rm -rf /
When and how is that illegally collected data being destroyed in all its forms aggregations from all storage (and receivers who got data or derivatives)?
Canada's Home Depot has stopped using Meta's "Offline Conversions" tool, it confirmed to a regulator dealing with a man's complaint after he discovered his visits to the home improvement shop had been recorded. According to an investigation by the nation's privacy commissioner (OPC), it received a complaint from the customer …
'The commissioner said Home Depot claimed it had customers' "implied consent"'
Here in the UK, despite 'implied consent' being (at least currently) unlawful, you'll never get the regulator (ICO) to act on any complaint of this kind, despite the (also unlawful) surreptitious sharing of customer information with the big data slurpers being extremely widespread.
That's why, no matter what kind of looks I get for assuming that I'm just being a Luddite, I only buy with cash and never use those offerings of an e-receipt.
No. Thank. You.
Privacy for yourself is a personal responsibility. It always has been. Don't assume that others are doing it for you because they have vested interests not to.
Thanks to *both* our corporatist governments - both the U.S. and the U.K., and DON'T even attempt to claim that your government is any better than the U.S. in this regard - always assume some corporation is collecting your information to enhance their profit motives. Always. To believe otherwise is complete naivete.
So damn it, stop using your credit cards for every £3 latte yet expecting that no one is looking over your shoulder at your purchase activities.
> So damn it, stop using your credit cards for every £3 latte yet expecting that no one is looking over your shoulder at your purchase activities.
Ah, you poor innocent creature. You have yet to learn the ways of the wise.
I "give" them what they want, because I control the pattern they so develop. It suggests I have no idea, am an innocent citizen etc etc. It's less suspicious than a full blackout.
"No officer, I buy everything with my card and as you can see there are no quicklime and carpet purchases there"
Rule one of intercept is that the subject should not be aware of it or what you pick up may just be played for your benefit.
You want my data and try to do this surreptitiously? Beware what you ask for.
I'm the same way - I pay with cash. It's not only about privacy, it's about not having my credit card slurped. It's also about sticking to a budget.
But even when I pay with cash, many retailers will ask for a mobile phone number. Well, they don't really ask, while staring at the register they intone "What's your mobile number?" in a demanding tone of voice that assumes compliance. I've noticed that people automatically comply. But when I respond "No", there's usually a bit of comic relief when they hesitate, frown at me, and say it's for their rewards program or something like that. After a brief argument they give up.
When it comes to privacy and data security, most people are frogs and let themselves be slowly boiled.
> But even when I pay with cash, many retailers will ask for a mobile phone number. Well, they don't really ask, while staring at the register they intone "What's your mobile number?" in a demanding tone of voice that assumes compliance. I've noticed that people automatically comply. But when I respond "No", there's usually a bit of comic relief when they hesitate, frown at me, and say it's for their rewards program or something like that. After a brief argument they give up.
They want a number? Give them a number ... any old number you can make up on the spot: yours, varied by a single digit, or a completely unrelated string of the appropriate number of digits, or anything in between. There: request satisfied with no need for argument or raised blood pressure. No privacy violation either. And it's not as if they're going to immediately call or text the number to test it. The cashiers are given their script and have to follow it -- but feel free to salt their data. I've done it for years.
At least now I know why Decathlon (in France, at least) tries to grab your email address rather than printing out a receipt at the tills.
It had puzzled me until now. If I don't want or need a receipt, which is possible, then I might appreciate the possibility of them not spraying tar and carbon on to dead tree. Though why, if that's an option, they continue to place hefty security staff next to the exit from the megashed is non-obvious. If I do want or need a receipt then I'd like a receipt. Not some trivially easily forged collection of bits sent to some random email address that I happen to chuck in their direction.
Naturally I have thus far declined, just because of suspicion of things that I don't immediately understand. I need to recalibrate my naivety-cynicism balance again. I just don't have the imagination to compete with people who think up this kind of shit.
Generally if some fuckwit corporation insists on me giving them an email address, and if a moment's reflection reveals that there's no way they can validate it (e.g. airport WiFi where you have to provide an email address before you can access, but there is no way that they could email you an authorisation code because you don't yet have access to the WiFi) then I make up something in the domain <example.org>. It could be <example.com> or <example.net> with the same result. Don't quote me on this, but I believe that *.invalid works much the same.
I'm not sure where your 320 character limit came from. So far as I'm aware any combination of <user-name>@<domain>.<tld> is valid, and <user-name> can contain any otherwise reserved characters so long as it is quoted.
But sure, feed the fuckers really long garbage in the hope that it might break their suppositions about maximum length.
Due to having a poor credit score I only paid cash for around 15 years. Then I got a credit card with a $300 limit, used it a lot each month, paid most of it each month, and the bank liked that. They kept raising my credit limit at regular intervals, and my credit score rose to the point that I easily qualified for a second card, then a third one, each one with higher limits, which I started using for everything, including $3 purchases. I paid all of them off each month. Before I knew it I had a $20k limit on that first card, and my credit score had risen to the point that I easily qualified for a mortgage for the house I bought last year. All my cards have low balances, I still use them for nearly everything and pay 90% of the balance each month, so my interest is minimal. Long story short, by using those cards for virtually everything and paying them off like I do, I quickly took myself from a score of +/- 500 to +/- 800, and improved my life situation dramatically. So I can see why people use their cards for everything, if done the way I did it, it can really pay off.
I am fatigued at all these corporations that assume that I consent to their slurping and sharing my data.
The one that currently annoys me most is how many web sites have www.googletagmanager.com in them and do not ask if I consent to that. OK: my /etc/hosts maps that to 127.1.1.1 but most people do not know how to do that.
Oh: El Reg - you have googletagmanager ... when are you going to ask us if we want that ? To see how it should be done go to https://ico.org.uk/
> Oh: El Reg - you have googletagmanager
Perhaps, the parent Company is to blame? https://situationpublishing.com/ If I go there with my extensions enabled and the Pi-Hole removing garbage, this site doesn't load?!! I get the green circle chasing its ass... Thanks NoScript!!
You know you can download a host file which blocks a lot more, correct?
It's too bad I don't have a way of editing /etc/hosts on my phone.
You can also of course use a Pi-Hole and set that to your DNS server. Works for phones too, but only when they are connected to your wi-fi.
Until recently you are correct. But I just saw this on the Pi-Hole website yesterday...
4. Block ads everywhere, even on the go
By pairing your Pi-hole with a VPN, you can have ad blocking on your cellular devices, helping with limited bandwidth data plans.
PI-HOLE + VPN
>"Home Depot forwards the customer's hashed email address and offline purchase details to Meta when the customer provides their email address to Home Depot, at checkout, to obtain an e-receipt."
Probably need to do some research, but would not be surprised if this mode of operation is normal among those high street stores that provide e-receipts if you supply an email address...
Just off the top of my head: Screwfix, B&Q, Dunelm, Toolstation, PCWorld, ...
It is absolutely common.
Thousands of Companies Send Your Data to Facebook Without Your Knowledge
Yes, and exactly that "implied" is what is illegal here in Europe under GDPR. You can't bury it under the TB of Terms you normally have to agree to just to boil water these days (although I just filled out an 86-page contract bundle which needed 10 signatures and about 25 pages initialled which tried to do just that too, so the contracting entity is now facing some interesting questions).
> Home Depot asking if you want an email receipt implies permission to use the email address.
The majority of the public will take that to mean the email address will be used for the sole purpose of sending you an e-receipt.
I’m not sure if “use to send offers and marketing materials” really covers both the handing over to FB and FB’s usage of the email address.
The big change they are working on is a new name so it does not identify itself as a criminal activity.
Doesn't even get into how both the iOS and Facebook apps use exploits to turn your mic and camera on WITHOUT notifying you.
Then recording the audio AND video, which is illegally pumped to Facebook (Outside the US and EU where it can't be the subject of data laws) for later analysis.
Cambridge Analytica was just the tip of a very nasty Big brother network, and now the FB app spies on users 24/7.
third party app cannot access mic or camera
The same is true for Apple's apps, if you open the camera app the little green dot appears just like it does for third party apps.
Now someone may point out "what about stuff like Pegasus" and sure if something built with the resources of a nation state p0wns the entire device down to the microkernel level then all bets are off. But Facebook isn't going to be doing stuff like that, because something that bad would be the first time that the government does something more than hauling CEOs before congress to testify for political posturing. Much, much more.
Yes, but what happens if they open the camera?
As an aside the camera module in a brand name computer that we supplied some components for, had the LED directly across the chip power. If the camera chip was powered, the LED was on.
The prototypes had a plastic shutter you could slide across which was even better, but never made it into the production units.
The next generation returned to firmware controlled LED on a port pin, so the camera could be used for facial unlock, without the camera appearing to be on all the time. i.e. the camera on led meant whatever you wanted it to mean.
> Yes, but what happens if they open the camera?
Who is "they"? The Facebook app can't open the camera unless you give it permission to do so. The end user can sure, but the Facebook app can't access what the camera is seeing or any pictures you might take without, again, permission to do so.
Physical shutters sound great in theory but that's something that can break, or get grit on and scratch the lens, adds weight and thickness, etc. A better alternative for those who feel that's important would be to buy some sort of privacy protecting case that has physical shutters built in. If there isn't such a thing then I guess that's a market opportunity for you - though if there really isn't one out there then I'd take that as an indication of the minuscule size of the potential market.
So first Home Depot "incorrectly advised that they had not shared his information with Meta." then Home Depot also referenced "consent fatigue" as a rationale for why, at the time the customer requested an e-receipt, it did not notify them of its practices
It's one or the other.
Plus they stopped, so it's resolved. So now I can rob banks, but if I promise to stop, then it's "resolved" and no longer a problem?
Where the hell is the fine?
Home Depot needs to chill it.... People in my house cannot order or shop on Home Depot website without everyone in the house being completely bombarded with ads for those products. It is annoying and creepy. When can I see what exactly is being shared about me and how??? How can I monitor this for misuse?
I stopped going down the rabbit hole trying to find what is actually being shared. Block the slurp! Set up a Pi-Hole https://pi-hole.net/ , use something besides MS Edge or Chrome, use browser extensions, Ghostery, NoScript, uBlock Origin to name a few. This data slurp is on par with a war... it won't stop because you say chill. It's like telling a charging, angry dog to sit...
No one asked my permission to video me when I went to pay for my shopping.
The first thing I noticed was the flicker just above my head, of course I look up and bingo picture perfect insta moment caught on camera.
No warning, no explanation just a nice video perfect for facial recognition and they didn’t need to ask and of course linked perfectly to my credit card.
That is GDPR in action in the UK.
Presumably FB already knows the address firstname.lastname@example.org because Bob (or someone else) told them about it, and they just store the hash with the user profile. They can then match the Home Depot hash with what they calculated earlier.
It is mostly true that the hashes will turn out to be unique, but someone intercepting them probably can't easily reverse to the email addresses.
Of course there is nothing stopping Facebook creating a hash table of non Facebook Users email addresses collected from Facebook users address books. Allowing Facebook to know what their users friends bought at Home Depot.
Another piece of data Facebook can add to those shadow profiles it keeps.
Hashing is one way, but every time they hash an email address, it will match anyone else hashing that email. They have two options. They could hash every email address when it comes in and just store a database of emails and hashes. Or if they didn't do that, they can go to their big box of email addresses and hash each one to see if it matches.
Hashing is useful in the case of passwords because there are so many possible passwords out there. If I had a list of hashes and knew that all of them were from an initial set of a million possibilities, they would cease to be useful. That's why hashing a common or weak password doesn't prevent it from being insecure.
There are a lot more than seven hashing algorithms, and you are capable of writing one of your own quite easily (though if you intend to use it for cryptographic purposes, think twice or ten times). If the goal was to have an internal representation that is opaque if leaked, anyone can write their own hash function to sort of do it, though a better way is to assign a random number instead.
The reason Facebook has access is because Home Depot wants them to have access. They agreed on the hashing algorithm to use. Probably the point of using the hash instead of sending the address directly was to have something to say if any non-Facebook user protested about the sharing. Home Depot would say that Facebook was sent a value that, if they didn't have your address, wouldn't identify you. This is without considering that Facebook has lots of email addresses of people that don't have accounts that they could use if they were so inclined.
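The matching discussed in the comments above, as an added example that is not part of the original thread: an unkeyed hash of an email address still works as a join key for any recipient that already holds the address, while a keyed hash or a random per-customer token does not. SHA-256 over the trimmed, lower-cased address is an assumption (the thread does not name the algorithm), and all names and sample data are constructed.

```python
import hashlib
import hmac
import secrets

def normalise(email):
    # Assumed normalisation: trim whitespace and lower-case before hashing.
    return email.strip().lower()

def plain_hash(email):
    # Unkeyed SHA-256 (assumed): everyone who knows the address derives the same digest.
    return hashlib.sha256(normalise(email).encode("utf-8")).hexdigest()

def keyed_hash(email, key):
    # HMAC with a secret only the retailer holds: digests are useless to a recipient
    # without the key, yet stay stable for the retailer's own internal use.
    return hmac.new(key, normalise(email).encode("utf-8"), hashlib.sha256).hexdigest()

def export(receipts, hasher):
    # What the retailer would send: (identifier, purchase) pairs.
    return [(hasher(email), item) for email, item in receipts]

def random_tokens(receipts):
    # The "assign a random number instead" option from the comment above.
    table = {}
    return [(table.setdefault(normalise(e), secrets.token_hex(16)), item)
            for e, item in receipts]

def recipient_match(exported, known_emails):
    # The recipient hashes the addresses it already holds and joins on the digest.
    lookup = {plain_hash(e): normalise(e) for e in known_emails}
    return {lookup[h]: item for h, item in exported if h in lookup}

# Constructed sample data (not from the thread).
RECEIPTS = [
    ("Alice@Example.org ", "kitchen sink"),
    ("bob@example.org", "hammer"),
    ("carol@example.org", "paint"),
]
KNOWN = ["alice@example.org", "bob@example.org", "dave@example.org"]

def demo():
    key = secrets.token_bytes(32)  # retailer-only secret
    return {
        "plain": recipient_match(export(RECEIPTS, plain_hash), KNOWN),
        "keyed": recipient_match(export(RECEIPTS, lambda e: keyed_hash(e, key)), KNOWN),
        "random": recipient_match(random_tokens(RECEIPTS), KNOWN),
    }

if __name__ == "__main__":
    for scheme, matched in demo().items():
        print(scheme, matched)
```

Only the unkeyed scheme lets the recipient attach purchases to addresses it already knows; the address it does not hold (`carol@example.org`) stays unmatched under all three.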
Home Depot's partnership with Facebook is much more insidious than this. A few years ago, the wife and I were in the local Home Depot looking at kitchen sinks, something we had never done before (well, not since the rise of the Internet, at least). She had her iPhone in her purse, my Samsung was left out in the car. She at no time used her cellphone during our visit to HD, nor did we actually buy a sink. The next day, when she opened the Facebook app on her phone, she was immediately hit with Home Depot ads for kitchen sinks and faucets.
Never forget, your eyeballs are Facebook's primary product.
Step 1: pay for a Meta advert along the lines of "you really ought to buy a Hammer, you can use it to commit crimes you know". Step 2: arrest every hammer purchaser if that advert happened to have been in their feed in the last month. Step 3: brag about having done a great job preventing crime in the area.
They also have a frothing rabid customer retention department. You can try making an online purchase without spam, but the spam will flow. You can't opt-out either. I used California law to have my data removed.
They eliminated ordering as "guest" so now I won't place any orders. How's that for customer retention?
I expect that you already know this, but just in case...
'Canada's Home Depot has stopped using Meta's "Offline Conversions" tool'
In advertising, especially the online variety, a "conversion" is an action -- any action -- which resulted from someone seeing an ad. It could be a click-through on the ad itself. With tracking cookies it is more likely to be that you visited the advertiser's site -- or one syndicated to it -- at some point after the ad was delivered.
The holy grail, of course, is conversion to an actual sale, but others are possible. A favourite of the advertising industry is "awareness". You saw an ad, and this affected your awareness of the advertised product.
Home Depot sharing your freely disclosed email address allows Facebook to score a conversion of the most valuable kind. They (Facebook) showed you an ad, and then you bought something from Home Depot. If you are Home Depot then you probably hope that this sequence involved a Facebook ad for Home Depot, but it doesn't have to be so. No one really cares about causality just so long as the correlation is plausible.
I work in the industry, and I say nuke them from a low orbit.
I tell stores flat out that no, I'm not giving them an email. If my email is a requirement to check out (hasn't been yet) I have no problem not completing the transaction. Also make them print a receipt as I use paper receipts to reconcile my credit card statement. So far, no issues on that.
Can't say my information isn't collected, but I make it hard to do and don't have a Faecesbook account so no help for them there. The only Google account I have is related to the phone, but as I don't use any google services that can put one to the other for generating ads, they're not making that money off me.
Privacy - the odds may seem insurmountable, but fight the good fight anyway.
where the Privacy Commissioner investigated data slurping by Tim Horton's (a coffee and doughnut chain ubiquitous in Canada).
the App identified where he lived and worked, when travelling more than 100 kilometers from his home, and noted when it believed he entered a Starbucks, Second Cup, McDonald’s, Pizza Pizza, A&W, KFC or Subway. In addition to tracking the author’s location within Canada, the App also tracked his location while on vacation in Europe and northern Africa.
I conclude Home Depot is less imaginative than Tim Hortons...../s