128 comments

[ 25.5 ms ] story [ 753 ms ] thread
Great. How does it work...
My guess is that it looks at HTTP requests on the site and looks to see if cookies are created. Then matches them to a database of sites/services that are known trackers.

Essentially, just about any banner advertisement will show up on Collusion. Also, any type of javascript visitor tracking like GetClicky or Google Analytics.

As if there wasn't a compelling case for Adblock and the like already..
Adblock doesn't protect you against this. But something like Ghostery sure does.
Creepy. I wonder if a possible solution (for the tracking across sites part) is to make sure that each website can access only the cookies it creates. For example, chrome creates a seperate process for each tab and the process would have a lock on its cookies such that other processes can't access it. A VM for each process in a way.
I think disabling third-party cookies (via your browsers preference) would accomplish this (though it's no VM), with the added benefit of not needing to re-log in for each tab/window.

This doesn't, however, block all tracking scripts, as some may get your IP via an embedded 1x1 gif or other request. There's still the issues of super-cookies, or Flash cookies, or scripts that embed a unique image in your cache and then read it out, etc. So for this I recommend AdBlock or Ghostery.

Edit: Here's aseful link on this topic: http://samy.pl/evercookie/

Safari does this already, I believe. Certainly on iphone, not sure about on mac.
The cookie protocol already works this way, and has for as long as cookies have existed. The issue is that a website can load content from a third-party domain, and the historical cookie protocol implementation has historically treated those requests as cookie-able. (Hence "tracking pixels," third-party ad services and stats collection, etc.)

The demo mentions the privacy concerns of third-party cookies, but does not mention that there are significant positive uses for such cookies. In the demo, reference.com sets cookies for thesaurus.com and dictionary.com, which are different domains run by the same operator. Such cookies allow the operator to provide customized services across the domains. Third-party cookies allow for richer embedded-content experiences. Video is a great example of that.

The revenue sites can get from third-party cookied ad networks is significantly higher than from unpersonalized third-party ads. Large sites like HuffPo and NYT are able to sell a lot of their premium inventory directly, so a big reduction there is likely to disproportionately affect smaller sites.

I believe rohit89 means something else. Imagine you visit IMDB, which contains resources from doubleclick.net that set a doubleclick.net cookie. Next, surf to the WSJ which also has doubelclick.net content. Your browser could simply not send the doubleclick cookie because it knows that it came through IMDB and not through the WSJ.

In order to do this, a browser (or extension) would need to track through which sites a 3rd party cookie was set, and only send the 3rd party if you're on that same site again. Else it should just pretend there is no 3rd party cookie.

I'd definitely install an extension that would implement this process.

Yup, that's what I meant. Sandboxing on a per tab basis. To put it another way, each new tab you open is like a new incognito session.
This is great, I'm a big fan of transparency, I wonder how long it will take for the site's in question to either a) throw a fit about Collusion, or b) start making some workarounds to prevent it from working right. Which of course will be followed by the Collusion people figuring out how to keep up the transparency. It's times like this I wish I had tons of money, I'd donate a grip to Collusion and anyone else helping prevent sneaky corporations from being, well sneaky.
The one I consider the worst is IMR Worldwide. The best I can make of it is they are affiliated with Nielsen. They don't even have a website. How do I opt out of their tracking? How do I tell this private corporation to stop monitoring me? DoubleClick is very clear. They have a website. I can opt-out. The issue here is transparency.
Does the demo require flash? I can't see anything.
You have to click "click here"
Chrome is probably not going to match this service, as google would prefer to track us. Will this drive people back to Mozilla?
1. There are plenty of Chrome extensions which block trackers like this, such as Ghostery

2. You can disable third-party cookies in Chrome's preferences if you like

The majority of general users have not expressed any sentiment that they mind being tracked in this way on particular websites who have "opted in".

In fact, based on advertising trends, they actually find it useful and respond well to it - adverts that show you products that you've recently been browsing for etc.

Introducing? Here's a post about it from >6 months ago http://threatpost.com/en_us/blogs/collusion-firefox-add-pain...
Yep, I remember installing this way back when... Pretty nice, though.
Mozilla works in the open, so our "launches" are rarely new or secret projects. Everything is on GitHub the day it's written. Most things we launch have been around for a while; a launch just signifies it's ready for public consumption.

(Note: I work at Mozilla, however have no clue specifically about Collusion.)

