Ask HN: Refusing all cookies, still targeted by ads. How?
On a blank new work computer using Chrome but not logged in, I refuse all cookies but still see myself being tracked, for example by ads targeted to my surf history.
I could think of sophisticated methods, but maybe the simple answer is that refusing cookies doesn't actually do anything?
117 comments
[ 3.7 ms ] story [ 188 ms ] threadMost IPs don’t change that much.
Browse on Tor if you really want to avoid tracking.
My usual loadout is Thorium + the EFF's Privacy Badger extension, and sometimes UBO.
https://github.com/ungoogled-software/ungoogled-chromium
it looks like some of their patches are now built into debian? Like on this list:
https://udd.debian.org/patches.cgi?src=chromium&version=114....
disable/signin.patch seems to reference the ungoogled chromium repo
There are also experimental Windows builds of Bromite (another Chrome fork that is very close to Chromium, but with a light built-in adblocker.)
https://github.com/uazo/bromite-buildtools#test-windows-vers...
Seeing things I search for on google, like very unrelated to normal YT viewing like specific tech queries show on YT.
Although, while fingerprinting is a thing, most people get targeted because they use their home IP. This is one good reason why a good vpn provider is better than wireguard on a vps.
https://coveryourtracks.eff.org/
Everything about you that isn't identical to everyone else can be combined to guess who you likely are. Your exact browser version, OS, supported APIs, your IP address, your latency to Google servers... Anything that isn't a complete match to everyone else.
You may have a new install, but your IP and latency match your old install. What are the odds you're not the same person?
It's all probabilistic. But Google has a lot of incentive to get really good at making those guesses.
I have been fingerprinted on sites completely unrelated to serving Google Ads.
Wait until the nsfw blackmail comes.
- the websites you view. you may have a common 3-4 that you visit in a row, sometimes on autopilot. fingerprint.
- the way you type and move your mouse. your cadence is unique, you have subtle changes in how you use your mouse. fingerprint.
In the end, you've got two things to work with: Things you can convince the browser to actively identify itself with, and the things you can track regardless.
Cookies are in the first category, but they are not alone. You can get things as simple as presenting an entire site with customized URLs that track a user through querystrings being appended to everything with an identifier. You can track certain caching differences. You can program a website to use local storage and submit a token on every URL click with a fairly simple handler. This isn't even remotely a complete list.
In the second category, you've got IP address, browser versions, various settings... see something like https://www.amiunique.org/ .
In a nutshell, your rich browser experience leaks so much data along so many axes that it is essentially inconceivable that you could ever prevent yourself from being fingerprinted. What you can do is try to detach that fingerprint from a real person, to a certain extent rotate what you can, etc. But in reality you can't be shipping up kilobytes of header information on each web request and expect there isn't something in there that can track you.
https://www.amiunique.org/fingerprint says I'm 100% unique; with all the red lighting up I'm not surprised.
Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.
- ePrivacy Directive which is about local storage
- GDPR which is about information processing
Cookies aren't really mentioned in GDPR or other privacy laws, folks just latched onto cookies as one area that can track users. But really, all personal data is subject to most of the privacy laws, including outbound requests as well as stored data.
IANAL. But for context from lawyers, see: https://ico.org.uk/for-organisations/direct-marketing-and-el...
A web server’s logs may include the IP and http request they’ve made, but once you start attaching that to an identity instead it might count as data processing.
> ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...
One can use the “legitimate interest” basis (recital 49 may be relevant here) or “compliance with a legal obligation” for logging.
That still falls into the EU Cookie definition in the law. [0] If a website is doing this regardless of the user choosing not to allow cookies, it's committing a violation in the eyes of the law (in the EU at least).
[0] https://softwareengineering.stackexchange.com/a/295212
The other interesting thing is that it lists my plugins and "do not track" settings. They are both fairly unique. So, someone who attempts to anonimize themselves using plugins or browser features are just highlighting themselves.
I wonder how unique `wget` would be.
I would expect that any reasonably sophisticated fingerprinting system would not rely primarily on the useragent, and agree that anything that isn't stock only serves to distinguish you further.
Besides the fonts, only 3% of the people recorded in their database have their monitors configured for 30-bit color.
Therefore it appears that taking good care of my eyes makes me easily identifiable, but there is no workaround for this, except for running the browser in a VM, where the characteristics of the hardware and whatever else is installed could be well hidden.
It hides the fact that I have a 30-bit monitor by pretending that it is a 24-bit monitor, but the list of available fonts remains visible, so I can still be uniquely identified.
list of fonts, list of plugins, media devices (the combo of webcams and microphones my work computer uses)
Great site for understanding what your browser tells about who you are.
GDPR absolutely does not rely on specific implementations. Even earlier things I'm pretty sure don't, but GDPR has a much more general coverage. It's extremely important people understand this when they're writing software.
