From the home page of the website, you are tracked
If like me you want to limit your dependence on GAFAs, you may have already placed an order on the Fnac. Indeed, beyond the problems tax evasion, abuse of dominant position or employee exploitation, Amazon is also a key player in surveillance capitalism with, among others:
- Amazon Advertising and Amazon Publisher Services : advertising solutions for advertisers and publishers. Little known to the general public, Amazon is already the world's number 3 advertising platform, behind Google and Facebook.
- Amazon Alexa : Amazon's voice assistant, a spy present in millions of homes.
- Amazon Ring : very popular connected videophones in the United States, Ring has been purchased by Amazon in 2018, and this subsidiary signs partnerships with multiple police services.
Amazon's competitors in the e-Commerce sector therefore have an avenue ahead of them to offer a customer experience that respects privacy, which is unfortunately not the case for Fnac as we will see. Let's start our investigation with the fnac website :
- Disable your adblocker.
- Delete cookies on Chrome (Settings > Advanced settings > Clear browsing data), so you are logged out of your Google account.
- Open the Chrome console (⌘+Option+J on Mac, Ctrl, Shift and J on PC), click on the Application tab, then Cookies on the left panel.
- Then go to fnac.com.
- Do not surf on Fnac, but look at the different cookies placed by third-party companies (other than Fnac).
As we can see, even before having browsed and accepted tracking, you find yourself tracked by several companies:
- AppNexus : represented by the adnxs domain, an American company, it is one of the leaders in the adtech sector (far behind Google), offering both advertising monetization solutions for publishers and an advertising space purchasing platform for advertisers. Acquired by AT&T in 2018, with the lucrative video advertising market in mind but also the merger of personal data held by the American telecoms giant and the advertising data of hundreds of millions of Internet users.
- Criteo : the French adtech giant, world leader in retargeting. If you have visited product pages, then been bombarded with banner ads for these same products all over the web, for several days or even weeks, it was probably Criteo. This company literally revealed to the general public the intrusive side of personalized advertising.
- Google : represented by the domain doubleclick.net, its advertising solution for publishers and advertisers, dominant in the adtech market.
- Eulerian : represented by the ew3.io domain, French solution attribution (allows Fnac to understand which advertising campaigns trigger sales) and to data management (allows Fnac to profile you to better target you).
- Smart AdServer : another French company, allows Fnac to monetize its advertising inventory.
- iAdvize : French company offering conversational purchasing assistance.
Fnac is clearly illegal here, like many French websites (read on this subject: collecting consent on the internet: a widespread lie). And Fnac does not respect its own information banner, indicating not to place third-party cookies until you have continued your navigation.
Note the fictitious "consent" presented by this banner: continuing your navigation is equivalent to accepting the deposit of cookies, the cross-referencing with your customer data, the distribution of personalized content and advertisements, the carrying out of marketing studies and the prevention of fraud! This type of banner, still present on many French websites, comes from a flaw introduced by the CNIL in 2013, indicating that "the continuation of your navigation constitutes agreement to the deposit of Cookies on your terminal"! This light notion of consent should no longer be valid within a few months, with the arrival of new recommendations from the CNIL regarding the collection of consent.
Continue browsing, the trackers are multiplying
What happens if you “continue browsing”? All you need to do is scroll on the Fnac home page, and observe the new requests sent via the Chrome console or the software Charles Proxy :
Many new marketing companies are now tracking you, we can note:
- Mediarithmics : French company offering an advertising space purchasing platform, and a data management solution (better profile you to better target you).
- Facebook : as with Google, Facebook's monitoring tools are omnipresent on the web, and very widely used by advertisers.
- Temelio : represented by the Leadplace domain, a French data marketing company, offers advertisers the opportunity to cross-reference your personal data online and offline. So you are being hunted everywhere!
- Weborama : another French data marketing company (always better profile you, to better target you).
- MediaMath : represented by the mathtag domain, an American company, one of the main advertising space purchasing platforms on the market.
- Bluekai : data marketing company, American this time, bought by the giant Oracle in 2014. It was one of the first companies to launch a DMP (Data Management Platform) on the market, more than 10 years ago.
