Ask DH to Publish "That List" of Vetted 3rd Party Service Providers


In light of the tsunami of hacks in the news [1], I take the reasonable security measures of running a tight firewall on my workstation and a SCRIPT / COOKIE blocker on my browser.

When I attempt to use, my browser warns of a long list of third parties attempting to run scripts and write cookies.

Dreamhost’s published Privacy Policy covers Dreamhost’s uses for and protection of the Customers’ Private Personal Data. It does not appear to cover any of the 3rd party eavesdroppers trying to access (attack? :o) customer systems.

Why is trying to run a program on my system? Why is monitoring my system while I am keying in my CREDIT CARD NUMBERS to pay Dreamhost?

DH tech support mentions a list of:
<< "reputable third-party providers, vetted by our designers, developers, security team members"
but claims that:
<< “Tech Support team doesn’t have a list of such third-party tools because that list changes frequently”

I have asked Dreamhost to kindly publish specific guidance on which 3rd party hosts are currently vetted and for what specific customer service so that we can whitelist them.

PAYING CUSTOMERS deserve to know who we must allow to access our systems in order to use Dreamhost. Has anybody else gotten a better answer?



Note [1]:
3 BILLION Yahoo accounts Hacked
145 Million Equifax accounts Hacked
US voting system Hacked?

Technical Support response from Dreamhost regarding
Full Disclosure of Vetted 3rd Party Service Providers:


DreamHost uses a variety of tools to constantly improve customer
experience. Some of these tools are offered by reputable third-party
providers, vetted by our designers, developers, security team members and
marketing people. Tech Support team doesn’t have a list of such
third-party tools because that list changes frequently. You also seem to
be fairly knowledgeable at discovering what those extra services are, so
you can do your own research too. In any case, you should be reassured
knowing that all the data collected and how it’s used is described in our
privacy policy which I suggest you to read and understand fully. We do
our best to protect customer’s privacy and we have a good record in doing
so but ultimately what is acceptable is based on individual’s choices:
if you’re not comfortable with DreamHost’s privacy policy, you may decide
not to use DreamHost services.


that’s a very sane thing to do, good for you!

You may want to try a different blocker, one that instead of constantly raising flags, making your navigation experience horrible, just silently drops everything that is not crucial to the operations of the site you’re reading. For example, I use uBlock Origin on Firefox mainly for adblocking and EFF Privacy Badger to block everything else annoyingly intrusive.

Drip is marketing automation software (you can easily check it for yourself --one of the beauties of html is that you can see easily what’s running in your browser). What do you mean that it’s trying to run a program on your system? Can you share a screenshot of what you’re seeing specifically? facebook is … well, I’m sure you know who they are and what they do since you seem to be privacy conscious.

I don’t understand your question: you can look easily at the list of services loaded by every page on, your browser addon is telling you which ones they are. DreamHost has vetted all of those, otherwise they wouldn’t be there. Also, as far as I know, none of them are strictly necessary to buy/use/enjoy DreamHost’s services. Try disabling them all and see if you can still do things.

Maintaining a whitelist of these services is also a moot point: if you’re privacy conscious, why would you want to whitelist facebook anyway?

I personally use another approach which I suggest you to try: block ads with an addon like uBlock and use Privacy Badger. Those alone will address most of your concern. If a website like DreamHost or others refuse to operate because a script is not being loaded, then analyze that individual script and decide if you want to whitelist it or go browse somewhere else.



You run No Script Blocker because Dreamhost has already vetted their Trusted Partners. For other sites, you glance at the Page_Source to easily spot any unfriendly code.

Your assertion that you can ~“easily analyze individual scripts” is not remotely credible for many reasons:

  • Many scripts (especially malicious ones) run “On-Page_Load” so they run before you have an opportunity to read the rendered page or the source.
  • Some scripts just send arguments to their server which are used to build the actual, "Just-In-Time" Javascript. You can NOT see the Code until after a script is executed and any damage has already been done.
  • Running without a Script Blocker or debugger, you would have no idea what is being run inside the browser's virtual machine.
  • Even if you were to set a breakpoint to stop after the "Just-In-Time" script is written, the length and complexity of tracking code would make it all but impossible for anybody but the writer to make sense of it.

Can you explain how you are able to “easily check” not yet written browser scripts running only an ad blocker?



Something like the Developer Tools will help you find out what happens in your browser at any given time, what scripts are loaded, what communication goes in and out of your browser, with what payloads, etc.

For Firefox, you find Developer Tools documentation here:

Other browsers have similar tools. If you see fishy things running in your browser you can ask here or as a Support ticket.
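
One way to get the list discussed in this thread from the browser itself, as an added example that is not part of any post here: export the Network panel as a HAR file from Developer Tools and summarize the third-party hosts it recorded. The HAR data, the hostnames and the function names are constructed for illustration, and `_initiator` is a Chrome-specific HAR field that other exports may omit.

```javascript
// Added example: summarize third-party hosts from a HAR export.
// The HAR below is constructed sample data; hostnames use the reserved .example TLD.
const sampleHar = {
  log: { entries: [
    { request: { url: "https://www.shop.example/checkout" },
      response: { content: { mimeType: "text/html" } } },
    { request: { url: "https://www.shop.example/js/app.js" },
      response: { content: { mimeType: "application/javascript" } } },
    { request: { url: "https://cdn.tracker.example/t.js" },
      response: { content: { mimeType: "application/javascript" } },
      _initiator: { type: "parser" } },
    { request: { url: "https://cdn.tracker.example/payload.js?id=42" },
      response: { content: { mimeType: "text/javascript" } },
      _initiator: { type: "script" } },
    { request: { url: "https://pixel.social.example/tr?ev=PageView" },
      response: { content: { mimeType: "image/gif" } },
      _initiator: { type: "script" } },
  ] },
};

// True when host is the site itself or one of its subdomains.
function isFirstParty(host, siteDomain) {
  return host === siteDomain || host.endsWith("." + siteDomain);
}

// Returns one record per third-party host, sorted by hostname.
function thirdPartySummary(har, siteDomain) {
  const byHost = new Map();
  for (const entry of har.log.entries) {
    let host;
    try { host = new URL(entry.request.url).hostname; } catch { continue; }
    // Skip data:/blob: entries (empty hostname) and first-party requests.
    if (!host || isFirstParty(host, siteDomain)) continue;
    const rec = byHost.get(host) ||
      { host, requests: 0, scripts: 0, scriptInitiated: 0 };
    rec.requests += 1;
    const mime = (entry.response?.content?.mimeType || "").toLowerCase();
    if (mime.includes("javascript") || mime.includes("ecmascript")) rec.scripts += 1;
    // Requests started by another script are the ones page source never shows.
    if (entry._initiator?.type === "script") rec.scriptInitiated += 1;
    byHost.set(host, rec);
  }
  return [...byHost.values()].sort((a, b) => a.host.localeCompare(b.host));
}

console.table(thirdPartySummary(sampleHar, "shop.example"));
```

The `scriptInitiated` column counts requests that were started by an already-running script, which is the case raised earlier in the thread where the code is not visible in the page source before it runs.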


I have similar privacy and “unwanted-ware” concerns as the OP, use ad blockers, etc, but I haven’t been as attentive to the topic as the OP. And while I appreciate the cordial and direct responses from @smaffulli, respectfully I also find them a bit deflective in this thread. The OP is asking why Facebook is involved in his business transaction. The answer to that isn’t to watch the wire to see what scripts are being loaded by Facebook, which are most likely compressed for performance and obfuscated specifically to thwart inquiries like this. Multiply that by several service providers and this is akin to telling consumers that if they want to know what’s in their food they should do the chemical analysis on their own.

I do occasionally look at the scripts downloaded and executed in my browser, and usually the answer is simply that some third party is getting metrics on my transactions, not accessing or storing my data. But the problem here is that if there is a “list” of such providers, and it changes, and these providers are simply doing what they do without DH supervision, then DH should advise us of who these folks are and give us an opportunity to vet/whitelist/blacklist these companies as we desire.

I don’t blacklist Facebook since I use their services, but I do block some of their ads and other scripts as being invasive. I don’t expect them in any way to be involved with pages loaded from DH except perhaps in ads. So if they’re authorized by DH to do Anything else, I want to know about it.

I don’t think it’s unreasonable to ask why various other companies are being injected into transactions between us and Dreamhost. I don’t believe DH intends in any way to be malicious or careless. But if the company is going to take a “don’t worry about it” posture rather than telling us what’s going on, I want the information required to make that decision on my own.

I’m personally not asking for the list here. I’m supporting the OP’s request because I believe it’s his right to know what’s being thrown into his browser by DH and companies it authorizes. If some third-party software is trying to install something on his system or mine, we have a right to know why and some fore-notice so that we can avoid it.



DreamHost’s privacy policy states that they collect at least:
Your name, e-mail address, billing address, security question / answer, credit card info, social security number (??) password, IP address, and a history of your actions. “some of which may be personally identifiable”.

DreamHost’s privacy policy states how they use this data:
They sell your info only to "trusted business affiliates and/or associates"
One might trust their “trusted business affiliates”, but certainly not their [untrusted] “associates”.

Given the choice to make $$ and sell your data or not make $$, the decision is a no-brainer. Dreamhost can and very likely does sell your personal information, but only to those whom they trust and/or associate.

In addition to selling your data, they also have a list of
"reputable third-party providers, vetted by our designers, developers, security team members and marketing people"
whom they allow to run scripts on your machine.

Who are these third-party eavesdroppers?
“Tech Support team doesn’t have a list of such third-party tools because that list changes frequently.”

Does anybody believe that everybody at Dreamhost except tech support knows who these reputable parties are? Could this be why their other trusted and paying business partners, their customers, can not know who is using their computer?

Tech support sent this answer:
Re: Full Disclosure of 3rd Party Security Vetting LIST
Message #: 140310247
Time: 2017-10-11 22:46:23
"I have consulted the highest authorities at DreamHost and unfortunately we will not be publishing that information. Please let me know if you have any other questions. Thanks! Heckman

So, this Privacy Policy appears to state that Dreamhost can make $$ by selling your personally identifiable information to anyone on the planet as the sale itself would make that party an “associate”.

Buy canned customer data or Harvest it Yourself!
Or, if you want to harvest Dreamhost’s customer’s data yourself without any paper trail or traceable bank transactions, Dreamhost will give you the keys to the customer’s computer by inserting your Script into their web pages. You can execute whatever you like in their browser on their computer. And, Dreamhost will guarantee to not publish your identity as you hoover up all the customer data you want. Whose privacy do they value?

These third-parties running scripts might also have privacy policies as to what they collect and what they do with it. The “Highest authorities” at Dreamhost refuse to identify their “reputable third-party providers” so we can’t know what these policies or uses are. Surely, like Dreamhost, they can sell your harvested data to their untrusted associates, ad infinitum.

Imagine hiring a plumber to fix your toilet while you were at work only to find out that the plumber is making copies of your key for all of the [undisclosed list of] helpers. And, all of the helpers can make copies for all their “associates”. Everybody would have unlimited access to your home while you are at work.

Dreamhost list moderator Smaffulli says, “here is a list of reputable detective agencies whom you can hire to watch the plumber’s helpers’ helpers’ helpers. There, your problem is solved!”

As Supreme Court Justice Louis Brandeis once said, “Sunlight is said to be the best of disinfectants”.



Not exactly… he’s repeatedly asking for a list of services that is almost impossible to maintain properly. He’s been reassured in private already about DreamHost Privacy Policy but he must have considered that non-satisfactory and decided to keep on asking the same thing in public.

‘why’ (note: there are both .net and .com) is quite simple: DreamHost advertises on Facebook (among other ad services) and loading facebook’s scripts on allows marketers to understand the effectiveness of such ad campaigns. It’s as simple as that.

Whether we like it or not that the web has become a place where advertisers follow us on any step is a whole different conversation! We can open a different thread and talk about the advantages and limitations of adblockers, for example.

But there is, and it’s in your browser at any given time! The thing is that some of those services may be different based on random selection, for things like A/B testing for example or geographies or other technical reasons.

Here is what I see now on home page when I enable

This is simply not true! Services you see loaded by are selected by DreamHost and of course they’re services considered useful for DreamHost and its customers, too. DreamHost staff supervises constantly what’s loaded on our web properties! It would be business suicide not to carefully vet any service that is loaded in customers’ browsers!

It’s quite easy honestly: blacklist (as uBlock Origin does by default) and you won’t have to worry about any of this stuff. You can also blacklist safely, and on any domain that is not This is the list of loaded scripts with uBlock Origin enabled on home page:

It’s not unreasonable to ask but it’s unreasonable not to accept the answer he received. We have answered and I’m happy to continue answering specific questions about the services that are loaded, if you have any.


This is not true. Stop spreading falsehood to support your crusade! DreamHost doesn’t sell your data for a profit.

I’ve asked our lawyers to clarify the Privacy Policy: I’ll add more details as soon as they respond.


IMO There’s nothing unreasonable in this thorough response. Thanks as always Dude!


“With the exception of trusted business affiliates and/or associates who work on behalf of or in connection with DreamHost, DreamHost will not provide or sell to any third party your personal information” [1]

Except to affiliates / associates, dreamhost will NOT sell your data. Do the LOGIC:
to affiliates / associates, dreamhost MAY sell your data. Ask your IT gang if this logic is unescapable.

DreamHost doesn’t sell your data for a profit.

Do you sell it for a LOSS? Perhaps you should charge more.
Or, do you share it on a barter system?

The privacy policy mentions the State of California and per the California “Online Privacy Protection Act” [2],
Dreamhost must detail
"the kinds of information gathered by the website", << Check!

Dreamhost does detail "the kinds of information gathered by the website"
The privacy policy makes it abundantly clear that you can sell or share all customer data
DH allows Google LEAD Services, Facebook, getdrip and many others to run scripts over SECURE connections which you can not possibly monitor. What is GOOGLE-LEADS looking for? LEADs to sell perhaps?

You maintain the contradictory points that you “supervises constantly what’s loaded” and that it changes so fast, you can’t keep a list of all of them. Can these both be true?

The evidence suggests that Dreamhost is allowing third parties to run scripts which can shoulder surf on paying customers. Why would DH do this? How about in exchange for promotional considerations like “Trusted Partner” discounts for advertising on Facebook and on Google results pages.

Since DH is not the one collecting the clicks and keystrokes, they do not have to disclose anything.
And, there is no PROFIT on fees not paid and no taxes or paper trails.

Such a barter arrangement would address the raw data needs of Google / Facebook / ??? while giving DH more eyeballs for their ads. This theory seems to be the most plausible explanation for why Dreamhost refuses to explain what all these 3rd party scripts are doing on OUR computers.

If Dreamhost is not and will not sell or share our data OR ALLOW 3RD PARTIES TO RUN SCRIPTS TO COLLECT OUR DATA THEMSELVES, please say so in writing!

