Monthly Archives: July 2012

CNN Lies to Every One of Its Web Viewers

When is it okay to flat out lie to your users?  I would argue: Never.  But the website of one of the world’s most watched sources of news, CNN, does just that.

Near the bottom of every article is a section called “We recommend” and “From around the web”.  These sections list about six links to other articles either on CNN itself, other Turner properties, or simply as a paid referral service for selected partners.  So what’s my beef with this?  It’s not the targeted marketing, it’s the outright lie I noticed they make when you hover over any of those links with your mouse.

For some background, I’m a huge dissident against outbound link tracking.  It’s fundamentally the same as gluing a GPS tracking device to your forehead and giving a a tracking device to the website you’re visiting.  I have a problem with it because I think there is a fundamental freedom that is eroded by this technology – the freedom to consume information without being tracked for doing so.  Do I have the right to pick up a magazine and browse through it without giving someone my telephone number?  I would say yes — I think it is a natural right to be able to consume information without having your consumption observed.

But my belief here isn’t realistic — tracking basic visitor behavior and consumer preferences is the basic monetization and sustainability model for most of the Web as we know it.  So, this world doesn’t mesh with my perfect world, but at least I should know if someone is observing my behavior, right?  Observing CNN’s privacy policy one can clearly see the word “link” is referenced twice, once in relation to third-party sites that may cookie you, and once for integration to social media or other partner sites that may have differing privacy policies.

Okay, fair enough, therefore I should expect that if I am surfing just CNN’s website, if I disable cookies, and if I turn on my do not track header, I should expect not to be tracked, right?  No, and the reason is I cannot find out when I’m still on the CNN site to only stay within it.  The reason is CNN has specifically coded it’s site to lie to me about when I’m staying within it or navigating away.  For an example, if I were to hover over one example link in these two sections, I see the following in my browser status bar:

I right-clicked the link in Chrome and copied the URL.  Then curiously I noticed the link read differently in the browser status bar when hovering over it, this time reading:

Youch, what’s that, and why did it change?  On closer inspection, by viewing the source of the page, I can see the target href of the link is exactly as reproduced above, going to  I peeked at some other URL’s in the same section that I had not yet left-clicked or right-clicked and noticed this:

<a target=”_self” href=”; onmousedown=”this.href=’;rdid=349349184&amp;type=WMV_d/t1_ch&amp;in-site=false&amp;req_id=968ab83e0a0f44e584d8744520d2aea0&amp;agent=blog_JS_rec&amp;recMode=4&amp;reqType=1&amp;wid=100&amp;imgType=0&amp;refPub=0&amp;prs=true&amp;scp=false&amp;version=59070&amp;idx=4&#8242;;return true;” onclick=”javascript:return(true)”>Knicks’ Jason Kidd arrested on suspicion of DWI</a>

And herein is the deception — this piece of inline JavaScript code changes the target of the link at the moment it is clicked to go to the address.  Because target href originally reads to the final destination of the article, hovering over it gives the false impression that my click will directly take me to it.  Instead, at the moment I click it, the target href is changed to the potentially unscrupulous third-party, and I have been given no browser notification this would happen prior to my click, and upon responding, it redirects me back to the original CNN article I initially wanted to view.  On a broadband connection, you probably wouldn’t even notice the superfluous page load and redirect back to CNN’s site.  Deceptive!

So, sure, why should anyone care?  Isn’t this just plumbing, technology, and toolbox of tricks inherit of the Web?  Maybe, but the problem here is the lie.  You do not lie to your users.  Ever.  Outbound web tracking is not a web beacon.  Web beacons are a different kind of “evil” – usually some JavaScript that opens an IFRAME to a third-party site that issues a cookie to track you; however, web beacons are covered by CNN’s privacy policy, so if they were equivalent, it’s all fair.  Web beacons can be simply disabled by turning off third-party cookies in today’s browsers.  This is precisely why outbound link tracking is becoming popular – it circumvents the privacy management tools most users have available and have knowledge of.  Outbound link tracking is no more insidious than web beacons are, but the implementation of them often lies to the end user about what their action will do (a click in this case).  An honest implementation would be to either clearly state in the privacy policy that any links you click may be link tracked or simply not to deceive the user by rewriting the target href the moment they click it to actually go to the link tracking site so the browser status bar is truthful on hover (Twitter’s strategy).

Well, at least it’s just CNN at fault here.  At least no one else would stoop to such shady tactics.  Surely not Google (/url) or Facebook (l.php).. no, definitely not…