6600 Dealership Website Hack? - SpinCar At It Again? Clarivoy "hack the dom"

[craigh]

Chad is right.
I can't get anything Criteo to fire, it's just dormant code unless you meet specific criteria.
TreasureData fires every time, but a large portion of this code is doing nothing or is special edge cases for specific dealers:

 

[Alex Snyder]

Things are still coming to light (offline), but it might be time to give SpinCar the benefit of the doubt. Even though it is questionable that this exact thing seems to have happened twice now

Everything I'm about to say is purely my opinion on reading things. I have not spoken to anyone at SpinCar or Clarivoy.

I think SpinCar has had enormous growth quickly and :thumbup: to them for it! When that rocket ship blasts off it is difficult to do everything cleanly. Judging by the use of dealership names in the script I'm going to guess some quick code was thrown together to get something out the door. The word sloppy comes to mind, but it is understandable when moving at their pace. Plus, this is the advertising side of the car business - it ain't medical equipment or space engineering. My point is that this is forgivable. All it takes is transparency and an apology.

On collecting lead data. Is this an accident? Is it being sold for profit somewhere? Does SpinCar even know it is happening? Again, this looks sloppy without a public explanation. If I were a SpinCar dealer I'd want to know EXACTLY what is happening with my customers' personal information off of my website's lead forms. There are potential legal issues to be mindful of.

And if I were SpinCar I'd be diving deep into what "TreasureData" is and where the collected lead data is flowing to. Might there be a partner in the script that did not disclose all that was happening?

With all that's going on in this thread, we will be hosting Jeffrey Tognetti on the next RefreshFriday to focus on (AGAIN) what it means to have scripts on your website. This time the focus will be on the penalties coming in 2020 from California's version of GDPR.

 

[csabatka1]

Things are still coming to light (offline), but it might be time to give SpinCar the benefit of the doubt. Even though it is questionable that this exact thing seems to have happened twice now

Everything I'm about to say is purely my opinion on reading things. I have not spoken to anyone at SpinCar or Clarivoy.

I think SpinCar has had enormous growth quickly and :thumbup: to them for it! When that rocket ship blasts off it is difficult to do everything cleanly. Judging by the use of dealership names in the script I'm going to guess some quick code was thrown together to get something out the door. The word sloppy comes to mind, but it is understandable when moving at their pace. Plus, this is the advertising side of the car business - it ain't medical equipment or space engineering. My point is that this is forgivable. All it takes is transparency and an apology.

On collecting lead data. Is this an accident? Is it being sold for profit somewhere? Does SpinCar even know it is happening? Again, this looks sloppy without a public explanation. If I were a SpinCar dealer I'd want to know EXACTLY what is happening with my customers' personal information off of my website's lead forms. There are potential legal issues to be mindful of.

And if I were SpinCar I'd be diving deep into what "TreasureData" is and where the collected lead data is flowing to. Might there be a partner in the script that did not disclose all that was happening?

With all that's going on in this thread, we will be hosting Jeffrey Tognetti on the next RefreshFriday to focus on (AGAIN) what it means to have scripts on your website. This time the focus will be on the penalties coming in 2020 from California's version of GDPR.

TreasureData is fired by Clarivoy in http://tags-cdn.clarivoy.com/spincar/td/tva/loader.js, which is fired by u.clarivoy.script.setAttribute("src", "//tags-cdn.clarivoy.com/spincar/td/tva/loader.js") in integrator.swipetospin.com



http://tags-cdn.clarivoy.com/spincar/td/tva/loader.js code:

