Do not track? I wish…
16 September 2016 | 0
I recently had a somewhat disturbing experience.
While working from home, I was looking for information for a feature and had occasion to peruse the web sites of a few vendors related.
I gathered what I needed, bar one or two instances, and carried on almost entirely forgetting the operation. That was until I got an unsolicited email from a sales representative of one of the vendors.
The email said that that “we”, meaning the company, had “noticed some recent activity on the [vendor in question] website”.
“The next line of the email was even more chilling, as the sales person said they had “attempted to call … but I could not get through” “
This “activity” had prompted them to contact me on my personal email account to see if they could offer any “help” on anything.
To say I was surprised by this missive is a bit of an understatement. As a journalist in the tech area, I am only too conscious of the need for security and as a regular citizen, I am conscious of the rules on privacy. As such, I use up to date operating systems, a local firewall and desktop security from well-known vendor. I’m not a browser loyalist in anyway really and I use Edge, Chrome and Firefox for different things, as befits their advantages. All are kept up to date and all are set for ‘do not track’. All are also set to accept only first party cookies. I do not use an ad blocker.
And yet, when this email arrived, I had quite clearly not only been tracked, but I had been identified and contacted.
The next line of the email was even more chilling, as the sales person said they had “attempted to call … but I could not get through”.
Worried, annoyed and downright affronted in equal measure I began a little investigating.
We have all had the experience of doing a search for something online, and then being targeted with ads related to the search for some time later. It happens with hotels, car hire and the like, but Stuart Heritage of the Guardian has a particularly good piece about being pursued about the Internet by garden sheds.
A cursory search turned up OpenTracker, an open source system that has a page on how it works, along with a widget that displays the information available to it about you.
It was able to display my IP address, OS type and version, browser version and screen resolution. That’s all fair enough, but it also showed my country, city and region, as well as my ISP, but that last detail was wildly inaccurate. However, none of it was my name, email address or telephone number.
Further research revealed that cookie tracking and interrogation, web bugs and clear gifs can all be used to track users, but again it tends to be in an anonymised format that doesn’t get into proper personally identifiable information (PII).
Looking further, I recalled another unsolicited mail that offered a means to recover lost sales from web sites. The maker of this software said they use the incomplete information from abandoned web site shopping carts to follow up with users and see if they can re-invigorate the sale. At the time I thought that sounded a bit creepy and might actually annoy the user to the point where they would actually take umbrage and refuse any kind of commercial interaction with the chasing company.
However, this follow up is based on information that has been actually entered by a user — this was not what I had done, I had merely browsed and searched.
Needless to say, I responded to the sales person in question from my work email not my personal one.
I outlined the circumstances under which I had interacted with their site and my dismay at the nature of the follow up and that my consequent disposition toward the company was that should it ever find itself in the position of being able to offer the meaning of life, as a service, I wouldn’t cross the road for it. Having expressed my displeasure with the intrusive nature of the actions, I indicated that I would not be following up with a sale.
I may be an old codger, but the idea of a vendor coming after users who have neither entered information, nor requested a call back, is just too intrusive.
Now, vendors might think it is useful to be able to make such determinations and follow ups, but I would argue as awareness of privacy grows, and particularly with so many organisations gearing up for the upcoming General Data Protection Regulation, these kinds of practices will be seen in an increasingly dim light, and hopefully will pressure vendors away from using them altogether.