In case anyone is curious, a couple of the key use cases for the tracking pixels are:

1. Tracking ad frequency and performance (e..g, did you buy something after you saw an ad; don't show you more than X ads for a given product)

2. ID synchronization between ad exchanges, ad buyers, and data targeters

3. Retargeting (e.g., showing you an ad after you've been to a site)

4. 3rd party data: things like guessing whether you're interested in cars or ceramic figurines and selling the ability to target you with ads

5. Site performance data (omniture, google analytics etc)

I find that unlike disabling cookies altogether, the web is a very usable with cookies set to expire when you close your browser. So all cookie based tracking is reset whenever I restart. In firefox you can alter rules on a per site basis. I only enable permanent cookies on my banking site which asks annoying "secret questions".

This demo only showed me 3 cookies from IMDB (which I browsed in this session I guess).

Note: the "restore my last session" link in firefox will work against this setting and reload your cookies from the last session.

The only place that should indeed be more safe is the one you choose not to clear the data from. Shouldn't it be the other way around?
My bank asks dumb questions that the average person could possibly figure out. In which city does my eldest sibling live? Mother's maiden name? These are useless.
I've never had a problem getting them to accept answers that have nothing to do with the question and look more like passwords.
Exactly my solution. And if I'm opening an account in person I usually feel obliged to lecture the poor banker on why these questions are a liability--remember Sarah Palin-- etc.
I do this for privacy, not for security. It gives me more privacy than the default setting.

Perhaps that's an irony that the bank should consider, or anyone that has weird password requirements that end up working against their goal.

Anyone who cares will be using flash cookies, local storage (or the user storage behavior thingy in IE < 8), etags, etc. Web browsers are full of tiny crevices for tracking tokens to hide.
Premium advertisers generally avoid these kind of practices; basically they don't do business with agencies that use flash cookies and/or browser hashing.

Typically, an ad network wants to conform to the guidelines set by the IAB [1], which explicitly recommends against flash cookies, calling them illegal [2].

So, all in all, if something can hurt a brand's reputation among consumers, advertisers generally don't spend their money there. Shady practices like these are among them.

[1] http://www.iab.net/

[2] http://www.iabeurope.eu/news/iab-europe-condemns-%E2%80%98re...

That only applies to organizations that have a presence in the EU (which probably includes most of the big ad networks, since they have international sales teams). Smaller players domestic to the US don't have the same constraints. Also, it's not just ad networks that do browser tracking.
Intentionally bypassing user settings to track users might seem like a practical, albeit ethically wrong, business decision, right up to the point that you get caught. Ask Hulu and KISSmetrics, for two. (search "zombie cookies" and those companies names.)
I used to have that, but nowadays I never close my browser anymore. I don't switch off my notebook, it only goes to sleep. I only restart the browser when it crashes (not that often these days) or some OS update forces a reboot.
I also use that configuration in Firefox, with cookies expiring at browser close by default. I use the Cookie Monster add-on to easily whitelist sites like HN, my banks, etc. where I want long-lasting cookies:

https://addons.mozilla.org/en-US/firefox/addon/cookie-monste...

I browse with Flash disabled (tip: there are ways of bypassing the Flash Block add-on, so disable the flash plugin completely when you don't need it, it's easy to re-enable and reload a page on occasion) and have the Better Privacy add-on cleaning up Flash cookies on a timer and at browser close:

https://addons.mozilla.org/en-US/firefox/addon/betterprivacy...

Also, the Ghostery plugin is a nice lightweight alternative to AdBlock to just block tracking scripts without wiping out ads everywhere. It kind of side-steps the tracking issues this Firefox Collusion plugin is highlighting.

https://addons.mozilla.org/en-US/firefox/addon/ghostery/

Very interesting idea and well executed, but the layout of the graph nodes makes it hard to tell who the worst sites are:

http://f.cl.ly/items/3A2C0x2a1f0F370Y0d3E/Screen%20shot%2020...

It also seems to want to push some graph nodes off the screen.

You can move along and pull the nodes to make it more readable. It's quite cute.
In a previous version of the visualization, the nodes would increase in size proportionally to the number of incoming links. It was dropped during a UI overhaul as it didn't fit the new visual style. But I'm looking for another way to make the "worst" sites stand out in a crowded graph. I would welcome your suggestions.
All of these services / plugins / demos are incomplete without analyzing Flash cookies. I worry the result is people thinking they're more anonymous than they really are. (You can view your Flash cookies here: http://www.macromedia.com/support/documentation/en/flashplay...)