So local storage is also covered by this law. For other fingerprinting techniques, if you can identify a user, GDPR applies. And for ad purposes, the only realistic legal basis is consent.
If I had to guess, based on what I know about you (what I mentioned in the previous paragraph), I would guess that you built your own computer. This almost guarantees a unique fingerprint.
With the deprecation of 3rd party cookies, we will definitely see an increase in fingerprint-based tracking. That being said, it’s going to look different than unique cookies (and it doesn’t explain OP’s situation.
(Or it might actually be that simple. Your fingerprint might be unique between IP re-addressing, and that’s all it is.)
Quite a lot of the specific details did surprise me though, to the point of wondering if there's a bug somewhere in their code determining percentages. "Audio context": "sampleRate : 44100, state : suspended" 0.05%? Gyroscope is a green check (I don't even 100% know what that means) and that's 0.13%? "Battery": "charging : true, chargingTime : 0, level : 1", 0.08%? (And is that even useful for fingerprinting over any significant period of time anyhow?)
So seems very skewed!
There are a few studies that used sites like that and got lots of traffic (by advertising on sites like HN) from non-normal users.
There was a landmark study done in France that measured fingerprints through a government website. The general population was much less unique.
Edit: found the AmIUnique paper: https://scholar.google.com/scholar_lookup?journal=Proceeding...
So basically what OP says is that most sites are just not following the European laws.
So the existence of that header actually makes tracking worse on the web
Like, advertising on its own is already disgusting. I've worked hard to prevent myself from seeing/hearing ads. But the fact that this industry has also turned into a nightmare panopticon is so stupid. I wish we could literally ban all advertising. Maybe an exception for coupons in newspapers.
I assume it was SwiftKey since it was the only piece of software that had access to those keywords besides Chrome itself (which I assume is not the leaker since it never leaked data from Incognito on desktop and because it also happened in Firefox Private Browsing). The "Am I Unique" fingerprint for an Incognito vs a regular tab is also different, so I assume it's not a matter of fingerprinting with server-side tracking.
We are being tracked by the least suspicious pieces of software nowadays, it's becoming more and more difficult to know where the actual tracking came from as we add more and more layers of complexity into our computers. It's scary to think about.
This is a great opportunity to conduct a double blind experiment! Set up three Chrome profiles: your current one, one that's totally fresh, and one that's connecting from a different IP over a Socks proxy. Write a script to randomly start Chrome with one of these profiles; every hour quit the browser, restart it with a random profile, and record the ads you see. Do they all get the same distribution of ads? Do they start out different, but eventually converge?
Cookies just scale better.
If the first thing you do when you open the browser on a new machine is go immediately to Chrome's content settings and switch on "Block all cookies" then I'd be very very surprised to see successful tracking and remarketing.
If you just mean you're clicking "reject" on all of the cookie dialogs you see on various websites that's not going to do much.
If this is a concern for you, maybe consider Firefox? Then grab some extra privacy-conserving extensions like ublock, adnauseam, privacy badger, privacy possum, ghostery, decentraleyes, clearURLs, IStillDontCareAboutCookies, etc.
I get that this is a work machine and you may not have admin rights to install Firefox but any IT manager worth their salt won't refuse a request to change browser, especially if the motivation is personal security.
If they really don't budge (or you are too welded to the Google ecosystem to part with their browser) then maybe you could look for some of the extensions I mentioned above on Chrome?
I agree with all the other comments that are saying this is probably fingerprinting, but you can check whether refusing cookies is doing anything. Two ways:
1. On a page where you refused all cookies but are seeing targeted ads, open developer tools and go into the "Application" tab. Open up Storage > Cookies. Do you see anything listed? You should see nothing there. You also shouldn't see anything in the rest of storage, since "cookie" consent is really "client-local storage consent".
2. You can check whether cookies were sent on particular network requests, like the ones to the ad companies. Open a new tab, open devtools, open networking. Then paste the URL in the url bar. Find an ad request in the networking tab: do you see a "Cookies:" header? If so, it sent a cookie for you.
Now what exactly that means I'm not sure. But the first thing my cookie banner does when someone declines the banner is.... create a cookie. But I guess we can argue that's essential for the user experience - to keep the banner out of the way on follow-up page views. Not a lawyer or privacy expert though.
Edit: above is behaviour I found with at least 2 cookie banners. I'm interested in suggestions if this isn't standard!
You have to edit your cookie preferences for the site (assuming they provide the option) and deselect Legitimate Interest cookies proactively in order to block them.
This recent write-up on Reddit alerted me to this information:
https://www.reddit.com/r/YouShouldKnow/comments/14ddk4u/ysk_...
GDPR enters the picture when cookies are used to identify users. And using the “legitimate interest” basis for ad purposes is illegal, and instead will require consent. Adtech is just hoping that users won't notice and lodge a complaint.