Did You Hear? Paypal and DoubleClick in Bed

[Cluttermagnet]

Want to get paranoid? Does your supermarket have one of the little bar coded "membership cards" that gives you a discount on most items in the store? Guess what. Those cards not only track what was bought but WHO bought it. Want to ban those?

Yes! Yes! They're evil. They are further out along the curve (perhaps) than Google and Paypal and Doubleclick are at this point- but what do we really know? The original focus of this thread was to alert those who might care that Paypal is very probably now passing personally identifiable info about Paypal customers to DoubleClick. The camel has his nose in the tent. Throw him out, or soon the entire camel will be in the tent. Oh, and BTW I brought up the subject of those store cards previously in this thread. And there is still a pretty good supermarket chain in my area that does not cram those 'club cards' down your throat. Guess who gets the lion's share of my business? Yep. And those others, with the cards? I buy the 'loss leader' items, mainly produce, from them. Not a whole lot else. And anyway, guess what? That's right, their prices are more expensive. Wonder why? Could it have anything to do with the bumper crop of personally identifiable info they amass in huge numbers and use against their customers to edge prices up? Yep. So those guys have a little data on me. Yeah, I use a card to get the 'sale price'. Somebody else's card. They know that I- er, somebody buys their loss leaders, not much else. Heh! Passive resistance. Hoo-ah!!You say you "don't do links". I don't quite know how to parse your meaning. The entire focus of this thread originally hinges on Steve Gibson's assertion (in another forum) that the info being passed about people By PayPal to DoubleClick is personally identifiable. But if you are unwilling to read what Gibson said, how can you be on topic or really meaningfully participate in this thread? That's pretty hard headed, it seems to me, to engage LilBambi in a dialog yet to reject her links as "propaganda" at the same time. If you 'don't do links', how can you know what they contain? One man's 'propaganda' may well be another man's enlightenment. YMMV. I'm assuming that someone who participates in a thread has taken the trouble to read the entire thread, including links, so as to be 'up to speed' on the issues under discussion. Are you instead relying on some sort of premonition or ESP? That would be a rather novel approach...

[lewmur]

Yes! Yes! They're evil. They are further out along the curve (perhaps) than Google and Paypal and Doubleclick are at this point- but what do we really know? The original focus of this thread was to alert those who might care that Paypal is very probably now passing personally identifiable info about Paypal customers to DoubleClick. The camel has his nose in the tent. Throw him out, or soon the entire camel will be in the tent. Oh, and BTW I brought up the subject of those store cards previously in this thread. And there is still a pretty good supermarket chain in my area that does not cram those 'club cards' down your throat. Guess who gets the lion's share of my business? Yep. And those others, with the cards? I buy the 'loss leader' items, mainly produce, from them. Not a whole lot else. And anyway, guess what? That's right, their prices are more expensive. Wonder why? Could it have anything to do with the bumper crop of personally identifiable info they amass in huge numbers and use against their customers to edge prices up? Yep. So those guys have a little data on me. Yeah, I use a card to get the 'sale price'. Somebody else's card. They know that I- er, somebody buys their loss leaders, not much else. Heh! Passive resistance. Hoo-ah!!You say you "don't do links". I don't quite know how to parse your meaning. The entire focus of this thread originally hinges on Steve Gibson's assertion (in another forum) that the info being passed about people By PayPal to DoubleClick is personally identifiable. But if you are unwilling to read what Gibson said, how can you be on topic or really meaningfully participate in this thread? That's pretty hard headed, it seems to me, to engage LilBambi in a dialog yet to reject her links as "propaganda" at the same time. If you 'don't do links', how can you know what they contain? One man's 'propaganda' may well be another man's enlightenment. YMMV. I'm assuming that someone who participates in a thread has taken the trouble to read the entire thread, including links, so as to be 'up to speed' on the issues under discussion. Are you instead relying on some sort of premonition or ESP? That would be a rather novel approach...

When I say I don't do links it has nothing to do with security. It means I'm not going to chase around personal opinion pieces of people with an ax to grind. If you have any proof that Paypal is violating their posted Privacy Policy, then post it. But don't expect me to chase after other peoples opinion pieces. I've done my own research and have found no evidence to support your contention.

[Cluttermagnet]

Uh, OK. Well, either Steve Gibson is lying when he says that he saw links on his Paypal page which redirect through Doubleclick (then back to the target page on the Paypal site), or he is not. I believe he is a reliable and truthful person.Because I'm not a Paypal customer, I can't be privy to the page views Steve and Leo allude to. They are both Paypal customers. I'll very likely never be. I'll take their word for it, however, until the 'big expose' about Steve Gibson lying to his internet audience hits the net. And I'm not holding my breath waiting for that to happen, because I think the guy is basically honest.