I'd really like to see the browsers take on this practice. Safari, for example disables 3rd party cookies by default, but leaves open this huge hole via Flash.

Can't speak for anyone else, but I always run my browsers with Flash disabled or uninstalled so Flash cookies make no difference to me.
ClicktoFlash/ClicktoPlugin (Mac) is great, you only execute flash if you want to. This little app saves me hours of battery life on my Macbook Air. I don't know what's available on Windows/Linux however if you're on a Mac I can't recommend it enough.
Depending on your browser, you might be able to do this directly in browser setting. In newer Opera versions, the setting to enable click to flash is at opera:config#UserPrefs|EnableOnDemandPlugin
The FlashBlock plugin for Firefox provides "click to Flash" functionality.
> you only execute flash if you want to

NoSciprt allows you to do that, so does Flashblock. I'm sure there are similar plugins and extensions for browsers other than Firefox (well, maybe not NoScript, it seems pretty unique).

Even stranger to see no mention that cookies aren't needed at all to track users successfully.

Check your browser at http://panopticlick.eff.org/

Basically, using useragent, plugins, time zone, language, screen size, etc etc etc, you can fingerprint a user pretty reliably without using cookies.

Cookies are just an easy way to track users client side, but if there is an 'assault' on cookies, then people will just start relying more on server side tracking of users instead.

Disabling 3rd party cookies etc really achieves nothing.

Also, there's numerous methods you can use to store "cookies" in the browser these days, (localstorage api, http cookies, flash, cache etc)

If you really don't want to be tracked for some reason, disable javascript, clear out your user-agent, and use TOR.

Wow, there's a lot of unique information there that I didn't expect, such as installed system fonts. Hashing this information could generate a fairly reliable primary key.
Not mentioning names, but I used to be involved in a project that used this method to track users. From my observations, it was very useful as filter for further analysis. It's not perfect, but really quite good.
Maybe, but there would have to also be passes through the data afterward to link identities. Hashing is dangerous since browsers are living, dynamic beasts. When someone updates their browser, their useragent changes, and you'll want to keep their new identity as an extension of their old one. Not to mention that people use multiple browsers. So there's going to be a vital step of "linking the new identity to old ones" which can happen on a different thread more dedicated -- but you'll need to keep data. You'll probably truncate ultralarge fields and then GZIP them or so, rather than just hashing them.

One interesting thought: how much space would you need to pull this off? Chromium generates 12 KB of data which can gzip to 3KB, Firefox generates 5 KB of data which can gzip to a little over 1KB. Truncate-then-gzip could be used to keep perhaps 0 - 4 KB per person. Assume that your average user uses ~2KB. That's still rather a lot, when compared with what you can do with counters -- 8 bytes or so to store. If you wanted to keep your database under 2 TB, you could only handle a million people, not hundreds of millions. So it would really be a big distributed project to link identities as they evolve over time. I imagine that's one huge factor in using tracking cookies; it's lazy for scaling.

It reminds me of Latanya Sweeney's work in 1990 that demonstrated that 87% of the US population can be identified by just their gender, zip code, and full date of birth.

An interesting project might be to create a database having a table with the useragent hash as the primary key, and associate each identity in the user table to a number of these useragent hashes.

(comment deleted)
I would love to see a plugin that mimics the statistically normal setup. (all 3 of the browsers I currently have open read in as unique)
Or something that randomizes your browser fingerprint values each time you restart.
Incognito mode does that fairly successfully. Try the Panopticlick link in incognito, you'll see what I mean.
"only one in 1,024,434 browsers have the same fingerprint as yours."

fairly successful? eh.

I think that you are that one, as well. Do the test in a normal window and then in an incognito window. Each "Browser Characteristic" had the same result in both.
I try to mimic TorBrowser's fingerprint as far as possible.
Correct me if I'm wrong on this:

Those may be unique for your browser right now, but if you were to update your fonts or your plugins, that would generate a completely new user and all their information about you would be lost. Same as if you delete your cookies, but I bet it happens more frequently.

That's true, it would. In that case you'd need alternative methods to carry the identity across hash changes. Companies participating in this tracking could use their legitimate cookies, or even just login events, to pair up one hash with another.

