Doubleclick gets through?
Recently visited youtube. Only scripts actually shown in NS message were youtube.com and .ytimg.com. Had to allow both for the site to work. What I don't understand is what was going on in the status bar, where I saw quite a lot of other activity, including "transferring data from doubleclick.net". (Maybe I don't understand the difference between activity showing in the status bar and NS messages).
When I visit NY Times, for example, NS blocks doubleclick, does this mean it's not being blocked on youtube? If it isn't, how is it able to get through? Does it piggyback on .ytimg.com or on youtube.com, itself? I hate doubleclick and don't want it anywhere near my computer. Didn't see anything for doubleclick in cookies. Thanks.
Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.4; en-US; rv:1.9.0.10) Gecko/2009042315 Firefox/3.0.10
Re: Doubleclick gets through?
NoScript is not blocking doubleclick.net.
It is blocking JavaScript from doubleclick.net from running though.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.21) Gecko/20090403 SeaMonkey/1.1.16
Re: Doubleclick gets through?
Quote: It is blocking JavaScript from doubleclick.net....
Thanks. I do understand NS works by blocking JS. But please explain what's happening when I see "transferring data from doubleclick.net" in the status bar? Is that a script, and if so, shouldn't NS be blocking it? How do I know NS is blocking it, since it isn't shown by NS as blocked?
I had to allow JS for youtube to work, but even so, shouldn't doubleclick still be blocked (if it's not), as it is in NY Times, or any site, for that matter, where scripts are blocked selectively?
Last edited by kukla on Fri May 29, 2009 4:09 pm, edited 1 time in total.
Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.4; en-US; rv:1.9.0.10) Gecko/2009042315 Firefox/3.0.10
Re: Doubleclick gets through?
On this page, http://www.youtube.com/watch?v=GSKL5E3zSjs, I see these domains:
Code:
http://code.google.com/
http://digg.com/
http://spaces.live.com/
http://twitter.com/
http://www.adobe.com/
http://www.bebo.com/
http://www.facebook.com/
http://www.google.com/
http://www.hi5.com/
http://www.myspace.com/
http://www.orkut.com/
http://gdata.youtube.com/
http://help.youtube.com/
http://m.youtube.com/
http://s.ytimg.com/
http://www.youtube.com/
For Youtube to work, youtube.com & ytimg.com must be allowed.
Now Youtube also has links to all those other domains & so may be loading data from them, but as far as scripts are concerned, no JavaScript from any of those other domains will run unless those domains have been Allowed.
(I didn't happen to see doubleclick.net.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.21) Gecko/20090403 SeaMonkey/1.1.16
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: Doubleclick gets through?
kukla wrote: But please explain what's happening when I see "transferring data from doubleclick.net" in the status bar? Is that a script, and if so, shouldn't NS be blocking it?
"Transferring data" means exactly that, data (not necessarily code) is being transferred.
It can be an image, an iframe or a stylesheet, none of those are blocked by NoScript in its default configuration.
If it's a script, you won't see that message because NoScript blocks the transfer before it starts (unless you've whitelisted doubleclick.net and the top-level domain).
If you want any transfer from doubleclick.net (including images and whatever) to be blocked, grab latest development build, open the NoScript Options|Advanced|ABE panel, select the "USER" ruleset and add
Code:
Site doubleclick.net *.doubleclick.net
Deny
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
Re: Doubleclick gets through?
Thanks, Giorgio, for follow up; I guess it's obvious I don't really understand that much about the subject. Bottom line question: should I be concerned in any way by this behavior? If it's just adding some element to the site or page, and not tracking MY data, then I don't really care. If it's not "transferring code," you seem to be saying it's harmless. Is that right?
Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.4; en-US; rv:1.9.0.10) Gecko/2009042315 Firefox/3.0.10
- Giorgio Maone
Re: Doubleclick gets through?
kukla wrote: If it's not "transferring code," you seem to be saying it's harmless. Is that right?
Well, not exactly. With every HTTP data transfer some information is sent:
- Your IP
- The address of the page you're visiting
- Some details about your browser configuration
If you're OK with this, there's no other harm that can be done without scripting.
Otherwise, use the ABE rule above.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
Re: Doubleclick gets through?
Quote: Well, not exactly. With every HTTP data transfer some information is sent: 1. Your IP 2. The address of the page you're visiting 3. Some details about your browser configuration
And in the case of DC that information could and would be used, I suppose, for tracking? So, then, what's essentially the difference among:
1. a cookie from DC?
2. a script from DC?
3. a link from DC?
Are they equally invasive/insidious, equally to be avoided? Thanks for help with my basic education on this.
Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.4; en-US; rv:1.9.0.10) Gecko/2009042315 Firefox/3.0.10
- Giorgio Maone
Re: Doubleclick gets through?
kukla wrote: And in the case of DC that information could and would be used, I suppose, for tracking?
Yes, but your IP alone is not enough for effective profiling (many users can share the same IP), and therefore it won't be used for tracking unless other data is available for identification (see below).
kukla wrote: So, then, what's essentially the difference among: 1. a cookie from DC?
A persistent cookie can be used for profiling, by setting it to a globally unique ID which will be "seen" in all the pages where doubleclick.net manages to be requested.
Usually IP+Cookie give good profiling chances but can be easily defeated.
That's why the first privacy move you learn is disabling at least 3rd party cookies (e.g. cookies set by doubleclick.net while you're visiting youtube.com).
Personally, I use the CS Lite extension to disable them everywhere but the site where I really need them for authentication purpose, and only for the current session.
This way profiling (and therefore tracking) is almost impossible, unless you enable scripts and other content.
Quote: 2. a script from DC?
If a script gets to be executed from a privacy-hostile party, it can basically collect all the information you can see here and much more.
At that point having cookies disabled doesn't help too much, because all that info put together with your IP build a pretty unique and rich profile of you.
Quote: 3. a link from DC?
It's the same as an image or a frame from DC, and without cookies and/or scripts is pretty useless to them: your IP alone is not a reliable correlation key (see #1), so your info is "poor" for tracking purpose and will be likely discarded not to "poison" the relevant pool.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
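Added example, not part of the original thread: a constructed view of what a third-party host receives from plain image requests (IP, page address, browser details, optional cookie), grouped first by IP and then by a persistent cookie ID, to show why the IP alone is a poor correlation key. The host ads.example, the cookie name id, and all addresses and pages are made up for illustration.

```python
from collections import defaultdict

def head(path, referer, cookie=None):
    """Build a constructed request head for the made-up host ads.example."""
    lines = [f"GET {path} HTTP/1.1", "Host: ads.example",
             f"Referer: {referer}", "User-Agent: Firefox/3.0.10"]
    if cookie:
        lines.append(f"Cookie: id={cookie}")
    return "\r\n".join(lines) + "\r\n\r\n"

# Constructed sample. Users A and B share one NAT address; only A's browser
# accepts third-party cookies, and A later connects from a second address.
REQUESTS = [
    ("203.0.113.7", head("/ad.gif", "http://video.example/watch?v=1", "aaa111")),  # A
    ("203.0.113.7", head("/ad.gif", "http://shop.example/cart")),                  # B
    ("203.0.113.7", head("/ad.gif", "http://news.example/world", "aaa111")),       # A
    ("198.51.100.9", head("/ad.gif", "http://forum.example/t/42", "aaa111")),      # A
]

def disclosed(client_ip, raw):
    """What one image request reveals to the third party, with no script run."""
    headers = {}
    for line in raw.split("\r\n")[1:]:          # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    cookie_id = None
    for part in headers.get("cookie", "").split(";"):
        if part.strip().startswith("id="):
            cookie_id = part.strip()[3:]
    return {"ip": client_ip, "page": headers.get("referer"),
            "browser": headers.get("user-agent"), "cookie_id": cookie_id}

def profiles(requests, key):
    """Group visited pages by a correlation key: 'ip' or 'cookie_id'."""
    seen = defaultdict(list)
    for client_ip, raw in requests:
        info = disclosed(client_ip, raw)
        if info[key] is not None:               # cookieless requests have no ID
            seen[info[key]].append(info["page"])
    return dict(seen)

if __name__ == "__main__":
    print("by IP:    ", profiles(REQUESTS, "ip"))
    print("by cookie:", profiles(REQUESTS, "cookie_id"))
```

Grouped by IP, A's and B's pages are mixed under the shared address and A's later visit appears as a separate visitor; grouped by cookie, A's three visits form one profile and B's cookieless request joins none.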
Re: Doubleclick gets through?
Thanks Giorgio for taking the time to explain this to me. So, what I can gather from that is that link I saw being loaded in the status bar when I went to youtube would only have been meaningful or useful to DC for tracking me, if I had previously enabled DC, either through a cookie or a script. Then they would have known I had visited youtube and what page I'd looked at. That's what that link is for. Is that right? That's what this seems to come down to.
And in the past when I was using Safari or Camino, or FF without NS, I would have been allowing DC scripts. Am I still being tracked? Is there any way to stop that if it's still happening?
One more thing: Why is it I never seem to get doubleclick cookies (I thought they were so ubiquitous), although I often see the DC script being blocked by NS on certain pages? Can a doubleclick cookie "hide" within some other cookie? Google owns DC; can DC reside inside a Google cookie? BTW, I usually clean out all my cookies and the FF cache at the end of a session, if not before. (I also clean out Flash cookies whenever I see them in Preferences/Macromedia, although I have them blocked at the Adobe Settings Manager, anyway).
Thanks very much again, and I'll let you go after this one.
Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.4; en-US; rv:1.9.0.10) Gecko/2009042315 Firefox/3.0.10
- Giorgio Maone
Re: Doubleclick gets through?
kukla wrote: Then they would have known I had visited youtube and what page I'd looked at. That's what that link is for. Is that right?
No, not necessarily. You asked if it could be used to track you, but that's very unlikely their main purpose.
Doubleclick is an advertising company, so the main purpose of the data transfer was probably just showing an advertising banner or something like that.
Of course, the more the data they can collect about your browsing habits while they try to display their ads, the more accurate, "relevant" and targeted will be the content of the ad.
kukla wrote: And in the past when I was using Safari or Camino, or FF without NS, I would have been allowing DC scripts. Am I still being tracked? Is there any way to stop that if it's still happening?
They were not tracking you as a "person", they were tracking the user of your browser and modeling a "consumer profile" to deliver more targeted ads and send your eyeballs more accurately to interested advertisers (e.g. if they learn that your browser is used to display a lot of martial arts videos, they'll probably start advertising fighting sport gears).
Since cookies are limited to the browser where they've been set, just switching to a different browser (or clearing them) is enough to "stop that".
kukla wrote: Can a doubleclick cookie "hide" within some other cookie?
No, but as you said since Google owns DC, there's technically nothing preventing them from using the enormous amount of information that Google can collect about your browsing habits for targeted advertising purposes.
kukla wrote: BTW, I usually clean out all my cookies and the FF cache at the end of a session, if not before. (I also clean out Flash cookies whenever I see them in Preferences/Macromedia, although I have them blocked at the Adobe Settings Manager, anyway).
If you do that consistently and allow JavaScript/Plugins as sparely as possible, you shouldn't worry too much about "tracking".
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
Re: Doubleclick gets through?
(I don't think that is the "profile" you intended? Perhaps Profiling practices?)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.21) Gecko/20090403 SeaMonkey/1.1.16
- Giorgio Maone
Re: Doubleclick gets through?
therube wrote: (I don't think that is the "profile" you intended? Perhaps Profiling practices?)
The wrong auto-linking happened because of a GreaseMonkey script I use to speed up my posting here

Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3369
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: Doubleclick gets through?
I guess I never had this issue because I block doubleclick in NS by marking it as untrusted and the rest of its content gets blocked by block from RP, so I guess I was always set, now might include an ABE ruleset just for overkill good measure 

~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
Re: Doubleclick gets through?
Giorgio Maone wrote: If you want any transfer from doubleclick.net (including images and whatever) to be blocked, grab latest development build, open the NoScript Options|Advanced|ABE panel, select the "USER" ruleset and add
Code:
Site doubleclick.net *.doubleclick.net
Deny
Like Guardian, I've always had DC in NS untrusted and in ABO blocklist, as well as NS Cookie blocklist. (Do you get the idea that I don't trust DC?) But will add the above to ABE.
Question: So should I copy the same rule into ABE, substituting all other blacklisted sites from NS and AB lists?
Question: Doubleclick is also in my HOSTS file, so I can't go there even if I try. Does ABE add anything to this level of protection, or is this case redundant? In other words, with the browser blocked in Hosts from connecting to DC, is there any other way for DC to xfr data other than by a more trusted party carrying/proxying it for them? I think I'm losing myself here....
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard