Le Bon Coin leaks your personal data as soon as you arrive on its website
Le Bon Coin is a huge commercial success in France; the classified ads site has become indispensable to many individuals. Since I regularly have items to resell, I wanted to understand whether Le Bon Coin respected my privacy. Let's start with the website leboncoin.fr. Here are the steps to follow if you want to reproduce the experiment:
- Disable your adblocker.
- Delete cookies on Chrome (Settings > Advanced settings > Clear browsing data), so you are logged out of your Google account.
- Open the Chrome console (⌘+Option+J on Mac, Ctrl+Shift+J on PC), “Network” tab, or launch Charles Proxy.
- Then go to the home page leboncoin.fr.
First observation: Le Bon Coin does not offer a direct option to refuse marketing surveillance. This presentation does not comply with the GDPR: the "I understand" option is highlighted in blue and, above all, users must configure their choices via the "Personalize" button. The vast majority of users will not make the effort.
Let's now look at the requests sent when you arrive on the site. As a reminder, you have not yet chosen whether to accept or refuse tracking:
Surprise! You have not taken any action, but Le Bon Coin is already multiplying calls to marketing companies, and some of these companies are starting to track you without your consent. Here is a list of trackers using a personal identifier (a pseudonym):
- Datadome: bot protection solution.
- Sublime: via ayads.co, a French ad-network specializing in page designs (formerly Sublime Skinz).
- AT Internet: via ati-host.net, AT Internet is a “historic” French analytics company, originally called Xiti. We have already encountered it elsewhere, cf. "Consent: the worst user experience and surveillance with Lemonde.fr" and "Boursorama Banque leaks your connection data".
- Facebook: Le Bon Coin uses Facebook's marketing toolkit, among other things for its analytics component.
- Google: via doubleclick.net. Le Bon Coin also uses the advertising monetization solution “Google Ad Manager” from the Mountain View firm.
Now, what happens if you click the "Personalize" button?

Good news: there is a “Refuse all” button. Let’s click on it and observe the requests sent:
You have just made the effort to refuse all tracking, but you are still leaking your personal data to the giants of advertising surveillance:
- Facebook: continuous tracking. Facebook tracks your every action on the leboncoin.fr site. Ironically, the Menlo Park firm specifically collects the information that you clicked on the "Refuse All" button.
- Google: via its Google Ad Manager advertising monetization platform (combining an ad server and an SSP), Google also collects your browsing.
Browse a few pages and you can see that calls to marketing companies still account for the majority of requests:
Most of these actors seem to take your consent into account here (no cookies are placed, even if they could theoretically track you with your IP address and browser characteristics), but one might wonder why Le Bon Coin calls them at all. The trackers already listed above continue tracking you (Google, Facebook, AT Internet, Sublime, Datadome), and we can also notice a newcomer, Index Exchange (via casalemedia.com), another advertising monetization platform.
If you now continue browsing without paying attention to the consent banner (like the vast majority of users), it is outright carnage:
There is no restraint here: everyone is tracking you. We can spot:
- Weborama: a French data marketing company, notably leaking your personal data to Russian companies.
- Criteo: a French surveillance marketing giant specializing in "retargeting", with unethical practices.
- AppNexus: via adnxs.com, an American advertising monetization platform (SSP), acquired by the telecoms giant AT&T and also offering an advertising space purchasing platform (DSP).
- Realytics: a programmatic TV purchasing platform.
- Amazon: among the GAFA, it is not just Google and Facebook that provide advertising solutions; Amazon also offers monetization solutions for publishers.
- Smart AdServer: a French advertising monetization platform.
- TheTradeDesk: via adsrvr.org, an American advertising space purchasing platform.
- Yahoo: yes, Yahoo still exists... and offers advertising solutions.
- Temelio: via leadplace.fr, a French solution that cross-references your personal data online and offline. You won't escape it!
- Graphinium: via crm4d.com, another French solution that cross-references your personal data online and offline.
- Zemanta: acquired by Outbrain (world leader in clickbait links at the end of articles), Zemanta offers a platform for purchasing “native advertising” (“disguised” advertising, with the same visual appearance as the content, as on Facebook or Twitter).
- Liveramp: via rlcdn.com, world leader in cross-referencing your personal data online and offline (competitor of Temelio and Graphinium).
- Nielsen: via exelator.com, the marketing research giant expanded onto the internet through the acquisition of the personal data provider eXelate in 2015.
- ZBO Media: via zebestof.com, a company of the Figaro group - CCM Benchmark, presenting itself as "the only programmatic player able to exploit all of the Figaro Group’s data – CCM Benchmark". As a reminder, read the article "Le Figaro, emblem of invasive advertising tracking on French media sites".
- Pubmatic: American advertising monetization platform.
- TripleLift: via 3lift.com, an ad-network specializing in native advertising.
- Adform: platform offering a complete suite of advertising tools, firstly for advertisers and agencies (adserver, DSP and DMP) but also for publishers (adserver and SSP).
- OpenX: another American advertising monetization platform.
- Adot: via adotmob.com, a French ad network.
- ESV Digital: via esearchvision.com, a French company formerly known for its tracking tool for sponsored link campaigns on Google.
- Integral Ad Science: via adsafeprotected.com, fraud detection tool, visibility measurement (is the advertising displayed visible to the user or at the bottom of the page?), and "brand safety" (is the advertising broadcast on a "quality" site?).
- Adobe: via everesttech.net, Adobe is known for Photoshop, but the American company has made numerous acquisitions (Analytics, Tag Management, DMP, media buying, etc.) in order to provide a complete marketing suite.
- Delta Projects: via de17a.com, a company managing the purchase of advertising space.
- Addition: German company offering advertising solutions to advertisers and publishers.
- Turn: company offering an advertising space purchasing platform and a “Data Management Platform”, acquired by Amobee in 2017.
- BidSwitch: essential player in programmatic advertising, an intermediary that bridges the gap between purchasing platforms and monetization platforms which are not directly connected to each other. It is a subsidiary of the Russian company Iponweb.
- Beeswax: via bidr.io, offers a configurable advertising space purchasing platform; the advertiser thus has greater room to maneuver to integrate its own purchasing logic (compared to "turnkey" solutions such as Google's purchasing platform).
- Bid Theater: advertising space purchasing platform.
- OnAudience: personal data provider.
- Quantcast: ad-network, also offering an analytics tool (via which it will profile you) and a CMP (consent collection platform).
- Conversant: via dotomi.com, an American data marketing company.
- Admixer: a company providing advertising tools for publishers and advertisers.
- Adventori: a company specializing in the personalization of advertising banners.
- Simpli.fi: ad-network.
- Lotame: via crwdcntrl.net, provider of personal data.
- Wizaly: via tk.conforama.fr, attribution platform. It allows an advertiser to understand which advertising campaigns are effective. Apparently, Conforama uses Wizaly (which goes through domain delegation or CNAME) to measure the distribution of its advertisements on Le Bon Coin.
- PulsePoint: via contextweb.com, programmatic player specializing in the health field (!)
- CloudTechnologies: via erne.co, a Polish company boasting of analyzing and monetizing users' personal data in more than 200 markets.
- Tapad: American advertising company specializing in multi-device surveillance. Its pitch: find you whatever device you use, then sell this information to brands and other adtech companies.
- DataXu: via w55c.net, advertising space purchasing platform bought by Roku, the leader in connected television in the United States (ahead of Chromecast, Android TV, Amazon Fire TV and Apple TV).
- Adelphic: via ipredictive.com, an advertising space purchasing platform, is part of the marketing company Viant.
- Tribal Fusion: an old-fashioned ad-network, and a heavy one: go to its site and you'll see that it still uses Adobe Flash.
- Fifty: via fiftyt.com, company managing advertisers' advertising campaigns (Trading Desk).
- Playground: company providing tools for creating advertisements and measuring their effectiveness.
- Gumgum: ad-network.
Log in, and let Weborama track you permanently
When you log in to your Le Bon Coin account, Weborama does not just track you via an advertising identifier that you could reset by deleting your cookies. It receives a hash of your email address. How does Weborama present itself? If we read its home page:
Weborama offers advanced consumer insight solutions based on unique, extremely precise and scalable semantic analysis technology to enable businesses to generate growth while rationalizing their marketing costs. Designed using Semantic AI, Weborama offers a combination of efficient and effective technologies, data and expertise. 100% GDPR compliant.
We had already encountered Weborama before:
- Weborama and Lemonde.fr, site slowness and leak of your personal data to Russia
- Consent: the worst user experience and surveillance with Lemonde.fr
- L'Équipe, first on sport and on surveillance
- Fnac sells off your personal data
- Le Figaro, emblem of invasive advertising tracking on French media sites
Weborama acts like a Trojan horse on the leboncoin.fr site: it "enables" the leak of your personal data to a whole series of new marketing companies, some located in Russia:
Non-exhaustive list of partners with whom Weborama synchronizes your personal identifier on the Le Bon Coin site. French, American or Russian companies with which Le Bon Coin has no apparent connection.
But Weborama also retrieves the details of your browsing on Le Bon Coin, linked to a signature (the variable "_emailhash") corresponding to your email. Here is the information collected for a simple view of a Formica table listing:
“100% GDPR compliant”, really Weborama?
Log in from Safari, and leak your connection data to Criteo
As we have already seen in the article "Criteo, a French surveillance marketing giant", Criteo pushes its clients to create a security hole on their sites in order to better track users using ad blockers or privacy-friendly browsers such as Safari. To check whether Le Bon Coin is vulnerable, let's log in via Safari and watch the requests come through:
Bingo! Le Bon Coin leaks your login data to Criteo. The strange domain bvubje.leboncoin.fr is a domain delegation (or CNAME) to dnsdelegation.io, which itself is a domain delegation to gum.criteo.com. What is the point of Criteo using a CNAME to monitor you on Safari? This mechanism has several objectives:
- Avoid being blocked by certain adblockers (use uBlock Origin to avoid this tracking). But this argument is valid for all browsers.
- Override blocking of third-party cookies.
- Bypass the duration limit on cookies created in JavaScript (7 days), because the cookie is now created server-side (no duration limit). NB: Safari will soon correct this point.
But the domain delegation system allows all cookies associated with the leboncoin.fr domain to be sent to Criteo, including the "luat" cookie (the cookie that remembers you are logged in), which I can copy and paste into Chrome via the EditThisCookie extension to be logged in directly. A Criteo employee could therefore log in to your account.
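The cookie exposure created by such a delegation can be checked offline. The following is an added example (not code from the article, nor from Le Bon Coin or Criteo): it follows a CNAME chain from a constructed lookup table, decides whether the final target lies outside the site's own domain, and applies the RFC 6265 domain-matching rules to see which cookies a browser would attach to the cloaked host. The chain and the "luat" cookie are modelled on what the article observed; the "csrf" cookie and the "static" CNAME are constructed counter-examples.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str      # Domain attribute (domain cookie) or the host that set it (host-only cookie)
    host_only: bool  # True when Set-Cookie carried no Domain attribute (RFC 6265 section 5.3)


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: host is the domain itself or a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def cookies_sent_to(host: str, jar) -> list:
    """Names of the cookies a browser would attach to a request for host (domain rules only)."""
    host = host.lower().rstrip(".")
    return [c.name for c in jar
            if (host == c.domain.lower() if c.host_only else domain_matches(host, c.domain))]


def resolve_chain(name: str, cnames: dict) -> list:
    """Follow CNAME records from an offline table until a name without a CNAME (max 10 hops)."""
    chain = [name.lower()]
    while chain[-1] in cnames and len(chain) <= 10:
        chain.append(cnames[chain[-1]].lower())
    return chain


def cname_cloaking_report(host: str, site_domain: str, cnames: dict, jar) -> dict:
    """Flag a first-party hostname whose CNAME chain leaves site_domain; list the cookies it leaks."""
    chain = resolve_chain(host, cnames)
    third_party = not domain_matches(chain[-1], site_domain)
    return {"chain": chain, "third_party": third_party,
            "leaked_cookies": cookies_sent_to(host, jar) if third_party else []}


# Constructed data (no DNS lookup is performed), modelled on the chain the article observed.
CNAMES = {"bvubje.leboncoin.fr": "dnsdelegation.io", "dnsdelegation.io": "gum.criteo.com",
          "static.leboncoin.fr": "cdn.leboncoin.fr"}  # an internal CNAME, for contrast
JAR = [Cookie("luat", ".leboncoin.fr", host_only=False),    # session cookie valid on every subdomain
       Cookie("csrf", "www.leboncoin.fr", host_only=True)]  # host-only: never sent to other hosts
```

The report surfaces the actual defect: a session cookie scoped to the parent domain travels to every delegated subdomain, whereas a host-only cookie set by www.leboncoin.fr stays there.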
On the iOS app too, you are tracked as soon as you open it
To observe the requests sent by the Le Bon Coin iOS application, I use Charles Proxy. Let's open the Le Bon Coin application:
As you can see, and as on the web, you can get rid of the annoying consent window by clicking "Accept and close" (the choice highlighted in blue), or spend energy trying to avoid surveillance by clicking "Learn more". Once again, a "dark pattern" prevents you from choosing freely. What happens with marketing tracking? Before I have even given (or withheld) my consent, Le Bon Coin leaks my personal data:
Some of these trackers were already collecting your personal data on the website, but we are also seeing new trackers:
- Weborama: already present on the website.
- Google: via Doubleclick (and the Google Ad Manager publisher advertising monetization solution) and Firebase (Google's toolbox for mobile developers), already present on the website.
- Appsflyer: mobile marketing company offering in particular an attribution product, which allows Le Bon Coin to know which advertising campaigns triggered the installation of the application.
- Accengage: a French push notification tool, acquired in 2018 by the mobile marketing company Airship.
- Datadome: already present on the website.
- Amazon: via serving-sys.com, the Sizmek ad server for agencies and advertisers, formerly Mediamind, originally called Eyeblaster, acquired by the American e-commerce giant in 2019.
Refuse surveillance, and Le Bon Coin still leaks your personal data
Let's click on "Learn more":
Some partners would therefore like to offer targeted advertisements or content on the basis of legitimate interest, which is clearly at odds with the GDPR. Let's click on "Refuse all" and look at a few ads:
The surveillance never stops: I am still tracked by Google, Appsflyer, Datadome and Weborama.
Log in, and Weborama will find you
When you log in, the same trackers continue to follow you. But one tracker goes further: Weborama receives the details of each ad viewed with the hash of your email address. Yes, the same identifier as on the web. Weborama can therefore track you whatever device you use, even if you reset your identifiers. This hash allows it to follow you across all websites and applications using its services, and therefore to build a very precise profile about you.
In the maze of legitimate interest
You may be thinking: if I am still being tracked, I must have missed an option. At the very bottom of the “Learn more” form, you can click on “See our partners”:
There you discover that some partners are pre-checked, in contradiction with the GDPR:
Let’s look at the Weborama partner:
Legitimate interest is therefore pre-checked for Weborama, and Weborama considers that it can use this legal basis for various purposes, including creating a profile to display personalized content. Now let's deactivate all partners:
Nothing changes: Weborama is still there, and we also see AT Internet again:
Log in, and Weborama still retrieves the hash of your email address. Yet you have clearly indicated that you refuse tracking by all partners; as a result, the refusal of consent and "opt-out" from legitimate interest are sent to Weborama:
This signal was encoded according to the TCF v2 protocol (a protocol for collecting and transmitting consent signals between advertising players, set up by IAB Europe, the advertising technology lobby). Let's decode it via this site:
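To see what such a signal carries without handing it to a third-party decoder, here is an added example (not code from the article or from the site it used) that serialises a constructed TCF v2 core segment for a refuse-everything choice and parses it back. Field widths follow the IAB TCF v2.0 core segment layout; the CMP id, language and every value in the test are constructed, not the string captured on leboncoin.fr.

```python
import base64
from itertools import islice

# Fixed-width fields of the TCF v2 core segment, in wire order (IAB TCF v2.0 spec).
HEADER = [("version", 6), ("created", 36), ("last_updated", 36), ("cmp_id", 12), ("cmp_version", 12),
          ("consent_screen", 6), ("consent_language", 12), ("vendor_list_version", 12), ("policy_version", 6),
          ("is_service_specific", 1), ("use_non_standard_stacks", 1), ("special_feature_opt_ins", 12),
          ("purposes_consent", 24), ("purposes_li_transparency", 24), ("purpose_one_treatment", 1), ("publisher_cc", 12)]
SET_FIELDS = {"special_feature_opt_ins": 12, "purposes_consent": 24, "purposes_li_transparency": 24}
LETTER_FIELDS = ("consent_language", "publisher_cc")  # two 6-bit letters, A = 0

def encode_core(fields, vendor_consent, vendor_li):
    """Serialise a core segment; vendor lists use the plain bitfield (not range) encoding."""
    bits = ""
    for name, width in HEADER:
        value = fields.get(name, 0)
        if name in LETTER_FIELDS:  # "FR" -> two 6-bit letters
            value = (ord(value[0]) - 65) << 6 | (ord(value[1]) - 65) if value else 0
        elif name in SET_FIELDS:  # {1, 3} -> bitfield, id 1 is the most significant bit
            value = sum(1 << (width - i) for i in value) if value else 0
        bits += format(value, f"0{width}b")
    for ids in (vendor_consent, vendor_li):
        max_id = max(ids, default=0)
        bits += format(max_id, "016b") + "0"  # MaxVendorId, then IsRangeEncoding = 0
        bits += "".join("1" if v in ids else "0" for v in range(1, max_id + 1))
    bits += "0" * 12  # NumPubRestrictions = 0
    bits += "0" * (-len(bits) % 8)  # pad to a whole number of bytes
    raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def decode_core(tc_string):
    """Parse the core segment of a TC string; purposes and vendors come back as sets of ids."""
    core = tc_string.split(".")[0]  # other segments (disclosed vendors, publisher TC) are ignored
    it = iter("".join(f"{b:08b}" for b in base64.urlsafe_b64decode(core + "=" * (-len(core) % 4))))
    def read(n): return int("".join(islice(it, n)), 2)  # consume n bits as an unsigned int
    out = {name: read(width) for name, width in HEADER}
    out.update({n: chr(65 + (out[n] >> 6)) + chr(65 + (out[n] & 63)) for n in LETTER_FIELDS})
    out.update({n: {i + 1 for i in range(w) if out[n] >> (w - 1 - i) & 1} for n, w in SET_FIELDS.items()})
    for name in ("vendor_consent", "vendor_li_transparency"):
        max_id, ids = read(16), set()
        if read(1):  # range encoding: NumEntries, then (IsARange, StartVendorId[, EndVendorId])
            for _ in range(read(12)):
                is_range, start = read(1), read(16)
                ids.update(range(start, (read(16) if is_range else start) + 1))
        else:  # bitfield: one bit per vendor id from 1 to MaxVendorId
            ids = {v for v in range(1, max_id + 1) if read(1)}
        out[name] = ids
    return out
```

A refuse-all signal decodes to empty purpose, legitimate-interest and vendor sets; any vendor that keeps processing after receiving it cannot be relying on that string for a legal basis.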
How can Weborama then track me so aggressively (details of all ads viewed, persistent tracking through the use of a hash of my email address) when it receives the information that I refused any processing based on consent or legitimate interest? How can other partners like Google continue to track me?
"Weborama, a combination of technologies, data and high-performance expertise 100% GDPR compliant" ?!
Le Bon Coin violates its own privacy policy
If we look carefully at the Privacy Policy of the Le Bon Coin website, in the “Use of your data” section, paragraph “Use of your data with your consent”, we can read, among other things:
- We may, with your consent: [...] share your data with our advertising partners, data controllers, for the purpose of improving the performance of our partners' campaigns on our site.
- We do not share your personal data with our third-party partners without your consent. However, if you click on an advertisement, its advertiser will be able to know that you visited the page where you clicked.
Le Bon Coin therefore violates its own privacy policy.
What to do?
How can Le Bon Coin and the CNIL allow this? In the absence of dissuasive sanctions from the CNIL or a reaction from Le Bon Coin, you can protect yourself individually. You can install an ad blocker such as uBlock Origin on the web, or apps such as DNSCloak, Adguard or NextDNS on iOS.