Feeds

Third-party ad servers can undermine Web-site security

And sell stuff you paid for, too

  • alert
  • submit to reddit

Beginner's guide to SSL certificates

A Web site's privacy policies can be undermined easily and secretly by any third-party ad service provider, thus leaving site operators open to legal action on privacy issues over which they have no control, Realmedia Chief Technology Officer Gil Beyda warned at a London press conference today. An opportunity for "privacy leakage" to occur is created whenever a Web site directs visitors to a third-party ad server such as DoubleClick, Beyda said. Unless contracts between Web sites and ad service providers governing the use of data are very clear, user details may be moved from the Web site -- to which the information was originally entrusted -- to a less secure environment -- namely the ad server's database -- without the visitors' or the Webmasters' knowledge, Beyda said. In addition to creating this invisible privacy liability, which in itself ought to be bad enough, such third-party data mining can prove expensive for high-profile, branded sites which provide the bulk of the information potentially being abused. The third party can easily gather and correlate a user's details across numerous sites which it serves, and then target the user for ads on behalf of any of those sites. The way it works is this: a user registers his details on a high-profile branded site which offers good content, in exchange for which he is willing to fill in a registration form and reveal his details. The ad server collects that demographic data, compiles it, issues a cookie, and targets the user for the sort of ads he is likely to welcome. The cookie-identified user then visits some third-rate chickenshit site also served by the same ad server, where he receives an ad targeted at him according to the information he gave to the previous, branded site which he had trusted. If he clicks on the banner, the third-rate chickenshit site gets the commission which the branded site had earned. In any case it is always lucrative for the ad servers, which earn their cuts regardless of who clicks which banner where. It's no wonder, then, that they collect vast reams of user data on the pretext of returning detailed reports to their clients, when in fact they are re-marketing the data to other sites which contribute little or nothing to the database. A solution to both problems, Beyda, believes, is the use of privacy proxies between the Web site and the ad server, which can make it physically impossible for the ad server to relate demographic information to specific users. By forcing the ad server to fetch ads via a proxy, the site gains control over the amount and type of information the ad servers receive, and so prevents them from exploiting the site's data base for their own purposes. While Realmedia does offer such a proxy service, Beyda mused that the threat of regulatory action mandating it might in itself suffice to inspire the sorts of contracts between sites and ad servers which would prevent misunderstandings between them and the subsequent abuse of data. Whether or not that's ultimately true, it's nice to see someone refraining from the assumption that all business people are universally intent on screwing each other unless physically restrained from doing so. We'd like to think he's got a point. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
I'll be back (and forward): Hollywood's time travel tribulations
Quick, call the Time Cops to sort out this paradox!
Musicians sue UK.gov over 'zero pay' copyright fix
Everyone else in Europe compensates us - why can't you?
Megaupload overlord Kim Dotcom: The US HAS RADICALISED ME!
Now my lawyers have bailed 'cos I'm 'OFFICIALLY' BROKE
MI6 oversight report on Lee Rigby murder: US web giants offer 'safe haven for TERRORISM'
PM urged to 'prioritise issue' after Facebook hindsight find
BT said to have pulled patent-infringing boxes from DSL network
Take your license demand and stick it in your ASSIA
Right to be forgotten should apply to Google.com too: EU
And hey - no need to tell the website you've de-listed. That'll make it easier ...
prev story

Whitepapers

10 ways wire data helps conquer IT complexity
IT teams can automatically detect problems across the IT environment, spot data theft, select unique pieces of transaction payloads to send to a data source, and more.
The total economic impact of Druva inSync
Examining the ROI enterprises may realize by implementing inSync, as they look to improve backup and recovery of endpoint data in a cost-effective manner.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.