3 min read

You're not anonymous. I know your name, email, and company.

This is a repost of my original post on 42floors.com.

Sumit Suman recently visited a site, did not sign up for anything, did not connect via social media, but got a personal email from the site the next day.

Here’s how they did it.

I’ve learned that there is a “website intelligence” network that tracks form submissions across their customer network.  So, if a visitors fills out a form on Site A with their name and email, Site B knows their name and email too as soon as they land oan the site.

It all started 2 weeks ago when I got a promotional email (anonymized to avoid promotion) offering to

discretely integrate with your existing web site to identify visitors to your website.

I get B2B marketing emails all the time but what caught my eye was the inclusion of a report snapshot for 42Floors.com showing names, companies, and emails of site visitors and the information seemed plausible.

1.jpg

I was both skeptical and concerned so I replied to the sales rep and asked how they could identify 42Floors’ visitors without something like an email link click-through.  His reply was forthright:

2.jpg

Note the last sentence:

For example, if [a visitor] went to XYZ.com and filled out a web form and then [the visitor] later visited 42floors.com, [42Floors] would be able to identify [the visitor] by name/email as well as company details even though [the visitor] never filled out a web form on [42Floors.com].

3.png

I was still skeptical.  So I signed up for a demo account and installed (and hastily removed) the tracker .  As promised, I began to see personally identifying information about our anonymous visitors.  Here are the live reports from this week (sidebar).

4.png

Although only a small subset of users were identified with an email, that is likely due to the fact that this particular network is one of the smaller ones and hence only has information on a small percentage of all internet users.  I will be following up with an analysis of the reach of their larger peers.

Expectations of privacy

When a user visits a site without ever having voluntarily supplied information to that site, should the user have an expectation that their identity is private until they chose to reveal it?

A real-world analogue would be this scenario: You drive to Home Depot and walk in.  Closed-circuit cameras match your face against a database of every shopper that has used a credit card at Walmart or Target and identifies you by name, address, and phone.  If you happen to walk out the front door without buying anything your phone buzzes with a text message from Home Depot offering you a 10% discount good for the next hour.

Farfetched?  I don’t think so.  I expect to see the first iterations of this Home Depot scenario become reality within a few years time.  All the necessary pieces already exist, they just haven’t been combined yet.

It’s inevitable, it’s going to happen, but it shouldn’t

The realization that I’m being personally identified by name as I surf the net is deeply discomforting.  At 42Floors, we’ve made the decision not to use any visitor identification tools.  As for my own Macbook, I’ll probably write a browser plugin ala AdBlock to kill the trackers that make this identification possible.