22 comments

[ 2.5 ms ] story [ 36.3 ms ] thread
It's eight years later, and we finally have a prayer of seeing third-party cookies blocked in all major browsers by default.
I want a uMatrix by default in all browsers.
3rd party cookies are not required for this. They make it easier but...

I used to work on a team that could match users between browsers. E.g. Do some browsing in Chrome. Switch to Firefox, or privacy mode, or whatever with NO shared cookies go browse some more sites, and we could match up the two sessions to the same human. And no, we didn't need IP address or browser fingerprinting or any of that. It just requires a sufficient amount of network visibility, a tiny bit of patience... and a lot of processing power and storage. ;)

that is a pretty big claim. Care to explain a bit more?
Not OP, but it is surprising the level of accuracy that you can get just by comparing daily websites that people tend to go to, time spent on them, and in what order.
Genuine question: Does that work if you use the different browsers for different purposes? Like chrome for work, firefox for personal stuff, safari when on mobile, firefox private mode for… other personal stuff.

Seems like the browsing patterns would be very different depending on browser.

Without being a lawyer, this sounds like a privacy lawsuit waiting to happen.

Did this take place in the US? Could you share more details about the work, and the "why" that drove it?

All that will change is first party cookie will become the new normal having even more privileges.
Unfortunate but this is a very common practice in the ad-tech world. Companies like LiveRamp rely on this "signed-up-email-sharing" between publishers to make their email onboarding products (via which they are able to map email to cookie).

Well, they claim to be privacy aware and won't let you map < 20 emails to cookie at a time but it's pretty easy to bypass that.

How do they exclude EU citizens from being tracked? More importantly (as an SF based company) how do they operate given the California Consumer Privacy Act?

Is this another case where startups plan to break the law until they’re big enough to influence it or they operate at a profit despite fines?

> Is this another case where startups plan to break the law until they’re big enough to influence it or they operate at a profit despite fines?

Considering the GDPR has yet to be effectively enforced against much bigger breaches like Google's and Facebook's activities, it seems like it's not that bad of an idea.

The article is from 2012. Neither of those laws existed.
This is not a new thing and this company isn't the only one doing this. Lead Forensics (https://www.leadforensics.com) and ClearBit (https://clearbit.com) both offer it.

The fact that they're still in business and have business presence in Europe is quite telling about the incompetence of various EU data protection agencies.

This post was from 8 years ago. In 2016 I was definitely using a product like this from yet another party
Knowing someone's email can effectively be the keys to the kingdom.

I noticed recently on gmail with some XHR lookups they do when you hover over people's email addresses, it fetches their email, name and a couple of other datapoints. You can tweak the request to enter any other email address to discover those details about them.

Then there's the social networks. They do mitigate how easy it is to bulk upload contacts and correlate email addresses (or phone numbers) to profiles, but it's certainly not impossible- and people who are making it their business to data mine will exploit all these kinds of 'opportunities'.

I remember the days where social networks would have a form where you entered your email details (including password) and they would log in as you and retrieve all contacts to include in the network. I was shocked. I was more shocked that I saw people actually giving up all their details... That was like 15 years ago, so probably wouldn't fly today though.
Today, the app just request the Contacts permission on your phone and vacuums them all up that way. Every social media app does this, FB (including WhatsApp/IG), Snapchat, Linkedin, etc.
This should be improved to give more granular control - for example an app would not be allowed to leak contacts outside of the phone.
I tried to link a new bank account to paypal recently and they tried to get me to let some third-party log into my bank's website on my behalf. After finding the tiny "No thanks" option (which inexplicably required running said third-party's JavaScript on my device) I was ultimately able to do it the old fashioned way but this process, as they warned, took 4 days rather than being "instantaneous." I think a lot of people are still bullied/tricked into sharing credentials with all manner of skeezy websites.
I saw this as well, very sketchy. I'd rather not use a feature that requires me to give out banking details - I don't think that even is allowed in bank's T&C. Probably if a 3rd party stolen your money because you give them your details, you won't be covered. I was asked this once and I refused. I'd rather enter things manually than let someone "have a peek".