Is there a Firefox addon that will substitute one cookie for another, say one that's a couple of Gig?
EFF warns of 'one-way mirror' of web surveillance by tech giants – led by Google
As the sacred shopping season gets underway, the Electronic Frontier Foundation has issued a report detailing the privacy cost of surveillance-based commerce. Issued on the Monday after the US observance of Thanksgiving, a day so known for online shopping that marketers branded the event with its own commerce-promoting moniker …
COMMENTS
-
Tuesday 3rd December 2019 09:41 GMT David Shaw
attack cookies?
I was recently being 'attacked' by a 3 gigabyte cookie, just one site
Safari/local-storage/https_www.(fairly mainstream site).co.uk_0.localstorage
I guess it's from my annoying habit of annoying TLAs
(one of the TLAs had intercepted my visit to this .co.uk site, sent me to a succession of "congratulations you have won $prize" very random IP sites - all based in Bulgaria - then a day or so later I noticed the super cookie. Not sure if it was data being exfiltrated or compromising data being installed. I have that supercookie archived somewhere off-line, for when I'm bored and can be bothered picking it apart.)
So yes, gig sized cookies are being used against ppl, so why not send 'em back!
(The TLA fun seemed to stop when I switched my machine to the Pi-hole address range)
-
Tuesday 3rd December 2019 17:26 GMT Roland6
Re: attack cookies?
>So yes, gig sized cookies are being used against ppl, so why not send 'em back!
But to be really effective, the 'cookie' needs to be sent from some cloud server and if you are doing this, why limit it to a gig, a terabyte is probably more appropriate; with a faulty checksum so that it repeats the download...
-
Tuesday 3rd December 2019 11:52 GMT Doctor Syntax
Sales and marketing types habitually assume that the public will readily click on links or open files received from random unknown strangers (not that said marketing types have the self-awareness to realise they're random unknown strangers). I can only assume that expectation comes from their being willing to do the same and, in fact, here we have them reading files, cookies, from random unknown strangers relying on the belief that these are the files they planted themselves. So don't bother with just replying with an oversized payload of random stuff. Send them something really nasty.
-
Tuesday 3rd December 2019 03:26 GMT Anonymous Coward
How long before Google and Facebook weaponize their data in order to protect their own interests? At least they will know whom to lobby in order to block any meaningful legislation. You cannot help but think that it is a little too late, and that the battle has already been lost. Too little too late EFF.
-
Tuesday 3rd December 2019 19:45 GMT Anonymous Coward
Unintended consequences.
You don't need to. Or even risk breaking any law.
Did a highly important person leave embarrassing photos on Facebook or Google Android services?
Are they going to risk finding out if Facebook or Google are honest or criminal?
I don't think they need to think twice.
-
Tuesday 3rd December 2019 06:21 GMT T. F. M. Reader
Cypher, the report author?
Is it a real name? Or is it an ironic pseudonym chosen to remind (some of) us of a graph query language the likes of which (Gremlins, etc.) are probably used behind that one-way mirror?
-
Tuesday 3rd December 2019 13:07 GMT Anonymous Coward
My preference is to use the Epic Browser with Duckduckgo as the default search engine.
https://www.epicbrowser.com/
I still have, and use, Firefox for sites like "The Register" where I have a subscriber account but loads/most of my web browsing can be done with Epic
In cases where I want yet more assurance that I'm free from being tracked I have Whonix installed on Virtualbox.
-
Tuesday 3rd December 2019 09:36 GMT Pascal Monett
"The problem is complex"
Not really. Tracking is part of the Internet because the law was ignorant of the issue and the greedy ones saw an opportunity and, like cockroaches, infested the place. Now the law can be made to say that tracking is illegal and any company that is caught tracking gets its yearly revenue (before tax) as a fine.
Well, it could be made to say that, in countries where companies do not write the law.
Yes, I like sledgehammers. How did you notice ?
-
Tuesday 3rd December 2019 09:59 GMT Paul Crawford
Re: "The problem is complex"
Another solution that might appeal to governments is a "tracker tax" so none of this EU-style "do you consent to cookies/blah-blah-bla?" pop-up crap, but every aspect of tracking is taxed and, of course, companies must fully declare their income or face criminal charges.
-
Tuesday 3rd December 2019 11:57 GMT jmch
Re: tracker tax
If the tax per tracker is just a percentage, which is how taxes usually work, companies will still track. As long as they make money from any instance, they don't care. It's anyway a minuscule-margin, gigantic-volume business; making the margin even tinier will not change that much.
This level of tracking should simply be banned. No one would accept that it's OK that someone follows you in real life every step/drive that you take, what shops and offices you visit, not only recording what you buy but what you browsed and how long you looked at what... It's stalking, and people do not object only because they are mostly unaware of the level of stalking.
-
Tuesday 3rd December 2019 13:42 GMT jmch
Re: tracker tax
"I take it you don't have a mobile phone? Never drive a car? Always pay cash?"
I do have a mobile phone, and I know that the phone provider has access to my whereabouts. I also know that, unlike in the US, they do not sell or otherwise share this information with anyone else unless presented with a judicial warrant, because I live in a country that values privacy very highly*. This data only has to be kept for 6 months.
I do drive a car, rarely, as I mostly use my motorbike. In either case, I have vehicles that don't report my every move back to base, and unlike the UK, there are no ANPR cameras to report my whereabouts to any busybody in a police uniform, because I live in a country that values privacy very highly*.
I do pay using credit cards, and I know that the payment provider / bank has access to my financial transaction history. I also know that they do not share this information with anyone else unless presented with a judicial warrant, because I live in a country that values privacy very highly*.
*Switzerland, in case you're wondering, and I believe most of the EU operates on a similar basis
-
Tuesday 3rd December 2019 12:25 GMT Claverhouse
Re: tracker tax
Of course, all wise and pertinent.
However, I am for once not being Anti-American when I point out the bulk of Internet consumers customers* users are American which is where the wealth to purchase is, and most Americans, through national culture simply don't care about all this stuff -- as is shown by the recently hardening attitudes of American Media regarding the refusal of cookies, personalisation and tracking under the protection of the EU, moving to either shuttering content completely or twistedly driving the apparent choices into a finality of 'Accept All.' And they will soon be joined by the Chinese, who are used to tracking anyway, and the Indians, who are as trusting and good-humoured as the Americans.
The Grand Trackers merely have to hold their nerve, and then they will be able to bug everyone, everywhere, every minute.
.
.
Even here, I once noticed a top City of London Fraud cop, dealing with the existential terror of online piracy rather than tracking and spying, aver the Internet was primarily there for shopping. And happy families each shopping on their own device, laughing merrily as in an advertisement.
-
Wednesday 4th December 2019 00:42 GMT Pascal Monett
Re: the bulk of Internet consumers are American
Um, sorry pal, but in case you haven't got the email, the Internet has escaped USA borders and most of its users now are not actually American citizens.
-
Tuesday 3rd December 2019 13:40 GMT ThatOne
Re: tracker tax
> This level of tracking should simply be banned.
Yes but there is money to be made, so they will tell you that if you don't have anything to hide you have nothing to worry about. The official theory being that only criminals, terrorists and perverts fear tracking, so, if you do, you are...
Who is going to stop trackers anyway? The government(s)? Certainly not, those are just trying to get a slice of the pie, for their own reasons (better/more control over the Great Unwashed).
Last but not least, the younger generations don't really feel concerned. Give them something shiny and they will gladly tell you everything about themselves, their family and their friends. For them it's "gossip".
Add to this situation the constant breaches and the ever-increasing bulk of information which becomes public that way, and you'll have to accept the idea that there are faceless people out there you've never met, but who know you better than your spouse and your GP put together...
-
Tuesday 3rd December 2019 21:57 GMT JohnFen
Re: tracker tax
"Last but not least, the younger generations don't really feel concerned"
My observation is that the younger generations tend to be more concerned than the older generations. However, they're also more transactional, and are willing to trade personal data for services under the right circumstances. Their concern is not necessarily total privacy, but that they want to have control over who gets the data and who doesn't.
-
Wednesday 4th December 2019 02:38 GMT ThatOne
Re: tracker tax
> My observation
Congratulations, your "younger generation" samples are much more intelligent than mine. And yet mine are all higher education, so it's not an educational issue. It's also not an information one, for I've been explaining it to them for years, to no avail. They just don't care.
The older generations feel much more concerned about it, and are willing to do something about it. Maybe it's that they remember a world where "privacy" still meant something, while the younger ones are growing up with the friendly uncle Google (Facebook, etc.) having constantly a hand in their pants.
-
Tuesday 3rd December 2019 11:35 GMT Venerable and Fragrant Wind of Change
Re: why it works
Or alternatively, because it's what we expect.
I was brought up in the Cold War era, and as a child enjoyed thrillers. The protagonists would routinely find their offices, hotel rooms, etc bugged, or be followed, by the villains, and sometimes vice versa (yes, the goodies did it too). So while I knew that I wasn't such a high-value target that some evil spy would be watching and listening, I never had any expectation of privacy.
Surely that kind of thing is very widespread (especially if we include those for whom God sees everything/Santa knows if you've been good/etc), and it makes anonymised (or at least identity-agnostic) tracking for non-threatening purposes like advertising look entirely benign in comparison!
-
-
Tuesday 3rd December 2019 15:00 GMT Jamie Jones
HTML local storage hole - GDPR fails?
[ EDIT: I just noticed local storage cookies mentioned in the article. I missed that before posting. ]
Remember way back when, and we were all deleting our persistent cookies, then it was discovered that flash "super cookies" were being leveraged to restore the persistent data?
Well, now, we have official 'super-cookies' -- html5 local storage can be used not just as a super cache, but to store data that javascript can read and send back to the server.... aka super-cookies.
So....
1) How many browsers clear "local storage" when clearing cookies?
2) All these sites with their GDPR popups etc. - do these sites consider "local storage" the same way as cookies?
3) Have a look at your local_storage files... You'll be shocked.
( on android, these are sqlite3 files in /data/data/*/app_webview/Local\ Storage )
Whilst on the subject of android, for apps that use webview, check the other stuff in app_webview - you'll see all sorts of other stuff including copies of search terms and autofill entries, and these are COPIES - not cleared down by "clear private data" options in most browsers!
-
Tuesday 3rd December 2019 21:59 GMT JohnFen
Re: HTML local storage hole - GDPR fails?
"Well, now, we have official 'super-cookies' -- html5 local storage can be used not just as a super cache, but to store data that javascript can read and send back to the server.... aka super-cookies."
Indeed. This is one of the many things that are part of HTML5 that make me truly despise HTML5.
-
Wednesday 4th December 2019 08:18 GMT ttlanhil
Re: HTML local storage hole - GDPR fails?
As a dev who spends some time on front-end... LocalStorage can be useful.
As long as browsers treat them as the same thing (e.g. "Clear cookies and site data" in my FF; or similar rules for 3rd party cookies as 3rd party localstorage) it doesn't make the tracking situation any worse than you already have with cookies.
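An added example, not part of any commenter's post: one way to look at what a site keeps in HTML5 local storage, as discussed in this sub-thread. It sizes each entry and flags values that look like persistent identifiers; the regexes, the entropy threshold and the sample data are assumptions chosen for illustration.

```javascript
// Audit a Storage-like object (window.localStorage in a browser console).
// Heuristics and thresholds are illustrative assumptions, not a standard.

// Shannon entropy in bits per character.
function entropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) h -= (n / s.length) * Math.log2(n / s.length);
  return h;
}

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const TOKEN_RE = /^[A-Za-z0-9_\-+/=.]{16,}$/;

// A UUID, or a long token-shaped string with high character entropy.
function looksLikeIdentifier(v) {
  return UUID_RE.test(v) || (TOKEN_RE.test(v) && entropy(v) >= 3.5);
}

// Values are often JSON blobs, so collect every string leaf inside them.
function stringLeaves(raw) {
  const out = [];
  const walk = (v) => {
    if (typeof v === "string") out.push(v);
    else if (v && typeof v === "object") Object.values(v).forEach(walk);
  };
  try { walk(JSON.parse(raw)); } catch { /* not JSON */ }
  return out.length ? out : [raw];
}

function auditStorage(storage) {
  const entries = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = storage.getItem(key) ?? "";
    entries.push({
      key,
      bytes: (key.length + value.length) * 2, // approximate: UTF-16 code units
      identifierLike: stringLeaves(value).some(looksLikeIdentifier),
    });
  }
  entries.sort((a, b) => b.bytes - a.bytes); // largest first
  return { totalBytes: entries.reduce((n, e) => n + e.bytes, 0), entries };
}

// Constructed sample standing in for window.localStorage.
function makeStorage(obj) {
  const keys = Object.keys(obj);
  return { length: keys.length, key: (i) => keys[i], getItem: (k) => obj[k] ?? null };
}
const sample = makeStorage({
  theme: "dark",
  _uid: "3f2b8c1e-9a4d-4e7b-b1c2-5d6e7f8a9b0c",
  prefs: JSON.stringify({ lang: "en", visitor: "kX9v2LqP7mZt4RwY8sBn1cDf" }),
});
```

In a browser console, `auditStorage(window.localStorage)` reports on the current origin only; running it before and after the browser's "clear cookies" action shows whether local storage was cleared with them.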
-
Tuesday 3rd December 2019 15:55 GMT LeahroyNake
Stalking
Stalking is illegal in most countries for obvious reasons.
Online stalking via social media comes under the same law, it's still stalking.
How these huge corporate entities get away with it should be obvious. They provide the info to gov agencies upon request. Are people really surprised that there is one rule for them and another for the rest of us. If anyone expects any real legal repercussions against these corps they are deluding themselves. The government vs encryption argument is just a time wasting exercise to distract from the real issue IMHO.
-
Tuesday 3rd December 2019 16:20 GMT Roger Kynaston
worthless data
Given the challenges in getting useful data out of very large data sets I would have thought that the exabytes or whatever of data that the big trackers have must be close to useless in identifying trends for an individual to make targeted ads worthwhile. The government example is trying to identify terrorists, paedophiles and other threats to civilisation from the data they hoover up. The bigger the data set the bigger the number of false positives which renders the whole exercise pointless.
You can see this in operation on Amazon which bombards you with suggestions to buy something you have just bought.
Shirly, once the people paying for Google's ads work this out they will stop paying for it and Google et al will go bust. Or am I being naive and over optimistic in assuming ad purchasers are going to make that sort of nuanced thinking?
-
Wednesday 4th December 2019 05:55 GMT Eric O'Brien
It's One Way GLASS, not mirror
When the reference is to invisible observers, hidden behind a mirror, I think the correct term is One Way GLASS. They can see you, you can't see them = "one way." All mirrors are "one way." Calling something a "one way mirror" is pointless (or senseless). A mirror is completely opaque. Ordinary glass is fully transparent... visibility goes both ways. Hence, normal glass is "two way" glass. On the other hand, ONE way GLASS is something special. See also "semi silvered" or "half silvered glass," which properly configured can offer transparency in only one direction.
-
Wednesday 4th December 2019 09:19 GMT Mike 137
The wider scope
Almost all the comments here exclusively consider online tracking. However the report goes a lot further by examining real-world tracking as part of the picture. I've recently been involved in discussions about self sovereign identity - a nice concept whereby the individual can theoretically retain privacy by creating multiple pseudonymous digital identities that do not intersect and using them for different purposes.
This report strongly suggests that when the entire scope of tracking on- and off-line is taken into account it's almost impossible for separate identities not to intersect, as the self sovereign digital component is inevitably only a small part of the person descriptor required to perform transactions in the real world. Consequently the real solution can only be to disallow tracking that is not freely permitted by the tracked subject, but that's not going to happen because of vested interests and the toothlessness of legislation.
-
Thursday 5th December 2019 22:48 GMT JohnFen
Re: The wider scope
"the individual can theoretically retain privacy by creating multiple pseudonymous digital identities that do not intersect and using them for different purposes."
This is something that I've been doing since around 1991. Every so often, I slip up and manage to get two identities correlated in some way, requiring me to nuke them both, but it generally works well.
"when the entire scope of tracking on- and off-line is taken into account it's almost impossible for separate identities not to intersect,"
I don't think it's anything close to impossible. But maintaining the separation does require more effort, and a willingness to forgo a certain level of convenience (for instance, by only buying things with cash)
"Consequently the real solution can only be to disallow tracking that is not freely permitted tracked subject"
I agree 100% with this. I'm not as skeptical as you are about the likelihood that this will happen, but I do think that if it does, it's going to take decades of fighting.
-
Thursday 9th May 2024 00:33 GMT Kevin McMurtrie
Press taking notice?
How would the press cover this? "100+ third parties watching you read this." Online news outlets are the worst. There seems to be a toolkit used by many that injects 60 to 200 web bugs, tracks your mouse, uses randomized top-level domains for hosting, attempts to crash adblockers, and attempts to disable the page if there aren't enough working ads and trackers. Ironically, these same sites often crash the JavaScript interpreter without an adblocker.