18 Oct 2003 forrest   » (Journeyer)

Alarming Privacy Violation

I'm sure I must not be the only one here who invests in Vanguard Funds; they have a reputation for low overhead.

Their website is clearly geared towards IE, the only browser they guarantee to work. Mozilla under Linux usually works though, and that's what I usually do. To do a buy transaction you're shepherded through a series of scrollbar-less windows. They offer you the option to print a record of the final transaction, but you're not supposed to save the html, as evidenced by this bit of javascript:

	document.onmousedown=noRight;
	document.onmouseup=noRight;

	function noRight(e) {
		if (event.button > 1) {
			alert("Sorry, the right click has been disabled for this application.");
			return false;
		}
	}

Of course, I saved the html: I wanted to store a record on my computer and the above code presented no restriction to me.

Just now I was looking at the html source so I could enter my data into Gnucash, when I saw something that made a chill run up my spine:

	<div class="gh"><img SRC="https://ad.doubleclick.net/activity;src=9999;type=vangu99;cat=mfbuy9999;qty=1;
cost=999;ord=99999999999;u=99999|Individual|prd;tran=9999999999?" WIDTH=1 HEIGHT=1 BORDER=0></div>

I changed all the numbers to random strings of 9s to obscure my personal financial information (and added a newline to make the formatting less obnoxious), but from the original content it's clear that information about my transaction was sent. To ad.doubleclick.net.

I feel violated. I'd feel really violated if ad.doubleclick.net didn't resolve to 127.0.0.1 on my system.

I guess I'd better go re-read their privacy policy with a fine-tooth comb.

P.S. I know I've read some things before about why Doubleclick in particular is a very dubious entity to trust with one's personal information. I know I can google for it, but if anyone can help me out by pointing me to the best articles to reference in my upcoming complaint to Vanguard, that'd be great.
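
An added example, not part of the original post and not Vanguard's or DoubleClick's code: a Python script that scans a saved HTML page for 1x1 images served from another host and lists the fields packed into each URL, using the beacon quoted above (with its values masked as 9s) as input. The first-party host name example-fund.test, the spacer image and the names BeaconFinder and find_beacons are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the masked beacon quoted in the post (line break included),
# plus a hypothetical first-party spacer image for contrast.
SAMPLE_HTML = '''
<img src="https://example-fund.test/img/spacer.gif" width=1 height=1>
<div class="gh"><img SRC="https://ad.doubleclick.net/activity;src=9999;type=vangu99;cat=mfbuy9999;qty=1;
cost=999;ord=99999999999;u=99999|Individual|prd;tran=9999999999?" WIDTH=1 HEIGHT=1 BORDER=0></div>
'''


class BeaconFinder(HTMLParser):
    """Collect 1x1 <img> tags whose src points at a host other than the page's own."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host.lower()
        self.beacons = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases tag and attribute names
        if a.get("width") != "1" or a.get("height") != "1":
            return
        # Drop whitespace inside the URL (the post's copy has a line break in it).
        url = urlsplit("".join(a.get("src", "").split()))
        host = (url.hostname or "").lower()
        # Naive same-site test by host suffix; it does not consult the public suffix list.
        if not host or host == self.first_party_host or host.endswith("." + self.first_party_host):
            return
        # Fields may ride in ";"-separated path parameters (as here) or in the query string.
        raw = url.path.split(";")[1:] + [p for p in url.query.replace("&", ";").split(";") if p]
        fields = dict(p.split("=", 1) if "=" in p else (p, "") for p in raw)
        self.beacons.append({"host": host, "fields": fields})


def find_beacons(html, first_party_host):
    finder = BeaconFinder(first_party_host)
    finder.feed(html)
    return finder.beacons


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_HTML, "example-fund.test"):
        print(b["host"], b["fields"])
```

Run against pages saved from a logged-in session, this shows which third-party hosts would be contacted and which field names and values would go with each request.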
