7 comments

[ 4.4 ms ] story [ 30.2 ms ] thread
Ah, but using ETags to track users doesn't work unless JavaScript is enabled. As one who normally doesn't use JavaScript, I had to turn JS on then refresh the page to make this spying example 'work' (i.e.: track me).

As I've been saying for years, get rid of JavaScript and 90%+ of these privacy violations and other security breaches will melt away.

The trouble is we users have to suffer the brunt of this JavaScript 'disease' because it primarily benefits large commercial interests. If ordinary users get trampled upon as a consequence then that's just too bad.

Seems I've found yet another good reason to keep JavaScript turned off.

They use JS to show it for the example. But using etag for tracking works just fine without JS.
Yeah, I should learn not to post late in the night when I should be asleep (when I abbreviate, I often get into trouble). I didn't explain the other steps I take to stop tracking and there's quite few. Besides turning off JavaScript, these include plug-ins for ad-blockers, on-the-fly cookie-deleters and for the random changing of User Agent info among other things.

In addition, I use multiple browsers on both my PCs (usually 4) and smartphones (3) which—with the exception of one instance mentioned below—all are set by default to the following parameters:

- Location access — off

- Block 3rd party cookies — on

- Remove identifying headers — on

- WebRTC – off

- Clear cookies on exit — on

- Clear cache on exit — on

- Clear web storage on exit — on

Often before closing a browser—and depending on the sites I'm visiting—I'll manually clear the last three items above. (If I deem a site to be risky then I'll clear these items every few minutes or as soon as I'm finished with it).

Naturally, such action can break some sites, so to avoid this and or to save time I'll copy the relevant URL to another totally 'clean' browser specifically set aside for the purpose. For instance, I normally use Palemoon to browse HN but it's so loaded with protection that cannot be turned off quickly that it poses problems when posting comments (this level of protection means that sometimes I'm blocked from posting or that I have to refresh or renew the login info every time I want to do an edit, etc.). To overcome this I'll copy the URL into say a clean copy of Waterfox which still has protection (but it's minimal). This certainly overcomes any cache tracking (in fact you'll note this process effectively doubles protection against the cache tracking issue mentioned in the article).

Next, when internet activity has stopped for 10 minutes my machines are set to reboot the router/modem which gives me a new IP address when I next connect to the net. Moreover, my PCs upon start (and during router restarts) are set to only connect to the internet manually (i.e. the internet is essentially never connected to my PC unless I'm present at the machine).

I've been doing this with ongoing refinements ever since the early days of XP (then using Internet Explorer and Firefox as my original browsers).

At the time, it was a somewhat slow process to clear IE's cache on-the-fly so I put a link to its cache directory on the taskbar which gave me instant access to it. As subdirectories in IE were locked by the system, deleting them was performed by that wonderful utility unlocker, it'd kill the lot in a second or two and IE would have to rebuild a new clean set when it was next used.

Often, out of convenience, I'll simultaneously use multiple devices to browse the internet. Here, I'll use a smartphone's browser in conjunction with one of those in my PC. To save time typing a link on the second machine, the URL is 'copied' manually from one device to another with the aid of search engines (Duckduckgo or Startpage). As the smartphone and the router/modem each use different ISPs, there's no common IP address, hence tracking is made all that much harder.

Furthermore, my smartphones are rooted and I've deleted all their GApps, Gmail, etc. (BTW, I never use social media nor trust any of my files to the cloud). Also, I always use a firewall to block access to the internet for all apps except those that I've especially permitted (those permitted are mostly safe apps from F-Droid). The firewall is also set to automatically block all 'unknown' connections to the internet that act through various UIDs, 1000, 10015, etc. All unnecessary internet access is blocked not only by denying permissions but also by nuking 'receivers' and or modifying apps' manifests. Moreover, the only Android system app that I allow through the firewall is Downloads

I don't understand what the relevance is (in the big picture) of any of the details in how web pages track people. As long as a server can return a page with arbitrary links, isn't that good enough? Any way at all that the page received shapes the next server access, is good enough for tracking.
1. From many users' perspective the perception is that tracking is an undesirable and or unnecessary feature that's crept into the Web over the past 20 or so years. It is undesirable because it violates users' privacy not to mention their autonomy to act independently without being watched and monitored. And given that most tracking is done covertly and surreptitiously it just makes matters worse. When new tracking method come to light (as with this cache tracking) users become depressed, these problems seem never-ending, we users feel as if we're constantly under siege.

2. Users were never asked about whether they wanted to be tracked or their privacy violated before these so-called spying 'features' were unilaterally introduced to the Web by powerful players—advertisers, web hosts and others who introduced the technology for their own pecuniary interests, inter alia. Even now, most PC and smartphone web users have little or no idea about how all encompassing and dangerous this technology actually is—as it's not in the interests of those who introduced it to overtly publicize the details.

3. As governments worldwide have almost universally failed to act with any degree of effectiveness to protect online users, there is still no consumer law that's specifically aimed at protecting end users from tracking harassment and privacy violations. This means that users themselves have had to take on this responsibility. Many have tried with varying degrees of success (unfortunately, they've mostly failed).

4. Years by year, users have found that it's increasingly difficult to stop themselves from being tracked and to maintain their privacy because the techniques used against them have become more frequent as well as increasingly sophisticated (as with this cache hack). Whenever users have a minor victory and succeed in thwarting hacks, Big Business responds with yet another. It's a David and Goliath problem, Big B. has huge financial resources that enable the further development of hacks and users little or none for the development of protection measures.

5. And as we know, this is only the beginning: Google's tracking ecosystem† also includes seemingly free Google apps with smartphones and PCs—apps such as Gmail, Google Maps and Google Earth along with many others that have been cleverly designed to be highly-addictive. This electronic heroin as I call it has now become so all pervasive that it has become totally indispensable to not millions but actually billions of people.

6. Even if they aren't au fait with the all the details, users are effectively at war with Big Tech over privacy, tracking and the mining of their data (and tragically it's a war that Google and other Big Tech companies have been winning for years).

I would have thought the relevance of my previous post would have been obvious, that is that this browser cache matter is just one small part of this much huger problem. As such, it cannot be isolated from the other matters that I raised therein. Moreover, listing the other matters was to bring to the reader's attention the extreme lengths that internet users have to go to if they want to escape the clutches of these behemoth online monopolies. Even if they do succeed then their freedom is likely to be short-lived.

__

(One only has to look at how Google has used its overwhelming monopoly to track users and to violate their privacy, not only has it been completely successful but the way it's gone about it has meant that it has been diabolically effective doing so. Moreover, when it comes to tracking and extracting user's personal data, the Android ecosystem is conceptually and in practice a technical masterpiece without peer. It is unrivaled in its ability to collect massive amounts of data then deliver it all up to Google. The Android O/S is a watershed in operating system design as it includes paradigm-shifting technology that was specifically deve...

Quick note on this one. ETags have been used for years, but there is a court case from 2011 and before, speficaly noting this ETag technology as undeletable cookies. Was just a click away from the Wikipedia page. So I think anybody using it, would have an huge issue with the laws. Personally, I think the tracking pixels are more interesting to look at.

https://www.extremetech.com/internet/91966-aol-spotify-gigao...