Ask HN: Refusing all cookies, still targeted by ads. How?

81 points by 2rsf ↗ HN
On a blank new work computer using Chrome but not logged in, I refuse all cookies but still see myself being tracked, for example by ads targeted to my surf history.

I could think of sophisticated methods, but maybe the simple answer is that refusing cookies doesn't actually do anything?

117 comments

[ 3.7 ms ] story [ 188 ms ] thread
There are plenty of ways to fingerprint you aside from cookies, as you’ve probably surmised (“sophisticated methods”).
Such as your IP address hehehe. Super sophisticated.

Most IPs don’t change that much.

Browse on Tor if you really want to avoid tracking.

With Comcast, I can change my IP address on-demand by spoofing my router's MAC address.
This is one reason I use a VPN for almost all my personal browsing. That and I don't want spectrum to see where I'm going, because they will sell it. Like, I know a VPN isn't super-spy stealth tech, but it handles a couple basics pretty well and I end up hitting sites from a very generic IP.
You need tracker blocking extensions, and/or a "degoogled" version of Chrome like Thorium or Brave.

My usual loadout is Thorium + the EFF's Privacy Badger extension, and sometimes UBO.

can you say why degoogled chromium matters for tracking, or link to a writeup?
The Ungoogled Chromium project itself is a pretty good summary. In a nutshell, Chromium (whether signed in or not) "phones home" to Google for a number of reasons, and the official Chrome builds do it even more (though in harder to observe ways since the changes are closed source).

https://github.com/ungoogled-software/ungoogled-chromium

Extensions are blocked for "security and privacy concerns", and our internal systems don't work well with non standard browsers for some reason
(comment deleted)
Brave’s worse. It injects affiliate links without notifying users. Honestly, I can’t understand why do people still use brave as a “privacy browser”.
I've noticed Google now syphons data from my searches to feed my youtube recommendations, always felt like two separate systems until about a month ago.
I was wondering about that, but I wasn't sure it was new. Are you using YouTube Premium?
Nah just a google account I only use for YouTube but don’t log out of. No email or maps usage only google search and heavy YT subscription and watch data.

Seeing things I search for on google, like very unrelated to normal YT viewing like specific tech queries show on YT.

It doesn't depend on cookies or any other site settings. just use an ad-blocker.
There are so many ways to track you. Think about the combination of ip address, user agent string, display resolution, supported apis on your browser version. They might already be unique among everyone who uses your ip.
Use a vpn and disposable VMs and then you can even allow cookies. If that isn't practical you will have to disable js to prevent fingerprinting.

Although, while fingerprinting is a thing, most people get targeted because they use their home IP. This is one good reason why a good vpn provider is better than wireguard on a vps.

X-Forwarded-For, and/or unique IP, and/or client fingerprinting.
Fingerprinting.

Everything about you that isn't identical to everyone else can be combined to guess who you likely are. Your exact browser version, OS, supported APIs, your IP address, your latency to Google servers... Anything that isn't a complete match to everyone else.

You may have a new install, but your IP and latency match your old install. What are the odds you're not the same person?

It's all probabilistic. But Google has a lot of incentive to get really good at making those guesses.

Probabilistic, to a staggeringly high certainty. I used to think "meh, how accurate could all that possibly be?". I now know it's close enough to 100% for the false positives to be negligible.
But that's also a form of tracking. Are you saying it's a form of tracking which is exempt under the GDPR? Do you have a source on that?
I doubt it's allowed under gdpr, but it's also hard to prove it's being done. Much of it can be done server side based purely on IP address.
It's not exempt but advertisers do it anyway.
Chrome stopped reporting chrome version because of this iirc.
Are we sure its Google?

I have been fingerprinted on sites completely unrelated to serving Google Ads.

Wait until the nsfw blackmail comes.

some additional methods to detect you

- the websites you view. you may have a common 3-4 that you visit in a row, sometimes on autopilot. fingerprint.

- the way you type and move your mouse. your cadence is unique, you have subtle changes in how you use your mouse. fingerprint.

