back to article EFF warns of 'one-way mirror' of web surveillance by tech giants – led by Google

As the sacred shopping season gets underway, the Electronic Frontier Foundation has issued a report detailing the privacy cost of surveillance-based commerce. Issued on the Monday after the US observance of Thanksgiving, a day so known for online shopping that marketers branded the event with its own commerce-promoting moniker …

  1. stiine Silver badge

    Is there a firefox addon that will substitute one cookie for another, say on that's a couple of Gig?

    1. Andrew Commons

      Cookie Zip Bomb?

      I believe you can have compressed cookies so you could maybe exploit this to deliver a zip bomb.

      1. Anonymous Coward
        Thumb Up

        Re: Cookie Zip Bomb?

        Oh man if someone makes a Firefox extension that does that I'd download it right away!

    2. David Shaw

      attack cookies?

      I was recently being 'attacked' by a 3 gigabyte cookie, just one site

      Safari/local-storage/https_www.(fairly mainstream site).co.uk_0.localstorage

      I guess it's from my annoying habit of annoying TLA's

      (one of the TLAs had intercepted my visit to this site, sent me to a succession of "congratulations you have won $prize" very random IP sites - all based in Bulgaria - then a day or so later I noticed the super cookie. not sure if it was data being exfiltrated or compromising data being installed. I have that supercookie archived somewhere off-line, for when I'm bored and can be bothered picking it apart.

      So yes, gig sized cookies are being used against ppl, so why not send 'em back!

      (The TLA fun seemed to stop when I switched my machine to the Pi-hole address range)

      1. Anonymous Coward

        (fairly mainstream site)

        That's cruel. You really should name names there!

        You can always post anonymously here if it's not a site you want to admit to visiting. Even if you're not in the least ashamed of it but just consider it a matter of privacy!

      2. Jamie Jones Silver badge

        Re: attack cookies?

        There's a bug there. Maybe the site knows about the bug and was exploiting it maliciously, or maybe not.

        However, local_storage data is not allowed to go over 5Mb per site. The browser should have rejected/truncated it.

      3. Efer Brick

        Re: attack cookies?

        Perhaps someone has implemented a real-life Pied Piper network?

      4. Roland6 Silver badge

        Re: attack cookies?

        >So yes, gig sized cookies are being used against ppl, so why not send 'em back!

        But to be really effective, the 'cookie' needs to be sent from some cloud server and if you are doing this, why limit it to a gig, a terabyte is probably more appropriate; with a faulty checksum so that it repeats the download...

    3. Doctor Syntax Silver badge

      Sales and marketing types habitually assume that the public will readily click on links or open files received from random unknown strangers (not that said marketing types have the self-awareness to realise they're random unknown strangers). I can only assume that expectation comes from their being willing to do the same and, in fact, here we have them reading files, cookies, from random unknown strangers relying on the belief that these are the files they planted themselves. So don't bother with just replying with an oversized payload of random stuff. Send them something really nasty.

    4. Blackjack Silver badge

      Icecat is the browser you want if you want a more privacy focused Firefox.

  2. Anonymous Coward
    Anonymous Coward

    How long before google and facebook weaponize their data in order to protect their own interests? At least they will know whom to lobby in order to block any meaningful legislation. You cannot help but think that it is a little to late, and that the battle has already been lost. Too little too late EFF.

    1. LDS Silver badge

      They are already doing....

    2. Anonymous Coward
      Anonymous Coward

      Unintended consequences.

      You don't need to. Or even risk breaking any law.

      Did a highly important person leave embarrassing photos on Facebook or Google Android services?

      Are they going to risk finding out if Facebook or Google are honest or criminal?

      I don't think they need to think twice.

  3. T. F. M. Reader Silver badge

    Cypher, the report author?

    Is it a real name? Or is it an ironic pseudonym chosen to remind (some of) us of a graph query language the likes of which (Gremlins, etc.) are probably used behind that one-way mirror?

  4. LDS Silver badge

    "trackers can use first-party cookie sharing in combination with TLS session data..."

