Hollyman’s World blog

More zeros and ones for the bit bucket


The magic of Internet Search (or How your Privacy was Lost)

May 3rd, 2010

I had the most magical experience on the Internet during the last few weeks. The whole experience has me a bit amazed and scared at the same time. And it all started with a simple magazine that I received at home last week.

[Image: Overton's 2010 Catalog]

Here is the story.

A few weeks ago I found out that a good friend of mine was moving out of state and selling his motorboat. Highly interested in purchasing said boat, I began to search online to look at comparable boats for values and some sites on boating accessories. I needed to find out what the actual cost of boat ownership was.

Like all good searches, I started out with Google. I looked for the same model boats out there and ended up on sites like boattrader.com and others. Naturally, I hit some of the other sites out there like boat.com, which is really just a captive search site getting ad money for links that you click on while visiting.

I found some very good information on boat parts, covers, registration info and going sale prices. Good for me!

Then it happened. One Saturday a couple of weeks later, I received a catalog from Overtons.com in the mail. That is postal mail, mind you, not email. I was a bit surprised at the timing of this, as it seemed to fit in pretty well with my needs, but was totally unsolicited.

I next asked my friend and neighbor if they had signed me up for the catalog. Neither did. So now I am pretty shocked that somehow, Overton’s received my personally identifiable information, including my name and home address, apparently from search and surfing the web.

Being the Network Security person that I am, I decided to start the hunt for data. First, I started off by simply calling Overton’s to ask them why I was added to their mailing list. The operator there was nice, but she did not know why I was added. She suggested the basics, like it was a mass-mailing for the area. Well, that’s not an option, because Colorado doesn’t have that much water to send unsolicited magazines to non-boat owners.

I then sent an email to Overton’s from their online web email form, asking for assistance with finding out how they added me to the list. A nice gentleman responded that they purchased it from a third-party marketing company. This company seemed to be a large marketing company and I realized I probably wouldn’t get anywhere with that lead.

Next I decided to try and back-track my steps with Firefox and NoScript, wondering if this would show anything cookie-wise that might shed some light on the situation. I started off with my original search terms on google.com. One of the early sites I came to was boattrader.com. Using NoScript, I found this site to have a cookie from addthis.com.

[Image: NoScript with addthis.com]
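The same check can be repeated offline against a HAR capture exported from the browser's developer tools, listing every cookie set or received by a site other than the one visited. This is an added example, not part of the original post; the capture, paths, subdomains and cookie names are constructed, and `entry` and `site_of` are hypothetical helpers.

```python
from urllib.parse import urlsplit

def entry(url, set_cookies=(), sent=()):
    """Build a minimal HAR-style entry with only the fields this audit reads."""
    return {"request": {"url": url, "cookies": [{"name": n} for n in sent]},
            "response": {"headers": [{"name": "Set-Cookie", "value": v}
                                     for v in set_cookies]}}

# Constructed capture, not real traffic: paths, subdomains and cookie
# names/values are made up for illustration.
SAMPLE_HAR = {"log": {"entries": [
    entry("https://www.boattrader.com/", ["session=constructed1; Path=/"]),
    entry("https://img.boattrader.com/logo.png"),
    entry("https://addthis.com/widget.js", ["uid=constructed2; Max-Age=63072000"]),
    entry("https://addthis.com/pixel.gif", sent=["uid"]),
    entry("https://static.example.net/lib.js"),
]}}

def site_of(host):
    """Naive registrable domain (last two labels). Assumption: good enough for
    the .com hosts here; a real audit should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def third_party_cookies(har, page_url):
    """Map each third-party site to the cookie names it set or received."""
    first_party = site_of(urlsplit(page_url).hostname or "")
    findings = {}
    for e in har["log"]["entries"]:
        site = site_of(urlsplit(e["request"]["url"]).hostname or "")
        if site == first_party:
            continue  # same site as the page the user chose to visit
        set_names = [h["value"].split("=", 1)[0].strip()
                     for h in e["response"]["headers"]
                     if h["name"].lower() == "set-cookie"]
        sent_names = [c["name"] for c in e["request"].get("cookies", [])]
        if set_names or sent_names:
            findings.setdefault(site, set()).update(set_names + sent_names)
    return {site: sorted(names) for site, names in findings.items()}

if __name__ == "__main__":
    report = third_party_cookies(SAMPLE_HAR, "https://www.boattrader.com/")
    for site, names in report.items():
        print(f"{site}: {', '.join(names)}")
```

Third-party hosts that load content without setting or receiving a cookie, like the constructed `static.example.net` entry, are left out of the report.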

I did some research on this domain and found the Registrant information from whois:

Domain Name: ADDTHIS.COM
Registrant:
Clearspring Technologies
8000 Westpark Drive
Suite 625
McLean, Virginia 22102
United States

I then did a Google search for “clearspring technologies” and found a Wikipedia page that discusses them. One of the comments on the wiki page mentions the methods they use for gathering data:

[Image: clearspring wikipedia methods]

Well, that certainly seems like a smoking gun to me! Here is one of the websites that I visited AND they have a cookie for addthis.com AND that is run by Clearspring Technologies AND (at least) Wikipedia mentions that they actively track users’ personally identifiable information for sale to direct advertising.

The scary thing is, I can’t verify that this is indeed where my information was stolen. They could have stolen other cookies on my computer that may have had some additional information they used to find my personal data. It’s pretty hard to tell at this point. But the fact remains that someone sold my information, without my knowledge or consent and sent me materials in the mail that I did not request. That should be a scary concept for people that are searching for things other than boats. :-)

Put this in the larger context with all of the news on privacy with Facebook here, here and here and Google grabbing people’s WiFi data, and people should definitely be concerned about what data they share and with whom. It isn’t a question of IF someone will use your information, it is WHEN. My catalog is proof!

Tags: Privacy · Technology