I've done my own research and have found no evidence to support your contention.

It would be fascinating to learn what you did to supposedly debunk Steve Gibson's story. Would you care to share hard data? If you really cared enough to try to clear up this matter, you might consider reading the 'opinion piece' by Steve and Leo, linked above. Security Now #119 Then you would know what they claimed about the Paypal site. You could then easily hover your mouse over the particular buttons on that page which Steve and Leo cite. Then you could report back to us as to whether or not you see a redirect to DoubleClick in your browser's address window as Steve claims he did. Why should Steve take the risk of lying about this? They'd sue him into oblivion. Have you read anything about a public retraction by Steve Gibson? Or a recently filed lawsuit against him? If so, please share the url. OTOH it looks to me like Paypal got caught with hands in cookie jar (pun intended) and might wish this all would just settle down and go away.

personal opinion pieces of people with an ax to grind.

This sounds like personal opinion on your part. Do you know specifically what ax Gibson might have to grind with any of these companies? If you had been following Steve and Leo's excellent, security- oriented series, you'd have seen Steve also praise some of these companies, as I remember- for some clever, security related stuff they do on the net. It's really a fairly collegial atmosphere, even when he is criticizing, as in this case. He tries to take the high road, IMO, but OTOH he is willing to call a spade a spade.My question is still on the table- do you own stock in any of the companies mentioned above, either directly or indirectly? Or perhaps some family member does?Personal disclosure: I have no financial interest whatsoever in any of these companies, or their competitors. But what Paypal is doing with Doubleclick is scummy IMO. Edited December 6, 2007 by Cluttermagnet

[lewmur]

Uh, OK. Well, either Steve Gibson is lying when he says that he saw links on his Paypal page which redirect through Doubleclick (then back to the target page on the Paypal site), or he is not. I believe he is a reliable and truthful person.

I don't doubt his honesty either. But the fact the PayPal links to DC proves nothing. Both PayPal and DC state that they do NOT collect data that identifies buyers. And Mr. Gibson has offered no proof otherwise. He merely speculates that it is possible for them to do so.However it should be plain to anyone that doing so would be down right stupid. If they got caught, which they surely would eventually, their businesses would go right down the tubes.

[Cluttermagnet]

I don't doubt his honesty either. But the fact the PayPal links to DC proves nothing.

Links? Heck, according to Steve, it does more than link- it actually hands off its subscribers to DoubleClick. Personal info is harvested, then the user gets handed back to Paypal and sees the page they believe they clicked on. All in the blink of an eye. In fact, the victims never know they were briefly on the DoubleClick site, thus establishing a first party relationship with them. Well, they did click on it, sort of, but they didn't (probably) sign on to getting handed over to Doubleclick! An interesting side note- the listener, who originally tipped Gibson off, initially believed something was broken on the Paypal site. Nope, nothing was broken, but he was running a HOSTS file and instead got redirected to home (127.0.0.1) He never reached DoubleClick, thus he could not be handed back to Paypal, thus the appearance of a 'broken link'. Heh!If you parse Gibson's writing carefully, some of what was written in that Episode #119 must indeed be considered speculative. OTOH ask any farmer who sees a fox go into his chicken coop, then hears lots of squawking, doesn't see the fox retreat, but does find dead and missing chickens, it is pretty obvious what has just happened. OK, maybe he should have gone in that coop straight away and whacked the fox with a hoe or something. But he wasted precious seconds going for his shotgun. Now, Farmer Brown could, of course, postulate some sort of hairbrained scenario where the chickens were killed by some psycho neighbor with an ax to gring, but Occam's Razor leads to the obvious- foxes like to eat chickens. Here, Doubleclick and Paypal are the fox, customers of Paypal are the chickens.That's my story and I'm sticking to it (unless Gibson recants). Edited December 6, 2007 by Cluttermagnet

[lewmur]

Links? Heck, according to Steve, it does more than link- it actually hands off its subscribers to DoubleClick. Personal info is harvested, then the user gets handed back to Paypal and sees the page they believe they clicked on. All in the blink of an eye. In fact, the victims never know they were briefly on the DoubleClick site, thus establishing a first party relationship with them. Well, they did click on it, sort of, but they didn't (probably) sign on to getting handed over to Doubleclick! An interesting side note- the listener, who originally tipped Gibson off, initially believed something was broken on the Paypal site. Nope, nothing was broken, but he was running a HOSTS file and instead got redirected to home (127.0.0.1) He never reached DoubleClick, thus he could not be handed back to Paypal, thus the appearance of a 'broken link'. Heh!

