Ask HN: How prevalent is non-cookie-based web tracking today?
I just started reading about things like Header Enhancement and SuperCookies and find them to be quite egregious. Does anyone know how much of this activity is being used by big known companies?
For example, I just found out that my account settings at Verizon Wireless were allowing them to use Header Enhancement (UIDH) adding a unique identifier on every http request I sent. So, if I log in to a site, they can associate the UIDH with my account so next time I’m in browser incognito mode, they already know who I am (or have a good guess).
65 comments
[ 2195 ms ] story [ 5272 ms ] threadSo as "Encrypted web traffic now exceeds 90%" [0] I'd guess at least this type of tracking is gone.
[0] https://news.ycombinator.com/item?id=21421195
Same in Germany, but there they have rotating IP addresses (which is both a pain (hosting) and a blessing (privacy)).
Hmm, although, would MAC address tracking count? That happens here and there (by roughly the same amount in any EU country, as far I can tell, which is not very much), mostly with WiFi captive portals where you sign away your soul in the terms of service. I'm not sure about the legality (hiding GDPR consent in the TOS) but it happens. From experience, I can say that if you find out and you send them a letter with a copy of your ID, they'll happily give you all the data they have on any MAC address you claim.
Vodafone CPE equipment saves all mac adresses ever present in the local network and unassociated wifi client macs in the air and sends them back as part of diagnostic data.
Edit: They also DNS Censor popular warez sites and libgen
This happens in some other European countries, too, like Italy.
Edit: the relevant privacy page is: https://www.ns.nl/privacy/op-en-rondom-het-station.html which also has an image of the sticker I saw.
I'm not sure but I think I remember reading this. And it would mean that hotspot tracking (the most prevalent form as far as I've noticed) still works.
Here is a study of fingerprinting effectiveness. Not what you wanted but a worthwhile read.
https://medium.com/slido-dev-blog/we-collected-500-000-brows...
These guys will tell you how unique is your browser fingerprint
https://amiunique.org/fp
If you want to not be tracked, turn off JavaScript for a start.
Could you go in to detail on how you did this?
I thought JS was an absolute requirement for them.
At the same time I have come across captchas that do need JS. I guess google offers both.
[0] if it had, I would have stopped posting here as I never accept browser JS outside of a VM.
Disclaimer: I work for Google, but not on reCAPTCHA.
It does limit you somewhat, but a large part of the web, in HN, slashdot, bbc, most news sites, TheRegister, wikipedia, most of stackexchange, and a shedload more all work fine.
Fat sites do break though, and I don't think there's really any way around that other than temporary whitelisting.
The Web is a lot faster for me now, though.
Then why are the ads that _do_ sneak through my adblockers or onto Instagram, etc., such hot, moist garbage? Is it just a lack of people wanting to advertise at my demographic?
You can check your BlueKai profile here https://datacloudoptout.oracle.com/registry/
Many large, higher quality ad buyers (agencies and direct sold) can get enough return from non-greyarea inventory like this. There's no point in them taking (even a small) perceived risk of buying this grey market inventory.
However, they likely do use this tracking data second or third hand via their third party data providers brokering and including it in larger data sets they use for cross site targeting via DMPs.
Finally, there's simple economics: people who go through enough effort to block trackers and other things are (perceived) to be less likely to engage with ads (e.g. they see it as you do, when one 'slips through'). So there's no point in paying $$$ for those eyeballs.
All of this in combination means you get low quality, barrel bottoms ads.
It’s pretty shitty and unethical, but welcome to to add tech!
I don't feel like I am unusual in any way, as in I can't see how I have any natural, dumb-luck defense against any of this tracking. If companies like Google, Amazon, FB, etc, are in any way really trying to use what they think they know about me to get me to buy stuff or influence my thoughts or behaviour, then they seem to be doing a really, really bad job of it.
As far as privacy goes, my concern is far more focused on apps/programs stealing my photos of my kids, or tracking me around town, or knowing who I meet and talk to.
As far as predicting my future behaviour, I have not been impressed so far.
I went to a great Google Fireside Chat with Michal Kosinski on data privacy. He said that the only way to get around big data is to spread misinformation. Chose the opposite of your tastes, search for things you don't like, etc. https://www.youtube.com/watch?v=VUwBcTgzbtU
https://twitter.com/settings/your_twitter_data/twitter_inter...
I just checked now and it's better than it was but there's still a "DIY" category containing one DIY video, a Japanese cooking tutorial and a video of somebody putting iPads in a bucket of slime. I'm not sure I have very much faith in their ability to deeply infer things about me from a limited dataset when they can't identify videos with ingredients in the description or sort music into genres given the set of all music (and millions of comments on it) to work with.
the only time these are ever close is when they are based on users' previous search terms
There's human effort involved in planning a micro targeting campaign. Way easier (and short-term cheaper) to do some broad strokes ads with a couple ok-ish proxies for your target market than pay people that know what they're doing. So your conversion rates are garbage and CAC higher than it could be, but your spending is on the action instead of front-loaded on salaries/agency fees.
Missing component here is "when compared against massive existing data sets". That info alone isn't very powerful.
https://blogs.gartner.com/martin-kihn/how-cross-device-ident...
https://blogs.gartner.com/martin-kihn/how-cross-device-ident...
Browser fingerprinting is a single piece in creating an id graph. Fingerprinting would be 100% useless without a graph, unless you're doing it to individuals which would be NSA-level acting.
These all have cookie/nonreg-based components, and there are plenty that don't rely on reg based data at all.
