I was recently looking at a number of application whitelisting solutions and one of the ones I was looking at was Carbon Black. I spent quite a bit of time on their website trying to see if they actually published any solid, useful, technical documentation about what it is they actually do beyond their tagline "Stop the Most Attacks. See Every Threat. Compromise Nothing."

A few days later I got a call from a sales person from Carbon Black saying that they saw I was interested in their product.

I assume they have some algorithm on their website analytics that does a lookup on any IP address that spends more than a set amount of time on their site (I was there for about 10 minutes). If you do a PTR lookup on our gateway IP address or throw it into any Geo IP database like ipinfo our organisation comes up. From there it's not hard to Google us, call reception and ask for whoever manages IT Security.

I browse the web with Do Not Track switched on, I understand that it's voluntary and websites can just ignore that flag. But tracking me shows a complete lack of respect for users privacy wishes and doesn't inspire me to install their products on all of the desktops I manage.

Bruce Schneier blogged about something similar recently where websites were grabbing user form data before it's submitted. He says

"This is important because it goes against what people expect"

Just like using javascript to grab from data, tracking users is not that technically difficult but it's not what people expect. Browsing someone's website is not the same as filling in the contact us form and you don't expect to get a call from one of their marketing people.