Likely this could be done in a way that doesn't violate any terms of service or data disclosure promises. After all, pushing out "browser fingerprint 'abcd' and 'efgh' are the same person" isn't disclosing information that most people would realize they're trusting someone with.

Even so, for someone like Google with their scale, even identifying users for a short amount of time would work better than not identifying them at all.
Even if you had this 'lossy' tracking method for users, you can still deduce that the 'new' user generated by a browser is a potential match of the old user agent info with a certain probability.

More than likely, only the browser version will change. For larger updates, would-be-broken plugins would disappear or see a newer version. It would be a ton of effort to track users this way, but I think it's within the realm of reason for those with enough incentive (NSA, maybe advertising companies)

It doesn't need to be easy to implement to become easy to use, if someone implements this in a way which can be packaged up and included on sites with only a single line of code somewhere it becomes trivial to apply this to any site that wants it.
Panopticlick asked me to enable Java, which I only do for trusted sites. How much identifying information can be gathered with just Javascript to determine how unique my browser is?
I believe the Java is simply for the Fonts which falls back to Flash if you say no.

User Agent provides quite a lot of identifying information; OS/OS version, browser version. Panopticlick breaks this down for you, one in every 186,062 data points they have has my User Agent. This provides 17.5 bits of identifying entropy (log2 of 186062).

They mention they have a total database size of 2,046,684, which requires 20.96 bits of identifying information. So to answer your question about how much identifying information you can get from Javascript, a lot.

You can then also get Flash Version, Time Zones, Browser Plugins, IP Address, Screen Info.

Pardon me for doubting the EFFs claim. Just for grins, I took my stock laptop (as handed out by my company, so I _know_ they're identical), fired up a completely unmodified Safari (not my normal browser, hence nothing installed), and it still claims I'm unique.

At which point the word BS comes to mind.

But just for grins, I repeated the test with a Chromebook fresh out of the box, and of course it's flagged "uniquely identifiable".

I'm not saying the underlying claim - browser characteristics can be used to track you - is bogus. I am saying that I think that site is intentionally exaggerating for effect. Or, more realistically, that while they can extract 20+ bits of info from those strings, the values in that 20+ bit domain are far from uniformly distributed.

Wait, posting factual info gets you downmodded? Go HN, I guess.
He's probably being downvoted (not by me) because he's misunderstood the tool: his signature is unique among all browsers that have visited that page, not every browser in existence.
Why is it implausible that either of those systems has a unique fingerprint among all those that have run the Panopticlick tool?
Because that means that nobody with a stock chromebook and nobody with a stock laptop from my employer (of which there are many, let's put it that way) has ever visited the panopticlick site.

But just because, I tried two more chromebooks (same model), both in guest mode, both stock configuration - and they're both flagged as "unique" too.

Maybe I'm just a victim of a really long update cycle of their database.

(Addendum: I went back with my original laptop, all cookies cleared, and it's indeed not considered unique any more. So maybe I really just saw some lag in updating their DB)

(Addendum 2: Just to clarify, I never doubted that you can be uniquely identified. But the "unique" part was wrong for my sample. )

Even if you have the same system fonts and plugins installed, the order in which they are reported may be stable on one system but differ on another (due to filesystem inode layout). The EFF's Panopticlick FAQ [1] suggests that Flash and Java plugins should alphabetize the font lists reported from their APIs to reduce variation.

https://panopticlick.eff.org/faq.php

What really surprised me is that running it in incognito mode (in Chrome) made absolutely no difference to my results.

I know that incognito mode is geared towards not leaving a trace on the user's computer rather than being anonymous to the server, but I guess I assumed that with the plugins disabled they wouldn't be visible to the server.

As long as your browser leaks the list of available plugins and fonts, you're not incognito.

An alternative I'd like to see is a standard somewhat fixed small set of plugins and fonts.

I have yet to find a network that uses fingerprinting in that way. The use of ETags in the wild has been seen (KISSMetrics), but nobody has (as yet) had to resort to fingerprinting from the client side since effective blocking of traditional methods isn't pervasive.
I wonder if there is a way to block presentation of the list of plugins to the server.

AFAIK it's not very useful information and certainly removes one of the bigger unique factors.

