> This transaction breaks a core promise using the internet: just because I visit a website doesn’t mean I consent to getting spam from it.
No it doesn't. There is no core privacy premise of the internet, and certainly not one that everybody used it signed up for.
I'm not condoning this behavior, but we're in territory that we don't have prior art for. It used to be totally fine for one shopkeeper to mention to another that he saw a customer looking for a particular item. When you do it at scale, the old rules don't apply.
If you think it's spam, hit the spam button in gmail and get rid of it. Use an adblocker. Talk to your congressman about data privacy and sharing laws, because we don't have anything that's effective. Frankly, continue to write Medium posts, because it raises awareness :) But, I disagree with the notion that this is a solved problem with bad actors, because we're in unknown waters.
> It used to be totally fine for one shopkeeper to mention to another that he saw a customer looking for a particular item. When you do it at scale, the old rules don't apply.
The on-line equivalent of that would be e-commerce sites sharing their detailed analytics data with each other. What was described in the article is more alike to a shopkeeper saying to another, "Did you see that woman in red scarf? Her name is Jane Doe, she lives in the house over that hill. She seems to be interested in this particular item, so your best bet is to upsell her something similar."
"She's just received a big payout from her ex-husband so she'll be willing to pay more, and she likes cats, especially white ones. Also her sister's birthday is coming up and the sister is obsessed with horse racing so you might be able to sell her some memorabilia. Jack up the price so she'll think it's valuable."
This is really pushing the boundaries of the CAN-SPAM act. You're not allowed to send unsolicited emails. You shouldn't be allowed to pretend that visiting a site is a solicitation.
Edit: I misunderstood the mechanism of collecting the addresses. This isn't skirting "unsolicited mail", but it is circumventing the ban on harvested email addresses.
Actually, you ARE allowed to send unsolicited email, even commercial (UCE). It has to be clearly labeled, contain the postal address of the sender, and contain unsubscribe links. Also, CAN-SPAM only applies to senders in the U.S. (unfortunately).
It's pretty amazing the number of senders that do not obey the requirement for a minimal unsubscribe flow:
> Any opt-out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your message. You must honor a recipient’s opt-out request within 10 business days. You can’t charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request. Once people have told you they don’t want to receive more messages from you, you can’t sell or transfer their email addresses, even in the form of a mailing list.
To me it seems more of an honor-based system rather than one there's any enforcement for. Much like the Do Not Call list.
Given that SMTP is a relay system, would the first US-soil SMTP gateway machine a message travels through be its legal "sender" (in the way that e.g. the importer of a foreign medical device is liable if it's not FDA-approved)? One would think this would legally force those gateways, when handling foreign-originated spam, to slap their own address on them with their own unsubscribe link, that would—if clicked—then block those messages from coming through that gateway.
> Also, CAN-SPAM only applies to senders in the U.S. (unfortunately).
We could always send gunboats to reduce cities whose citizens send unsolicited emails to the U.S. … /s
More seriously, this does seem like the sort of thing which could be addressed through bilateral or multilateral negotiations, including between the private firms who own the international Internet connexions.
I don't know if I would call it a "relationship" message, but maybe it's a "transactional" message, where serving the webpage counts as the transaction?
When I worked somewhere that did a decent amount of email marketing, we were told our abandoned cart emails were not transactional, as there were not actually a part of any kind of transaction (yet). Not sure on the actual status though.
First, CAN-SPAM doesn't outlaw the sending of unsolicited commercial messages - on the contrary, it lays out rules for sending them. Second, in this case, at some point this guy agreed to receive emails from Criteo when entering his email address somewhere. The fact that people don't read TOS before they agree to them does not invalidate them.
The question is not a legal one, but a moral one. Of course the TOS are agreed on by the user, but it's still not what they want, so I still consider it unsolicited from a moral POV.
California and New Jersey have laws that go above and beyond the protections outlined in CAN-SPAM. I used to work for a company that sent spam (I swear, I didn't know until after I'd already accepted the job), and we avoided sending to those states. If more states would adopt laws like this, we could dramatically curtail spam.
As for what constitutes solicitation, I wish it was that simple. In some instances, companies will buy your email address from another company, and they believe that constitutes consent. In other words, you did business with Company Foo, and I did business with Company Foo, so you consented to do business with me. It's insane.
Having been inside one of these businesses, I have three pieces of advice.
First: Mark spam emails as spam when you see them. You only have to get a few of your messages marked as spam to get your IP address blacklisted. You have far more power over spammers than you think. Not only that, but spammers fear this so much that they keep databases of complainers, and they'll leave you alone in the future. Sometimes they'll even share lists of complainers with other companies so they won't risk your wrath.
