Curse LLC - more than 280 firms have access to data on our pcs while visiting CFC

Since the new rules the EU just approved about the protection of personal data for CFC members in the EU, an information window is popping up, informing the CFC member, that this site is using an ad delivery service provided by a firm with the nice name 'Curse' (!). It seems CFC members outside the EU don´t receive any information what really happens at CFC. As in another thread in this forum about the 'Curse banner' screenshots were demanded, I will add screenshots to this post.

In the first information window you get the following information:



If you here simply click on 'Got it, thanks', you will never have any glimpse what really happens at CFC by Curse LLC and more than 280 other firms, which seem to have access to the data in your pc while visiting CFC.

If you click on 'Learn more', the following information window is popping up:



Now comes the first big question for me:

Is setting all the options in that window to 'Inaktiv' really completely eliminating all activities of Curse and the other more than 280 firms on my pc while visiting CFC?

Here I have some doubts, because when clicking on 'Learn more & Set Preferences' in that information window, the following information boxes are popping up:



It seems 'toggling out' is not working well for eliminating the access and storing of information on the user´s pc, as in this window (if you have ever clicked on it) there is the information, that for 'opting out' of the activities of many firms you have to visit other sites on the internet and to do further steps for (hopefully) exluding these firms from your pc. This concerns more than 80 of the more than 280 firms that have access to the user´s pc while visiting CFC (if I counted well 88 firms). Screenshots with the lists of these firms and the requirement of visiting the internet at other sites 'to opt out' will come later in this post.

Another unsolved question is, what must be done, if Curse adds new firms to have access to the pc to opt them out. Must each member now watch Curse every day to see, if they have added a new firm and than again have to opt these firms manually out?



Here especially the very global clause, that Curse and the other more than 280 firms can gather any information about the user´s activity on that device (showing that this permission is considered globally by using the formulation 'including web pages and mobile apps visited or used'), is triggering sorrows, as this sounds like a license for completely outspying the user´s pc (not only the browser´s data) -and this is not acceptable.

By klicking in the information box shown in screenshot 2 also the following information boxes are popping up:










These information boxes are showing, that these firms perform personalisation and gathering and combining of personalized datas of the user. The occurrencies around Cambridge Analytica make me very sceptical, what can happen here, if there is only one 'black sheep' among those more than 280 firms that have access to the data in the user´s pc when visiting CFC, that is not gathering datas only for the user, but about the user and is taking advantage with those informations by selling them (around several corners) to employers, banks, insurances, political groups or is using them for criminal purposes.

The following screenshots show the more than 280 firms that have access to data from a user´s pc while visiting CFC:





The list will be continued in the next post as no more uploads in this post are allowed.

 

Continued: List of firms that have access to a user´s pc while visiting CFC:






















List will be continued in the next post.

 

List continued:

















In the discussions about Curse between CFC members outside the CFC forums some, especially American CFC members, couldn´t believe, that such an amount of data mining is done at CFC. My guess is, that it is done to all CFC members outside the EU, too, as the EU members of CFC were only informed when the new law was approved and there was the danger of very cost intensive actions of European lawyers.

I think this post would be a good possibility to clarify if such data mining by Curse and the more than 280 firms is also done to CFC members outside the EU, especially to CFC members in the USA - and if this is done to those members, too, what can they do to protect against it.

Now my second big question arises: Isn´t it better to maintain CFC by donations instead of data mining by Curse and over 280 other firms?

 

Also a thank you very much to you, Noble Zarkon, for helping to inform the CFC members, what really happens by Curse when visiting CFC. Many years ago in a discussion about the future financing of CFC, I opted for 'financing' by advertisment. Now I´m really shocked when seeing what happens here on my pc by Curse. The decision to become a supporter for me seems to be the right one.

The problem is, that a supporter only can stop this data mining for himself. I hope, CFC will gain so many supporters when seeing the truth, that even for members, who cannot afford such a support, the adware of Curse can be abolished somewhere in the future and my post can contribute something to achieve this aim. At least by now, every CFC member in the EU can make the proof of the activities by Curse and the many firms behind it, by simply not clicking on 'Got it. Thanks' - but on the link 'learn more' when the 'Curse Banner' is appearing.

I now will become one of the first new supporters of CFC. But I have one more question to clarify, about becoming a supporter of CFC:

Does the Supporter (Permanent Upgrade) for 36.00 USD mean, that the future access to CFC will be free for all time (as long as CFC is existing) from any advertisement and all ad ware?