To be clear, they don't need to know you by name and address, if you're AnonymousUser#7820300195 they still get to know what you were browsing, what interests you, and what you're likely to click on. In fact, knowing your actual personal details is probably a liability they don't need.
(comment deleted)
Cookies was a simple concept that politicians could glom on to and legislate around, but, yes, they're quite unimportant in the grand scale of things.

In the end, you've got two things to work with: Things you can convince the browser to actively identify itself with, and the things you can track regardless.

Cookies are in the first category, but they are not alone. You can get things as simple as presenting an entire site with customized URLs that track a user through querystrings being appended to everything with an identifier. You can track certain caching differences. You can program a website to use local storage and submit a token on every URL click with a fairly simple handler. This isn't even remotely a complete list.

In the second category, you've got IP address, browser versions, various settings... see something like https://www.amiunique.org/ .

In a nutshell, your rich browser experience leaks so much data along so many axes that it is essentially inconceivable that you could ever prevent yourself from being fingerprinted. What you can do is try to detach that fingerprint from a real person, to a certain extent rotate what you can, etc. But in reality you can't be shipping up kilobytes of header information on each web request and expect there isn't something in there that can track you.

https://www.amiunique.org/fingerprint says I'm 100% unique; with all the red lighting up I'm not surprised.

The important bit is that the cookies not only are irrelevant from the point of view of allowing tracking to occur technically, they're also irrelevant from a legal point of view. A company must have your consent to hold and process your information for a specific purpose, regardless of whether or not that is done using cookies or fingerprinting. If you have been presented with a consent popup and have not consented, and the company is tracking you by other methods, then that is illegal. (It'd be illegal also if they hadn't given a consent popup at all.)
Under which law is this illegal? I'm only aware of legislation that forces websites to ask for consent for storing cookies.
The ePrivacy Directive (collaqually Cookie Law) doesn’t actual specify only cookies. Section 66 of https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL... just talks about third parties storing information on equipment:

Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.

That sounds like it applies to cookies and local storage, not all tracking. It doesn't sound like it applies to IP-based or device fingerprint-based tracking.
If you are able to identify a unique user from its browser fingerprint, then it's personal data: GDPR applies. And for ad purposes, consent is pretty much required.
Yes GDPR applies, but the part that I was replying to doesn't.
It's two different directives:

- ePrivacy Directive which is about local storage

- GDPR which is about information processing

This is a critical thing that so many miss. If somebody has a website that doesn't use any cookies, but does send a POST request to www.bigcompanyanalytics.com/send-user-info with a body containing user-identifying information, then that is still illegal if the user has not consented to analytics (if they are in an area that requires opt-in for analytics).

Cookies aren't really mentioned in GDPR or other privacy laws, folks just latched onto cookies as one area that can track users. But really, all personal data is subject to most of the privacy laws, including outbound requests as well as stored data.

IANAL. But for context from lawyers, see: https://ico.org.uk/for-organisations/direct-marketing-and-el...

How does that work given that web servers have request logs that capture some identifying info? You already know some things about the user before you can even serve them the consent popup.
I’m not an expert on this, but perhaps it’s the usage of that data and linking to a person that crosses the line.

A web server’s logs may include the IP and http request they’ve made, but once you start attaching that to an identity instead it might count as data processing.

Storing counts as processing under the GDPR; the definition is in article 4. It's not hard to find.

> ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

One can use the “legitimate interest” basis (recital 49 may be relevant here) or “compliance with a legal obligation” for logging.

> You can program a website to use local storage and submit a token on every URL click with a fairly simple handler

That still falls into the EU Cookie definition in the law. [0] If a website is doing this regardless of the user choosing not to allow cookies, it's committing a violation in the eyes of the law (in the EU at least).

[0] https://softwareengineering.stackexchange.com/a/295212

My favorite thing from that uniqueness website is that it shows cookies enabled as more common and thus more anonymizing. Not that they wouldn't just fingerprint you using those cookies if it was enabled.

The other interesting thing is that it lists my plugins and "do not track" settings. They are both fairly unique. So, someone who attempts to anonimize themselves using plugins or browser features are just highlighting themselves.

I wonder how unique `wget` would be.

