I recently fell down a deep dark hole on the internet.

It began by researching a part for my central air conditioning but ended up with me stumbling upon a terrible development in modern advertising: spam driven by my browsing habits.

If that sounds like a privacy invading hellscape you’d like to avoid, read on, dear reader.

It was one of those manic googling sessions; copying and pasting in serial numbers, clicking frantically, trying to make sense of a piece of hardware I had assumed I would never need to understand.

I can’t remember if I found what I was looking for on sears.com, but I certainly wasn’t interested in buying anything from them.

Sears wasn’t about to let me off the hook so easily: a week or so later, I received an email asking me if I was still interested.

Also, emoji in subject lines from marketers is officially lame.

Interested? Interested in what?

Since I keep pretty good track of what newsletters and promotions I’m subscribed to, I was certain I never signed up for a Sears list – I don’t even have an account on sears.com:

So how did Sears get my email address?

At the bottom of the spam was a clue from a company named Criteo:

This message is personalized by Criteo Email based on your previous browsing behavior. To understand why you received this email and access Criteo Email privacy policy, click here. If you want to opt-out only from Criteo Email personalized emails, click here.

On Criteo’s website they further explain how this retargeting works:

…if you browse on one of our advertisers’ website and click on a product of that website, you may receive a personalized email promoting that product or similar items from that advertiser.

But this doesn’t really explain how they got my email address. It’s not that big of a secret, but clearly no human was involved in this process, so I was extremely curious how Sears managed to sign me up without ever knowing my email in the first place.

On Criteo’s website, it says they received my email from a “partner” database:

What partner? What database? There’s no explanation of who gave my email address to Criteo.

But after puzzling through their site, here is what I think happened:

1. I am signed up to some platform which is a Criteo partner. It’s entirely unclear who this partner is. While Criteo boasts a “close partnership” with Facebook, Facebook claims that they do not share personally identifying information such as your email address with ad partners. Regardless, a platform with my email address gave it to Criteo.
2. That platform dropped a Criteo cookie in my browser at some point in the past.
3. That platform delivered my information (a way to identify me using a cookie and a hash of my email address) to Criteo.
4. A couple weeks ago, servers alerted Criteo that my Criteo ID was browsing sears.com. They are able to do this because sears.com loads Criteo code and uses a criteo.com cookie (screenshot here).
5. Criteo queries its partner for my email address when Sears wants to send spam to users who browsed their website.
6. Sears gets my email via Criteo, subscribes me to a newsletter, and sends me the spam.
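To make the chain above concrete, here is a toy model of the joins it describes (added example; this is not Criteo’s code, and the partner, cookie and product names are constructed). It shows why a “hashed” email is still a stable identifier that a partner can turn back into an address, and why a visitor whose cookie was never synced cannot be resolved:

```python
import hashlib

# Constructed example: a partner's subscriber list, a cookie-to-hashed-email
# sync, and an advertiser site reporting visits by cookie id.


def email_hash(email: str) -> str:
    # Hashed emails are built from a normalized address, so the same address
    # always yields the same identifier. That determinism is the weak point:
    # anyone holding the plaintext list can match the hash back to a person.
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


class RetargetingNetwork:
    """Toy model (an assumption, not a real system) of the flow in the post."""

    def __init__(self):
        self.cookie_to_hash = {}  # network cookie id -> hashed email, from partner syncs
        self.visits = []          # (cookie id, site, product) reported by advertiser pages

    def partner_sync(self, cookie_id, hashed_email):
        # The partner ties the network cookie it dropped to a hash of the user's email.
        self.cookie_to_hash[cookie_id] = hashed_email

    def record_visit(self, cookie_id, site, product):
        # The advertiser's page loads network code and reports the network cookie id.
        self.visits.append((cookie_id, site, product))

    def resolve_for_advertiser(self, site, partner_directory):
        # For each visitor to `site`, find the hash, then ask the partner for the address.
        resolved = []
        for cookie_id, visited_site, product in self.visits:
            hashed = self.cookie_to_hash.get(cookie_id)
            if visited_site == site and hashed in partner_directory:
                resolved.append((partner_directory[hashed], product))
        return resolved


def demo():
    reader = "Reader@Example.com"  # constructed address
    # The partner keeps plaintext addresses and can answer a lookup by hash.
    partner_directory = {email_hash(reader): reader.lower()}
    network = RetargetingNetwork()
    network.partner_sync("cookie-A", email_hash(reader))
    network.record_visit("cookie-A", "sears.com", "ac-capacitor")
    # A visitor whose cookie was never synced (cookies blocked or cleared) stays unresolved.
    network.record_visit("cookie-B", "sears.com", "ac-capacitor")
    return network.resolve_for_advertiser("sears.com", partner_directory)
```

Running `demo()` returns only the synced visitor, which is the whole point: blocking or clearing the network cookie breaks the link even though the partner still holds the address.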

Criteo (and their partners, like sears.com) have successfully performed an end-run around the traditional newsletter opt-in process.

By managing email lists and functioning as an advertising retargeting network, Criteo enables spammers to enroll innocent users browsing the web in third-party newsletters.

Criteo claims that they “never stored [sic] any personal information”, but at some point they have to get my email address to give to Sears.

Here’s how they describe how that happens:

Only when we craft the email on behalf of our advertisers, we receive your name, surname and email address from our partners, should you have consented to receive their emails marketing. At no point are these identifying data stored by Criteo Email. Criteo Email deletes these data as soon as the email is sent to you.

Let’s ignore the fact that they assume Sears had my consent (they didn’t).

Criteo’s claim that they didn’t store my information is beside the point. The problem is that I got signed up for spam because I was merely browsing the web, and now a third party has my name and email address. Criteo gets to claim they don’t store that information, but what does it matter if it ends up in the hands of spammers like Sears?

This transaction breaks a core promise of using the internet: just because I visit a website doesn’t mean I consent to getting spam from it.

Is this legal?

Unfortunately, in America, it appears to be. The CAN-SPAM Act actually allows direct marketing email messages to be sent to anyone, without permission, until the recipient explicitly requests that they cease (opt-out).

That said, Criteo is a company based in France, where email laws are more strict: the EU requires users to opt in to direct marketing unless there’s a preexisting business relationship. Whether browsing a website could be considered a “preexisting business relationship” is anyone’s guess, but my gut is that Criteo is in an extremely grey area of the law if they’re doing this to European users.

But is it right?

It’s one thing to have on-page display ads follow a user around the web, but it is another to use retargeting to sign users up for spam. And spam might be just the beginning: the metadata about your browsing habits circulated by companies like Criteo could be used for much worse things than sending you junk mail.

What happens if Criteo partners with a background check service? Or an insurance company? Suddenly your browsing habits might be curtailing real life opportunities that have nothing to do with the web.

And combined with the risks of traditional data brokers, the power of ad retargeting data is ripe for abuse.

Call me old-school, but this is a pretty depressing development for the web.

But until legislation catches up to regulating the negative consequences of retargeting, there may not be much you can do about this besides blocking cookies, ads, and opting out of Criteo’s entire system by submitting your email address here.