Ever more intrusive advertising surveillance
Despite regulations (GDPR, ePrivacy, CCPA), browser protections (Firefox, Safari or Brave), browser ad blockers (uBlock Origin) or DNS services (NextDNS, Adguard or Pi-hole), advertising surveillance has not decreased. It has mutated to bypass your protections.
The accelerator of this evolution? Facebook, obviously, with its “resilient signals”, which allow it to siphon off a large share of the data generated by your online and offline activities. As the third-party cookie disappears as a surveillance vector (Google Chrome being the exception), new vectors had to be found, ones that internet users cannot simply reset. Taking inspiration from adtech “champions” such as Criteo, Facebook encourages advertisers to send it your email, your name, your phone number or your postal address: these are the “resilient signals”.
While many adtech players (Liveramp, Criteo) have long identified you via your email, the phenomenon is relatively new among the major advertising platforms. The study "Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission" illustrated the extent of email leaks on the web, to adtech players, but also to Facebook and TikTok.
How could your email leak to these major platforms? This is what we are going to discover with Guerlain, one of the flagships of French luxury, owned by the LVMH group.
Even before creating a Guerlain account, the hash of your email is already leaking to Pinterest
For this test, let's browse the Guerlain website, with Charles Proxy enabled, and exceptionally click "Accept and close" when the consent banner is displayed (to Guerlain's credit, I did not notice any email hash leaks after refusing):
![]()
“Improve your experience and offer you services and communications tailored to your interests”, a seemingly harmless message.
Then, let's go to the Guerlain account creation page, and start filling out the form:
![]()
This personal data should only concern Guerlain, right?
Let's look at what happens on Charles Proxy when you enter your email, even before confirming the email:
![]()
Notice a strange request to the social network Pinterest.
The pd parameter in the request to Pinterest contains another parameter, em, made up of a long, seemingly indecipherable string. Pinterest's documentation for advertisers gives the answer:
pd: Partner data.
em: hashed email address value.
Guerlain therefore leaks a hash of your email address to Pinterest even before you have confirmed the creation of your account! This service is actually called "Enhanced Match" (the meaning of em), which I talked about last May:
![]()
No third-party cookies? No problem!
But don't worry, Pinterest uses a hash of your email address, and the connection to Pinterest is secure, so your privacy is protected!
![]()
Allow websites to leak your email, and pretend to do so to protect your privacy!
The reality is that the correspondence between your email and its hash is probably already circulating widely and companies are making money from it.
How can you check for yourself whether Guerlain is leaking a hash of your email to Pinterest? Enter your email on this site, selecting the correct hash function (often SHA256):
![]()
Welcome to the Matrix.
Bingo, the hexadecimal value 14d0247dc47a564d9fd70f7e895915e8daa5c8a455549f2b559d5a42cbf0653c matches the em field sent to Pinterest.
Note that when the advertiser sends customer data directly to Pinterest, Pinterest is not so careful about the email:
email: We support both hashed (SHA256, SHA1, MD5) and cleartext customer data fields.
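One way to run this check over every request captured in the proxy instead of one value at a time (an added example, not code from the original post): it hashes the address with SHA256, SHA1 and MD5 and searches each query parameter, including JSON-encoded ones such as pd, for a match or for the cleartext address. The hosts, paths and address in the sample are constructed placeholders; only the parameter names (pd/em, udff[em], cd11) come from the article, and POST bodies are not inspected.

```python
import hashlib
import json
from urllib.parse import parse_qsl, quote, urlencode, urlsplit

ALGOS = ("sha256", "sha1", "md5")  # hash formats named in the Pinterest quote above

def email_digests(email):
    """Hex digest -> algorithm, for the address as typed and trimmed/lowercased."""
    variants = {email, email.strip().lower()}
    return {hashlib.new(a, v.encode()).hexdigest(): a for v in variants for a in ALGOS}

def leaves(name, value):
    """Yield (path, string) pairs, descending into JSON-encoded values like pd={"em": ...}."""
    try:
        parsed = json.loads(value)
    except ValueError:
        parsed = None
    if isinstance(parsed, dict):
        for key, item in parsed.items():
            yield from leaves(f"{name}.{key}", item if isinstance(item, str) else json.dumps(item))
    else:
        yield name, value

def find_email_leaks(urls, email):
    """Return (host, parameter, form) for each query value carrying the email or a hash of it."""
    digests = email_digests(email)
    hits = []
    for url in urls:
        parts = urlsplit(url)
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):
            for path, leaf in leaves(name, raw):
                leaf = leaf.strip().lower()  # hex digests may be sent in upper case
                if leaf in digests:
                    hits.append((parts.hostname, path, digests[leaf]))
                elif leaf == email.strip().lower():
                    hits.append((parts.hostname, path, "cleartext"))
    return hits

# Constructed sample: placeholder hosts, paths and address; parameter names from the article.
EMAIL = "alice@example.com"
H = hashlib.sha256(EMAIL.encode()).hexdigest()
SAMPLE = [
    "https://pinterest.example/px?event=pagevisit&pd=" + quote(json.dumps({"em": H})),
    "https://facebook.example/px?" + urlencode({"ev": "PageView", "udff[em]": H}),
    "https://analytics.example/px?cd11=" + H.upper(),
    "https://static.example/app.js?v=3",
]

if __name__ == "__main__":
    print(find_email_leaks(SAMPLE, EMAIL))
```

To audit a real session, export the request URLs from the proxy and pass them in place of SAMPLE.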
Confirm account creation, and say goodbye to your personal data
I now finish filling out the form, and click on 'Confirm'. Personal data leaks are massive:
![]()
Note first the illicit use of Google Analytics (if Guerlain wanted to continue using Google Analytics, it would need to follow these recommendations from the CNIL).
By zooming in on the parameters sent to Google Analytics, we note the same hash of your email (SHA256), sent via the parameter cd11 (a 'custom' dimension, which Guerlain therefore took the liberty of creating especially for the occasion). It turns out that the practice is prohibited by Google Analytics (if only Google enforced its rules):
To protect user privacy, Google policies prohibit the sending of data that we could use or consider to be personally identifiable information.
You could argue: this is a hash of my email, not my plain-text email (as if Google did not already know your email and therefore its hash). Except that Google also took care to prohibit sending hashes to Google Analytics:
![]()
Guerlain quietly violates Google Analytics rules to better monitor you.
With Guerlain, the surveillance is American, but it is also Chinese, since the same hash of your email is leaked to TikTok (Xi Jinping's magic remote control):
![]()
TikTok is more transparent: the variable is called email.
This leak is enabled by TikTok’s “Advanced Matching” feature:
![]()
Of course, on the privacy side, everything has been thought through: fingerprinting if there is no match:
![]()
“Privacy Safe”, by TikTok.
The SHA256 hash, or the magic wand of privacy protection:
![]()
TikTok is not capable of identifying customers who are not TikTok users, except that TikTok vacuums up the address books of its users...
And for lazy advertisers, TikTok offers the “Automatic Advanced Matching” option, which allows it to scan the different form fields by itself in order to retrieve, for example, your email and phone number:
![]()
Rejoice, advertisers: TikTok spyware can automatically recover your customers' personal data!
Note that here again, TikTok did not invent anything; it simply copied Facebook.
Visit a new page, and your email leaks to Facebook
It was surprising not to see Guerlain leak your email to Facebook. If you view an additional page, you will see that the call to Facebook contains a variable udff[em], which contains the SHA256 hash of your email:
![]()
em, the little note for your email.
Advanced matching allows advertisers to leak a wide range of personal data:
![]()
Don't worry, Facebook will find you.
Facebook Advanced Matching is far from the only Facebook tool available to advertisers to monitor you; you will find others in this thread:
![]()
Pinterest, Google, TikTok and Facebook collect all of your browsing on the Guerlain site, associated with a persistent identifier (your email), but this is not an exception in the LVMH galaxy. Let's look at Givenchy, for example.
Givenchy account creation and personal data leaks
If you create an account on Givenchy, you will also notice leaks based on your email (still a SHA256 hash), this time to Snapchat via the variable u_hems:
![]()
One more American social network, why deprive yourself?
Snapchat also makes life easier for advertisers, as you can read in this thread:
![]()
Givenchy Beauty account creation and personal data leaks
I had barely started creating a Givenchy Beauty account (different from Givenchy) when I saw strange requests going through Charles Proxy:
![]()
The browser-info variable is very detailed; combined with your IP address, it gives Yandex very fine-grained fingerprinting. The point-click variable retrieves the pixel location of all your clicks. So, happy to see your behavior leaking to Russia?
But it is not over: the French company ContentSquare seems to retrieve a lot of information about what you type (keylogger?!):
![]()
Every move you make, every step you take, I'll be watching you.
After entering first and last name, click 'Continue':
![]()
Check the requests sent in Charles: the hash of your first name (udff[fn]) and your last name (udff[ln]) are already leaking to Facebook:
![]()
In the next step, when you enter your email, its hash (udff[em]) leaks live to Facebook (without even clicking 'Continue'):
![]()
Note the leaks to Google Analytics and DoubleClick, while ContentSquare continues to collect information while you create your password...
Note that I only tested 3 LVMH group sites, at random. It is likely that this surveillance by major advertising platforms through persistent data such as your email is widespread at LVMH.
All major advertising platforms have a “Matching” service
We saw LVMH group sites use the matching services of Facebook, TikTok, Pinterest and Snapchat. Obviously, beyond its Google Analytics service, Google is not left out:
![]()
Elon Musk's latest toy, Twitter, also offers its “matching” service:
![]()
The LVMH group sites are far from being an exception, as evidenced by the Leaky Forms study. A large number of advertisers already rely on these invasive methods, and with the upcoming disappearance of third-party cookies on Chrome (if Google wants it), this tracking mode is becoming the standard.
How to protect yourself
In the absence of sanctions against this type of practice (hello CNIL), you will have to protect yourself individually. Since ad blockers are ineffective (unless you block all calls to Google and social networks), and browser protections are ineffective too (tracking is based on persistent data, not cookies), one option is to use a different email alias for each service you use. I know of these 4 services, but you will no doubt be able to find others online:
- SimpleLogin, recently acquired by ProtonMail, which bodes well for an interesting integration.
- Firefox Relay, directly from your favorite browser.
- DuckDuckGo Email Protection, with the DuckDuckGo extension, for good protection on the web.
- Hide My Email if you use Apple, including Safari integration.
Note that there are limits: email aliases will not protect you when Facebook (or others) perform the "matching" via your phone number, your first and last name, or your postal address.