Yes, I reduced my plugins count in firefox to slightly decrease my uniqueness. piling on additional tracking prevention addons means getting tracked more.
The absence of things can be as profound as their presence.
Simply using Firefox is a problem in that regard. I think most recent number I saw for Firefox usage was 1%.
Yes, that's true. I think Firefox now tries to hide itself by sending a false user agent? Everything is a trade-off though... using a version of firefox that's closer to stock is probably helping a tiny bit. Or maybe it's not, since Firefox wants people to use plugins (and for some reason, doesn't warn of the dingerprinting danger).
Mine currently says Firefox in it. You can override it without a plugin in the about:config setting general.useragent.override.

I would expect that any reasonably sophisticated fingerprinting system would not rely primarily on the useragent, and agree that anything that isn't stock only serves to distinguish you further.

I have also looked there and what makes me unique is that nobody else has the same list of installed fonts, which is not a surprise for me, because I have bought several commercial high-quality typefaces, while most people have only the fonts installed by the operating system and by popular office suites.

Besides the fonts, only 3% of the people recorded in their database have their monitors configured for 30-bit color.

Therefore it appears that taking good care of my eyes makes me easily identifiable, but there is no workaround for this, except for running the browser in a VM, where the characteristics of the hardware and whatever else is installed could be well hidden.

Have you tried Firefox's resistFingerprinting abou:config flag? I don't know if they've implemented those but technically speaking I don't think a vm is necessary.
I have tried that right now, in Firefox 102.12.

It hides the fact that I have a 30-bit monitor by pretending that it is a 24-bit monitor, but the list of available fonts remains visible, so I can still be uniquely identified.

or starting a campaign to convince others to adopt your ways!
My most unique settings were:

list of fonts, list of plugins, media devices (the combo of webcams and microphones my work computer uses)

Great site for understanding what your browser tells about who you are.

> Cookies was a simple concept that politicians could glom on to and legislate around, but, yes, they're quite unimportant in the grand scale of things.

GDPR absolutely does not rely on specific implementations. Even earlier things I'm pretty sure don't, but GDPR has a much more general coverage. It's extremely important people understand this when they're writing software.

Correct; the actual “cookie law” (ePrivacy 2002/58/CE) talks about “the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user”. https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

So local storage is also covered by this law. For other fingerprinting techniques, if you can identify a user, GDPR applies. And for ad purposes, the only realistic legal basis is consent.

I’ve been on a team doing fingerprinting research (specifically entropy sources). It’s amusing that you’re 100% unique and browsing HN commenting about fingerprinting. (You’re exactly a demographic that would be unique.) Most people aren’t unique, far from it. Consider iPhone 14 Pro Max users browsing through a 5G connection. All the users in the same cell look exactly the same.

If I had to guess, based on what I know about you (what I mentioned in the previous paragraph), I would guess that you built your own computer. This almost guarantees a unique fingerprint.

With the deprecation of 3rd party cookies, we will definitely see an increase in fingerprint-based tracking. That being said, it’s going to look different than unique cookies (and it doesn’t explain OP’s situation.

(Or it might actually be that simple. Your fingerprint might be unique between IP re-addressing, and that’s all it is.)

I'm on Linux in Brave, so in general that I'm unique didn't surprise me. As you say, that part is expected. Stock Dell laptop, though.

Quite a lot of the specific details did surprise me though, to the point of wondering if there's a bug somewhere in their code determining percentages. "Audio context": "sampleRate : 44100, state : suspended" 0.05%? Gyroscope is a green check (I don't even 100% know what that means) and that's 0.13%? "Battery": "charging : true, chargingTime : 0, level : 1", 0.08%? (And is that even useful for fingerprinting over any significant period of time anyhow?)

I suspect their database is very small and doesn't include many normal people. I also think they aren't taking into account the dimension of time: they say that the latest version of chrome is unusual.
I’m pretty skeptical of this of this fingerprint test. I’m on a 5G connection, in a major city with a completely default current gen iPhone, and it seems to think I’m 100% unique. Which I don’t believe for a second.
There's only 1.9 million samples in their database, and to be fair, the people who go to that site to test their fingerprint, are probably the kind of user who is going to have a unique fingerprint, notsomuch a common user. So a common user going there is likely a bit unique.
Im in Firefox and it tells me 43% of the fingerprints are Firefox.

So seems very skewed!