Spam companies love non-complainers. Even if you don't open the spam, not complaining helps their numbers with the email provider. By not complaining, you're sending a signal to your email provider that this is a good email, and other users would like to receive it. Not only that, they'll remember you as a person who can be relied upon to not complain, so you'll get more spam than other people.
Second: Read EULAs. We did business with some super-shady companies who sold us tons of really invasive user info. One company even sold us the contents of people's email. Not just meta data, we could actually read the content. They don't mention any of this on their site, but it's subtly stated in the EULA. Read them and check for references to sharing your data with business partners.
I've steered clear of some browsers and email clients as a result of vague EULAs that leave the potential for harvesting my data and selling it.
Third: This one is going to be unpopular on Hackernews, but the best way to avoid being fingerprinted by advertisers is to block JavaScript by default. There are bajillions of ways to uniquely identify your computer, right down to having your browser report which fonts you have installed. Almost every single technique relies on Flash, Java, or JavaScript. Ad-blockers help, but they don't catch everything.
I use NoScript to turn off JavaScript by default, and I only enable a site if it seems legitimate and the site is broken without it.
Here's a terrifying list of the things advertisers can do to uniquely identify you without consent and without a cookie. As the article says, disabling JavaScript by default is by far the most effective method for protecting yourself from fingerprinting: https://wiki.mozilla.org/Fingerprinting
It's a little inconvenient, but good security always is. The locks on your front door are inconvenient (what if you lose your key?), but hopefully they're even more inconvenient for would-be intruders.
> As a side effect disabling javascript also makes pages load faster
Ironically on our rather elderly laptops NoScript actually increases page loading times by a factor of two and that's with the out-of-the-box configuration. I haven't looked to see what pattern-matching algorithms it uses but they're very slow.
Because it is a browser extension which by itself is quite complicated application. I use builtin JS blocking options in Chromium and didn't notice any slowdown.
CAN-SPAM preempts more restrictive state laws with narrow exceptions, so generally the California and New Jersey laws are unenforceable. Those laws, and free m voting them, were a major reason that CAN-SPAM was lobbied for by industry, and that anti-spam activists labelled it a setback that told the industry that they can spam people's inboxes.
Is a company in New York bound by the laws of New Jersey or California? Do consumer protections for an individual in California extend to every company in the US?
the best way to avoid being fingerprinted by advertisers is to block JavaScript by default.
Leaving aside the sheer amount of stuff this will break, you're serving to identify yourself in another way, but perhaps not to an advertiser.
Given the average website, the number of people using a real web browser (i.e. not bots, curl, wget, etc) who don't run JS is going to be absolutely miniscule.
It's kind of like turning on Do Not Track - most people have it off, so you're highlighting yourself by turning it on.
This topic comes up a lot on HN and my response is always the same. Try NoScript again. Give it a day or two and whitelist the sites you use a lot and trust. You will have a stunningly faster browsing experience and the number of sites that don't work will be surprisingly small.
We have passed a tipping point where all the annoying bullshit that depends on JavaScript to function far outnumbers the random websites that NoScript breaks. LONG time user of it and I just don't have much trouble browsing. It makes the web insanely fast and eliminates most annoyances.
I've been using uMatrix for some time (I'm a control freak, I guess) and I support this - you end up whitelisting a few sites here and there (or even just some aspects of those sites, in case of uMatrix), and the Internet becomes overall a much better (and faster) place. The amount of useless JS bloat on-line is staggering, and it hurts me that developers are actually defending this practice. Engineers should know better.
Can't say much about DNT, but I think turning off javascript absolutely makes sense.
If you turn it off, they can put you into the "disabled javascript" pool of users. So what?
But if you keep it on, they can query half a dozen APIs and get a much more detailed configuration of your browser. Which lets them put you into a much smaller pool and identify you more confidently.
And what's more, the more of us that turn off the script, the more anonymizing the "disabled javascript" bucket becomes, as well as the increasing the pressure on web developers to stop the js bloat. Win win I say.
I've been surfing forever with noscript, only white listing those domains I need.
Exploding cookies (the add on, not the terrorist device), and an ad blocker, and the internet is quite usable.
State specific spam laws wouldn't matter unless the company has a physical nexus within that state. You'd have offshore subsidiaries doing the sending even if all 50 states passed such laws.
> § 17529.2. Notwithstanding any other provision of law, a person or entity may not do any of the following:
> (a) Initiate or advertise in an unsolicited commercial e-mail advertisement from California or advertise in an unsolicited commercial e-mail advertisement sent from California.
> (b) Initiate or advertise in an unsolicited commercial e-mail advertisement to a California electronic mail address, or advertise in an unsolicited commercial e-mail advertisement sent to a California electronic mail address.
> (c) The provisions of this section are severable. If any provision of this section or its application is held invalid, that invalidity shall not affect any other provision or application that can be given effect without the invalid provision or application.
tl;dr You may not send unsolicited commercial email to California residents. You are also barred from sending unsolicited commercial email from within the state of California, but this is independent of the first part.
