: Quantcast http://pixel.quantserve.com/pixel request 302 redirects to Facebook and other ad networks I just spent a few hours investigating what I thought might be a malicious Chrome extension (using
I just spent a few hours investigating what I thought might be a malicious Chrome extension (using developer tool to audit them, highly recommended!), an ISP/DNS injection issue, or a malware infection, but best I can tell this is occurring as a legitimate response from Quancast's pixel servers. I have now been able to reproduce the issue on multiple computers, browsers, and ISPs, and am fairly confident that the responses are coming from their servers; I just don't know why. After checking their FAQ and Privacy Policy I don't see see any details about this type of activity, and am very concerned about why these redirects to 3rd party trackers are being occasionally injected into our web site and what information is being gathered on our users.
While visiting area51.stackexchange.com one of our employees noticed an odd request to ad.360yield.com, which appears to be an analytics company called Improved Digital. While investigating I found that requests to pixel.quantserve.com/pixel were occasionally getting 302 redirect responses to various ad networks and analytics companies. Easiest way to test this was visiting a Quantcast directly measured site like SO/SF/SE and using the network tab of the F12 developer tools (with "Disable cache" checked) to check for suspicious domains (right click header to add this column) or unexpected 302 responses from the pixel request. So far I have been able to see the following 302 responses occur:
ad.360yield.com/match?publisher_dsp_id=... (this one captured in IE)
and another 360yield when visiting Stack Overflow homepage:
facebook.com/tr?id=....&cd[prospecting]=T-.... (WHY IS THIS ON AREA51?)
stags.bluekai.com/...?id=... (analytics company acquired by Oracle)
bh.contextweb.com/bh/rtset?do=add... (this one captured using fiddler proxy)
tap.rubiconproject.com/oz/feeds/quantcast-pmp/tokens?afu=...
I also saw redirects to: analytics.twitter.com, ads.yahoo.com, e.nexac.com/e/quantcast_sync.xgi, ce.lijit.com, x.bidswitch.net, delivery.swid.switchads.com, rtb-csync.smartadserver.com, and soma.smaato.net
It appears this has been happening at least since December 2014, but I haven't been able to find any information about why Quantcast redirects to 3rd party trackers other than this short blurb from Ghostery (bonus that link also has opt-out and privacy contact details):
We believe this company facilitates or engages in 3rd party interest-based targeting.
So my question is: By opting in to Quantcast's "Measurement & Insight" services, which shouldn't require them linking to multiple 3rd party trackers, to what else have we exposed our users?
Dec 16 2015 Quick update: We just had a great meeting with Quantcast about how their beacon works. They gave a high level explanation of the process and plan on providing more technical details as an answer here once they have some time to write up a response. If any webmasters have further questions I recommend contacting your account representative or using their contact form.
They also indicated that the beacon can be disabled via the settings section of our Quantcast profile and that turning it off will not impact our use of the Quantcast Measure service. We feel confident that there is nothing nefarious occurring as they do have safeguards in place to protect user privacy and do not explicitly use SO/SE (or any specific site) user traffic directly in any targeting algorithms. But we appreciate the ability to opt out of the beacon and plan on turning it off.
More posts by @BetL925
2 Comments
Sorted by latest first Latest Oldest Best
Quantcast Measure Terms of Service (https://www.quantcast.com/terms/measure-terms-service/) Section 6:
Quantcast servers may choose to occasionally respond to any publisher’s Tag by redirecting the browser to a third-party anonymous beacon to support the provision of Quantcast services in market. The decision to beacon is not related to you the publisher, your traffic, or your user base.
I highly suspect this is cookie matching with various audience data/analytics providers and ad companies.
It seems to be covered in their privacy policy, albeit fairly vaguely:
We may share with third parties Non-PII, including certain Log Data, as part of providing and improving our Measure and Advertise products. For example, we may disclose such data to companies involved in ad delivery or ad visibility.
As to whether it really counts as "non-PII" (Personally Identifiable Information) – I think that's highly up for debate. If they are indeed matching unique identifiers, then yes, they're not sharing any "extra" information, but they're still allowing 3rd parties to track the same user and match them up with any data they have in their system, which is clearly personally identifiable.
Terms of Use Create Support ticket Your support tickets Stock Market News! © vmapp.org2024 All Rights reserved.