What this service does is analyze which URLs are fetched from the sites you visit and compare them with a list of known tracker URLs. It doesn't need to care for flash cookies or such, it's there to inform you of who's on a page potentially tracking you. It raises your awareness so you can properly act on it. Another plugin that existed for a while is Ghostery: http://www.ghostery.com/ this one also blocks the fetch of the URL so whatever cookies they might be using becomes irrelevant.

Most of these tracking pixels are not flash anyway so blocking flash won't accomplish anything. Blocking Javascript will do something of course but some are only images so it will still be pointless and you'll still be tracked.

The reality IMHO is that it's better to be targeted by relevant ads than to see dating/scammy ads everywhere.

I got these on Chrome and they work quite well together: AdBlockPlus, Ghostery, DoNotTrackPlus. I guess they are available on Firefox too.
I have made ~/.macromedia a symlink to /tmp, which means Flash cookies are regularly wiped.
Great solution! Note to self: figure out how to do this in Windows
Use mklink /j or junction (SysInternals). Optional: Combine with a ramdisk, such as Dataram.
Cannot upvote this enough. I just saw the trash in ~/.macromedia and was stunned. Immediately rm -rf everything and made the symlink. Will be doing it on my girlfriend's macbook as well.
I'd be reluctant to make a symlink inside your home directory to a system directory like /tmp -- there are always unforeseen consequences. (For example, every backup of your home directory could end up including an unintentional copy of _everything_ in /tmp at the time of backup.)

IMO it's better simply to add "rm -rf ~/.macromedia" to the list of shell commands that get executed upon every login -- or add the commmand as an entry on your personal crontab.

Alternately, I uninstalled Flash months ago and use Chrome whenever I need Flash. Seems to have worked out okay for me.
Alternatively (since the little Flash UI sucks), in these two places-

Windows users:

  Documents and Settings/yourusername/Application Data/Macromedia/Flash Player/Shared Objects/your flash userid/
  Documents and Settings/yourusername/Application Data/Macromedia/Flash Player/Macromedia.com/Support/Flashplayer/Sys/
Mac users:

  Places/yourusername/Library/Preferences/Macromedia/Flash Player/SharedObjects/your flash userid/
  Places/yourusername/Library/Preferences/Macromedia/Flash Player/Macromedia.com/Support/Flashplayer/Sys/
Wow. I have flash cookies from over 700 sites.
Try setting the "Website Storage Settings" to 0 on that Flash settings page. I did that ages ago and haven't noticed anything break because of it.
Use Adblock Plus. Stay Happy. :)
Here is my version of a tracker I wrote. https://github.com/sthorpe/tracked

It sniffs your local packets and tells you all the sites that connect to your computer while you browse.

Then I organize them by number of times connected to your computer. It reveals some really weird sites. Like somehow pandora knows my age and sex....

That is because in the settings of your pandora account it asks for your age and your sex as a preference. They tell you as a side note that it is for ad targeting. Pretty honest (IMHO)
Ahh, I signed up so long ago I had forgotten.
Hello! Collusion main developer here. I am excited to be going live with this project and thrilled to see it being discussed on Hacker News (where I am a long time lurker, first time poster). I value the input from the community here.

To answer an issue which Nostromo and others have brought up, I am well aware that the addon is incomplete until it also includes data on Flash cookies, tracking pixels, localstorage, iframes, useragent fingerprinting, etc. I plan to add all of these things; the bug for adding Flash cookies is at https://github.com/toolness/collusion/issues/22 and I would greatly appreciate help with implementation from anyone who's interested (hint, hint!)

I'm also working on making the graph actionable, i.e. you should be able to click any node and say "Block" (or "whitelist" for sites you are OK with). Firefox already has the ability to set site-specific 3rd party cookie policies, but the interface to it can charitably be described as "for experts only". Collusion could provide a much more usable way to control your browser's policies.

The graph, for those who asked, is drawn using d3.js and SVG.

The demo does not require flash; it uses SVG. You just have to click "click here".

Hi JonoXia. I was already using collusion since quite a while, I guess I got the pointer here at HN some time ago: http://collusion.toolness.org/ So what is happening? is the "new" collusion somehow more "official", i.e. released by Mozilla?