> It used to be totally fine for one shopkeeper to mention to another that he saw a customer looking for a particular item.
Huh? Outside of some tiny village the shopkeeper would not know the name and address of customers that are just browsing. If a shopkeeper hired private investigators to stalk those customers, following them around everywhere gathering as much personal information as possible, it would probably run afoul of some law.
Not only that, in this example the shopkeeper is simply helping the customer find what they are most likely requesting simply to be helpful. A more accurate example would have shopkeepers buying customer data from each other using a 3rd party entirely for their own benefit. This really isn't the same thing at all.
At this point a plugin probably isn't enough. We need a better browser that gets back to the document viewing roots. Something better than NoScript that has a rough idea of the types of transforms a domain's JS performs so that it can serve me the "page" w/out running suspicious code. Although I suspect this would just start a new style arms race of obfuscation similar to adblock, etc.
hosts file blocking will never be as good and complete as add-on based blocking. You cannot block on DOM, you cannot block specific things from a host but let through others, etc. Not to mention that it is much harder to toggle if you need to.
They didn't share your contact information since technically the SPAM came from them (via a technology provider Criteo) so it's still Sears that's owning the communication and responsibility. It's different if let's say you were browsing Sears and then somehow got an ad for the Home Depot.
> It's different if let's say you were browsing Sears and then somehow got an ad for the Home Depot.
That's close to what happened.
OP got email from Sears, after browsing their site. But OP had never given an email address to Sears. OP had an account with (say) Home Depot. And then Criteo got OP's email address from Home Depot, and provided it to Sears.
> It used to be totally fine for one shopkeeper to mention to another that he saw a customer looking for a particular item. When you do it at scale, the old rules don't apply.
Right, because:
1) You're talking about a town so small that everybody knows everybody else's business anyway and fully expects this; 2) (yet paradoxically) I doubt the conversation would include much in the way of detailed personal info (unless it was gossip); 3) Regardless, in those days you probably saw both shopkeepers in church the following Sunday and could get any grievances resolved very quickly, and the shopkeeper is eager to resolve it rather than risk a bad reputation in a small tight-knit community.
It's quite similar to the me going to the store to buy a carton of milk. I have practically no knowledge of what's involved in the complex chain of interactions that gets the milk out of the cow and into my shopping basket. I don't need to know, and so long as the store always has milk I don't really care. If someone out there were to invent a way to track the exact milk I buy I wouldn't instantly know how it works or understand it. I don't think I'd like the idea though.
The details of what actually happens when you visit a website are known to a tiny number of highly technical people (a few tens of millions globally). Most people have no idea what sort of data can be gathered and used to track you across the internet. People don't understand that Amazon, Facebook, Apple, etc all use the same third parties to share information and build immense profiles about every aspect of who they are and what they do, nor do they understand the way statistical analyse can be used to glean even more insight from that information.
Nothing like the internet has really existed before. Although browsers have existed for 25 years most people didn't use one before about 15 years ago, and most people weren't tracked in the way they are now until 10 years ago. This is new ground. We can't expect non-technical people to grok this stuff quickly.
> No it doesn't. There is no core privacy premise of the internet, and certainly not one that everybody used it signed up for.
I agree that it doesn't break a core promise of the internet. It does, however, potentially break the law. To be clear, it doesn't necessarily break it. But if the author actually has never given his email address to anyone who explicitly stated that it could be resold or transferred to a partner, then this violates CAN-SPAM.
Much like RMS, I use a friend's discount card (and pay in cash) at the grocery store for this reason. Will a purchase of soda and cookies be linked to me and impact my health insurance cost down the road? Will targeted Mountain Dew ads make their way into every website I visit? Probably not, but I'd rather be sure.
The self-checkout machines only ask for the phone number, with no id challenge. I get the discounts + no tracking, my friend gets more gas points, and the store is left wondering why he buys so much toilet paper.
I wonder how long it will be before they start cracking down on this somehow, and how far they'll take it.
Why is there no downvote button on this and other comments in this thread? I have the ability to downvote and many other comments have it available. Why are some unable to be downvoted?
No it doesn't. There is no core privacy premise of the internet, and certainly not one that everybody used it signed up for.
I'm not condoning this behavior, but we're in territory that we don't have prior art for. It used to be totally fine for one shopkeeper to mention to another that he saw a customer looking for a particular item. When you do it at scale, the old rules don't apply.
If you think it's spam, hit the spam button in gmail and get rid of it. Use an adblocker. Talk to your congressman about data privacy and sharing laws, because we don't have anything that's effective. Frankly, continue to write Medium posts, because it raises awareness :) But, I disagree with the notion that this is a solved problem with bad actors, because we're in unknown waters.