Big deal!!!! And others have stated that they block DC and have no problem still using PayPal. What sites are involved it totally irrelevant if the aren't using the sites to do anything other than what's stated in their Privacy Policies. Edited December 6, 2007 by lewmur

[Cluttermagnet]

We're still talking past each other. Siiiighhhhh!

What sites are involved it totally irrelevant

Sez you. Either Gibson is lying or he is telling the truth. Which sites (particular pages within sites) is very relevant indeed! Remember, depending on customer relationships, Paypal creates custom pages 'on the fly'. Each and every page served is to some extent unique- namely it contains personally identifiable info in those very long url's. And the specific behaviors of the two companies, working in tandem, is indeed very relevant to security for a lot of interested individuals!Has Gibson recanted?Have you read Gibson's remarks or not? They are germane and essential to this thread. If you're too busy to read Steve's 'propaganda' and address his claims openly and specifically, then where are you finding all the time to argue with me? Edited December 6, 2007 by Cluttermagnet

[lewmur]

We're still talking past each other. Siiiighhhhh!Sez you. Either Gibson is lying or he is telling the truth. Which sites (particular pages within sites) is very relevant indeed! And the specific behaviors of the two companies, working in tandem, is indeed very relevant to security for a lot of interested individuals!Has Gibson recanted?Have you read Gibson's remarks or not? They are germane and essential to this thread. If you're too busy to read Steve's 'propaganda' and address his claims openly and specifically, then where are you finding all the time to argue with me?

We'll just have to agree to disagree. Neither one of us is going to convince the other. You haven't shown me that there is any enough damage to my privacy to offset the benefits of PayPal. You, OTH, already refuse to use PayPal. So I feel your reading of Mr. Gibson's article is merely a reflection of your own bias.I have a question. Do you believe that the DC site can somehow retrieve info from you other than what was deliberately passed to it from the PayPal site? Is that your fear? Edited December 6, 2007 by lewmur

[Cluttermagnet]

I have a question. Do you believe that the DC site can somehow retrieve info from you other than what was deliberately passed to it from the PayPal site? Is that your fear?

Steve Gibson fears that Paypal is passing personally identifiable info to DoubleClick. He suspects that both companies share backend access, mutually, to each other's data bases. He speculates that the access might in some ways be limited, but nonetheless, it may be going on today. He can divine no other logical reason why Paypal would be actually passing customers through the DoubleClick site on the way to their destination elsewhere on the Paypal site. He believes that would be enough to allow Doubleclick to begin amassing personal files on users, very similar to what the supermarkets, with their 'club cards' do today. This is definitely possible, in theory, because customers have voluntarily given up a lot of personal info to Paypal in order to 'take advantage of' their services. We're talking about personally identifiable info on individuals, not just 'aggregated' info, as is claimed. It's a sort of 'leakage', per se, as Gibson speculates that the sharing might be limited, yet sufficient to identify individuals- i.e. the bank/ credit card info is not necessarily shared, but the identity info might be.If Paypal and DoubleClick are partnered, that business agreement alone would lead Paypal to plant DoubleClick cookies on custormers' browsers. Third party cookies. Lots and lots of companies have such agreements. But Steve says that Paypal is actually routing their customers who click on certain Paypal links through the DoubleClick site, then back to their target on the Paypal site. 'Deep' information sharing is the only logical explanation for this (says Steve), and it also tricks the customer into establishing a first party relationship with DoubleClick (unless they are blocking DoubleClick with a HOSTS file). This sounds deceptive and very sneaky to me. It is the passing from site to site and back again that arouses suspicion.But why don't you read it from the horse's mouth, rather than filtered through me? What's it going to hurt for you to investigate this first hand? I don't think that what Steve wrote constitutes "propaganda" in any case. And he is honest enough to identify what is speculation. Steve and Leo's audience is a reasonably well- educated and sophisticated readership. People who actively care about security. I don't think he'd either insult their intelligence or lie outright to them. It is usually pretty clear where he is expressing fact and where he moves into opinion. His writings contain both. Again, just to remind: a recent episode of Security Now has Steve praising Paypal for an innovative access test they perform to confirm they are dealing online with a real, legitimate customer, and not some hacker trying to con access. Steve is even more lavish with his praise than he was recently with this criticism. But you wouldn't know this, because you apparently won't visit this site. You've labeled this info source "propaganda" due to your own bias. There, I answered a question of yours. To date, I don't believe you have answered a single question of mine. Especially the most important of all- have you bothered to read the Security Now url referenced above. Because if you can't be bothered, you're just blowing smoke. Edited December 6, 2007 by Cluttermagnet