EDIT: found the old HN post, http://news.ycombinator.com/item?id=2741249

Hi gghh, Collusion.toolness.org was started as a personal project/experiment by my good friend Atul Varma. It's recently gathered a lot of interest within Mozilla; we're talking about maybe eventually making it into a built-in Firefox feature (no promises). As described on mozilla.org/collusion, we've got a grant from the Ford Foundation to support development on it. So yeah, what's happening now is basically that Mozilla is committing some real development resources to turn it into a proper product.
I just, erm, browsed around in private mode on FF for a bit and when I went back to normal mode, some of those sites are on the graph.
Hi, Collusion dev here. I don't think that's supposed to happen, as cookies should not be written when in private browsing mode. I'm guessing it's a bug in Collusion's visualization.

If you can reproduce the bug using 'generic' websites (I don't want to know about your private browsing habits), would you mind filing a bug report in https://github.com/toolness/collusion/issues ? It would be a big help. Thanks a lot.

If anyone plans on porting this to a Chrome extension please let me know!
I actually don't mind being tracked... It doesn't really bother me at all. I'd much rather have ads and stuff geared towards what I may be interested in, then some ad for girls pantyhose sale.

I know it sounds strange, but it doesn't bother me one bit.

Publishers are lacking control over who tracks what on their site. My full time project http://www.clarityad.com monitors third-party ad tags and reports pixels dropped.
Very interesting, however it makes Firefox 10.0.2 crash if you refresh the page or click off the collusion tab then back on to it. At least it does in Linux.

Will try it out on OS X later ...

Please file a bug if this is reproducible.
I do find it somewhat ironic that the demo page includes the old

> If you're not paying for something, you're not the customer; you're the product being sold.

http://www.mozilla.org/en-US/collusion/demo/

I also find the name "collusion" unfortunate. Part of my paycheck comes from advertising, and I include google analytics on my site. However, I also work hard to have a crystal clear privacy policy and I don't opt in to the shared analytics logging for my site, so the data only goes to me. But I'm lumped in with the scummiest of ad networks.

Mozilla, of course, offers a free browser. Their funding ultimately comes from the "collusion" they're talking about here and the search traffic they generate feeds it. More directly, you can argue that they sell our search data to the highest(?) bidder. Why isn't DDG the default search provider? Why aren't third party cookies disabled by default and the Do Not Track header enabled by default?

These are actually hard questions, and trite soundbites that ignore actual economics and the tensions inherent in the internet we have today do us no favors. Transparency is the answer in many of these problems we've created for ourselves, I believe, but we need to be able to talk about them with equal intellectual clarity.

edit: as an example, I really liked EFF's Peter Eckersley's quotes in the ars technica article on DNT today:

http://arstechnica.com/tech-policy/news/2012/02/can-do-not-t...

Aren't Mozilla products open source? Someone should offer a pro-privacy flavor which has these settings by default.
Why not Mozilla? They developed the Collusion reporter, but why not attack the problem by bundling privacy tools like Ghostery with Firefox?
Ghostery still requires you to somewhat know what you're doing (if you block too much, sites stop working). It's not something that you can bundle by default.
Good point. I know Ghostery's default settings break Disqus comments and NY Times videos.
What is your criticism here exactly, given that you find this "ironic"? You call for transparency - that's exactly what the published tool provides.

I think the understanding is that advertising is required for many free things on the net (including Firefox), but that unless advertising behaves in a reasonable manner, and the user has some control and understanding over it, it'll be self-defeating as everybody will go start running Adblock, Ghostery, etc.

Do Not Track works due to exactly the same economics. I think there was a public statement that if Do Not Track were enabled by default - no-one would respect it.

There is no conflict of interest here. You either self-police or you're shut down.

My criticism is exactly what I wrote. If that "you're the product" statement is always true, then we are necessarily Mozilla's product that they sell to Google. If it's not always true or is in no way an informative reductive statement (in that all economic gradients could be "products" in a trivial sense), then it should be dropped from the page because it serves as nothing more than a (disingenuous) marketing slogan. The purpose of this tool is ostensibly activism from transparency, not activism from the rabble-roused.

It's a similar argument for the name "collusion". Good marketing, yes, and maybe that's important to get attention and the name isn't that negative. At the same time, it paints everyone with the same brush when, again, the ostensible goal is not to shut down all ad networks on the internet, or the sites that are funded by them, but to give transparency into the links between the ad networks and the sites we visit, in order to hopefully force responsible behavior and give plain choices to end users.

