LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Security page

Sponsored link

Vyatta – Linux & Open Source Alternative to Cisco – Advanced Routing, Firewall, VPN, QoS..
Free Download ->

Recent Features

LWN.net Weekly Edition for September 4, 2008

The Kernel Hacker's Bookshelf: UNIX Internals

DRI, BSD, and Linux

SCHED_FIFO and realtime throttling

LWN.net Weekly Edition for August 28, 2008

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

Red Sheriff

[Posted March 12, 2003 by corbet]

[This article was contributed by Tom Owen]

Check your cookie list in your browser for cookies from imrworldwide.com -- if they're there, then the red sheriff is watching you.

You won't be alone. For well over a year, vexed users have been popping up on the newsgroups, in slashdot and on lists of all sorts with independent rediscoveries of Redsheriff's activities. Unscientific sampling suggests that machines not owned by paranoid technicians always have these cookies.

The web was not designed to make marketing easy. Proxies and other caches mean that the server logs can dramatically undercount page views and downloads. Spiders and bots work the other way, but there's no reason to believe they balance out. The users share and reuse their IP addresses, you can't tell for certain what country they're in, and they even lie to their own PCs. Maybe M. Mouse is a legitimate name in Martinique, and a birth date of 01/01/01 might just mean that you saw Steamboat Willie first time round. But probably not.

Advertisers hate this. They hate trusting the word of a site owner about page impressions, but even when those numbers make sense they still don't know if the campaign is reaching the target preteens, or is being wasted on middle-aged tax consultants who just really like Britney. Many of them prefer to stick with old media where they get respectable numbers from the likes of Nielsen and ABC.

So the demand for better information is huge, and there's a long history of attempts to get it: doubleclick, web bugs and third-party cookies. The big accounts at the traditional end of the industry prefer to trust names and methods translated from broadcast media: closely monitored sample panels, surveys and focus groups. That would be fine, but one thing that no-one has ever been able to do is reconcile the numbers from these two approaches.

Redsheriff want to bridge that gap -- by making the whole internet their panel.

Founded in Australia in 1996 as a research firm, by 2001 Redsheriff was expanding into technical means. Along the way, they picked up global ambitions and some serious capitalists led by WPP, Martin Sorrel's advertising conglomerate. Earlier website versions on the Wayback machine couple horrifying wild-west copy with fairly explicit information about their offerings which is lacking from the current site.

And in fact they keep a lowish profile all round. There are no secrets, but no fuss either and little interest in publicity. It doesn't matter: the evidence is easy enough to gather. Redsheriff client sites (try Selfridges) drop or reference two main components:

  • A pair of persistent cookies -- IMRID and V5 -- reporting to imrworldwide.com, a domain registered to redsheriff. You seem to get an IMRID once only -- if it's there it'll never be altered. It seems as though it's intended to be a globally unique machine name. By contrast V5 updates for almost anything you do on the site.

  • A java applet (real java, not a script) called Measure, mostly silent, but recognisable from the console message 
    ----------- RedSheriff  Measurement -----------
Privacy:  http://www.redsheriff.com/privacy.htm
    It returns a record to imrworldwide.com when you leave a site.
This is all traditional cross-platform stuff. It's certainly unusual to use an applet for this job and some users have been blaming Java, but it means it'll work on anything: Mozilla, Opera, IE or that cool new mobile phone.

Redsheriff say they can report on movement within a flash site, as well as use of non-client sites, and it looks as though these are jobs for the applet. There doesn't seem to be an ActiveX component yet, but given MS's attitude toward Java, this is probably only a matter of time.

So far, Redsheriff knows many of the sites you visit from day to day and year to year, and within some of them they know the pages you look at. This is a good start (for them), but technical means aren't enough: they don't know who you are. This next stage is probably what has piqued the interest of partners like WPP and Taylor Nelson Sofres

What these buyers want is income, age, education, family status, and Redsheriff apparently gets it the easy way: by popping up a questionnaire with a chance of winning some prize. This questionnaire carries the client site branding, but the data goes to the Redsheriff servers. As a final touch, some percentage of the responses are qualified with telephone interviews. The privacy policy is surprisingly less clear than it could be -- it looks as though some identifying personal information will be held on the basis of the target's consent implied when they filled in the survey.

