
How one Brooklyn data scientist discovered a new, insidious world of email spam marketing

This isn't your parents' Nigerian prince spam anymore.

(Photo courtesy of Fred Benenson)

By now, everyone is used to ads following you around the web. You look at ONE PAIR of Warby Parker glasses and all of a sudden:

This happens.


But data scientist Fred Benenson came across a new phenomenon recently: after browsing for a replacement air conditioning part on the Sears website, he later got an email from Sears asking if he was still interested in the product.
He’s never signed up for a Sears email list, never gave Sears his email and really doesn’t want to be getting emails just as a result of browsing a page. So how’d it happen? Not content to just delete the email, Benenson did some investigative work and detailed it in a modestly brilliant Medium post, “Browsing your website does not mean I want your spam.”

“At the bottom of the spam was a clue from a company named Criteo: ‘This message is personalized by Criteo Email based on your previous browsing behavior. To understand why you received this email and access Criteo Email privacy policy, click here. If you want to opt-out only from Criteo Email personalized emails, click here.’”

So Benenson clicked and found that Criteo, a direct marketing firm hired by Sears to do this kind of thing, had gotten his email from a “partner” database. Huh? Benenson still doesn’t know which of the companies he once gave his email to sold it to Criteo, but he suspects that whichever one it was dropped a Criteo cookie in his browser and delivered his info to Criteo. When he browsed the Sears page, Criteo, knowing that Sears is one of its clients, handed his email over to Sears, and Sears blasted Benenson.


We asked Benenson to reflect on the whole experience and what he thought about the future of spammy marketing.


Technical.ly Brooklyn: OK, but did you find the replacement part?

Fred Benenson: I was able to track down a guide to decipher its serial number, which said it was from 1987. Which was the information I needed since it meant I would need to get it replaced by a professional.

TB: Do you think that if this becomes a more widely adopted marketing tactic that people will actually start to care about their privacy settings and what they agree to when signing up for new accounts? I feel like right now the costs of the privacy of your data are so low or invisible people really dgaf. But your example is quite visible, if obscured in its origin.

FB: I think examples of advertisements following users around the web and my story will start to add up in people’s minds and they’ll slowly begin to realize that ad-blockers, privacy-aware extensions and browsers like Ghostery and Brave are ways to protect themselves from that creepiness. Best case scenario, I can see it as a kind of awareness akin to the way people shop for organic produce — they go to Whole Foods because they want ingredients that they think are healthier and promise better sustainability, and they similarly might choose a privacy-aware browser, search engine or email address even if they only have a vague awareness of the benefits.

Getting spam for browsing the web is a “weird enough” moment that I thought it would really drive home some of the more abstract privacy concerns that privacy geeks have had for years. And that is what makes the Criteo story valuable: it’s a concrete example of our day-to-day privacy expectations being violated. Most of the time when people hear “third-party cookies” or “ad retargeting” their eyes glaze over, but explaining what happened with Criteo made those concerns much more immediate.

TB: Is this practice fair?

FB: I think it’s unfair in the sense that it violates users’ expectations (see: the principle of least astonishment) in a profit-driven way which will eventually degrade users’ trust when browsing the web.

Of course, expectations and trust are relative: if we learn to accommodate this type of behavior then at some point email-spamming-websites won’t be all that surprising.

TB: Should we just give up and expect that people will market to us at all times with or without our permission? Like, is the premise of a web that includes privacy an anachronism?

FB: We should assume that ad retargeting companies and data brokers will continue to innovate in the ways they can aggregate data about us, our behavior and our preferences. A commenter posted on my Medium post that he went to a Criteo presentation where they indicated that they have “more of this” planned for the future.

Platforms like Facebook, which has strong incentives to uphold user trust, may have some sway in establishing guidelines of what data they’ll allow advertisers to use, but it doesn’t mean that other, less savory companies (like the one that shared my email address with Criteo) will follow them.

Which gets to the real reason I wrote that post up: I wanted to take a stand on behavior that I saw as violating a core norm of the web, and my hope was that it might be able to get them, and others, to think twice about violating people’s day-to-day privacy expectations.