[lewmur]

Steve Gibson fears that Paypal is passing personally identifiable info to DoubleClick. He suspects that both companies share backend access, mutually, to each other's data bases. He speculates that the access might in some ways be limited, but nonetheless, it may be going on today. He can divine no other logical reason why Paypal would be actually passing customers through the DoubleClick site on the way to their destination elsewhere on the Paypal site. He believes that would be enough to allow Doubleclick to begin amassing personal files on users, very similar to what the supermarkets, with their 'club cards' do today. This is definitely possible, in theory, because customers have voluntarily given up a lot of personal info to Paypal in order to 'take advantage of' their services. We're talking about personally identifiable info on individuals, not just 'aggregated' info, as is claimed. It's a sort of 'leakage', per se, as Gibson speculates that the sharing might be limited, yet sufficient to identify individuals- i.e. the bank/ credit card info is not necessarily shared, but the identity info might be.If Paypal and DoubleClick are partnered, that business agreement alone would lead Paypal to plant DoubleClick cookies on custormers' browsers. Third party cookies. Lots and lots of companies have such agreements. But Steve says that Paypal is actually routing their customers who click on certain Paypal links through the DoubleClick site, then back to their target on the Paypal site. 'Deep' information sharing is the only logical explanation for this (says Steve), and it also tricks the customer into establishing a first party relationship with DoubleClick (unless they are blocking DoubleClick with a HOSTS file). This sounds deceptive and very sneaky to me. It is the passing from site to site and back again that arouses suspicion.But why don't you read it from the horse's mouth, rather than filtered through me? What's it going to hurt for you to investigate this first hand? I don't think that what Steve wrote constitutes "propaganda" in any case. And he is honest enough to identify what is speculation. Steve and Leo's audience is a reasonably well- educated and sophisticated readership. People who actively care about security. I don't think he'd either insult their intelligence or lie outright to them. It is usually pretty clear where he is expressing fact and where he moves into opinion. His writings contain both. Again, just to remind: a recent episode of Security Now has Steve praising Paypal for an innovative access test they perform to confirm they are dealing online with a real, legitimate customer, and not some hacker trying to con access. Steve is even more lavish with his praise than he was recently with this criticism. But you wouldn't know this, because you apparently won't visit this site. You've labeled this info source "propaganda" due to your own bias. There, I answered a question of yours. To date, I don't believe you have answered a single question of mine. Especially the most important of all- have you bothered to read the Security Now url referenced above. Because if you can't be bothered, you're just blowing smoke.

If they wanted to "share secrets" there are other ways to do it that wouldn't be as easily detected. That is the whole problem with your "conspiracy theory." BTW, I have read his piece but find his conclusions (not his facts) unsupportable. His fears, like yours, are irrational IMO. You didn't really answer my last question about DC being able to garner info not passed by PayPal. If they are passing it intentionally, it would violate their published Privacy Policy. And DC can't "plant cookies" on your PC if you can't click something on their site. I don't think you have a good technicla idea of how info is passed from one Web page to another.There is also a simple, non-threatening reason for the DC site. DC's business is to gather aggregate buying info and sell it to advertisers. This is the simplest way to pass that aggregate info. DC in turn shares those proceeds with PayPal. That's how PayPal makes a profit. I somehow get the impression that "profit" is a four letter word to you. Edited December 6, 2007 by lewmur

[Guest LilBambi]

This is the final warning:Either debate the TOPIC NOT EACH OTHER, or this topic will be closed.

[Cluttermagnet]