- Bidswitch : Russian company that builds programmatic advertising platforms for multiple clients, and which serves as an intermediary between advertising space purchasing platforms and advertising monetization solutions.
- Rubicon : American advertising monetization platform.
It should be noted that other marketing companies are appearing if you continue to surf on Fnac. All these companies therefore track you on the web, without your consent, enriching your profile with each page viewed, with each addition to the basket, with each purchase. Some go so far as to cross-reference this online data with information collected on your offline behavior, all with the aim of always better targeting you with personalized advertising.
Refuse cookies, and we will continue to track you
No one clicks on the cookie information banners, and is that very often, they don't work. Fnac is no exception, you can see this by clicking on “Find out more and configure cookies”.
Note here that you can "Authorize all" directly, but that the "Refuse all" button does not exist, you have to uncheck the types of Cookies one by one, which clearly does not respect the GDPR (it must be as easy to refuse consent as to give it). Also, it is impossible to access the list of companies that are tracking you (no information on Google, Facebook, Criteo, Eulerian or other Weborama).
Naively, you might say that deactivating Advertising Cookies should stop tracking. Not quite! Although the list is shorter than if you continue browsing directly, you are still being tracked by several advertising companies.
So Criteo, Google (doubleclick), AppNexus (adnxs), Smart AdServer and Eulerian continue to track you... Let's go back to this "Preference Center" and deactivate the "Analytical Cookies".
It turns out that this setting allows you to no longer be tracked by Google, AppNexus, Smart AdServer and Eulerian (except Eulerian, these are not analytics tools but adtech companies). Criteo still resists, if we reload the home page and we see the tracker reappear.
One last try with Criteo, let's refuse all cookies, by unchecking "Functional cookies".
Bad luck, Criteo is immortal, the Fnac home page always triggers the Criteo tracker.
Confidentiality at Fnac? Access denied!
Eager to know more about this disastrous management of my personal data, I decide to read the privacy policy, still from the “Preference Center”.
No luck, by clicking on the "More information" link, I come across a recipe page... Access denied!
Fortunately, you can still consult the Fnac’s “personal data protection policy”, accessible via the footer of the website... Here, you can better understand to what extent fnac uses your personal data, for example fnac is part of "the Gravity alliance", a large personal data exchange made up of 150 sites and applications, including 2000 targeting segments!
But you will also read some lies, like:
To oppose advertising targeting for the benefit of advertising partners, you must refuse advertising cookies. For more information and to manage your advertising cookies, go to the “Cookies” page of the site.
Which is false for Criteo, Google, AppNexus, Smart AdServer and Eulerian, who always take advantage of your surfing on Fnac to target you later. Another questionable passage:
The legal basis for the use of browsing data for advertising profiling purposes is consent (cookie consent).
I have never consented to this tracking, the consent must be free and informed to be valid according to the GDPR.
Log in and close your personal data
As long as you are not connected, you can decide to delete your cookies and thus start from scratch with the different adtech companies. By connecting, you take the risk that Fnac also leaks permanent data. I wanted to check, and connected to my Fnac account from Chrome, and unfortunately this intuition turned out to be correct: upon login, Fnac leaked to Mediarithmics a hash my email address as well as my Fnac account number.
Who is Mediarithmics ? This French data management company was chosen by the Gravity alliance, the large personal data exchange mentioned in the “Personal data protection policy” from fnac. So, fnac does not just leak your personal data to third parties, it does it with a permanent identifier linked to your email, and it shares this information with 150 other sites, partners of the alliance... What does fnac say about Gravity?
Fnac Darty may also participate in data pooling programs for advertising purposes such as the Gravity Data Media Alliance. [...] FNAC DARTY creates these segments or profiles on the basis of information held by the group's brands (browsing data, purchasing data, declarative data) or information collected as part of our relationships with partners (e.g. member of the Gravity Data Media Alliance),..
Tracking continues on the Fnac App for iOS
If you were thinking of avoiding the leak of your personal data by using the Fnac app, it's a wasted effort. Beforehand, please note that I have limited ad tracking on my iPhone
Then, to carry out the test, I used the Charles Proxy application, and I followed the following steps:
- Closing apps on my iPhone.
