6600 Dealership Website Hack? - SpinCar At It Again? Clarivoy "hack the dom"

craigh

Super Moderator
May 19, 2011
1,666
1,080
114
First Name
Craig
Chad is right.
I can't get anything Criteo to fire, it's just dormant code unless you meet specific criteria.
TreasureData fires every time, but a large portion of this code is doing nothing or is special edge cases for specific dealers:

upload_2019-10-11_11-23-57.png

upload_2019-10-11_11-23-38.png
 
Reactions: csabatka1

Alex Snyder

President Skroob
May 1, 2006
2,801
1,416
113
First Name
Alex
Things are still coming to light (offline), but it might be time to give SpinCar the benefit of the doubt. Even though it is questionable that this exact thing seems to have happened twice now :thinker:

Everything I'm about to say is purely my opinion on reading things. I have not spoken to anyone at SpinCar or Clarivoy.

I think SpinCar has had enormous growth quickly and :thumbup: to them for it! When that rocket ship blasts off it is difficult to do everything cleanly. Judging by the use of dealership names in the script I'm going to guess some quick code was thrown together to get something out the door. The word sloppy comes to mind, but it is understandable when moving at their pace. Plus, this is the advertising side of the car business - it ain't medical equipment or space engineering. My point is that this is forgivable. All it takes is transparency and an apology.

On collecting lead data. Is this an accident? Is it being sold for profit somewhere? Does SpinCar even know it is happening? Again, this looks sloppy without a public explanation. If I were a SpinCar dealer I'd want to know EXACTLY what is happening with my customers' personal information off of my website's lead forms. There are potential legal issues to be mindful of.

And if I were SpinCar I'd be diving deep into what "TreasureData" is and where the collected lead data is flowing to. Might there be a partner in the script that did not disclose all that was happening?

With all that's going on in this thread, we will be hosting Jeffrey Tognetti on the next RefreshFriday to focus on (AGAIN) what it means to have scripts on your website. This time the focus will be on the penalties coming in 2020 from California's version of GDPR.
 

csabatka1

Refresher
Jan 7, 2013
141
70
28
First Name
Chad
TreasureData is fired by Clarivoy in http://tags-cdn.clarivoy.com/spincar/td/tva/loader.js, which is fired by u.clarivoy.script.setAttribute("src", "//tags-cdn.clarivoy.com/spincar/td/tva/loader.js") in integrator.swipetospin.com



http://tags-cdn.clarivoy.com/spincar/td/tva/loader.js code:

! function(t, i) {
    if (void 0 === i[t]) {
        // Stub constructor: queues calls until the real library (clarivoy.js) has loaded
        i[t] = function() {
            i[t].clients.push(this), this._init = [Array.prototype.slice.call(arguments)]
        }, i[t].clients = [];
        for (var e = function(t) {
                return function() {
                    return this["_" + t] = this["_" + t] || [], this["_" + t].push(Array.prototype.slice.call(arguments)), this
                }
            }, a = ["addRecord", "set", "trackEvent", "trackPageview", "ready"], n = 0; n < a.length; n++) {
            var o = a[n];
            i[t].prototype[o] = e(o)
        }
        // Inject clarivoy.js from the same CDN ahead of the first <script> on the page
        var r = document.createElement("script");
        r.type = "text/javascript", r.async = !0, r.src = ("https:" === document.location.protocol ? "https:" : "http:") + "//tags-cdn.clarivoy.com/spincar/td/clarivoy.js";
        var s = document.getElementsByTagName("script")[0];
        s.parentNode.insertBefore(r, s)
    }
}("Clarivoy", this);
// Client configured with in.treasuredata.com as its host
var td = new Clarivoy({
    host: "in.treasuredata.com",
    database: "hits",
    writeKey: "5623/e2aef8b67ca3206cc64f6baa5843b838d573e9c6"
});
properties = {};
var property_id = properties[window.location.hostname.replace(/^www\./i, "")] || "",
    plugins = "";
// Build one string describing every installed browser plugin and its MIME types
if (navigator.plugins) {
    for (var np = navigator.plugins, plist = new Array, i = 0; i < np.length; i++) {
        plist[i] = np[i].name + "; ", plist[i] += np[i].description + "; ", plist[i] += np[i].filename + ";";
        for (var n = 0; n < np[i].length; n++) plist[i] += " (" + np[i][n].description + "; " + np[i][n].type + "; " + np[i][n].suffixes + ")";
        plist[i] += ". "
    }
    for (plist.sort(), i = 0; i < np.length; i++) plugins += "Plugin " + i + ": " + plist[i]
}
var timezone = "";
try {
    var timezone = (new Date).getTimezoneOffset().toString()
} catch (e) {}
var cookies = navigator.cookieEnabled ? "enabled" : "disabled";
// Attach the collected browser attributes to every record, then log a pageview
td.set("$global", "clarivoy_property_id", property_id);
td.set("$global", "clarivoy_user_agent", window.navigator.userAgent);
td.set("$global", "clarivoy_plugins", plugins);
td.set("$global", "clarivoy_timezone", timezone);
td.set("$global", "clarivoy_cookies", cookies);
td.set("$global", "td_global_id", "td_global_id");
td.trackPageview("pageviews");
 
Last edited by a moderator:
Reactions: Alex Snyder
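
The script chain traced in the post above can be checked mechanically. This is an added example, not part of the original post or of any vendor's code: it scans a tag's source for the hosts it references and the browser attributes it reads, then flags hosts the site owner has not approved. `SAMPLE`, `extractHosts`, `auditTag` and the allowlist are names and values constructed for this illustration.

```javascript
// Added example: static audit of a third-party tag script (Node.js, no dependencies).
// SAMPLE is a constructed, shortened excerpt modelled on the loader.js quoted above.
const SAMPLE = `
r.src = ("https:" === document.location.protocol ? "https:" : "http:") + "//tags-cdn.clarivoy.com/spincar/td/clarivoy.js";
var td = new Clarivoy({ host: "in.treasuredata.com", database: "hits" });
for (var np = navigator.plugins, i = 0; i < np.length; i++) {}
var timezone = (new Date).getTimezoneOffset().toString();
td.set("$global", "clarivoy_user_agent", window.navigator.userAgent);
var cookies = navigator.cookieEnabled ? "enabled" : "disabled";
`;

// Browser properties that are commonly combined into a device fingerprint.
const FINGERPRINT_SIGNALS = {
  "navigator.plugins": /navigator\.plugins/,
  "navigator.userAgent": /navigator\.userAgent/,
  "navigator.cookieEnabled": /navigator\.cookieEnabled/,
  "Date.getTimezoneOffset": /getTimezoneOffset\s*\(/,
};

// Hostnames found in string literals: URL forms ("//host/path", "https://host/...")
// or bare "host.tld" config values. Bare file names such as "loader.js" would also
// match the second pattern, so review the output rather than trusting it blindly.
function extractHosts(source) {
  const hosts = new Set();
  const literal = /(["'])((?:\\.|(?!\1).)*)\1/g;
  for (const [, , text] of source.matchAll(literal)) {
    const m = text.match(/^(?:https?:)?\/\/([a-z0-9.-]+\.[a-z]{2,})(?:[:\/]|$)/i)
           || text.match(/^((?:[a-z0-9-]+\.)+[a-z]{2,})$/i);
    if (m) hosts.add(m[1].toLowerCase());
  }
  return [...hosts].sort();
}

// Compare referenced hosts with the domains the site owner has approved.
function auditTag(source, approvedDomains) {
  const hosts = extractHosts(source);
  const approved = (h) => approvedDomains.some((d) => h === d || h.endsWith("." + d));
  return {
    hosts,
    unapproved: hosts.filter((h) => !approved(h)),
    signals: Object.keys(FINGERPRINT_SIGNALS).filter((k) => FINGERPRINT_SIGNALS[k].test(source)),
  };
}

const report = auditTag(SAMPLE, ["clarivoy.com"]); // constructed allowlist
console.log(report);
```

A static scan only sees what is in the file it is given; each script that the tag loads in turn has to be fetched and scanned the same way.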

Jeffrey Tognetti

Getting Refreshed
Nov 15, 2011
64
66
18
First Name
Jeff
Understood about Criteo...however, it may NOT be the case entirely. Meaning if there was a retargeting campaign in place before where the U variable has a dealer ID and that campaign is no longer active then, in theory, it would still be collecting data.

My point is simple - Why have the script at all?

Finally, my larger point is, that there are other people imbedded in the script that are in fact collecting data, inclusive of PII.

(This I know for a fact)

The dealers we have as clients did NOT consent to this and had run-ins previously around this but yet it is happening again. That is the very direct point I'm making.
 

C Dorman

Getting Refreshed
Aug 7, 2018
63
50
18
First Name
Chip
Hmmmmmm, I haven't always seen eye to eye with Jeffrey on everything, but he's right. At best this is sloppy. When it comes to my data I don't trust anybody. And I mean anybody, including the OEM's. And as much as I hate it, the CCPA is going to shine a light on the dark data spots of the car business. Dealers are going to have to KNOW what's going on with their data. All of these companies are going to have to sign a boatload of disclosure statements about who they share data with and what they do with it. It's gonna get really ugly before it gets cleaned up.
 

Jeffrey Tognetti

Getting Refreshed
Nov 15, 2011
64
66
18
First Name
Jeff
There is something much bigger under the surface here. I won't get into what, but it involves much larger players... and there would be a lot of angry dealers if this thread gains traction. I'm sitting on my hands-
 

Alexander Lau

Sr. Refresher
Feb 11, 2015
2,189
606
113
First Name
Alex


Finally, my larger point is, that there are other people imbedded in the script that are in fact collecting data, inclusive of PII.

(This I know for a fact)

The dealers we have as clients did NOT consent to this and had run-ins previously around this but yet it is happening again. That is the very direct point I'm making.
 
Last edited:

Alex Snyder

President Skroob
May 1, 2006
2,801
1,416
113
First Name
Alex
Screen Shot 2019-10-15 at 3.40.37 PM.png

Tomorrow at 1:00 PM EST Tognetti joins us to talk about some of the topics appearing in this thread. I don't think I've ever had so many conversations with outside people to get ready for a show. The number of people volunteering information has been surprising :eek3:

  1. Numerous calls with Tognetti
  2. One call with Steve (CEO of Clarivoy) - I appreciated getting some different perspective from him & Matt this morning
  3. Texts with an ex-Clarivoy employee
  4. Direct Messages with another ex-Clarivoy employee
  5. And a very revealing call with another ex-Clarivoy person
  6. A call with an exec from a large third-party
  7. Chat conversation with another attribution company
  8. Numerous questions from dealers hitting me up directly
 
Reactions: Alexander Lau