I tried the amiunique fingerprinter with my iPhone, software updated to the latest version, stock Safari browser, and it said I was unique among all however many users had tried before.
If I remember correctly, that site was actually used to publish an early paper about fingerprinting. Their database is simply people who visit their site. You probably are unique among people who have visited! I doubt it sees much traffic anymore. This would explain the parent being unique also now that I think of it.

There are a few studies that used sites like that and got lots of traffic (by advertising on sites like HN) from non-normal users.

There was a landmark study done in France that measured fingerprints through a government website. The general population was much less unique.

Edit: found the AmIUnique paper: https://scholar.google.com/scholar_lookup?journal=Proceeding...

GPRD doesn't target just cookies, but tracking in general, which must be known and consented.

So basically what OP says is that most sites are just not following the European laws.

Thank you! I find people repeating the "GDPR is stupid because there are other ways to track than using cookies" thing all the time and it's so frustrating. Misinformed comments like that usually end up at the very top of discussions like this.
It's hard to convince someone when their livelihood depends on not understanding.
Looking through that site, one of the things used to identify you is the value of the "do not track" header...

So the existence of that header actually makes tracking worse on the web

If a website uses local storage and submits tokens somewhere, the ad network only knows what a user does on that site, not all over the internet and it doesn’t know it’s you when it’s time to pick an ad.
Cookie sharing networks never actually needed to use cookies to share information about you. It’s ironic, but true. The disclaimers about using cookies and the regulations about providing those disclaimers never actually did anything to protect your privacy.
All it did was make surfing the web more annoying because now you have to accept or decline cookies before you actually do anything on the page you landed on.
The ad tracking industry has evolved to do server side fingerprinting (Network, device U/A, Address lookups), canvas based fingerprinting.
Firefox blocks canvas access for this reason, which is a real pain now because it has actual usefulness. I hate advertising so much.

Like, advertising on its own is already disgusting. I've worked hard to prevent myself from seeing/hearing ads. But the fact that this industry has also turned into a nightmare panopticon is so stupid. I wish we could literally ban all advertising. Maybe an exception for coupons in newspapers.

This shit is so hard to control. The only way to control it is adblockers like uBlock and/or DNS-wide solutions like PiHole
Recently, I discovered that SwiftKey keyboard (I assume) was leaking tracking data from Incognito on Android. I would open an Incognito tab in Chrome, the keyboard would show up in "anonymous" mode, but products I searched for still turned into ads in Facebook/Instagram and AdSense in a couple of minutes.

I assume it was SwiftKey since it was the only piece of software that had access to those keywords besides Chrome itself (which I assume is not the leaker since it never leaked data from Incognito on desktop and because it also happened in Firefox Private Browsing). The "Am I Unique" fingerprint for an Incognito vs a regular tab is also different, so I assume it's not a matter of fingerprinting with server-side tracking.

We are being tracked by the least suspicious pieces of software nowadays, it's becoming more and more difficult to know where the actual tracking came from as we add more and more layers of complexity into our computers. It's scary to think about.

Chrome is tracking you by default. Check out chrome://settings/adPrivacy on the desktop - not sure if you have any control over this on the mobile version.
This page doesn't exist in chrome for me and I can't find it by searching the settings. I wonder if it's a regional thing -- I'm in the US. Are you not in the US by chance?
I had a similar experience with the Samsung keyboard. It's seemingly sending data to Facebook/Instagram, and also it had Grammarly embedded in it. I never knowingly consented to having my conversations sent to Grammarly and I was furious about it.
> I could think of sophisticated methods, but maybe the simple answer is that refusing cookies doesn't actually do anything?

This is a great opportunity to conduct a double blind experiment! Set up three Chrome profiles: your current one, one that's totally fresh, and one that's connecting from a different IP over a Socks proxy. Write a script to randomly start Chrome with one of these profiles; every hour quit the browser, restart it with a random profile, and record the ads you see. Do they all get the same distribution of ads? Do they start out different, but eventually converge?

Profile? not allowed here by IT
Etags can be used to track you and likely are, especially at the network level. Additionally your network provider may be adding headers to your requests which enable you to be identified. Finally, your browser and device combination are probably configured in a way that gives you a fairly unique identifier.
A proxy tracker can fingerprint without you even noticing.