I happened to take a look at a 'start page' site which sets up custom pages for users. A free service, ad supported, etc. I heard about it here, from PCMag.com. The site is Pageflakes.com. Although this is not my cup of tea, I was interested- curious really. Well, they invited me to 'take a tour', and I did. A pretty short tour actually, but I did have to temporarily allow them to run javascript on my browser to do that. So I did. Well, the spooky thing is, right after doing that, the little window titled "What do you want on your page?", which has a data entry box labeled "Your location"- it had now been populated with my correct town name. I never gave them that data. At least not intentionally. So obviously I'm 'leaking' personal info in some way. My best guess- they can simply decode enough info from my unique ISP address to narrow it down to the town, and I'm simply seeing the work of an automated form filler. Still, it's spooky. In the past, I've seen remote servers determine nearby town names where my dialup ISP number was registered to (not my town), but now being on broadband, this thing can guess pretty well where I am, down to a few zip codes, I imagine. Or maybe they pulled it out of my browser or more likely, from cookies, if they have any agreements with other companies which have planted cookies on my machine. BTW I deauthorized javascript and the data box was empty once again. No harm done, I'm sure, but it's just spooky. I think it's more like my browser session presently held that info; if I proceeded with signup, that info would have then been transmitted to them.On topic? I'm not sure, but then I started this topic. Heh! This info harvesting stuff creeps me out. I don't want those guys to be able to know me better than I know myself. Pageflakes does a lot of automated stuff very cleverly in order to set up these 'start page' conglomerations for customers. A number of reviewers have been impressed, saying that they do a better job at it than Google and Yahoo, etc. I suppose most folks would just be impressed. "Wow, this little servo robot knows what my town is. Neato!" Personally, I'm just creeped out by it. I'm ever selective as to what I sign up for these days.Note to Fran:Thanks for your excellent work as moderator- it's truly appreciated. BTW it's been over a week, and I've gotten nearly all of the tar off of me. I'll be good. I know Santa is coming... I have got to work on those New Year's resolutions...

[Ed_P]

Isn't this whole thread a water cooler topic. Nothing technical is being discussed or resolved.

[Cluttermagnet]

Thanks for sharing that.This thread had been about applications of PC and web tech, for good or not so good. The discussion centers on certain specific applications of technology. Implications of technology for individuals and society are in and of themselves 'technical'- they're at once technical and sociological. The thread fits both topics, being a discussion of the Security ramifications of Networking.

[ross549]

My best guess- they can simply decode enough info from my unique ISP address to narrow it down to the town, and I'm simply seeing the work of an automated form filler.

You are on the right track. Based off your IP address, a website can easily determine your general location. That is one of the ways the internet works. Every major router has a fixed IP address, and their location is generally known, so that the packets of data can take the [generally] shortest route to ease congestion. another way it may be figuring you out is via your hostname. For example, my home computer could show up on the internet as adam@dchp-68-45-23-115.hr.hr.cox.net Now, from this hostname, you can easily deduce where my traffic is coming from. you can also tell the IP address, but that is the way Cox does host names. For the record, that is not my current IP address. I made it up for the purposes of this discussion.The Internet was never designed with full anonimity in mind. It was to be an open market of shared ideas.Adam

[redmaledeer]

More on anonymous search engines (my post #6 and #16): It is now claimed that the Ask.com search engine offers anonymous searching. Sort of, anyway. There are a lot of loopholes -- http://www.infopackets.com/channels/en/win...t_searching.htm

[Guest LilBambi]

Ah, we now finally get to the heart of the matter, eh?

User Centric Internet (UCI) is a new ISOC Public Policy program designed to reassert, in debates and discussions related to the future of the Internet, the importance of the design values and fundamental principles that have underpinned the Internet's success.The Internet Society believes that principles such as openness, user choice and control, edge based intelligence, etc., are central to a thriving Internet and, we believe, will be so for the foreseeable future. In focusing on user-centricity the Internet Society is seeking to ensure that the primacy of the user is not forgotten when it comes to new architectures, commercial offerings and policy making.

What is Network Neutrality? (Some definitions, from among many) * Network neutrality is simple. It is simply content and application agnosticism.[1] * Net neutrality means simply that all like Internet content must be treated alike and move at the same speed over the network. The owners of the Internet's wires cannot discriminate. This is the simple but brilliant "end-to-end" design of the Internet that has made it such a powerful force for economic and social good: All of the intelligence and control is held by producers and users, not the networks that connect them." [2] * Network neutrality relates to the various kinds of distortions that analog and digital networks of any kind impose on the traffic they carry, either due to design, to management practices, or to meet business objectives. [3]

SaveTheInternet.org outlines the ThreatBasically, think about cable and satellite TV. All the tiers of 'channels'? You pay for commercial television (that was as alien an idea as any I have ever heard by the way), and non-commercial television alike based on your tier. That's what they want/envision for the Internet as well.They are not just trying to do this with bandwidth either, but with our personal and aggregate data as well.They don't care anymore about yours or my privacy than they do about your right to roam the 'public' entity known as the Internet.Their propaganda has gotten so pervasive that I see way too many just giving up their rights to their privacy based on the false assumption that there is no privacy anymore anyway, so why bother. I see the same thing in our country about our rights, liberties and freedoms as well - these two areas should be of major concern and they seem to be riding on parallel trains. Eventually there will be a major train wreck at some crossroads and I don't look forward to it. IMHO.