* ublock origin
* no script
* cookie auto delete plug in, deletes cookies if tab is closed
* (I use also I don't care about cookies for the EU cookies clusterfuck)
* Canvas blocker
* Privacy badger
* Glyph detection blocker
* Decentral eyes
* Privacy settings
* Privacy-Oriented Origin Policy
* WebRTC leak protection
* https everywhere
* I have a browser spoofing plug-in too but don't think it works so well.
Use VPN
use different browsers for different purposes.
use startpage.com instead of google
Here, try your luck:
https://amiunique.org/
https://panopticlick.eff.org
Does not work so well. Instead of preventing canvas, fonts, browser ID etc., the plug-ins should randomize it.
This questionable judgment on their part seriously puts their reputation at risk in my eyes.
I know you can export the about:config and share that, but I have always wanted a kind of ansible for setting up a browser with plugins and other changes for my personal use.
Additionally, If I could tell my friends and family: Hey just use my Firefox Playbook and feel safe on the internet, thereby reducing the cognitive load of figuring out how to do that, I'd probably have a lot more success helping curious but busy people take control of their privacy.
A person not in IT is probably just fine if you install ublock Origin.
Or you would have to train your family to use different browsers for different things and you want to have at least one "vanilla" browser on your system. Just recently my US CC website stopped working with my browser. For such things you want to have one major browser without any plug ins.
e.g.
1. Google Chrome (Vanilla, no plug ins). Used when needed (recently to pay my CC). 2. Chromium: Facebook, Gmail 3. Firefox: buying tickets etc. 3. Vivali Browsing the internet
Again my setup does not work so well against fingerprinting. My plug-in combination is so unique that I can be tracked via my plug ins.
> As with traditional HTTP cookies, DNS cookies can be used to track users on the web. They have no concept of "first party" or "third party" and can be read across different websites or from a different browser. They can also be used outside the web environment, for instance to track a web conversion which occurs after reading an email but not clicking on a link, or to track a sign-up in a mobile application after viewing a website. They also have application in DDoS mitigation - especially on IPv6 networks.
I am curious what other techniques are in active use to track a user across devices / software...
The only effective approaches that I know of are 1) using Whonix (best in Qubes) to connect via Tor; and 2) using multiple OS-level VMs that connect via different nested VPN chains.
And even then, there are risks from fingerprints that depend on GPU and virtual graphics drivers in VMs.
So when compartmentalization really matters, it's necessary to use different host machines, on different LANs (or at least vLANs).
Using Tor is rather painful, given all the CAPTCHAs. And the learning curve for Qubes is a little steep.
But using multiple VMs with different nested VPN chains is actually quite convenient, once you've set it up. I use a pfSense VM as the gateway router for each VPN service. So creating nested VPN chains is easy: You just create virtual networks of the pfSense VMs, with Linux workspace VMs wherever you like.
With a decent host machine, I can work ~seamlessly as a few low-isolation personas via nested VPN chains, and another few high-isolation personas via nested VPN chains and Whonix instances.
Although an ideal solution would spin up a random VM, browser, screen size, and tor connection for each new web page visited...
Sure. I wouldn't limit it to Tor, though. Because there are just too many CAPTCHAs. That's much less of an issue using VPNs.
Chaining VPNs is arguably overkill for avoiding fingerprinting. Still, trusting a single VPN service is risky. If they were complicit, you'd still be tracked. But if you at least chain two VPN services, there's less risk. Overall risk is more or less the product of all the individual risks, if they're independent.
Edit: If exploit resistance is less of an issue, it's easy to chain VPNs at the Linux OS level using ip route and iptables. Iptables rules drop everything on enp0s3 except traffic to the first VPN server, and drop everything on tun0 except traffic to the second VPN server.
You set enp0s3 as the route for the first VPN server. After connecting to it, you set tun0 as the route for the second VPN server. After connecting to it, you check for leaks using tcpdump.
If you pay via credit card, the VPN account has your name attached to it, no? So what good will chaining VPNs do when all the VPNs have your name attached to them?
Bitcoin is also supposedly not anonymous (or so I've heard.. I really don't know much about bitcoin, so please correct me if I'm wrong here), so paying with it sounds like it won't be any better.
Also, I have to ask: Who are you trying to prevent being tracked by? If it's by advertisers, I don't see how chaning VPNs would be any better than using a single VPN.
And yes, Bitcoin is not anonymous. Just the opposite, in fact. Some cryptocurrencies arguably are anonymous. But that's never really been tested, and in any case, they're not widely accepted.
Any VPN service that I connect to directly, I pay with credit cards. Because there's ~zero anonymity for them, no matter what.
But for the rest, I pay with well-mixed Bitcoin. I anonymize Bitcoin using wallets in a series of Whonix instances, via Tor. Using a different mixing service for each step. With N steps, I have somewhere between N/3 and N-1 ~anonymous Bitcoin pools. Depending on how many mixes I consider adequate.
So then I select Bitcoin pools for paying VPN services in proportion to the degree of separation.
[1]https://mullvad.net/en/help/no-logging-data-policy/
Just curious, for most normal people, when does compartmentalization really matter?
If you define "normal people" to exclude those who take existential risks, then compartmentalization never really matters for them. But that's a sad way to live, in my opinion.
Compartmentalization would have mattered a lot for Chelsea Manning. Or, arguably, for Julian Assange. Or for various public figures whose careers have been destroyed after pwnage. Or for DPR.
https://browserleaks.com/
https://webkay.robinlinus.com/