Cookies just scale better.

Depending on your ISP you may be able to change the public IP tied to your router. I did this, and found it significantly reduced what websites were able to track about me...for a while at least, until they learned again. But also, use a VPN.
What do you mean exactly by "refuse all cookies?" The specific method you use will matter a lot.

If the first thing you do when you open the browser on a new machine is go immediately to Chrome's content settings and switch on "Block all cookies" then I'd be very very surprised to see successful tracking and remarketing.

If you just mean you're clicking "reject" on all of the cookie dialogs you see on various websites that's not going to do much.

If you don't use DNS over HTTPS, (available in Firefox, maybe in some other browsers too) then all the pages you browse are leaked to your ISP, who is happy to sell that information to data aggregators. Since I started using DNS over HTTPS and uBlock Origin on mobile, I hardly ever get any relevant adds.
If you are at all concerned with privacy, why are you using Chrome? It should be no surprise that the browser built by one of the largest data-harvesting companies in the world is pretty good at harvesting your data...

If this is a concern for you, maybe consider Firefox? Then grab some extra privacy-conserving extensions like ublock, adnauseam, privacy badger, privacy possum, ghostery, decentraleyes, clearURLs, IStillDontCareAboutCookies, etc.

I get that this is a work machine and you may not have admin rights to install Firefox but any IT manager worth their salt won't refuse a request to change browser, especially if the motivation is personal security.

If they really don't budge (or you are too welded to the Google ecosystem to part with their browser) then maybe you could look for some of the extensions I mentioned above on Chrome?

Actually extensions are blocked for "security and privacy concerns", and our internal systems don't work well with non Chromium browsers
> maybe the simple answer is that refusing cookies doesn't actually do anything?

I agree with all the other comments that are saying this is probably fingerprinting, but you can check whether refusing cookies is doing anything. Two ways:

1. On a page where you refused all cookies but are seeing targeted ads, open developer tools and go into the "Application" tab. Open up Storage > Cookies. Do you see anything listed? You should see nothing there. You also shouldn't see anything in the rest of storage, since "cookie" consent is really "client-local storage consent".

2. You can check whether cookies were sent on particular network requests, like the ones to the ad companies. Open a new tab, open devtools, open networking. Then paste the URL in the url bar. Find an ad request in the networking tab: do you see a "Cookies:" header? If so, it sent a cookie for you.

The truth about cookie behaviour can be found, as it's a browser-driven feature (unlike fingerprinting). But at least some analysis of the cookies will be needed, as I think essential cookies under some definition/interpretation are permitted?

Now what exactly that means I'm not sure. But the first thing my cookie banner does when someone declines the banner is.... create a cookie. But I guess we can argue that's essential for the user experience - to keep the banner out of the way on follow-up page views. Not a lawyer or privacy expert though.

Edit: above is behaviour I found with at least 2 cookie banners. I'm interested in suggestions if this isn't standard!

Good point; you shouldn't see exactly zero cookies. But all cookies should be "strictly necessary" for fulfilling an explicit user request.
Yes, I tried that with mostly inconclusive results, maybe I chose the wrong site, except for one or two sites that were either really impressively good or bad
In addition to the non-cookie fingerprinting mentioned by others that can happen, there is a loophole in the GDPR cookie control legislation that allows "legitimate interest" cookies to continue to be placed and tracked when you click Reject All.

You have to edit your cookie preferences for the site (assuming they provide the option) and deselect Legitimate Interest cookies proactively in order to block them.

This recent write-up on Reddit alerted me to this information:

https://www.reddit.com/r/YouShouldKnow/comments/14ddk4u/ysk_...

This is wrong. Cookies are covered by ePrivacy, article 5(3), not GDPR. There are two regimes for cookies: strictly necessary ones, and others, requiring consent. The fact that disabling “legitimate interest” cookies does not break the service should tell you that they are not strictly necessary.

GDPR enters the picture when cookies are used to identify users. And using the “legitimate interest” basis for ad purposes is illegal, and instead will require consent. Adtech is just hoping that users won't notice and lodge a complaint.

Thank you for the correction!