Monday, December 14, 2020

Some wine industry websites track their visitors egregiously

Much fuss is made these days about the potential invasion of privacy involved in the act of tracking visitors to websites. In many cases, the visitors are not told about the extent to which they are being tracked by any given website, least of all by the website providers themselves. Indeed, this is so bad that the European Union has legislated against it, which prevents quite a number of US websites from serving EU visitors.

Most of this tracking is allegedly done in the name of "providing a helpful customer experience", but in actual fact this requires very little tracking, if any at all. In practice, most of the tracking is done in the name of advertising — tracking the potential customers' online behavior so that they can be served carefully targeted ads. (Note: this is quite a different thing from other forms of web privacy invasion, such as data security, and leaking of personal information.)

Ad tracking borders on the unethical in many cases, and clearly passes that border in some cases. So, the obvious question is: where does the wine industry stand on this matter, in practice? (What people say is another matter entirely!) It turns out that we can actually find this out for ourselves.


This is because the topic has been the subject of some practical research, in the sense that there are now tools for you to find out what any given website is doing when you visit it. One of the most ambitious of these is the Blacklight Privacy Inspector. The public release of this tool a few months ago did attract some media attention (e.g. "87 percent of websites are tracking you. This new tool will let you run a creepiness check"). The Markup company itself ran its own checks on 80,000 of the most popular sites, which provides us with some useful comparison data. One of the most unexpected outcomes was that the site owners themselves often did not know that the homepage set-up tool they had used had inserted trackers into their website (see "The high privacy cost of a “free” website").

The Blacklight tool checks any web address that you give it, and looks for a number of potential privacy invasions that could be occurring:
  Number of ad trackers
  Number of third-party cookies
  Tracking that evades cookie blockers
  Session recording
  Keystroke capturing
  Facebook pixel
  Google Analytics internet tracking
These are described in detail in an online article ("How we built a real-time privacy inspector"), and I briefly discuss them below.

So, let's name names. The table at the bottom of this post presents a somewhat arbitrary collection of five dozen wine-related websites. I have tried to include all of the usual suspects, supplemented by a few sites that I sometimes read myself. I apologize in advance to those of you who have been left out, or if anyone finds releasing this information embarrassing. My ultimate aim is to make wine-industry websites as clean as possible, by pointing out where the dirt has accumulated.

Note, also, that I have excluded online stores selling wine and accessories, which are far and away the most likely sites to be tracking you (for their own purposes). They may appear in a future post (now online as: "Ad Tracking by online wine shops is variable").

The columns of the table present each of the seven Blacklight criteria, evaluated by me during this past week, for each of the named sites (one per row). The first two criteria list the number of trackers encountered, while the other five columns indicate (Y=yes) that the site was detected carrying out the named tracking activity.


I am pleased to report that 11 / 60 (18%) of the sites were not detected doing any ad tracking at all. Kudos to those one-fifth of the website owners. Note that the Wine Gourd does have one cookie, as do all Blogger sites (owned by Google), and also Facebook sites.

Potentially the most invasive activity is Keystroke Capturing, which records every single time you press a keyboard key (such as when entering your personal details in a form). There were 2 sites apparently doing this, a proportion that Blacklight reports as average across the web. It is possible that this use is (or once was) actually legitimate, as it is sometimes used for auto-completion of forms. This would need to be checked.

Session Recording keeps a record of your on-site activity, including mouse movements, clicks and page scrolling. This is sometimes ostensibly done to optimize the layout of web pages, but it can also be used for ad tracking (see "Advertisers can now tell if we're paying attention"). There were 4 sites doing this, which is half the Blacklight average; but why do it at all? These sites definitely do not need to be doing this.

Evading Cookie Blockers (aka Canvas Fingerprinting) is the next most egregious action. There are browser add-ons or extensions that we can use to stop cookie tracking by any website that we visit (the one I use is Privacy Badger); and when we use them we mean: Don't Track Me! There were 5 websites found to be using fingerprinting, which is a bit above average, according to Blacklight. It is possible, but unlikely, that this activity was actually an attempt to protect those sites from botnet attacks.

Next, Ad Trackers try to identify and collate information about users, and send that information back to the tracker's website, to be used for ad targeting. The average number per website, as reported by Blacklight, is 7, and the wine sites had an average of 6. So, the wine industry is no worse than elsewhere, in this regard. However, you can see in the table that several wine websites currently exceed this number massively. This occurred in all four categories of website, although the Wine Professionals were the least egregious. But why on earth does anyone need to put 20 or 30 ad trackers on their website? Sadly, we all know the answer.

The same thing applies to Third Party Cookies. These have nothing to do with the running of the website itself (which legitimately uses cookies to keep track of things like visited pages and log-in details). Instead, these other cookies are installed on behalf of external sites, and store information on your own device, to identify you when you visit other sites with the same cookie. Blacklight says that the web average is 3 per site (often associated with the ads displayed on the pages), but the wine industry apparently thinks that a better number is 11 per site. More to the point, you can see for yourselves that quite a number of sites massively exceed even this large average — and there are not that many ads displayed on their pages, so the cookies are covert. These sites are usually the same ones that have a large number of ad trackers, as well; so, we are left in no doubt about the attitude towards site visitors by these website owners.

Next is Facebook, which is monetized by serving personalized ads (and is currently embroiled in anti-trust lawsuits; see "Federal government and 46 states file antitrust suit seeking to split up Facebook"). To serve these ads, Facebook wants to know which websites you visit, and it finds this out by getting the website owners to tell it. Blacklight says that about 30% of sites agree to do this, and 23% of the wine industry sites also currently do so. Did you know that a quarter of the websites you visit are telling Facebook that you are there? This explains why Facebook ads seem so directly relevant to your past web activity.

Finally, we come to Google, which is also monetized by ads, and whose web behavior has resulted in fines of tens of millions of dollars, especially in the European Union (e.g. "Google, Amazon fined $163 million as France takes hard line on privacy"). Google wants to track you across all of the web, which it does by cross-collating every bit of information it can find about you, and especially your activity. In order to succeed, it helps if the website owners tell it about your activity, which Blacklight says about 50% of sites agree to do. In the wine industry, it is about 45% of the websites. So, Google must know a lot about you all, by now.


As I noted earlier, it is possible that some of the website owners fingered here do not know what their own website is doing. If they used a "free" package to set up their sites, then the tracking activity could have been installed without their knowledge. Blacklight reports that a number of site owners immediately removed the trackers when they were informed about them. It would be nice if that happened here, as well.
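For a site owner who wants to see what their own pages pull in, here is a sketch of the third-party cookie, Facebook pixel and Google Analytics checks described above, run over a captured page load. It is an added example, not Blacklight's code or anything from this blog; the site name, the capture format and the sample entries are constructed, and the short suffix list is a simplified stand-in for the Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, enough for this sample.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.nz", "co.za"}


def registrable_domain(host):
    """Return the site-level domain (e.g. 'example.co.uk') for a hostname."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def cookie_name_and_domain(set_cookie, request_host):
    """Extract the cookie name and the domain it is scoped to."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    domain = request_host  # default scope when no Domain attribute is given
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "domain" and value.strip():
            domain = value.strip().lstrip(".").lower()
    return name, domain


def audit_page_load(site_url, entries):
    """Classify every request and cookie of one page load against the site."""
    site = registrable_domain(urlsplit(site_url).hostname)
    hosts, cookies = set(), []
    facebook_pixel = google_analytics = False
    for entry in entries:
        url = urlsplit(entry["url"])
        host = url.hostname
        if not host:  # data: or blob: URLs carry no host
            continue
        owner = registrable_domain(host)
        if owner != site:
            hosts.add(host)
        for header in entry.get("set_cookie", []):
            name, domain = cookie_name_and_domain(header, host)
            if registrable_domain(domain) != site:
                cookies.append((name, domain))
        # The Facebook pixel reports page views to facebook.com/tr.
        if owner == "facebook.com" and url.path.rstrip("/") == "/tr":
            facebook_pixel = True
        if owner == "google-analytics.com":
            google_analytics = True
    return {
        "third_party_hosts": sorted(hosts),
        "third_party_cookies": cookies,
        "facebook_pixel": facebook_pixel,
        "google_analytics": google_analytics,
    }


# Constructed sample: requests and Set-Cookie headers seen while loading one page.
SITE_URL = "https://www.example-winery.test/"
SAMPLE_PAGE_LOAD = [
    {"url": SITE_URL, "set_cookie": ["session=abc; Path=/; HttpOnly"]},
    {"url": "https://cdn.example-winery.test/site.css"},
    {"url": "https://www.google-analytics.com/collect?v=1&t=pageview"},
    {"url": "https://www.facebook.com/tr?id=0000&ev=PageView",
     "set_cookie": ["fr=xyz; Domain=.facebook.com; Path=/; Secure"]},
    {"url": "https://ads.tracker-example.test/pixel.gif",
     "set_cookie": ["uid=123; Domain=.tracker-example.test; Max-Age=31536000"]},
]

if __name__ == "__main__":
    for key, value in audit_page_load(SITE_URL, SAMPLE_PAGE_LOAD).items():
        print(f"{key}: {value}")
```

The hosts it lists are the starting point for deciding which plugin, embed or theme component to remove.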

For the rest of you site owners, please clean up your act. A cookie or two is one thing, but the table below indicates some seriously invasive activity. If a site really does need to do this sort of thing, then it should tell us about it when we first visit the site, rather than making us find out for ourselves. Indeed, this is actually mandatory in the EU — although I doubt that too many people read all of those Cookie Consent pop-ups (they are usually quite uninformative).

In the meantime, the rest of you can all try out Blacklight, and test your favorite websites for yourselves. Some people apparently don't mind having advertisers looking over their shoulders as they browse the web. Indeed, anyone who logs into a website using their Facebook or Google credentials is actually demanding that they be tracked (in exchange for saving a few seconds, or having to remember only one set of login details). However, we should all be given the option to opt into tracking if we want to, rather than being forced to opt out.

Wine industry website ad tracking.



8 comments:

  1. Over the past few years, I have exchanged e-mails with David Morrison Ph.D. and Lewis Perdue of Wine Industry Insight about the erosion of online privacy -- in and outside of the wine industry.

    Some selective articles from The Wall Street Journal (which can be subscribed to online for as little as U.S. $1.00 a month) . . .

    "Your Data Is Way More Exposed Than You Realize" | Wall Street Journal (May 24, 2017)

    URL: https://www.wsj.com/articles/your-data-is-way-more-exposed-than-you-realize-1495657390

    -- AND --

    "Don’t Expose Yourself: A Guide to Online Privacy" | Wall Street Journal (May 31, 2017)

    URL: https://www.wsj.com/articles/dont-expose-yourself-a-guide-to-online-privacy-1496249766

    Excerpt:

    "You wouldn’t walk naked through Times Square. Stop being naked online.

    "Your laptop and that smartphone grafted to your hand are double agents. What you look at, where you go and even what you say can be used to paint a portrait of you leaving you as exposed as the day you were born. Much of Silicon Valley wants you to think the price of using the internet is letting them data-mine your life.

    "This is a beginner’s guide to fighting back.

    "It starts with a [Silicon Valley] golden rule: When the product is free, that means YOU are the product. Your privacy is the cost of a free social network, free tax prep or free photo storage."

    -- AND --

    "Why Free Is Too High a Price for Facebook and Google" | Wall Street Journal (June 8, 2019)

    URL: https://www.wsj.com/articles/why-free-is-too-high-a-price-for-facebook-and-google-11559966411

    Excerpt:

    "Over the past two years, Facebook and Google have taken fire for their roles in everything from eroding democratic institutions to damaging mental health to undermining our collective immunity to preventable diseases.

    "Those flaws could be seen as the reckless mistakes of callow disrupters. But here’s another way to look at them: They’re the price of free.

    "As U.S. antitrust regulators and lawmakers gear up for a probe into Alphabet Inc.’s Google and divvy up responsibility for investigating Facebook Inc. and other tech giants, one issue they might assess is how to weigh consumer harm. By traditional measures, Facebook and Google have been a boon to consumers, going from one service to another -- search, email, messaging, maps, photo sharing -- and serving up easy-to-use, zero-cost offerings.

    "In reality, these services are anything but free. We just don’t pay for them in the way we’re used to.

    "In fact, most of the ills traced to these companies are a direct consequence of their 'free' business models, which compel them to suck up our personal data and prioritize user growth over the health and privacy of individuals and society, all so they can sell more advertisements. They make money from the attention and in some cases the hard work -- all those status updates, videos and likes are also a kind of uncompensated labor, if you think about it -- of their most devoted users."

  2. The Wall Street Journal investigative series "What They Know" was collated into a single online document by Cornell University.

    URL: http://www.cs.cornell.edu/~shmat/courses/cs5436/whattheyknow.pdf

    Table of Contents

    Introduction ...3
    Contributors ...6
    The Web's New Gold Mine: Your Secrets ...7
    Explore the Data ...14
    Sites Feed Personal Details To New Tracking Industry ...15
    How to Avoid the Prying Eyes ...17
    What They Know About You ...20
    Microsoft Quashed Effort To Boost Online Privacy ...22
    On the Web's Cutting Edge, Anonymity in Name Only ...27
    Stalking by Cellphone ...33
    Google Agonizes on Privacy as Ad World Vaults Ahead ...39
    On the Web, Children Face Intensive Tracking ...45
    Explore the Data ...50
    How to Protect Your Child’s Privacy Online ...51
    'Scrapers' Dig Deep For Data on Web ...53
    Facebook in Privacy Breach ...58
    A Web Pioneer Profiles Users by Name ...62
    Politicians Tap Sophisticated Online Tracking Tools ...68
    Insurers Test Data Profiles To Identify Risky Clients ...70
    Inside Deloitte's Life-Insurance Assessment Technology ...75
    Shunned Profiling Method On the Verge of Comeback ...76
    Race Is On To ‘Fingerprint’ Phones, PCs ...81
    How To Prevent Device Fingerprinting ...86
    Your Apps Are Watching You ...88
    Explore the Data ...94
    What Can You Do? Not Much ...95
    What Settings to Look For in Apps ...96
    Methodology ...98
    Tracking the Trackers: Our Method ...99
    How the Analysis of Children's Websites Was Conducted ...101
    The Journal's Cellphone Testing Methodology ...103
    Glossary ...104

  3. Yikes! Mine are really high! Really dumb question, but how do I know what to remove to get these numbers down? I'm not sure what I have on my site that would make the numbers high.

    Replies
    1. It's probably a similar problem as others in that it's additional services that have been plugged in that are throwing up flags. Pretty typical when talking about Wordpress.

      Getting rid of the plugins for Shareaholic would probably be a good start and maybe Mailchimp.

      And there may be something in your theme that's calling back to something else.

      Unfortunately this is all the trade off for easier site building...

    2. With David's indulgence, I am uploading the entire text of this Wall Street Journal article in three parts (as it exceeds the maximum 4,096 characters).  MailChimp is cited.

      [Part One of Three]

      From The Wall Street Journal "Technology" Section (January 19-20, 2019, Page B4):

      "The Latest Hot Tech Secret: Your Email;
      Frustrated by social media, businesses and others looking for an audience [now] turn to an old standby."

      URL: https://www.wsj.com/articles/the-hot-new-channel-for-reaching-real-people-email-11547874005?ns=prod/accounts-wsj

      By Christopher Mims
      "Key Words" Column

      Kids think it’s fussy and archaic, but for brands, creators and businesses of every kind the emerging medium of choice to reach audiences is the only guaranteed-delivery option the internet has left: email.

      Consumer email services have been around for almost three decades, but to hear email’s most ardent fans talk about it now, it’s an undiscovered country too long neglected by those who could benefit from it the most. In the #deletefacebook era, it’s become a way to fight back against the algorithms that try to dictate what people see. Unlike on Facebook, readers receive everything they signed up to receive, in neat chronological order, alongside missives from friends, family and their various communities.

      For marketers great and small, the algorithms that power social media represent the ever-rising cost of doing business on the platforms owned by the duopoly of Google and Facebook. Email allows authors to intimately connect with readers, lets brands address their most loyal customers and budding startups develop armies of influencers.

      Readers’ ready access to the “unsubscribe” button is largely a good thing for all involved, since it nudges email content creators to produce authentic, high-quality experiences rather than superficially engaging ones, and to connect in ways that are deeper than what advertising-first mediums like Facebook generally allow.

    3. [Part Two of Three]

      From The Wall Street Journal "Technology" Section (January 19-20, 2019, Page B4):

      "The Latest Hot Tech Secret: Your Email;
      Frustrated by social media, businesses and others looking for an audience [now] turn to an old standby."

      URL: https://www.wsj.com/articles/the-hot-new-channel-for-reaching-real-people-email-11547874005?ns=prod/accounts-wsj

      By Christopher Mims
      "Key Words" Column  

      He’s Got Mail

      Seven years ago, Wales-based jeans company Hiut Denim was on the brink of collapse. Co-founder David Hieatt -- who sold another clothing firm to the Timberland Co. in 2006 -- got the idea to start a thoughtful email newsletter full of content people would like whether they were buying his jeans or not.

      Today, these emails include tastefully curated roundups of the articles, videos, products and quotations that Hiut employees found fascinating that week, plus yearly features such as “100+ Makers and Mavericks” and this monster gift guide which features exactly none of the company’s own products.

      “If you ask me, would I want a mailing list with 1,000 people on it or 100,000 followers on Twitter, I’d take the 1,000 emails all day long, because the business you get from 1,000 emails will be much more than you get from 100,000 people on Twitter or Instagram,” says Mr. Hieatt.

      Hiut has become a thriving boutique fashion brand (Exhibit A: Meghan Markle), and Mr. Hieatt has written a book about the power of email newsletters for business.

      Email still has the highest return on investment per marketing dollar spent, according to the Data & Marketing Association. And while Facebook, especially, has whipsawed marketers with ever-changing rules about how to reach customers -- and how much Facebook will charge for the privilege -- with email, a company owns its own lists.

      What’s happening isn’t really an email resurgence -- it just never stopped growing in scale and importance, says Sara Radicati, chief executive of the Radicati Group, a tech-industry analyst firm.

      Unlike tweets or Facebook posts, no one company controls or even sees all the world’s email, but estimates from Ms. Radicati’s firm show steady 4% growth a year in the number of emails sent, with a record 281 billion emails a day sent in 2018.

      Many companies help firms handle marketing and related email communications -- Adobe, IBM and Oracle are some of the biggest -- but even medium-size tech companies specializing in email handle mind-boggling volumes. SendGrid delivers 45 billion emails a month for more than 74,000 customers, including Airbnb, Spotify, Uber and Hertz. The company processed 2.8 billion emails on Black Friday 2018 alone, an increase of more than 1 billion emails from the previous year, a company spokeswoman says.

    4. [Part Three of Three]
      From The Wall Street Journal "Technology" Section (January 19-20, 2019, Page B4):

      "The Latest Hot Tech Secret: Your Email;
      Frustrated by social media, businesses and others looking for an audience [now] turn to an old standby."

      URL: https://www.wsj.com/articles/the-hot-new-channel-for-reaching-real-people-email-11547874005?ns=prod/accounts-wsj

      By Christopher Mims
      "Key Words" Column  

      Read Me

      Email’s success is due to a handful of factors. The first is that, like the web, it’s one of the few open standards we have left. No one controls it, and no company can get between a sender and its recipient.

      Another factor is a dawning awareness that social media may not be particularly good for our mental health or our democracy, leading to a wave of users scaling back and even opting out entirely. The things that drive people to subscribe to and actually open emails are very different from the things that motivate them on social media. Email, by contrast, can feel healthy, says Robin Sloan, a writer who started an email newsletter -- like a blog delivered to the inbox -- almost 10 years ago.

      Other creators, particularly journalists, are also turning to email as a creative outlet. “What other technology do we use everyday that doesn’t require a terms-of-service?” says Craig Mod, a writer and essayist who recently argued that one future of the book could be serialization as an email newsletter.

      TheSkimm, a daily news digest started by two former news producers, has 7 million subscribers and recently raised $12 million from Google Ventures and other backers.

      On Substack, a subscription-based email newsletter startup launched in October 2017, journalist Judd Legum publishes a daily politics email. While he says over 37,000 subscribers receive the free version, a small percentage pays $5 a month for a premium version. After Substack takes its cut, Mr. Legum still makes what he calls a comfortable full-time income.

      The underlying technology of email hasn’t changed in decades, which is both a blessing and a curse. The average email client is like a “preweb 1.0 browser,” says Substack CEO Christopher Best. This means, for example, that it’s impossible to embed a video that would play on all of the major email apps. Not only are emails blissfully free of annoying autoplaying videos, they’re also relatively light on privacy-vandalizing trackers common to webpages and apps.

      A continued and growing love of email isn’t about to upend the cash machine that is search and social media. “The whole world is just spread thin across devices and apps, so you also have to be on social, video, on paid search -- everything all at once,” says Ben Chestnut, co-founder and CEO of MailChimp.

      But marketers and anyone else trying to reach people would be remiss in ignoring it. When faced with a decision of going with a newsletter or a chatbot, for instance, consider this: Chat apps are a guaranteed way to get people’s attention on mobile, but they demand an immediate response. Meanwhile, we’re more likely to consume email on mobile devices than anywhere else, but at our leisure. This makes it the perfect slow-read companion for a device that is otherwise demanding constant attention.
      “[Our smartphones] might as well be a brain implant, so the question is, what’s the right way to wield that to talk to other people?” says Mr. Best. “If the answer is, anyone you’ve ever known and people you don’t know should be able to interrupt you at any time, that is obviously dystopian.”

      Write to Christopher Mims at christopher.mims@wsj.com

  4. Woo hoo!

    I've always taken tracking and excess intrusion to users quite seriously and my background as a web developer has allowed me to look under the hood probably a bit more than others. Also, refusing to run any ads helps.

    Still, I was quite surprised to see that my site just came back with ONE tracker on your list and that's only due to using Google Analytics which sadly, one needs some kind of statistic system for their site...

    Good to see that the efforts paid off though.

    Decanter and Vinepair have some serious cleaning up to do.

    Cheers,

    Miquel
    www.hudin.com
