[linux-elitists] The B Word, the P Word

Don Marti dmarti@zgp.org
Mon Jul 10 10:06:26 PDT 2000

Caldera won't say the "B" word: http://lwn.net/daily/cald-ircBX.php3

But Red Hat will: http://lwn.net/daily/rh-bitchx.php3

And the Internet Advertising Bureau came out with its "IAB
Privacy Guidelines".  These guidelines address only
"PII" (Personally Identifiable Information).

The IAB is coming to San Francisco for a seminar on ass-covering
for privacy violation: https://www.iab.net/forms/privacy_info.html

  Date: July 12, 2000
  Time: 8:00 AM
  Location: Nikko Hotel, San Francisco 

Somehow, the capabilities that Doubleclick is selling to its
clients don't exactly match up with what they're putting on
their "privacy" pages. Imagine that. For example, read this:

> The Power of Targeting the Individual, Not the Content
> Send your message to consumers based on where they live or access the Web. 
> By targeting based on exact location, you distinguish residents from
> tourists and segment messages for advertisers accordingly. Targeting by
> geography and user-defined content category enables you to reach a local
> audience with interests specifically attuned to your particular product
> or service. Geographic targeting offers the versatility to target by
> city, state or region.

If you can get the fact that someone has an uncommon interest, and the
fact that they're in a certain place, you've got them -- PII or no PII. 

Possible next level privacy measures ("Chaff"):

1. Read-only cookie file with a doubleclick.net "id" of "A" -- forcing 
them to issue a new "id" every session.  (My duplicate id mistake 
and Doubleclick's rapid response has helped convince me that issuing
a new "id" is relatively expensive for them, compared to just serving
a banner.)

2. Use a Junkbuster "wafer" to send id=A on every request, and trash
or store the cookie that comes with the response.  Could get a lot
of ids very quickly.

3. Generate a valid-looking "id" (they look like they're just 16-digit
hex numbers, in order) and visit a bunch of "erotic" sites that
Doubleclick tracks with Web Bugs.

Since the HTTP response from ad.doubleclick.net is a redirect (to
another server at doubleclick.net) you could still block the actual 
ad by blocking the destination of the redirect.

Don Marti                                No haiku patents
dmarti@zgp.org                           means I've no incentive to
whois DM683     Software patent reform now: http://burnallgifs.org/
