3rd party cookies are not required for this. They make it easier but...
I used to work on a team that could match users between browsers. E.g. Do some browsing in Chrome. Switch to Firefox, or privacy mode, or whatever with NO shared cookies go browse some more sites, and we could match up the two sessions to the same human. And no, we didn't need IP address or browser fingerprinting or any of that. It just requires a sufficient amount of network visibility, a tiny bit of patience... and a lot of processing power and storage. ;)
Not OP, but it is surprising the level of accuracy that you can get just by comparing daily websites that people tend to go to, time spent on them, and in what order.
Genuine question: Does that work if you use the different browsers for different purposes? Like chrome for work, firefox for personal stuff, safari when on mobile, firefox private mode for… other personal stuff.
Seems like the browsing patterns would be very different depending on browser.
Unfortunate but this is a very common practice in the ad-tech world. Companies like LiveRamp rely on this "signed-up-email-sharing" between publishers to make their email onboarding products (via which they are able to map email to cookie).
Well, they claim to be privacy aware and won't let you map < 20 emails to cookie at a time but it's pretty easy to bypass that.
How do they exclude EU citizens from being tracked? More importantly (as an SF based company) how do they operate given the California Consumer Privacy Act?
Is this another case where startups plan to break the law until they’re big enough to influence it or they operate at a profit despite fines?
> Is this another case where startups plan to break the law until they’re big enough to influence it or they operate at a profit despite fines?
Considering the GDPR has yet to be effectively enforced against much bigger breaches like Google's and Facebook's activities, it seems like it's not that bad of an idea.
The fact that they're still in business and have business presence in Europe is quite telling about the incompetence of various EU data protection agencies.
Knowing someone's email can effectively be the keys to the kingdom.
I noticed recently on gmail with some XHR lookups they do when you hover over people's email addresses, it fetches their email, name and a couple of other datapoints. You can tweak the request to enter any other email address to discover those details about them.
Then there's the social networks. They do mitigate how easy it is to bulk upload contacts and correlate email addresses (or phone numbers) to profiles, but it's certainly not impossible- and people who are making it their business to data mine will exploit all these kinds of 'opportunities'.
I remember the days where social networks would have a form where you entered your email details (including password) and they would log in as you and retrieve all contacts to include in the network. I was shocked. I was more shocked that I saw people actually giving up all their details... That was like 15 years ago, so probably wouldn't fly today though.
Today, the app just request the Contacts permission on your phone and vacuums them all up that way. Every social media app does this, FB (including WhatsApp/IG), Snapchat, Linkedin, etc.
I tried to link a new bank account to paypal recently and they tried to get me to let some third-party log into my bank's website on my behalf. After finding the tiny "No thanks" option (which inexplicably required running said third-party's JavaScript on my device) I was ultimately able to do it the old fashioned way but this process, as they warned, took 4 days rather than being "instantaneous." I think a lot of people are still bullied/tricked into sharing credentials with all manner of skeezy websites.
I saw this as well, very sketchy. I'd rather not use a feature that requires me to give out banking details - I don't think that even is allowed in bank's T&C. Probably if a 3rd party stolen your money because you give them your details, you won't be covered. I was asked this once and I refused. I'd rather enter things manually than let someone "have a peek".
22 comments
[ 2.5 ms ] story [ 36.3 ms ] threadI used to work on a team that could match users between browsers. E.g. Do some browsing in Chrome. Switch to Firefox, or privacy mode, or whatever with NO shared cookies go browse some more sites, and we could match up the two sessions to the same human. And no, we didn't need IP address or browser fingerprinting or any of that. It just requires a sufficient amount of network visibility, a tiny bit of patience... and a lot of processing power and storage. ;)
Seems like the browsing patterns would be very different depending on browser.
Did this take place in the US? Could you share more details about the work, and the "why" that drove it?
Well, they claim to be privacy aware and won't let you map < 20 emails to cookie at a time but it's pretty easy to bypass that.
Is this another case where startups plan to break the law until they’re big enough to influence it or they operate at a profit despite fines?
Considering the GDPR has yet to be effectively enforced against much bigger breaches like Google's and Facebook's activities, it seems like it's not that bad of an idea.
The fact that they're still in business and have business presence in Europe is quite telling about the incompetence of various EU data protection agencies.
I noticed recently on gmail with some XHR lookups they do when you hover over people's email addresses, it fetches their email, name and a couple of other datapoints. You can tweak the request to enter any other email address to discover those details about them.
Then there's the social networks. They do mitigate how easy it is to bulk upload contacts and correlate email addresses (or phone numbers) to profiles, but it's certainly not impossible- and people who are making it their business to data mine will exploit all these kinds of 'opportunities'.