And that's why I pointed to the EFF's statements in that article. They acknowledge the tensions inherent in the internet we've built and inherited, and postulate that it's possible to force everyone to be better actors without having to burn the house down. Moreover that meaning is exactly what they say, without resorting too much to rhetoric.

> Why isn't DDG the default search provider?

An excellent question. Does DDG have the infrastructure to handle that many searches? It didn't last I checked...

> Why aren't third party cookies disabled by default

Because it breaks things entirely unrelated to ads. For example, with third-party cookies disabled I can't buy tickets to http://www.puppetshowplace.org/ online for my kids.

> and the Do Not Track header enabled by default

Because then it would be completely useless. See http://blog.mozilla.com/privacy/2011/11/09/dnt-cannot-be-def...

I do agree that there needs to be a distinction between "showing ads" and "tracking users", of course. Those are not the same thing.

Does my accepting Google's new privacy policy allow them to link information possibly gained via Google Analytics (using their ubiquitous cookies like _utma, _utmb, _utmz) to my other Google product activities?
I don't think so, as far as I understand analytics, there is nothing to link with other Google products since it only uses first party cookies.

http://code.google.com/apis/analytics/docs/concepts/gaConcep...

On a side note, the doubleclick cookie is explicitly excluded from linking without explicit consent:

> We will not combine DoubleClick cookie information with personally identifiable information unless we have your opt-in consent.

Thanks. This was helpful.

In theory, I see your point about Google not having direct access to a site's first party cookies, but Google is clever. If you monitor the requested resources when you visit any site with those cookies, you'll notice a request to http://www.google-analytics.com/__utm.gif? followed by parameters sending the values of those cookies to Google. So, they are tracking said cookies.

Furthermore, based on a quick estimate based on my current Firefox cookies, Google is (through Google Analytics) aware of 80%-90% of my browsing activity.
But the cookie is per analytics domain, right? And not directly linked to other google cookies.

So I think Analytics "sees" 80% of your browsing but it's multiple fragments, each going to different analytics domains. It's never seen as a single user.

Hmm. Thanks for your help; I'm sorry if I'm not understanding.

Can't Google make certain (admittedly imperfect) inferences based on seeing the same IP address visit gmail.com, then AllThingsD.com, then CA.gov, etc? (All of which use Google Analytics) It doesn't take rocket science to place a high probability that the the IP address that visited gmail is also me across all those domains.

It's not because something is technically possible that it should (or can) be done.

Why go through all the pain of setting analytics such that: it uses per analytics domain first party cookie, serves the javascript and the tracking gif on google-analytics.com (no google.com cookies are transmitted), but they would then try to reconstruct user behaviour based on IPs?

That would be quite deceptive (and might not allowed by the FTC and the privacy policy).

And they can already do global tracking with the doubleclick cookie. But it is explicitly not allowed to link it with other data without consent.

Edit: by the way, thanks for your questions, I never really digged into this and also at first assumed they would have access to a lot more information. But analytics is actually pretty well designed.

Tip of the hat to Mozilla for innovating and trying to make Firefox the best browser possible. It seems like Chrome usage keeps going up; I'm really happy to see Mozilla not sitting around.
I wonder if RequestPolicy helps block this.

My config is as follows:

1. AdBlock (+privacylist)

2. Ghostery

3. RequestPolicy

4. HTTPS Everywhere

5. /etc/hosts with common tracking hosts pointing to 127.0.0.1

6. Disconnect.me

7. Disable 3rd party cookies

8. Uninstall Flash (when I need Flash, I use Chrome)

9. Configure Chrome Flash to not allow any local storage

10. about:config set dom.storage.enabled to false.

This is just a start and it would be nice to have some consistent way to disable localstorage.

My OS is Ubuntu and my Firefox config is:

* AdBlock Plus (with 16 filter subscriptions)

* BetterPrivacy

* User Agent Switcher

* RequestPolicy

* NoScript

* PrivacyChoice TrackerBlock

* Ghostery

* QuickJava

After installing Collusion and going to both the BBC webpage and a random selection of Gawker Media's webpages, the Collusion graph is empty. I can now confirm my selection of security plug-ins prevents tracking. Sweet! :-D

if site cookies are blocked on firefox, so is dom storage
Actually, my bigger fear is for mobile browsers which are much further behind in terms of such features as compared to desktop browsers.
And it's a growing problem. For now i guess the only protection is clear Cache and Cookies. And then load it with opt-out cookies.