How surveillance capitalism tracks you without cookies


#1

Originally published at: http://boingboing.net/2016/09/06/how-surveillance-capitalism-tr.html


#2

See, as long as it had decent adblocks and privacy badger, I would be ok with using a cookie cutter browser so long as my identity was protected.


#3

It sounds like an awful lot of work to go through just to learn that I really like tits.


#4

Is there a good firefox plugin that randomly and dramatically changes the browser fingerprint a few times a day?


#5

The browser can be exactly like every other browser in the world, your actions and the capabilities of modern DOM would soon give it a unique fingerprint.

Modern websites are nothing like the human-readable HTML you may have seen in the past. Instead, they’re often baroque combinations of HTML div elements, CSS, fonts, and javascript. The CSS lets the architect easily re-style pages, and all the div elements help them dice up the page into zone of styles. Technically, the structure is still separate from the style (the original design goal of CSS), but 90% of the structure just exists to let you hang the style off of it. In addition downloadable custom fonts let them overload symbols (so that, for example, a * character becomes a custom image to serve as a bulletpoint, or the character m to serve as the “hamburger” menu button. Document Object Model (DOM) events and javascript let the browser change the page in response to your actions, such as by changing the CSS of an element from “hidden” to “visible”.

An example of how this can be abused: javascript and DOM can be used to read the value of properties on the open page. (You wouldn’t expect them to be able to set something without reading it back, would you? That would make designs very brittle when an error eventually creeps in.) That means you can read the color of various links, to see if they match the visited link color or the unvisited link color. Do that with the 500 most popular web sites, and you have a pretty good idea of where that browser has been, which paints a pretty unique picture of your history for fingerprinting. And of course, none of those links need to be visible, when CSS can hide them.

Basically, the DOM (what the browser lets a website do to itself as you interact with it) supports a lot more flexibility and power than it really needs. They do this because of the modern goal of supporting web-native “web apps” - video games, video players, spreadsheets, calculators, all running directly from a browser - which basically requires you to re-implement most of the OS API to give every type of app the range of data it may need.

Depending on how open your browser is, you can disallow some of these (which is the supported fix for the example above) at the expense of breaking the standard, and possibly needed webpage functionality. But of course, if you break functionality, the site admin can detect the lack of compliance and just say you’re not running a supported configuration, so to hell with you. Update your browser/accept cookies/enable javascript or GTFO. But of course, if they do allow you to use their site , your lack of compliance can always be used as a fingerprint datapoint as well. Ultimately, taking all the power out of the browser and putting them into open standards just shifted real power from the user (who owns the machine) to the web architects (who wrote the web page). Unless a privacy violation is so egregious that a browser-maker breaks it for all it’s customers by default (as with above example), or unless many thousands of people used an add-on that does the same, you can still be tracked.


#6

Since that would mean randomly breaking and restoring various bits of functionality in the browser, probably not.

The best thing you can do is to use noScript. That can effectively turn off Javascript for all unfamiliar pages. In addition, it can block custom fonts. You can use Firefox settings to spoof your user-agent string and HTTP referer, but that’s probably a bit excessive.


#7

The best thing you can do is use the Tor Browser Bundle, which is designed specifically to make your web traffic completely indistinguishable from that of any other user of the Tor Browser Bundle.

In general, any active thing you do (changing the user-agent string for example) is much more likely to make you more distinguishable rather than less.

See how unique your browser configuration is here: https://panopticlick.eff.org/


#8

The sites that determine how unique your browser’s fingerprint is are enlightening. Even with noScript, ghostery, or any other privacy add-on, it may still be able to uniquely identify you. Better would be an add-on that randomly changes your font-list, for example.


#9

If I’m going to be tracked. I want cookies!


#10

Didn’t we have this exact same conversation 1-2 years ago? As I recall, the verdict was that it’s possible, but much too difficult to be profitable. No?


#11

The thing to remember is that many players in the tracking industry are not unlike the tailors in the Hans Christian Anderson tale The Emperor’s New Clothes. They don’t really care if the system works or not, only that they can convince advertisers to buy their snake oil to sell their snake oil.


#12

So, is this a good score?

Seriously, I can’t tell.

I got, noscript, uBlock Origin, and don’t accept cookies from third parties and also all cookies are deleted upon exit. So…

Also, that 0.51 bits seems kind of weird… How can you have half a bit? I know it’s just the average of something, but shouldn’t they round to whole bits?


#13

Sounds like time for someone to code up a browser fingerprint scrambler. Identify the fingerprint criteria, randomly install/uninstall little-used fonts, update/roll back minor browser versions, etc. I sure that some of these items are more malleable than others.


#14

For at least some of these you could probably spoof them, no need to actually change anything, just change the value you feed to the servers.


#15

This topic was automatically closed after 5 days. New replies are no longer allowed.