- Opening Charles Proxy and enabling tracking.
- Launch of the Fnac application.
- Export Charles Proxy logs to my computer.
Here is the result:
Who does Fnac send my personal data to? To the following data marketing companies:
- Google : it's difficult to escape Google, Fnac uses Crashlytics (crash monitoring tool, purchased from Twitter) and Google Analytics, the omnipresent analytics tool.
- Accengage : French push notifications tool, purchased in 2018 by the mobile marketing company Airship. Looking at the details of the requests to Accengage, I realize that Fnac leaks my first and last name in plain text, coupled with the details of my smartphone, all the Fnac products consulted as well as a variable indicating my agreement to be geolocated, "optin_geoloc": "Y" (I never gave my agreement).
- Adobe : you knew Photoshop but Adobe is also a marketing giant, and Fnac uses its analytics tool.
- Criteo : targeted on the web, I am also on the Fnac application. And Criteo knows how to find me, a hash of my email is sent with each request.
- Adjust : a mobile marketing solution offering fraud prevention, analytics, attribution but also a solution for building user profiles.
- Glaze : a French solution to personalize the customer experience.
Personal data sent
Fnac therefore sends personal data (first and last name) to Accengage. Beyond the fact that I never consented to such tracking and that Fnac does not warn of this leak of personal data, what does Accengage’s personal data protection policy ?
No personal data is reported. Fnac probably freely decided to send Accengage the names of its customers, which would fit in the “relevant information” box. Also, Accengage claims to respect the user preferences indicated in the iOS settings:
However, this is not the case, I checked the “Limited advertising tracking” box and Accengage continues to track me, by name.
The Criteo case
Fnac also sends a hash of my email address to Criteo. What does this say?Personal data protection policy", in the section relating to sharing data with third parties?
To allow us to connect your different terminals (computers, mobile phones, etc.) and provide you with a consistent experience across the different devices you use. To find out more about the system for combining different devices or to object to it, you can go to http://www.criteo.com/fr/privacy/
So let's go to the Criteo privacy policy, and let's read the section relating to deactivation of Criteo services on mobile applications. It is also indicated there:
For iOS (version 6 and later), activate the “Limited advertising tracking” option: to do this, in your device settings, go to “Privacy” > “Advertising” and activate the “Limited advertising tracking” option.
What should activating the “Limited ad tracking” option change according to Criteo?
I notice that the hash of my email address is still collected, it allows Criteo to recognize my device and associate me with the data that Criteo already has on me. So maybe Criteo doesn't store this hash, but I can't prove it, and why collect it in the first place?
It should be noted that Fnac does not send my email address in plain text to Criteo, but that the latter accepts from its customers the sending of email addresses in "plain text", "to ensure the greatest possible flexibility" cf. the Criteo support site, currently oddly offline but still accessible via Google cache. Criteo then says "encrypt" the emails (incidentally, we don't say encrypt but encrypt). Here again I cannot prove it, you would have to trust Criteo.
It is therefore particularly enlightening to observe Criteo's double discourse, reassuring with users and permissive with advertisers. Here is its commitment to users:
If the identifier of my smartphone is permanent, my email (or even a hash of my email) is too, yet Criteo collects it, even if I deactivate advertising tracking. Fnac is also still guilty: how can we justify this close partnership with a third party so disrespectful of the privacy of its customers?
An impossibility of limiting tracking on the Fnac app for iOS
If limiting advertising tracking on iPhone is not enough, how can you stop being tracked? You would be right to think that Fnac provides an option to refuse tracking in its application (after all, even if it does not work well, Fnac displays a consent banner on its website). I ended up finding the "Personal data protection policy" from fnac from the iOS app, it's a real obstacle course, you need:
- Go to “My Account”.
- Then in “My contact details”.
- Then click on “Read more” at the bottom of the page.
- Then scroll to the bottom of the page, and click on "here".
Bad luck again, Fnac does not provide any option to refuse to be cheated. In conclusion, unless you install adblockers for applications (see. How to protect your privacy on an iPhone?), it is impossible to avoid the leak of your personal data on the Fnac application. We therefore hope that in the future, the CNIL will have the means and above all the will to enforce the law and thus better protect your privacy.