Redsheriff is doing nothing all that weird, but the effect is still spooky. Assuming their software and datacenter work right, they'll know largely complete browsing histories stretching over years for vast numbers of computers. And if they can do the surveys right, many of these histories will carry trustworthy demographic information and many more will be similar enough to have it inferred. They can't quite equal a panel in joining up work and home browsing or breaking out multi-use PCs but their potential sample is so comprehensive they hardly care: the data are going to make them big money.

If you don't want to be part of this database, it's easy to stop without marring the browsing experience: simply block third party cookies (erase any you have) and don't run applets. It's that easy. Maybe that's why they don't want the public gaze.

(Log in to post comments)

Browser feature

Posted Mar 13, 2003 12:03 UTC (Thu) by addw (subscriber, #1771) [Link]

It would be really nice if when I install my browser it comes with a default config that has a set of standard sites that cannot set cookies. This sort of site would be a prime candidate for that list.

OK: some people want it, so the first time they try to set a cookie a popup explaining that it is in the standard 'do not accept list' might be nice, but that would require coding work, whereas just having a standard initial list probably would be a lot easier.

My favorite thing

Posted Mar 13, 2003 14:00 UTC (Thu) by mattdm (subscriber, #18) [Link]

I have a small perl script that scans my cookies file at netscape startup looking for (known) ID cookies from places like this. Rather than deleting them, though, it replaces the ID numbers with a totally randomized but similar-looking ones. This is even better than just blocking or deleting them. :)

My favorite thing

Posted Mar 13, 2003 15:27 UTC (Thu) by yohahn (subscriber, #4107) [Link]

Hey,
That script sounds like it would be simple, but why don't you post it! :)

try this?

Posted Mar 13, 2003 20:34 UTC (Thu) by xorbe (guest, #3165) [Link]

Mozilla: Tools -> Cookie manager -> Managed stored cookies
[ ] "Don't allow removed cookies to be reaccepted later"
(does it work?)

try this?

Posted Mar 14, 2003 13:23 UTC (Fri) by torsten (guest, #4137) [Link]

I looked, and I had the redsherriff cookie. I tried this option, I imagine it does work. I did a couple of small test sites, removed the cookies, and they haven't returned.

Torsten

My favorite thing

Posted Mar 14, 2003 23:55 UTC (Fri) by rmassa (guest, #2984) [Link]

Please do post it :)

Not _just_ cookies and Java...

Posted Mar 18, 2003 17:51 UTC (Tue) by roelofs (subscriber, #2599) [Link]

"grep -ri imrworldwide ~/.netscape" turns up a whole pile of pages in the cache that reference some JavaScript and/or web bugs, too: 

    <script language="JavaScript1.1" src="http://server-us.imrworldwide.com/a1.js">
    <img src="http://server-us.imrworldwide.com/cgi-bin/count?cid=us_us-techweb_0" width=1 height=1>

There's also a server-au, and I wouldn't be surprised if there were one for Europe, as well.

Greg Roelofs

Red Sheriff

Posted Mar 21, 2003 23:51 UTC (Fri) by barrygould (guest, #4774) [Link]

I just checked my cookies... no sign of imrworldwide...

I have "accept cookies from the originating site only" turned on in my browser, but that wouldn't block the image-based ones...

So, I then thought of my ad zapper (it integrates into squid. available at: http://adzapper.sourceforge.net/)...
I grepped it, and, sure enough it's blocking it, and apparently is doing it perfectly!
/shameless plug

Red Sheriff

Posted Mar 21, 2003 23:54 UTC (Fri) by barrygould (guest, #4774) [Link]

I should have mentioned that I just have Ad Zapper blocking banners and other annoying images... It does not do any actual cookie filtering, nor does squid.

But, as it blocks the "web bugs", the cookies are never downloaded. :)

Red Sheriff - Blocking

Posted May 26, 2003 10:57 UTC (Mon) by jdc42 (guest, #11451) [Link]

forget mucking around with cookies... I just configured my firewall to not connect with *.imrworldwide.com. The cookies are still there but the poor little java app can't phone home :(

Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds