
Guerlain (LVMH): luxury and surveillance

The major advertising platforms have found the lethal weapon to identify you, your email address

Published by Pixel de Tracking on November 27, 2022

Ever more intrusive advertising surveillance

Despite regulations (GDPR, ePrivacy, CCPA), browser protections (Firefox, Safari or Brave), and ad blockers in the browser (uBlock Origin) or at the DNS level (NextDNS, AdGuard or Pi-hole), advertising surveillance has not decreased. It has mutated to bypass your protections.

The accelerator of this evolution? Facebook, obviously, with its “resilient signals”, which let it siphon off a large part of the data generated by your online and offline activities. As the third-party cookie is disappearing as a surveillance vector (Google Chrome being the exception), new vectors had to be found, ones that Internet users cannot simply reset. Taking inspiration from adtech “champions” such as Criteo, Facebook encourages advertisers to send it your email, your name, your telephone number or your postal address: the “resilient signals”.

While many adtech players (LiveRamp, Criteo) have been identifying you via your email for a long time, the phenomenon is relatively new among the major advertising platforms. The study "Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission" illustrated the extent of email leaks on the web, to adtech players but also to Facebook and TikTok.

How could your email leak to these big platforms? This is what we are going to discover with Guerlain, one of the flagships of French luxury, and owned by LVMH group.

Even before creating a Guerlain account, the hash of your email is already leaking to Pinterest

For this test, let's navigate to the Guerlain website with Charles Proxy running and, as an exception, click on "Accept and close" when the consent banner is displayed (to Guerlain's credit, I did not notice any email hash leaks when consent is refused):

[image: banner]

“Improve your experience and offer you services and communications tailored to your interests”, a seemingly harmless message.

Then, let's navigate to the Guerlain account creation page and start filling out the form:

[image: pinterest]

This personal data should only concern Guerlain, right?

Let's look at what happens on Charles Proxy when you enter your email, even before confirming the email:

[image: charlespinterest]

Notice a strange request to the social network Pinterest.

The pd parameter of the request to Pinterest contains another parameter, em, consisting of a long, seemingly indecipherable string of characters. Pinterest's documentation for advertisers gives the answer:

pd: Partner data.

em: hashed email address value.

Guerlain therefore leaks a hash of your email address to Pinterest even before you have confirmed the creation of your account! This service is actually called "Enhanced Match" (hence em); I talked about it last May:

[image: tweetpinterest]

No third-party cookies? No problem!

But don't worry: Pinterest uses a hash of your email address, and the connection to Pinterest is secure, so your privacy is protected!

[image: helppinterest]

Allow websites to leak your email, and pretend to do so to protect your privacy!

The reality is that the correspondence between your email and its hash is probably already circulating widely and companies are making money from it.

How can you check for yourself whether Guerlain is leaking a hash of your email to Pinterest? Enter your email on this site, selecting the correct hash function (often SHA256):

[image: sha256]

Welcome to the Matrix.

Bingo: the value 14d0247dc47a564d9fd70f7e895915e8daa5c8a455549f2b559d5a42cbf0653c matches the em field sent to Pinterest.

Note that when the advertiser sends customer data directly to Pinterest, the latter is not so careful about the email:

email: We support both hashed (SHA256, SHA1, MD5) and cleartext customer data fields.
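To check the hash yourself, or to scan a proxy export for it, here is an added example (not code from the original post): it computes the SHA256, SHA1 and MD5 digests of the normalised email and flags any query parameter carrying one, labelling the parameter names seen in this post (pd, cd11, email, udff[em], u_hems). The sample URLs and the address jane.doe@example.com are constructed, and tracker.example is a hypothetical host.

```python
import hashlib
from urllib.parse import parse_qs, urlsplit

# Parameter names the post observed carrying the email hash, used only to
# label a hit: pd (Pinterest), cd11 (Google Analytics), email (TikTok),
# udff[em] (Facebook), u_hems (Snapchat). Every parameter is scanned anyway.
KNOWN_PARAMS = {"pd": "Pinterest", "cd11": "Google Analytics", "email": "TikTok",
                "udff[em]": "Facebook", "u_hems": "Snapchat"}

def email_hashes(email):
    """Hex digests of the trimmed, lower-cased email: SHA256, plus SHA1 and
    MD5 since Pinterest's upload documentation accepts those as well."""
    norm = email.strip().lower().encode()
    return {alg: hashlib.new(alg, norm).hexdigest() for alg in ("sha256", "sha1", "md5")}

def find_leaks(email, urls):
    """Return (host, parameter, algorithm) for each query parameter whose value
    contains one of the email's hashes. Substring matching catches nested
    encodings such as Pinterest's pd={"em":"<hash>"} and upper-cased hex."""
    digests = {h: alg for alg, h in email_hashes(email).items()}
    hits = []
    for url in urls:
        parts = urlsplit(url)
        for name, values in parse_qs(parts.query).items():
            for value in values:
                for digest, alg in digests.items():
                    if digest in value.lower():
                        hits.append((parts.hostname, name, alg))
    return hits

# Constructed sample of what a proxy capture could contain; not real traffic.
# The hashes are derived from a made-up address so the sample stays consistent.
SAMPLE_EMAIL = "Jane.Doe@example.com"
HASHES = email_hashes(SAMPLE_EMAIL)
SAMPLE_URLS = [
    "https://ct.pinterest.com/v3/?event=pagevisit&pd=%7B%22em%22%3A%22" + HASHES["sha256"] + "%22%7D",
    "https://www.google-analytics.com/collect?v=1&t=pageview&cd11=" + HASHES["sha256"],
    "https://analytics.tiktok.com/api/v2/pixel?email=" + HASHES["sha256"].upper(),
    "https://www.facebook.com/tr/?ev=PageView&udff%5Bem%5D=" + HASHES["sha256"],
    "https://tr.snapchat.com/p?u_hems=" + HASHES["sha256"],
    "https://tracker.example/collect?hem=" + HASHES["md5"],  # hypothetical MD5 user
    "https://www.guerlain.com/api/account?step=1",           # no hash: must not be flagged
]

if __name__ == "__main__":
    for host, name, alg in find_leaks(SAMPLE_EMAIL, SAMPLE_URLS):
        print(f"{host}: parameter {name} ({KNOWN_PARAMS.get(name, 'unknown')}) carries the {alg} hash")
```

Feed it the request URLs exported from Charles Proxy (or a HAR file) together with the email you typed into the form, and every parameter that carries its hash is listed with the platform it belongs to.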

Confirm the creation of the account, and say goodbye to your personal data

I now finish filling out the form and click on 'Confirm'. The personal data leaks are massive:

[image: list]

Let us first note the illicit use of Google Analytics (if Guerlain wanted to keep using Google Analytics, it would need to follow these recommendations from the CNIL).

Zooming in on the parameters sent to Google Analytics, we find the same SHA256 hash of your email, sent via the parameter cd11 (a 'custom' dimension, which Guerlain therefore took the liberty of creating especially for the occasion). It turns out that this practice is prohibited by Google Analytics (if only Google enforced its rules):

To protect user privacy, Google policies prohibit the sending of data that we could use or consider to be personally identifiable information.

You could argue: this is a hash of my email, not my email in the clear (as if Google didn't already know your email, and therefore its hash). Except that Google also took care to prohibit sending hashes to Google Analytics:

[image: gahash]

Guerlain calmly violates the Google Analytics rules in order to monitor you better.

With Guerlain, the surveillance is American, but it is also Chinese, since the same hash of your email leaked to TikTok (Xi Jinping's magic remote control):

[image: tiktok]

TikTok is more transparent: the variable is simply called email.

This leak is made possible by TikTok's “Advanced Matching” feature:

[image: tweettiktok]

Of course, on the privacy side everything has been carefully thought out: fingerprinting if there is no match:

[image: safe]

“Privacy Safe”, by TikTok.

The SHA256 hash, or the magic wand of privacy protection:

[image: tiktokhash]

TikTok is not capable of identifying customers who are not TikTok users, except that TikTok vacuums up the address books of its users...

And for lazy advertisers, TikTok offers the “Automatic Advanced Matching” option, which lets it scan the fields of the forms on its own in order to retrieve, for example, your email and telephone number:

[image: tiktok]

Rejoice, advertisers: TikTok's spyware can automatically collect your customers' personal data!

Note that here again, TikTok did not invent anything; it simply copied Facebook.

Check out a new page, your email leaked to Facebook

It was surprising not to see Guerlain leak your email to Facebook. View one more page, and you will see that the call to Facebook contains a variable udff[em], which holds the SHA256 hash of your email:

[image: fbguerlain]

em, the little nickname for your email.

Advanced Matching allows advertisers to leak a wide range of personal data:

[image: advancedfb]

Don't worry, Facebook will find you.

Facebook Advanced Matching is far from the only Facebook tool available to advertisers to monitor you; you will find some others in this thread:

[image: fbtweet]

Pinterest, Google, TikTok and Facebook collect all of your browsing on the Guerlain site, tied to a persistent identifier (your email). This is not an exception in the LVMH galaxy; let's look at Givenchy, for example.

Givenchy account creation and personal data leaks

If you create a Givenchy account, you will also notice leaks based on your email (still as a SHA256 hash), this time to Snapchat via the variable u_hems:

[image: snap]

One more American social network, why deprive yourself?

Snapchat also makes life easier for advertisers, as you can read in this thread:

[image: snaptweet]

Givenchy Beauty account creation and personal data leaks

I have barely started creating a Givenchy Beauty account (distinct from Givenchy) when I see strange requests going through Charles Proxy:

[image: yan]

The variable browser-info is very detailed; combined with your IP address, it gives Yandex very fine-grained fingerprinting. The variable point-click records the pixel position of each of your clicks. So, happy to see your behavior leaking to Russia?

But it's not over: the French company ContentSquare seems to collect a lot of information about what you type (a keylogger?!):

[image: square]

Every move you make, every step you take, I'll be watching you.

After entering your first and last name, click on 'Continue':

[image: step1]

Check the requests sent in Charles: the hashes of your first name (udff[fn]) and last name (udff[ln]) are already leaking to Facebook:

[image: namefb]

In the next step, when you enter your email, its hash (udff[em]) leaks to Facebook in real time (without even clicking 'Continue'):

[image: emailfb]

Note also the leaks to Google Analytics and DoubleClick, while ContentSquare keeps collecting information as you create your password...

Note that I only tested 3 LVMH group sites, at random. It is likely that this surveillance by the large advertising platforms via persistent data such as your email is widespread at LVMH.

All major advertising platforms have a “Matching” service

We were able to see the use of the matching services of Facebook, TikTok, Pinterest and Snapchat by LVMH group sites. Obviously, beyond its Google Analytics service, Google is not left out:

[image: googtweet]

Elon Musk's latest toy, Twitter, also offers its “matching” service:

[image: tweetparam]

The LVMH group sites are far from being an exception, as the Leaky Forms study shows. A large number of advertisers already rely on these invasive methods, and with the upcoming disappearance of third-party cookies in Chrome (if Google wants it), this mode of tracking is becoming the standard.

How to protect yourself

In the absence of sanctions for this type of practice (hello CNIL), you will have to protect yourself individually. Since ad blockers are ineffective (unless you block all calls to Google and the social networks) and browser protections are ineffective (the tracking relies on persistent data, not cookies), one option is to use a different email alias for each service you use. I know these 4 services, but you will undoubtedly find others on the net:

Note that there are limits: email aliases will not protect you when Facebook (or others) perform the "matching" via your phone number, your first and last name, or your postal address.