it's legal to violate social norms does not mean that people will hate you any less for doing it.
See when I get mail from inconsiderate assholes, and it didn't get filtered, I look up the abuse contact of their provider. Then I forward the mail to them with a note that it was unsolicited. (In most cases I will CC their upstream abuse contact too because I'm nice like that.) With responsible senders, this works wonders. The irresponsible senders end up on blacklists and their asshole customers get terrible reach.
The real problem here is not the chain of marketing tech that allowed this, the issue is that the marketing message itself sucked. If the message was valuable, many people wouldn't have been bothered by receiving it.
As for the message itself, if their intent is to sell you that specific item you searched for, they should say so. Of course, they need to avoid the creepy-factor, which, along with laziness, are the two reasons they may have ended up with the junky message you received.
> The real problem here is not the chain of marketing tech that allowed this, the issue is that the marketing message itself sucked. If the message was valuable, many people wouldn't have been bothered by receiving it.
I disagree. This sounds like the rationalization marketing folks put forward, namely that they're actually helping people. No, they are not. At best, they're shoving messages into people's faces. At worst, they're shoving poisonous radioactive garbage messages full of lies into people's faces. The range of behaviour here is from mildly annoying to outright malicious. Very rare is the case when unsolicited marketing messages are something people are actually happy about.
I agree with you that the lazy/poisonous methods are far too common, and was exaggerating to some extent. In this case the chain of tech may be too sullied for a good message to be well-received.
I'd also like to add that as punishment for insulting the Sears marketing team, I got a piece of spam from them 20 minutes after my comment.
Please. There is no core privacy premise of the internet. The core premise of the internet is one protocol to deliver meshed knowledge to any computer. And the commercial possibilities of the internet are what have underwritten the growth of the network.
Reactions like this one make me think: entitled.
But they also make me think: unrealistic. How much should hypertargeted ads really bother us? Call me when they are using my bank account and medical records to show me ads. Not my browsing history, over whose exposure I have complete control, and which doesn't really expose very much about me or my family.
There is no core privacy promise _built in_ to the core of the internet in the same way that there is nothing in the laws of physics which prevent murder. We have laws and cultural norms for this sort of thing, and it's not at all entitled or unrealistic to suggest that those tools be used to curtail a rather parasitic situation such as this.