! function(t, i) {
if (void 0 === i[t]) {
i[t] = function() {
i[t].clients.push(this), this._init = [Array.prototype.slice.call(arguments)]
}, i[t].clients = [];
for (var e = function(t) {
return function() {
return this["_" + t] = this["_" + t] || [], this["_" + t].push(Array.prototype.slice.call(arguments)), this
}
}, a = ["addRecord", "set", "trackEvent", "trackPageview", "ready"], n = 0; n < a.length; n++) {
var o = a[n];
i[t].prototype[o] = e(o)
}
var r = document.createElement("script");
r.type = "text/javascript", r.async = !0, r.src = ("https:" === document.location.protocol ? "https:" : "http:") + "//tags-cdn.clarivoy.com/spincar/td/clarivoy.js";
var s = document.getElementsByTagName("script")[0];
s.parentNode.insertBefore(r, s)
}
}("Clarivoy", this);
var td = new Clarivoy({
host: "in.treasuredata.com",
database: "hits",
writeKey: "5623/e2aef8b67ca3206cc64f6baa5843b838d573e9c6"
});
properties = {};
var property_id = properties[window.location.hostname.replace(/^www\./i, "")] || "",
plugins = "";
if (navigator.plugins) {
for (var np = navigator.plugins, plist = new Array, i = 0; i < np.length; i++) {
plist = np.name + "; ", plist += np.description + "; ", plist += np.filename + ";";
for (var n = 0; n < np.length; n++) plist += " (" + np[n].description + "; " + np[n].type + "; " + np[n].suffixes + ")";
plist += ". "
}
for (plist.sort(), i = 0; i < np.length; i++) plugins += "Plugin " + i + ": " + plist
}
var timezone = "";
try {
var timezone = (new Date).getTimezoneOffset().toString()
} catch (e) {}
var cookies = navigator.cookieEnabled ? "enabled" : "disabled";
td.set("$global", "clarivoy_property_id", property_id), td.set("$global", "clarivoy_user_agent", window.navigator.userAgent), td.set("$global", "clarivoy_plugins", plugins), td.set("$global", "clarivoy_timezone", timezone), td.set("$global", "clarivoy_cookies", cookies), td.set("$global", "td_global_id", "td_global_id"), td.trackPageview("pageviews");

 

[Jeffrey Tognetti]

Chad is right.
I can't get anything Criteo to fire, it's just dormant code unless you meet specific criteria.
TreasureData fires every time, but a large portion of this code is doing nothing or is special edge cases for specific dealers:

View attachment 4367

View attachment 4366

Understood about Criteo...however, it may NOT be the case entirely. Meaning if there was a retargeting campaign in place before where the U variable has a dealer ID and that campaign is no longer active then, in theory, it would still be collecting data.

My point is simple - Why have the script at all?

Finally, my larger point is, that there are other people imbedded in the script that are in fact collecting data, inclusive of PII.

(This I know for a fact)

The dealers we have as clients did NOT consent to this and had run-ins previously around this but yet it is happening again. That is the very direct point I'm making.

 

[C Dorman]

Hmmmmmm, I haven't always seen eye to eye with Jeffrey on everything, but he's right. At best this is sloppy. When it comes to my data I don't trust anybody. And I mean anybody, including the OEM's. And as much as I hate it, the CCPA is going to shine a light on the dark data spots of the car business. Dealers are going to have to KNOW what's going on with their data. All of these companies are going to have to sign a boatload of disclosure statements about who they share data with and what they do with it. It's gonna get really ugly before it gets cleaned up.

 

[Jeffrey Tognetti]

Hmmmmmm, I haven't always seen eye to eye with Jeffrey on everything, but he's right. At best this is sloppy. When it comes to my data I don't trust anybody. And I mean anybody, including the OEM's. And as much as I hate it, the CCPA is going to shine a light on the dark data spots of the car business. Dealers are going to have to KNOW what's going on with their data. All of these companies are going to have to sign a boatload of disclosure statements about who they share data with and what they do with it. It's gonna get really ugly before it gets cleaned up.

There is something much bigger under the surface here. I won't get into what, but it involves much larger players... and there would be a lot of angry dealers if this thread gains traction. I'm sitting on my hands-

 

[Alexander Lau]

Finally, my larger point is, that there are other people imbedded in the script that are in fact collecting data, inclusive of PII.

(This I know for a fact)

The dealers we have as clients did NOT consent to this and had run-ins previously around this but yet it is happening again. That is the very direct point I'm making.

 

[Alex Snyder]

Tomorrow at 1:00 PM EST Tognetti joins us to talk about some of the topics appearing in this thread. I don't think I've ever had so many conversations with outside people to get ready for a show. The number of people volunteering information has been surprising

1. Numerous calls with Tognetti
2. One call with Steve (CEO of Clarivoy) - I appreciated getting some different perspective from him & Matt this morning
3. Texts with an ex-Clarivoy employee
4. Direct Messages with another ex-Clarivoy employee
5. And a very revealing call with another ex-Clarivoy person
6. A call with an exec from a large third-party
7. Chat conversation with another attribution company
8. Numerous questions from dealers hitting me up directly

 

[craigh]

 

[Alexander Lau]