Browsing your website does not mean I want your spam (2016)
artplusmarketing.comDiscussed previously:
https://news.ycombinator.com/item?id=12335168 (615 points, 184 days ago)
Best comment, IMO: https://news.ycombinator.com/item?id=12339338
> They are able to do this because sears.com loads Criteo code and uses a criteo.com cookie
> there may not be much you can do about this besides blocking cookies
Most browsers let you block 3rd-party cookies without blocking all cookies (in this case, blocking the the criteo.com cookie but not the sears.com cookie, when on sears.com): https://www.maketecheasier.com/disable-third-party-cookies-c...
There are also addons like uMatrix (https://github.com/gorhill/uMatrix) which allow you to selectively block cookies by domain. By default it loads a bunch of ad blocking stuff too but you can turn that off if you really want.
I use Firefox. I always use private browsing mode. I accept third-party cookies, but I delete all cookies and history when Firefox closes.
Does this actually count as a third-party cookie if the sears page loads criteo in an iframe (which may be 1px by 1px, and tell criteo that it was invoked by sears)?
"Third-party" is based on the domain shown in your browser's address bar. If that shows sears.com, then domains which aren't sears.com are third-party.
Yes, it does. criteo.com is a third-party domain when on sears.com.
> The CAN SPAM act actually allows direct marketing email messages to be sent to anyone, without permission, until the recipient explicitly requests that they cease (opt-out).
Ladies and gentlemen, let's get this fixed. Spam is not only a waste of resources (bandwidth, time, and money) but it also contributes to malware distribution.
What will it take to accomplish this?
Overturning the first amendment.
Unfortunately, it protects lots of speech, good and bad.
Restrictions on commercial solicitation don't generally have First Amendment problems.
Yeah, this probably isn't going to encounter first amendment issues. It's much more likely that corporate lobbying will be the cause of any resistance to changing the law.
It routinely restricts the amount of restriction.
That and the fact that any app you download now adds you to their newsletter list. Just because I wanted to try your app, it doesn't mean I want to get tons e-mails from your company. It's so frustrating I stopped trying apps, and instead only download what I really need and/or trust.
Have you ever tried to make a business out of selling an app online or in an app store? How did you get users?
I definitely don't agree with "tons" of e-mails but a few promotional emails is understandable. I also don't agree with the tactics used in the article, to be clear.
Why is the company's inability to get users my problem? Those emails get flagged and placed in spam, where they belong? Spam is never "understandable". Get an (explicit, non-dark-pattern) opt in or you're spam.
Do you consider signing up to use an app with your email opt-in?
Absolutely not. I flag those as spam.
Unless it's an email notification from the service because of an action someone took... those are okay but I'd prefer them to be off-by-default.
I just use a spare domain as a catchall in the form of "servicename@domain.com" then ban that address if it gets too chatty.
The App Store doesn't share the customer's email with the app developer, how does this happen?
Android.
Until Marshmallow it had no permission system at all - every app gets access to everything it wants. That's every contact's full details, your full details, all your SMS messages, your location at all times, your email address (you could see a list of what they access, at least, but couldn't stop them).
It finally became more iOS-like in Marshmallow, but first your phone has to actually get the update, then the app has to actually update to target Marshmallow or above. It doesn't retroactively apply to older apps, and Google didn't enforce that apps start supporting it - they only have to if they want to use Marshmallow specific features.
(You do have the option of manually blocking access in Settings, but you have to actively do it for every app before the app ever runs, and you'll get warnings that the app might simply break).
It's something I've frequently pointed to when Android users said that "Android gets everything first". I was enjoying my permission system back in 2008.
It's the main reason I use an iPhone, it's actually why I switched back after some time using Android (after the iPhone finally got custom keyboards). Finally, as more and more apps update, Android will become viable for me again. However, I still take issue with having to put my real name on app reviews on Android.
Android pre-M had a permission system, it's just that the permissions had to be granted by the user when the app was installed (or updated, if there was a change). Many or most users didn't read the warnings or didn't care. I'd wager most users don't read the new permission dialogs, either, but what're ya gonna do.
It had a "permission system" that in effect did not provide the user with any practical choice. The non-choice was between "install this app and give everything it wants (even in the background)" and "piss off".
I did include that in my comment. The "system" was the list of things the app got access to if you installed it. And that's it. You couldn't grant or not grant permissions, it was just a warning of what was going to happen either way if you installed it. And essential apps like Facebook would ask for absurd permissions like phone.
The only choice you had was "install the app anyway" or "don't install".
A lot of apps require email to sign up...
How would an app you download get your email or get any personally identifiable information that you didn't explicitly allow it to have?
Amazon seems to be annoying in this area.
I look at a product out of curiosity.
Get stuck seeing the same product ads for days everywhere including FB, etc.
and yes I use Ublock, Ghostery etc.
Not 100% sure it was Amazon, but a month or two ago I actually got a physical junk mail letter after looking up a brand of dog treat online. (I don't have a dog, it was a random question I had about it.). I'm surprised it doesn't happen more often. You have to expect that nowadays every time you get online there's basically an AI sitting on the other side taking notes.
Amazon uses your Amazon history to target Amazon ads to your interests. That's not the same thing as giving your Amazon account information to a third party.
I wasn't even logged in Amazon.
Maybe I added it at some point, but "criteo.com" is blocked by uBlock on my machine.
Anyway, it's baffling to me that people still defend web advertising. That "industry" is far sleazier and shadier than spammers, but for some reason people here will defend web ads.
I think most people here are defending "web ads qua web ads" (i.e. a picture in a box on a page that doesn't track you or start dancing around your screen), not the realities of most web advertising today. I think it's sad that business models that are based on non-intrusive web ads are becoming increasingly infeasible, but I certainly don't blame users for the current state of affairs.
Probably more evil than the practice described in the article is at the very end. In order to get them to stop, or not start in the first place, you have to give them your email address. So you have to trust them with the very thing you want them to stop abusing. No thanks. The real answer is a very strict ad blocker. On all your devices. Every time you browse.
The only way to keep your personal information safe is to not share it in the first place. Pass all the laws you want and require all the layers of security you can imagine but your data is still not safe; it will eventually get leaked. Either through the actions of hackers, intentional or unintentional leaks, security bugs, or utter incompetence of some human that has legal access to it.
> So you have to trust them with the very thing you want them to stop abusing.
"Fun" fact: I register on sites with addresses like "address-suffix@domain", with a different suffix for different sites. I won't name names, but I now receive viagra-level spam to several of them, which reasonable people would expect to be able to trust. haveibeenpwned.com confirms that one of them, off the top of my head, was part of a breach.
Why not name names? Let's name and shame companies that are either selling your info or hiding breaches.
So in my inbox currently:
* dbox@mydomain.com (Dropbox) - first received spam two years ago.
* (Greenheart Games/Game Dev Tycoon) - highest quatity of spam after contact/info/admin
Although I just checked and the Greenheart Games address is in a mod's package.json so probably not their fault
I got spam to a email registered with Microsoft.
A company I worked for got its email list leaked when the email service they used was breached. The email service posted a "we're investigating" in a blog post on a blog that was soon mysteriously deprecated/taken down.
Microsoft sells the shit out of your email address. If you sign up for Dev Essentials you can't even opt out of emails from "partners" unless you leave the Dev Essentials program (and I'm sure leaving it wouldn't actually stop the emails). The only spam I get at my work email (with spam filtering turned off) is tied to that program.
I wonder if this is a case for a side project.
A website showing which sign ups put you at risk, by exploiting a similar email naming convention.
So everyone ends up on level pegging.
I have a catchall mailbox on my personal domain, and always sign up with unique email addresses for everything.
"Browsing your website does not mean I want your spam"
"Never miss a story from ART + marketing, when you sign up for Medium. Learn more"
Really wish Medium didn't allow custom domains so I could filter them out properly.
Doesn't Privacy Badger take care of this by blocking third-party cookies?
Not to justify this behavior, but to explain: retargeting (a.k.a. remarketing) has very good conversion rates. As long as people keep "converting" based on retargeted ads, they will live on.
Perhaps it should be noted that Criteo can send the email on the behalf of Sears, without necessarily giving Sears your email address? Small distinction, maybe, but more squarely within the terms and conditions.
I completely agree that this is an abhorrent practice, but I don't believe that legislation is the answer. Just because someone annoys you, does not mean you need to involve legal precedent.
What is the answer then?
Privacy. Email considerably lacks it. So does web-browsing in general. I don't have an answer on how to get it, but it needs pointing out that this is the real underlying issue.
I just got one of these exact same emails. It may not be illegal in the U.S., but it makes me extremely dislike the company using the tactic.
Could you post the headers or the ip the email came from? I want to block that range from my email server.
I would almost prefer this to all the web sites that harass me to sign up for their newsletter with a modal popover on every page I visit.
Almost.
I wish uBlock knew how to block those. Sadly, I'm not sure you could write software that could blocking those without blocking useful things like a login prompt that pops up if you leave your session idle.
I suppose it could be done via whitelist or blacklist.
That's really clever and disgusting.