Appendices
Click, You're Hired. Or Tracked...
A Report on the Privacy Practices of Monster.com
Copyright © 2001 The Privacy Foundation

By Pam Dixon
Executive Director, The World Privacy Forum

Appendix A
Appendix B

Appendix A
Detailed problem description: Monster.com and Private Label corporate sites

Corporations with private label accounts at Monster.com appear to cloak their involvement with Monster. Meanwhile, the corporate affiliate sites require users to accept cookies — all from a domain called "newjobs."

For example, when job seekers apply online for a job at the Blockbuster.com website, the resume goes to blockbuster.newjobs.com.

When job seekers apply for an Adecco job online directly from the Adecco corporate website, the resume goes to jobsearch.adecco2.newjobs.com.

In every instance, the domain "newjobs" is involved in some way. Even when job seekers merely look at jobs at the Sony Electronics website, the URL in the browser window reads http://sel.newjobs.com/.

Packet sniffing the transactions and a series of ping and traceroute tests conducted on the corporate websites revealed that all of the corporate websites using "newjobs" domains, such as blockbuster.newjobs.com, jobsearch.adecco2.newjobs.com and snelling.newjobs.com, belong to TMP/Monster.com, and that information sent to "newjobs.com" is actually going directly to Monster.com.

A check of the ARIN database and the Whois database revealed that newjobs.com is owned by TMP Worldwide in Maynard, Massachusetts, the offices of Monster.com.

Here is one result, a ping of the hostname snelling.newjobs.com, run to determine the actual IP address behind snelling.newjobs.com. (The -a switch asks the Windows ping command to resolve the address back to a name, which is why the output reports it as alliances.monster.com.)

ping -a snelling.newjobs.com

Pinging alliances.monster.com [63.112.169.9] with 32 bytes of data:

Reply from 63.112.169.9: bytes=32 time=105ms TTL=109
Reply from 63.112.169.9: bytes=32 time=176ms TTL=109
Reply from 63.112.169.9: bytes=32 time=136ms TTL=109
Reply from 63.112.169.9: bytes=32 time=127ms TTL=109

Ping statistics for 63.112.169.9:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds: Minimum = 105ms, Maximum = 176ms, Average = 136ms

The ping revealed that snelling.newjobs.com resolves to the IP address 63.112.169.9. A query to the ARIN database asking to whom the 63.112.169.9 address belonged returned the following:

UUNET Technologies, Inc. (NETBLK-UUNET63)
UUNET63 63.64.0.0 - 63.127.255.255
Monster.com (NETBLK-UU-63-112-168)
UU-63-112-168 63.112.168.0 - 63.112.171.255

And a look at the Whois database was simply more confirmation of who owns the newjobs domain. Here are the query results:

Registrant: TMP Interactive (NEWJOBS-DOM) 5 Clock Tower Place Ste 500 Maynard, MA 01754-2574 US
Domain Name: NEWJOBS.COM

What does TMP/Monster ownership and usage of newjobs.com mean for job seekers looking at and applying for jobs at corporate sites with Monster affiliations?

First, the long-term tracking "newjobs" cookies given to applicants at Blockbuster and other corporate websites are available to Monster.com until the cookies are deleted.

Additionally, any information given to the corporate site while a "newjobs" URL is showing goes to Monster.com. Most of the affiliate sites require job seekers to set up a profile with a password. Users are not told that the profile information is sent to Monster.com. Indeed, at most of the affiliate sites, the fact that the information is going to Monster.com is not revealed anywhere, including in the privacy policies, where privacy policies are available at all.

The following is an example of packet sniffer data showing what happens as a job seeker posts a resume ostensibly to Adecco’s corporate website. Note that the information is going to adecco2.newjobs.com, a domain that belongs to Monster.com, not Adecco. The resume is given a unique ID, and a cookie with data is sent to the newjobs (Monster’s) domain; the cookie itself contains the resume sender’s name (in this case Angela Mortlach) and the resume sender’s e-mail address (in this case technologydiva@thedixonreport.com).

A good deal of other information, such as the resume ID, is also in the cookie, and Monster.com now has all of it. Even if no one from Monster ever saw the resume itself, Monster would still receive the name and the e-mail address, key marketing information, even though the resume sender never intended to put the resume on the Monster site or give Monster this information.

GET /additionalinfo.asp?resumeid=14987889&original= HTTP/1.1
Accept: */*
Referer: http://adecco2.newjobs.com/skills.asp?resumeid=14987889&original=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
Host: adecco2.newjobs.com
Connection: Keep-Alive
Cookie: ASPSESSIONIDGQGGGRQM=OMPOAOEAOAIDHAGKANMHFHIN; cookietest=ok; ASPSESSIONIDQGQGGQFT=MJBCHBFAPMIBDHNCEJDFFNGE; ASPSESSIONIDGGGGQQYH=GKPGBOEAOIKMMPMIEFHHKKJF; rem1=MONKEY=669327894135&REMUSER=18041345; 18041345=MONKEY=3511506487104&LASTLOGIN=7%2F25%2F01+2%3A48%3A14+PM; newjobs%2Ecom=NAME=angela+q+mortlach&LASTLOGIN=0&NICKNAME=angelaq1792&FP=01&UP=&EMAIL=technologydiva%40thedixonreport%2Ecom&CP=&MONKEY=1%2E54210030299197E%2B15&BANSTATUS=0&LOGINID=leanne4342&USER=18041345
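As an added illustration (not code from the original report), the following Python parses a Cookie header laid out like the one above and lists the fields in it that identify the sender. The header value is a constructed placeholder in the same layout as the captured one, not the captured data itself.

```python
# Added example, not code from the original report: parse a captured HTTP
# Cookie header laid out like the one above and list the fields in it that
# identify a person. The header value below is a constructed placeholder.
from urllib.parse import parse_qsl, unquote_plus

# Constructed sample in the same layout as the captured newjobs.com cookie:
# several cookies, some holding a URL-encoded "key=value&..." record.
SAMPLE_COOKIE_HEADER = (
    "ASPSESSIONIDGQGGGRQM=OMPOAOEAOAIDHAGKANMHFHIN; cookietest=ok; "
    "rem1=MONKEY=669327894135&REMUSER=18041345; "
    "18041345=MONKEY=3511506487104&LASTLOGIN=7%2F25%2F01+2%3A48%3A14+PM; "
    "newjobs%2Ecom=NAME=jane+q+sample&LASTLOGIN=0&NICKNAME=janeq1792"
    "&EMAIL=jane%40example%2Ecom&LOGINID=jsample&USER=18041345"
)

# Field names that identify a person directly; extend this for a real audit.
PII_FIELDS = {"NAME", "EMAIL", "LOGINID", "NICKNAME", "USER"}


def parse_cookie_header(header):
    """Split a Cookie header into {cookie_name: value}.

    A value that itself contains '=' is treated as a nested record and
    parsed with parse_qsl, which also undoes the %xx and '+' encoding.
    """
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        name = unquote_plus(name)  # e.g. newjobs%2Ecom -> newjobs.com
        if "=" in value:
            cookies[name] = dict(parse_qsl(value, keep_blank_values=True))
        else:
            cookies[name] = unquote_plus(value)
    return cookies


def find_pii(cookies):
    """Return [(cookie_name, field, value)] for every non-empty PII field."""
    hits = []
    for cname, value in cookies.items():
        if not isinstance(value, dict):
            continue
        for field, fval in value.items():
            if field.upper() in PII_FIELDS and fval:
                hits.append((cname, field, fval))
    return hits


if __name__ == "__main__":
    for hit in find_pii(parse_cookie_header(SAMPLE_COOKIE_HEADER)):
        print("cookie %-12s field %-8s = %s" % hit)
```

Run against a real capture, the output is the list of personal fields a cookie scoped to newjobs.com carries, which is exactly what the site's privacy policy would need to disclose.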

Therefore, in this situation, job seekers are sending profile information to Monster.com without notice. The same goes for any resumes sent ostensibly to corporate websites with undisclosed Monster.com affiliations.

In one situation, at Travelers Insurance’s corporate job application site, by using the same e-mail to set up a profile as was used to set up an account at a totally separate corporate site, the following message was given:

Good news! We already have an account set up for you with your e-mail address. Simply click here for your Username and Password to be sent via e-mail to continue the log in process.

This message confirms source interviews which noted that Monster.com keeps all job search profiles together. It is disconcerting to discover that the mere act of going to a corporate website can get a job seeker a Monster.com profile, in which case a job seeker would have no understanding of the true privacy policies for that information and how the data may be used.

In another example, if a job seeker went to the H&R Block website to apply for a job, here is what they would see:

The URL in the browser window would be:

http://hrblock.newjobs.com/login.asp?redirect=/resume.asp

It has already been shown that newjobs.com actually belongs to Monster.com. The job seeker would read the following text about what H&R Block says about applying for a job via its corporate website:

Career Management Account

Click here to create an account. We encourage you to create an account to simplify your communication with us and allow us to match your skills with future opportunities within our company. Your information will remain confidential.

If you already have an account, please login.

Nowhere is Monster.com mentioned, alluded to, or even seen in the URL, cookies, or anywhere else. The privacy policy from the job search page was unavailable during the times the site was visited; the following page was listed as the policy, but did not come up: http://hrblock.newjobs.com/universal/privacy_policy.html.

The H&R Block general privacy policy was analyzed and even it did not contain any reference to its job search or career area, or its use of Monster.com or that information sent ostensibly to the H&R Block website was actually going to Monster.com servers. The site also did not mention that creating a profile on its site was going to create a Monster.com profile.

It should be noted that European sites with Monster.com affiliations are sometimes more direct in expressing that affiliation. Many of the EU company sites that were analyzed disclosed their relationship with Monster.com clearly.


Appendix B
Monster.com Detailed Problem Description: User Tracking involving AOL

When a job seeker visits Monster.com’s home page, the job seeker is asked to accept an assortment of cookies, small text files that identify a computer to the entity depositing the cookie. Users are also asked to run ActiveX controls, a browser extension technology that has been widely reported as a source of privacy problems at websites.

Naturally, users are not forced to accept cookies. But when cookies are not accepted, many of the pages at Monster.com do not work correctly, something Monster.com admits to in its policies. From the Monster privacy policy:

You have the option of setting your browser to reject cookies. However, doing this will hinder performance and negatively impact your experience on our site.

The site fails regularly when cookies are not accepted. When cookies are accepted on a job seeker’s computer, they may work in concert with banner ads to reveal job searching patterns of individual computer users, even if no resume has been posted.

The banner ads on Monster.com are served, or delivered, by AOL. The placement of the banner ads raises concerns, because they are located on very sensitive pages, including the pages where job seekers are asked to fill in forms with resume data, contact information, and other personally identifying information. Images on Web pages (like banner ad images) can be used to gather the data that a job seeker is filling in on a Web form, because the browser tells the image’s server which page, URL included, requested the image.

Web forms, if they are not handled correctly, can pose privacy risks to job seekers. The crux of the issue is how the Web form transfers data to servers. The preferred method for collecting information from Web forms is the POST method, which carries the form fields in the body of the request, so the information passes only to the server it is submitted to, in this case Monster.com’s servers. The GET method instead bundles the form fields into the page’s URL, and that URL is then passed along to any third party whose content the resulting page loads, in this case AOL, which can pick up the information too.

An analysis of the Monster site using a packet sniffer reveals that Monster.com Web pages use the POST method infrequently and rely primarily on the GET method. Monster.com may argue that its exclusive relationship with AOL requires it to pass key consumer data to AOL; in practice, Monster.com passes all job seekers’ information to AOL servers regardless of whether the job seeker is an AOL member or arrived through the AOL site. Further, the Monster.com privacy policy does not disclose this relationship.

Here’s a sample job search showing how the tracking process works on Monster.com.

After entering the Monster site and clicking on the "First Timer’s" area, then "Job Search," this researcher filled in the information that a job was sought in Dallas, Texas, as an accountant. The following URL showed in the browser window:

http://jobsearch.monster.com/jobsearch.asp?cy=US&brd=1&lid=615&fn=1&q=accounting

Any URL that shows in the Web browser window can also be "seen" by the third party advertisers that have banner ads on the page. In this case, the advertiser is AOL. The images making up the banner ads are coming from the AOL servers, or computers, which means that there is the potential for the AOL servers to get the information in the URLs.

A packet sniffer was used to analyze the logs of this job search session. The logs revealed that the preliminary job search information filled in on the job search page form was indeed passed to AOL. Note that this job search was conducted not on AOL, but on the open Web.

GET /html/93042540/monster?search=l615+c1&height=60&width=468&htmlpre=document.write%28%27&htmlsuf=%27%29%3b&xlnl=%5cn&xltick=%5c%27&ctype=application/x-javascript HTTP/1.1
Accept: */*
Referer: http://jobsearch.monster.com/jobsearch.asp?cy=US&brd=1&lid=615&fn=1&q=accounting
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
Host: ads.web.aol.com
Connection: Keep-Alive

Because Monster used the GET method in its job search form, AOL has information that the search parameter was l615+c1 (it is unknown what that value means), that a job was sought in a US city (615 is likely the code for Dallas, but this is unknown), and that the keyword used for searching was accounting. So far, this information spill is annoying and unnecessary, but not damaging per se. The information is not, at this point, extensive, particularly if the user is visiting for the first time and has not created a Monster profile or posted a resume.

After the search button was clicked on the job search page, a list of jobs was returned. A JP Morgan job was selected. The following URL showed up in the browser window:

http://jobsearch.monster.com/jobs/11752048.asp?jobid=11752048&CCD=my%2Emonster%2Ecom&JSD=jobsearch%2Emonster%2Ecom&HD=company%2Emonster%2Ecom&ADJ=&AD=http%3A%2F%2Fjobsearch%2Emonster%2Ecom%2Fjobsearch%2Easp%3Fcy%3DUS%26brd%3D1%26lid%3D615%26fn%3D1%26q%3Daccounting&Logo=1

The job ID for this JP Morgan accounting position is 11752048, as seen in the jobid=11752048 portion of the URL above.

AOL servers get to pick up this information too, as seen in the network logs of this job search as analyzed by a packet sniffer:

GET html/7014704/monster?height=60&width=468&htmlpre=document.write%28%27&htmlsuf=%27%29%3b&xlnl=%5cn&xltick=%5c%27&ctype=application/x-javascript HTTP/1.1
Accept: */*
Referer: http://my.monster.com/login.asp?authtype=1&redirect=%2Fapply%2Easp%3Fjobid%3D11752048%26redirect%3Dhttp%253A%252F%252Fjobsearch%252Emonster%252Ecom%252Fjobsearch%252Easp%253Fcy%253DUS%2526brd%253D1%2526lid%253D615%2526fn%253D1%2526q%253Daccounting
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
Host: ads.web.aol.com
Connection: Keep-Alive

Because Monster.com used the GET method to collect information from its job search forms, that information is bundled into a URL, which then shows up in the Referer field of the request above. Again, when information is in the Referer field, third parties can pick it up. The JP Morgan job ID (jobid=11752048), the country and probable state ID (cy=US and lid=615), and the keyword passed along to AOL (q=accounting) can all be read out of the nested redirect parameter in that URL. Looking at the Host field, you can see that this request is going directly to AOL servers (Host: ads.web.aol.com).
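An added example (not part of the original report) of the check a site operator or auditor can run over captured requests: it parses a request like the one above, decides whether the Host belongs to a different party than the Referer’s site, and if so pulls every form field out of the Referer, descending through the nested redirect parameters. The request text is constructed to mirror the capture above with the ad parameters shortened; treating the last two DNS labels as "the site" is a simplifying assumption that holds for these hosts.

```python
# Added example, not code from the original report: given a captured HTTP
# request, report which form fields reach a third-party host through the
# Referer header, descending through nested redirect= parameters. The
# request text is constructed to mirror the ad fetch above (ad parameters
# shortened); the site test below is a simplifying assumption.
from urllib.parse import parse_qsl, urlsplit

SAMPLE_REQUEST = """GET /html/7014704/monster?height=60&width=468 HTTP/1.1
Accept: */*
Referer: http://my.monster.com/login.asp?authtype=1&redirect=%2Fapply%2Easp%3Fjobid%3D11752048%26redirect%3Dhttp%253A%252F%252Fjobsearch%252Emonster%252Ecom%252Fjobsearch%252Easp%253Fcy%253DUS%2526brd%253D1%2526lid%253D615%2526fn%253D1%2526q%253Daccounting
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
Host: ads.web.aol.com
Connection: Keep-Alive
"""


def parse_request(raw):
    """Return (request_line, {header name in lower case: value})."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def site_of(host):
    """Assumption: the last two DNS labels name the site, so my.monster.com
    and jobsearch.monster.com are one party and ads.web.aol.com another.
    A public-suffix list is needed for hosts such as example.co.uk."""
    return ".".join(host.lower().split(".")[-2:])


def flatten_query(query, depth=0):
    """Parse a query string into a dict. A value that is itself a URL or
    path with a query (the nested redirect= values above) is descended
    into, undoing one layer of %25 double-encoding per level."""
    fields = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if "?" in value and depth < 8:
            fields.update(flatten_query(value.split("?", 1)[1], depth + 1))
        else:
            fields[key] = value
    return fields


def referer_leak(raw):
    """Form fields the Referer hands to a third-party Host, or {} when the
    request is first-party or carries no Referer."""
    _, headers = parse_request(raw)
    referer, host = headers.get("referer"), headers.get("host", "")
    if not referer or not host:
        return {}
    parts = urlsplit(referer)
    if site_of(parts.hostname or "") == site_of(host):
        return {}
    return flatten_query(parts.query)
```

The same field set would stay inside Monster’s own servers if the form used POST, since the values would then sit in the request body rather than in a URL the browser repeats to every embedded resource.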

This pattern of information spillage continues throughout the Monster.com site, even for people who have not registered or posted a resume. At this point, AOL servers are being passed information about what pages have been looked at, what job area, city, state and country are being looked at, and what specific jobs have been looked at.

If a job seeker then decides to apply for a job online, they can register to do this. Registration is required before posting a resume on Monster.com, according to research. Frequently, job seekers are asked to take pre-employment tests before they can send a resume to the job. The JP Morgan job, for example, required that users rate their skills in four job skills areas.

At the Monster registration and resume posting area, the information spills continue. The registration and resume posting pages contain ads from AOL. As already seen, these ads can pick up the information filled into Web forms because of Monster’s use of the GET method. If JP Morgan had provided contact information on its job ad, or if Monster had allowed them to provide it, a job seeker would be able to go directly to JP Morgan to apply for the job. It should be noted that some job advertisements on Monster.com do provide e-mail contact addresses, so that savvy job seekers can bypass Monster.com and apply directly. But this is not a given, and without such reference information, a job seeker who wanted to apply for this job would have to click the Apply link, which leads to the Monster.com registration page and resume building page.

Here is a packet sniffer log of what one of the resume page transactions looks like; in this case a few pages of the resume had been partially created.

GET /html/7014704/monster?target=_top&height=60&width=468 HTTP/1.1
Accept: */*
Referer: http://my.monster.com/userprofile.asp?resumeid=14129236&viewresume=&original=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
Host: ads.web.aol.com
Connection: Keep-Alive

In this situation, AOL servers are being sent the resume ID number (resumeid=14129236 in the Referer above). They do not appear to have the name of the person, but they do have the resume ID number that ties the resume directly to one unique person and their complete profile of information stored at MyMonster.com. It is not clear why AOL servers need the resume ID number of a person applying for a job on Monster.com and not on AOL.com. Monster.com says it has over 8.6 million resumes in its database; that’s a lot of user data to have passed along to AOL servers.

A note about information correlation at Monster.com. The job ID that became part of the job search profile earlier (11752048), was then placed with personally identifying information such as name and made available to Monster.com servers. It is perfectly understandable and acceptable that Monster.com needs to send this information to its own servers for limited time periods. But AOL has the Job ID and now the Resume ID. With these two pieces of information, it is technically possible, given even a small accidental data spill, to correlate personally identifying information to the ID numbers. These ID numbers are given to all site visitors who post resumes, even if Monster.com is accessed outside of AOL or accessed without using AOL Internet services.

Below is the log showing Monster’s correlation of the data; please note that this information is not going to AOL servers in this instance. This data is to show that Monster has correlated the ID numbers with personally identifying information. It is unknown if this correlating data is given at any point to AOL either through the servers, or elsewhere offline. Please note that it is normal for a job site to correlate ID numbers with other information. What is unusual is to pass these numbers to third party servers belonging to such entities as AOL.

HTTP/1.1 302 Object moved
Server: Microsoft-IIS/5.0
Date: Thu, 21 Jun 2001 13:31:12 GMT
Location: /login.asp?NoAuto=1&user=bethhurley&Password=bethbeth&submit=1&redirect=%2Fapply%2Easp%3Fjobid%3D11752048%26redirect%3Dhttp%253A%252F%252Fjobsearch%252Emonster%252Ecom%252Fjobsearch%252Easp%253Fcy%253DUS%2526brd%253D1%2526lid%253D615%2526fn%253D1%2526q%253Daccounting
Content-Length: 388
Content-Type: text/html
Set-Cookie: rem1=MonKey=822690325228&RemUser=17291948; expires=Fri, 21-Jun-2002 13:31:12 GMT; domain=.monster.com; path=/
Cache-control: private

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="/login.asp?NoAuto=1&user=bethhurley&Password=bethbeth&submit=1&redirect=%2Fapply%2Easp%3Fjobid%3D11752048%26redirect%3Dhttp%253A%252F%252Fjobsearch%252Emonster%252Ecom%252Fjobsearch%252Easp%253Fcy%253DUS%2526brd%253D1%2526lid%253D615%2526fn%253D1%2526q%253Daccounting">here</a>.</body>

The user name, "bethhurley", appears in the Location URL, and the password travels in clear text in the same URL beside it. The job ID number (11752048) appears again, as does the information about city, state, and keyword. A new number, the user number (RemUser=17291948), appears in the Set-Cookie header.

A cookie that Monster deposited to the computer hard drive echoed this information:

rem1
MonKey=822690325228&RemUser=17291948
monster.com/
0
3905785856
29497639
391427360
29424215
*
17291948
MonKey=3745570186096&LastLogin=6%2F21%2F2001+8%3A47%3A49+AM
monster.com/
0
3961133568
29424417
2036292768
29424217
*

Many users accept these types of cookies, which are meant to let site visitors use the site without having to log in every time. This cookie simply remembers the user number (RemUser=17291948) and provides visit information such as the time and date of the last Monster.com visit. Monster also uses these cookies to track users in a very detailed way as they search for jobs. Monster correlates the unique user ID, which is connected with the resume, across job searches, job applications, and resume postings.
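The following is an added example, not code from the original report, that decodes the cookie dump shown above. It assumes the dump is in the per-site cookie file layout used by Internet Explorer of that era, nine lines per record with each timestamp stored as a Windows FILETIME split into low and high 32-bit words; the rem1 expiry it recovers agrees with the expires= value in the Set-Cookie header above, which supports that assumption.

```python
# Added example, not code from the original report: decode the cookie-file
# dump shown above. Assumption: the dump is in the per-site cookie file
# layout used by Internet Explorer of that era, nine lines per record
# (name, value, domain/path, flags, expiry low word, expiry high word,
# creation low word, creation high word, "*"), each pair of 32-bit words
# being a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl

# The two records from the report above, with wrapped lines rejoined.
COOKIE_DUMP = """rem1
MonKey=822690325228&RemUser=17291948
monster.com/
0
3905785856
29497639
391427360
29424215
*
17291948
MonKey=3745570186096&LastLogin=6%2F21%2F2001+8%3A47%3A49+AM
monster.com/
0
3961133568
29424417
2036292768
29424217
*
"""

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(low, high):
    """Combine the two 32-bit words and convert to an aware UTC datetime."""
    ticks = (int(high) << 32) | int(low)  # 100 ns units
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_cookie_dump(text):
    """Return one dict per nine-line record, with the value split into fields."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    records = []
    for i in range(0, len(lines) - 8, 9):
        name, value, site, flags, exp_lo, exp_hi, cre_lo, cre_hi, end = lines[i:i + 9]
        if end.strip() != "*":
            raise ValueError("record %d does not end with '*'" % (i // 9))
        records.append({
            "name": name.strip(),
            "fields": dict(parse_qsl(value.strip(), keep_blank_values=True)),
            "site": site.strip(),
            "flags": int(flags),
            "expires": filetime_to_datetime(exp_lo, exp_hi),
            "created": filetime_to_datetime(cre_lo, cre_hi),
        })
    return records


def persistent_identifiers(records, now):
    """Identifier fields in cookies still valid at `now`: what the browser
    will hand back to the site, unprompted, on the next visit."""
    ids = []
    for rec in records:
        if rec["expires"] > now:
            for key, val in rec["fields"].items():
                if key.lower() in ("remuser", "monkey"):
                    ids.append((rec["name"], key, val))
    return ids
```

Decoded this way, rem1 expires on 21 June 2002 at 13:31:12 UTC, a full year after the response that set it, while the 17291948 cookie lapses the next day; the year-long one is what carries the user number across visits.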

GET /js.ng/Params.richmedia=yes&site=mons&app=www&size=313x163&pp=1 HTTP/1.1
Accept: */*
Referer: http://www.monster.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
Host: ads.monster.com
Connection: Keep-Alive
Cookie: NGUserID=a0a0a0e-469-993129856-6; rem1=MonKey=822690325228&RemUser=17291948; 17291948=MonKey=3534516373904&LastLogin=6%2F21%2F2001+8%3A31%3A23+AM

In the example above, an advertisement served by Monster.com and apparently returning to Monster’s servers, collects a cookie with the user ID. As long as users do not mind their intricate job searching patterns collected by Monster.com and tied directly to them, then this type of tracking will not be a problem. If users mind detailed, personal tracking, then this would not be appealing.

There may be additional issues of datamining ("eResourcing") the information passed to Monster.com servers, a practice Monster.com itself acknowledges in financial documents filed with the SEC. It therefore becomes important to understand all the ways each bit of information that is passed to Monster.com and the AOL servers is used, now and in the future.
