The big sale of your personal data on Le Bon Coin

Classifieds site is a boon for surveillance marketing

Published by Pixel de Tracking on September 30, 2020

Le Bon Coin leaks your personal data as soon as you arrive on its website

Le Bon Coin is a huge commercial success in France; the classified ads site has become indispensable to many individuals. Since I have goods to resell fairly regularly, I wanted to understand whether Le Bon Coin respects my privacy. Let's start with the website leboncoin.fr. Here are the steps to follow if you want to reproduce the experiment:

  • Disable your adblocker.
  • Delete cookies on Chrome (Settings > Advanced settings > Clear browsing data), so you are logged out of your Google account.
  • Open the Chrome developer console (⌘+Option+J on Mac, Ctrl+Shift+J on PC), "Network" tab, or launch Charles Proxy.
  • Then go to the home page leboncoin.fr.

[Screenshot: leboncoin.fr home page]

First observation: Le Bon Coin offers no direct option to refuse marketing surveillance. This presentation does not comply with the GDPR: the "I understand" option is highlighted in blue and, above all, refusing requires the user to configure their choices via the "Personalize" button; the vast majority of users will not make the effort.

Let's now look at the requests sent when you arrive on the site. As a reminder, at this point you have not yet chosen to accept or refuse tracking:

[Screenshots: network requests on arrival, before any consent choice]

Surprise! You have not taken any action, but Le Bon Coin is already firing off calls to marketing companies, and some of them start tracking you without your consent. Here is a list of the trackers using a personal identifier (pseudonym):

Now what happens if you click the "Personalize" button?

[Screenshot: leboncoin.fr consent settings after clicking "Personalize"]

Good news, there is a “Refuse all” button, let’s click on it and observe the requests sent:

[Screenshot: network requests after clicking "Refuse all"]

You have just made the effort to refuse all tracking, yet you are still leaking your personal data to the advertising surveillance giants:

  • Facebook: continuous tracking; Facebook follows all your actions on leboncoin.fr. Ironically, the Menlo Park firm here specifically records that you clicked the "Refuse all" button.
  • Google: via its Google Ad Manager advertising monetization platform (combining an ad server and an SSP), Google also collects your browsing.

Browse a few pages and you will see that calls to marketing companies still make up the majority of requests:

[Screenshots: network requests while browsing after refusing consent]

Most of these actors do seem to take your refusal into account here (no cookies set, even if they could theoretically track you via your IP address and the characteristics of your browser), but one might wonder why Le Bon Coin calls them at all. The trackers listed previously (Google, Facebook, AT Internet, Sublime, Datadome) keep tracking, and a newcomer appears: Index Exchange (via casalemedia.com), another advertising monetization platform.

If you now continue your navigation without paying attention to the consent banner (like the vast majority of users), it is literally carnage:

[Screenshots: network requests while browsing with the consent banner ignored]

No quarter is given here: everyone is tracking you. We can spot:

  • Weborama: French data marketing company, notably leaking your personal data to Russian companies.
  • Criteo: a French surveillance marketing giant specializing in "retargeting", with unethical practices.
  • AppNexus: via adnxs.com, an American advertising monetization platform (SSP) acquired by the telecoms giant AT&T, which also offers an ad-buying platform (DSP).
  • Realytics: a programmatic TV buying platform.
  • Amazon: among the GAFA, Google and Facebook are not the only ones providing advertising solutions; Amazon also offers monetization solutions for publishers.
  • Smart AdServer: a French advertising monetization platform.
  • TheTradeDesk: via adsrvr.org, an American ad-buying platform.
  • Yahoo: yes, Yahoo still exists... and offers advertising solutions.
  • Temelio: via leadplace.fr, a French solution for cross-referencing your personal data online and offline; you won't escape it!
  • Graphinium: via crm4d.com, another French solution for cross-referencing your personal data online and offline.
  • Zemanta: acquired by Outbrain (world leader in clickbait links at the end of articles), Zemanta offers a buying platform for "native advertising" ("disguised" advertising that looks the same as the content, as on Facebook or Twitter).
  • LiveRamp: via rlcdn.com, world leader in cross-referencing your personal data online and offline (competitor of Temelio and Graphinium).
  • Nielsen: via exelator.com, the market research giant expanded onto the internet through its 2015 acquisition of the personal data provider eXelate.
  • ZBO Media: via zebestof.com, a company of the Figaro group - CCM Benchmark, presenting itself as "the only programmatic player able to exploit all of the Figaro Group's data – CCM Benchmark". As a reminder, read the article "Le Figaro, emblem of invasive advertising tracking on French media sites".
  • PubMatic: American advertising monetization platform.
  • TripleLift: via 3lift.com, an ad network specializing in native advertising.
  • Adform: platform offering a complete suite of advertising tools, primarily for advertisers and agencies (ad server, DSP and DMP) but also for publishers (ad server and SSP).
  • OpenX: another American advertising monetization platform.
  • Adot: via adotmob.com, a French ad network.
  • ESV Digital: via esearchvision.com, a French company formerly known for its tracking tool for sponsored-link campaigns on Google.
  • Integral Ad Science: via adsafeprotected.com, a fraud detection tool, viewability measurement (is the ad actually visible to the user, or at the bottom of the page?) and "brand safety" (is the ad served on a "quality" site?).
  • Adobe: via everesttech.net; Adobe is known for Photoshop, but the American company has made numerous acquisitions (analytics, tag management, DMP, media buying, etc.) in order to offer a complete marketing suite.
  • Delta Projects: via de17a.com, a company managing the purchase of advertising space.
  • Adition: German company offering advertising solutions to advertisers and publishers.
  • Turn: company offering an ad-buying platform and a "Data Management Platform", acquired by Amobee in 2017.
  • BidSwitch: an essential player in programmatic advertising, an intermediary that bridges buying platforms and monetization platforms which are not directly connected to each other. It is a subsidiary of the Russian company Iponweb.
  • Beeswax: via bidr.io, offers a configurable ad-buying platform, giving the advertiser more room to integrate its own bidding logic (compared to "turnkey" solutions such as Google's buying platform).
  • BidTheatre: ad-buying platform.
  • OnAudience: personal data provider.
  • Quantcast: ad network, also offering an analytics tool (through which it profiles you) and a CMP (consent management platform).
  • Conversant: via dotomi.com, an American data marketing company.
  • Admix: company providing advertising tools for publishers and advertisers.
  • Advendori: company specializing in the personalization of advertising banners.
  • Simpli.fi: ad network.
  • Lotame: via crwdcntrl.net, personal data provider.
  • Wizaly: via tk.conforama.fr, an attribution platform that lets an advertiser understand which advertising campaigns are effective. Apparently Conforama uses Wizaly (through domain delegation, i.e. a CNAME) to measure the delivery of its ads on Le Bon Coin.
  • PulsePoint: via contextweb.com, a programmatic player specializing in the health sector (!)
  • Cloud Technologies: via erne.co, a Polish company boasting that it analyzes and monetizes users' personal data in more than 200 markets.
  • Tapad: American advertising company specializing in cross-device tracking. Its pitch: find you whatever device you use, then sell this information to brands and other adtech companies.
  • DataXu: via w55c.net, an ad-buying platform bought by Roku, the leader in connected TV in the United States (ahead of Chromecast, Android TV, Amazon Fire TV and Apple TV).
  • Adelphic: via ipredictive.com, an ad-buying platform that is part of the marketing company Viant.
  • Tribal Fusion: an old-school ad network; this is vintage stuff: visit its site and you will see that it still uses Adobe Flash.
  • Fifty: via fiftyt.com, a company managing advertisers' advertising campaigns (trading desk).
  • Playground: company providing tools for creating ads and measuring their effectiveness.
  • GumGum: ad network.

Log in, and let Weborama track you permanently

When you log in to your Le Bon Coin account, Weborama does not merely track you via an advertising identifier that you could reset by deleting your cookies: it receives a hash of your email address. How does Weborama present itself? If we read its home page:

Weborama offers advanced consumer insight solutions based on unique, extremely precise and scalable semantic analysis technology to enable businesses to generate growth while rationalizing their marketing costs. Designed using Semantic AI, Weborama offers a combination of efficient and effective technologies, data and expertise. 100% GDPR compliant.

We have already come across Weborama before:

Weborama acts like a Trojan horse on the leboncoin.fr site: it "allows" the leak of your personal data to a whole bunch of new marketing companies, some located in Russia:

[Screenshot: Weborama identifier synchronization requests to partner domains]

Non-exhaustive list of partners with whom Weborama synchronizes your personal identifier on the Le Bon Coin site. French, American or Russian companies with which Le Bon Coin has no connection.

But Weborama also collects the details of your browsing on Le Bon Coin, linked to a signature (the "_emailhash" variable) derived from your email address. Here is the information collected when you simply view a Formica table listing:

[Screenshot: Weborama request carrying the "_emailhash" variable and listing details]

“100% GDPR compliant”, really Weborama?

Log in with Safari, and leak your login data to Criteo

As we already saw in the article "Criteo, a French surveillance marketing giant", Criteo pushes its clients to open a security hole on their sites in order to better track users who use adblockers or privacy-friendly browsers such as Safari. To check whether Le Bon Coin is vulnerable, let's log in via Safari and watch the requests go by:

[Screenshot: Safari requests to bvubje.leboncoin.fr after logging in]

Bingo! Le Bon Coin leaks your login data to Criteo. The strange domain bvubje.leboncoin.fr is a domain delegation (CNAME) to dnsdelegation.io, which is itself a domain delegation to gum.criteo.com. What does Criteo gain by using a CNAME to track you on Safari? This mechanism serves several purposes:

  • Avoid being blocked by certain adblockers (use uBlock Origin to avoid this tracking). This argument applies to all browsers, though.
  • Bypass the blocking of third-party cookies.
  • Bypass the lifetime cap on cookies created in JavaScript (7 days), since the cookie is now set on the server side (no lifetime cap). NB: Safari will soon fix this point.

But domain delegation also means that every cookie scoped to the domain leboncoin.fr is sent to Criteo... including the "luat" cookie (the cookie that keeps you logged in), which I can copy and paste into Chrome via the EditThisCookie extension to be logged in directly. A Criteo employee could therefore log in to your account.
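To make the cookie-leak mechanism concrete, here is an added example (mine, not code from the post or from Le Bon Coin) that follows a CNAME chain to its final owner and applies RFC 6265 domain matching to Set-Cookie headers, putting a constructed domain-scoped session cookie next to a hardened host-only `__Host-` variant. The chain table reproduces the hops named above; the cookie values and the two-label eTLD+1 shortcut are assumptions.

```python
# Constructed CNAME chain reproducing the hops described in the post.
CNAME_CHAIN = {
    "bvubje.leboncoin.fr": "dnsdelegation.io",
    "dnsdelegation.io": "gum.criteo.com",
}

def registrable_domain(host):
    """Crude eTLD+1 (last two labels); enough for the .fr/.io/.com samples here.
    Use a Public Suffix List library for real audits (co.uk and friends)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def resolve_chain(host, chain=CNAME_CHAIN):
    """Follow CNAME records (from the constructed table) and return every hop."""
    hops = [host]
    while hops[-1] in chain and chain[hops[-1]] not in hops:
        hops.append(chain[hops[-1]])
    return hops

def is_cname_cloaked(host, site, chain=CNAME_CHAIN):
    """True when a host under `site` ends at a different registrable domain."""
    return registrable_domain(resolve_chain(host, chain)[-1]) != registrable_domain(site)

def parse_set_cookie(header):
    """Set-Cookie header -> (name, Domain attribute or None). Minimal RFC 6265 parsing."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    domain = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.lower() == "domain" and value:
            domain = value.lstrip(".").lower()
    return name, domain

def cookies_sent_to(set_cookie_headers, origin_host, request_host):
    """Names of cookies set by `origin_host` that a browser would attach to a
    request for `request_host`, following RFC 6265 domain matching."""
    sent = []
    for header in set_cookie_headers:
        name, domain = parse_set_cookie(header)
        if domain is None:                      # host-only cookie
            ok = request_host == origin_host
        else:                                   # domain cookie: the domain or any subdomain
            ok = request_host == domain or request_host.endswith("." + domain)
        if ok:
            sent.append(name)
    return sent

# Constructed sample: the session cookie as a domain cookie (reaches every
# subdomain, cloaked ones included) vs. a host-only __Host- cookie.
LEAKY = ["luat=SESSION_TOKEN_PLACEHOLDER; Domain=.leboncoin.fr; Path=/; Secure; HttpOnly"]
HARDENED = ["__Host-luat=SESSION_TOKEN_PLACEHOLDER; Path=/; Secure; HttpOnly"]
```

Browsers reject a `__Host-` cookie that carries a Domain attribute, so the hardened form cannot be widened by mistake; the same check run against a site's real DNS answers flags any first-party-looking host that resolves outside the site's registrable domain.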

On the iOS app too, you are tracked as soon as you open it

To observe the requests sent by the Le Bon Coin iOS application, I use Charles Proxy. Let's open the Le Bon Coin application:

[Screenshot: Le Bon Coin iOS app consent window]

As you can see, and as on the web, you can dismiss the annoying consent window by clicking "Accept and close" (the choice highlighted in blue) or spend energy trying to avoid surveillance by clicking "Learn more". Once again, a dark pattern that does not let you choose freely. What about marketing tracking? Before I have even given (or refused) my consent, Le Bon Coin leaks my personal data:

[Screenshot: Charles Proxy requests from the iOS app before any consent choice]

Some of these trackers were already collecting your personal data on the website, but we are also seeing new trackers:

  • Weborama: already present on the website.
  • Google: via DoubleClick (and the Google Ad Manager publisher monetization solution) and Firebase (Google's toolbox for mobile developers), already present on the website.
  • AppsFlyer: mobile marketing company offering in particular an attribution product, which lets Le Bon Coin know which advertising campaigns triggered the installation of the application.
  • Accengage: French push notification tool, bought in 2018 by the mobile marketing company Airship.
  • Datadome: already present on the website.
  • Amazon: via serving-sys.com; Sizmek, the agency and advertiser ad server formerly known as MediaMind and originally as Eyeblaster, was acquired by the American e-commerce giant in 2019.

Refuse surveillance, and Le Bon Coin still leaks your personal data

Let's click on "Learn more":

[Screenshots: iOS app consent details after clicking "Learn more"]

So some partners would like to serve targeted advertising or content on the basis of legitimate interest, which clearly contradicts the GDPR. Let's click "Refuse all" and look at a few ads:

[Screenshot: iOS app requests after clicking "Refuse all"]

The surveillance never stops: I am still tracked by Google, AppsFlyer, Datadome and Weborama.

Connect, Weborama will find you

When you log in, the same trackers keep following you. But one tracker goes further: Weborama receives the details of every ad viewed together with the hash of your email address. Yes, the same identifier as on the web, so Weborama can track you whatever your device, even if you reset your identifiers. This hash lets it follow you across every website and application that uses its services, and therefore build a very precise profile of you.

[Screenshot: Weborama request from the iOS app after logging in, carrying the email hash]

In the twists and turns of legitimate interest

You may be thinking, if I'm still being tracked, it's because I must have missed an option. At the very bottom of the “Learn more” form, you can click on “See our partners”:

[Screenshot: "See our partners" link at the bottom of the "Learn more" form]

There you discover that certain partners are pre-checked, in contradiction with the GDPR:

[Screenshot: partner list with some partners pre-checked]

Let’s look at the Weborama partner:

[Screenshots: Weborama partner entry with legitimate interest pre-checked]

So legitimate interest is pre-checked for Weborama, which considers that it may rely on this legal basis for various purposes, including building a profile to display personalized content. Now let's deactivate all partners:

[Screenshot: partner list with all partners deactivated]

Nothing changes: Weborama is still there, and we also see AT Internet again:

[Screenshot: iOS app requests after deactivating all partners]

Log in, and Weborama still retrieves the hash of your email address. Yet you have clearly indicated that you refuse tracking by all partners, so the refusal of consent and the "opt-out" from legitimate interest are transmitted to Weborama:

[Screenshot: Weborama request carrying the consent signal]

This signal is encoded according to the TCF v2 protocol (a protocol for collecting and transmitting consent signals between advertising players, set up by IAB Europe, the advertising technology lobby). Let's decode it via this site:

[Screenshot: decoded TCF v2 consent string showing consent and legitimate interest refused]
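The refusal signal is a TC string in the TCF v2 format. Below, as an added example that is not part of the original post, is a Python decoder for the core segment of such a string (the part before the first dot) together with a small encoder used only to build constructed sample strings: a string produced by a "Refuse all" click should decode to empty purpose and vendor sets for both consent and legitimate interest. Field widths follow the IAB Europe TCF v2 specification; the encoder is mine, not a CMP's, and only writes bitfield vendor sections.

```python
import base64

# TCF v2 core segment layout up to the vendor sections: (field, bit width), in order.
CORE_FIELDS = [("version", 6), ("created", 36), ("last_updated", 36), ("cmp_id", 12),
    ("cmp_version", 12), ("consent_screen", 6), ("consent_language", 12),
    ("vendor_list_version", 12), ("tcf_policy_version", 6), ("is_service_specific", 1),
    ("use_non_standard_stacks", 1), ("special_feature_opt_ins", 12), ("purposes_consent", 24),
    ("purposes_li_transparency", 24), ("purpose_one_treatment", 1), ("publisher_cc", 12)]
BITFIELDS = ("special_feature_opt_ins", "purposes_consent", "purposes_li_transparency")

def _ids(bits):
    """Bitfield -> set of ids: the first (most significant) bit stands for id 1."""
    return {i + 1 for i, b in enumerate(bits) if b == "1"}

def _vendor_section(bits, pos):
    """MaxVendorId(16), IsRangeEncoding(1), then a bitfield or a list of ranges."""
    max_id, is_range, pos = int(bits[pos:pos + 16], 2), bits[pos + 16] == "1", pos + 17
    if not is_range:
        return _ids(bits[pos:pos + max_id]), pos + max_id
    n, ids, pos = int(bits[pos:pos + 12], 2), set(), pos + 12
    for _ in range(n):  # each entry: IsARange(1), StartVendorId(16)[, EndVendorId(16)]
        is_a_range, start, pos = bits[pos] == "1", int(bits[pos + 1:pos + 17], 2), pos + 17
        end = start
        if is_a_range:
            end, pos = int(bits[pos:pos + 16], 2), pos + 16
        ids.update(range(start, end + 1))
    return ids, pos

def decode_tc_core(tc_string):
    """Decode the core segment (the text before the first '.') of a TC string."""
    core = tc_string.split(".")[0]
    raw = base64.urlsafe_b64decode(core + "=" * (-len(core) % 4))
    bits, out, pos = "".join(f"{b:08b}" for b in raw), {}, 0
    for name, width in CORE_FIELDS:
        value = bits[pos:pos + width]
        out[name] = _ids(value) if name in BITFIELDS else int(value, 2)
        pos += width
    out["vendors_consent"], pos = _vendor_section(bits, pos)
    out["vendors_li"], pos = _vendor_section(bits, pos)
    return out

def encode_tc_core(values, vendors_consent, vendors_li, max_vendor_id):
    """Minimal encoder (bitfield vendor sections only) for constructed samples; 'values' maps field -> int."""
    bits = "".join(format(values.get(n, 0), f"0{w}b") for n, w in CORE_FIELDS)
    for ids in (vendors_consent, vendors_li):
        bits += format(max_vendor_id, "016b") + "0"
        bits += "".join("1" if i in ids else "0" for i in range(1, max_vendor_id + 1))
    bits += "0" * (-len(bits) % 8)
    raw = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")
```

To audit a captured string, decode it and look up a partner's Global Vendor List id in `vendors_consent` and `vendors_li`; after a refusal, both sets should be empty, and a vendor still present in either set explains, on the CMP side at least, why it keeps being called.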

How can Weborama then track me so aggressively (details of every ad viewed, permanent tracking through a hash of my email address) when it has received the information that I refuse any processing on the legal basis of consent or legitimate interest?! How can other partners like Google keep tracking me?

"Weborama, a combination of technologies, data and high-performance expertise 100% GDPR compliant" ?!

Le Bon Coin violates its own privacy policy

If we look carefully at the Privacy Policy of the Le Bon Coin website, section “Use of your data”, paragraph “Use of your data with your consent”, we can read, among other things:

  • We may, with your consent: [...] share your data with our advertising partners, data controllers, for the purposes of improving the performance of our partners' campaigns on our site.
  • We do not share your personal data with our third party partners without your consent. However, if you click on an advertisement, its advertiser will be able to know that you visited the page where you clicked.

[Screenshot: excerpt of the Le Bon Coin privacy policy, "Use of your data with your consent"]

Le Bon Coin thus violates its own confidentiality policy.

What to do?

How can Le Bon Coin and the CNIL allow this? In the absence of dissuasive sanctions from the CNIL or reaction from the Le Bon Coin site, you can protect yourself individually. You can install an adblocker such as uBlock Origin on the web or apps such as DNSCloak, Adguard or NextDNS on iOS.