 

Thank you very much for that information.

Edit: The 36 USD are now on the way to CFC via PayPal.

 

A very informative post, and an appropriate name for the LLC. I am in the U.S., but do see the cookies popup as Civinator described when visiting (and not logged on) via Firefox and Vivaldi. I don't see the notice when visiting in IE11 or Opera 12, however. But I'm glad to see that the notification and preference options are available in the U.S. as well. I've noticed these on quite a few other sites over the past month, too, particularly ones with a non-U.S. focus. It's often simpler to apply the new options globally than to only do them by region, and I'm glad how in that way GDPR is improving privacy options outside of Europe as well.

Also a small technical clarification - Curse LLC and other similar companies would not have access to local files stored on your PC, such as in your My Documents folder on Windows, or your Civ save files. In order for that to happen, they would have to exploit security flaws in your browser, as your browser is built to prevent this sort of general access. Otherwise it would be far too easy for someone to set up a website to harvest user's financial documents, tax returns, etc. Curse LLC thus won't have access to all the data on your PC while browsing CFC.

However, there is a lot more latitude on gathering information about sites visited, cookies from other sites, and generally data about what web sites you've interacted with, and advertisers do put a lot of effort into tying together this information to build a targeted advertising profile on you as much as possible. This is a real concern, and part of what GDPR is meant to regulate. From the description, it sounds like the latitude on mobile devices may also be wider than on desktop, particularly the note about which mobile apps were used. I am not a mobile expert, and unable to confirm either way on that.

In addition to recommending supporting sites you regularly visit financially if you can afford it (and especially if it gives an ad-free experience as it does at CFC), another setting I recommend checking for in your browser is the "Block 3rd Party Cookies" one. Checking this will reduce the amount of cross-site tracking that advertisers can do (regardless of GDPR compliance), and thus make it at least somewhat more difficult for them to build targeted advertising profiles. Finally, many browsers have a "Ask websites not to track me" option, which I recommend. While sites are not obliged to honor this request, for those that do it will reduce how much advertising is targeted towards you.

 

I have a question for more tech savvy people than me.

If I use an adblocker, do services like this still track me?

 

Depends on the adblocker and its block list, but usually yes.

 

To expand upon Synsensa's answer...

If an ad blocker block's an advertiser's domains (and thus prevents it from loading JavaScript, images, and other data), then they will have no means with which to track you. So, for example, if your ad blocker blocks the domains belonging to A Million Ads, Limited, then that one of the 280 firms will have no way to track you. But the same ad blocker may not block A.Mob's data. It's a bit of a game of cat and mouse, between the new ad firms (or new domains for existing ad firms) and the ad blockers.

It does also depend on your ad blocker. Some ad blockers, such as Ad Block Plus, have programs where in exchange for a monetary payment and abiding by some restrictions around the types of ads (such as not having pop-up ads), the ad blocker will allow some firms' ads through. Their rationale is that it's really misleading/annoying/screen-grabbing ads that users want to block... but also that they (the ad-blocker) needs a way to make money. If your goal is to avoid all ads, or avoid being tracked by advertisers, however, this is obviously a loophole, which can be pretty large.

These days, uBlock Origin is the ad blocker that seems to be most generally recommended as effectively and universally blocking ads, and not accepting payments for exceptions. From my understanding, it's essentially operated as a Civ mod here would be - done in people's free time, and not as their primary means of income. Although of course that can lead to availability-of-people-to-make-updates issues, so far it seems to be working better than the ad-blocker-which-needs-to-support-people's-livelihoods model. You can also selectively un-block ads on sites you want to support.

Another finer point that bears mentioning is tracking via images. A common technique nowadays is for advertisers to embed tiny, 1-by-1 pixel images either on websites or in e-mails, for tracking purposes. It's most easily explained by e-mail. Let's say your e-mail is cfcisawesome@somewhere.net. You sign up for a mailing list of some commercial store or site. They send you next week's e-mails, and in addition to whatever text is there, can include an invisible image, which might be customized. Maybe it loads from http://www.amillionads.com/smallEmailImage.gif?email=cfcisawesome@somewhere.net. As soon as your e-mail client loads that e-mail (if it loads images), that image will be loaded, and if they've set up their message to include your e-mail in the image URL, and the server to monitor for it, they now know that you've opened that e-mail. Similar techniques (though perhaps relying on somewhere more obscure identifiers) work on websites as well - so if an ad blocker blocks JavaScript, but not images, from advertisers, it's only partially effective.