    "... to build a long-term profile of user behavior"


  5. KittenHuffer Silver badge

    Firefox with CanvasBlocker, Ghostery, HTTPS Everywhere, NoScript, Privacy Badger, and uBlock Origin!

    Any others that need to be added to that list?

    1. Doctor Syntax Silver badge

      Cookies Exterminator?

      1. KittenHuffer Silver badge

        0 results searching for that one!

        Searching for 'cookies' returned some that might do the same thing. 'Cookies Disable", "Self Destructing Cookies", "Self Destroying Cookies", "Kill Cookies", "Cookie AutoDelete"!

        Does anyone have a recommendation?

    2. Anonymous Coward
      Anonymous Coward

      My preference is to use the Epic Browser with Duckduckgo as the default search engine.

      I still have, and use, Firefox for sites like "The Register" where I have a subscriber account but loads/most of my web browsing can be done with Epic

      In cases where I want yet more assurance that I'm free from being tracked I have Whonix installed on Virtualbox.

      1. Mr. Nanook

        Windows & Mac only. Based on Chromium.

  6. Pascal Monett Silver badge

    "The problem is complex"

    Not really. Tracking is part of the Internet because the law was ignorant of the issue and the greedy ones saw an opportunity and, like cockroaches, infested the place. Now the law can be made to say that tracking is illegal and any company that is caught tracking gets its yearly revenue (before tax) as a fine.

    Well, it could be made to say that, in countries where companies do not write the law.

    Yes, I like sledgehammers. How did you notice ?

    1. Paul Crawford Silver badge

      Re: "The problem is complex"

      Another solution that might appeal to governments is a "tracker tax" so none of this EU-style "do you consent to cookies/blah-blah-bla?" pop-up crap, but every aspect of tracking is taxed and, of course, companies must fully declare their income or face criminal charges.

      1. Venerable and Fragrant Wind of Change
        Thumb Up

        Re: "The problem is complex"

        Upvote for the seed of a really interesting idea.

        The question, as ever, is "how?"

      2. jmch Silver badge

        Re: tracker tax

        If the tax per tracker is just a percentage, which is how taxes usually work, companies will still track. As long as they make money from any instance, they don't care. Its anyway a miniscule margin gigantic volume business, making the margin even tinier will not change that much.

        This level of tracking should simply be banned. No one would accept that it's OK that someone follows you in real life every step/drive that you take, what shops and offices you visit, not only recording what you buy but what you browsed and how long you looked at what... Its stalking, and people do not object only because they are mostly unaware of the level of stalking

        1. Venerable and Fragrant Wind of Change

          Re: tracker tax

          No one would accept ...

          I take it you don't have a mobile phone? Never drive a car? Always pay cash? And wear tinfoil when out and about?

          Hang on, you're posting right here on social media. Whoops!

          1. jmch Silver badge

            Re: tracker tax

            "I take it you don't have a mobile phone? Never drive a car? Always pay cash?"

            I do have a mobile phone, and I know that the phone provider has access to my whereabouts. I also know that, unlike in the US, they do not sell or otherwise share this information with anyone else unless presented with a judicial warrant, because I live in a country that values privacy very highly*. This data only has to be kept for 6 months.

            I do drive a car, rarely, as I mostly use my motorbike. In either case, I have vehicles that don't report my every move back to base, and unlike the UK, there are no ANPR cameras to report my whereabouts to any busybody in a police uniform, because I live in a country that values privacy very highly*.

            I do pay using credit cards, and I know that the payment provider / bank has access to my financial transaction history. I also know that they do not share this information with anyone else unless presented with a judicial warrant, because I live in a country that values privacy very highly*.

            *Switzerland, in case you're wondering, and I believe most of the EU operates on a similair basis

        2. Claverhouse Silver badge

          Re: tracker tax

          Of course, all wise and pertinent.

          However, I am for once not being Anti-American when I point out the bulk of Internet consumers customers * users are American which is where the wealth to purchase is, and most Americans, through national culture simply don't care about all this stuff -- as is shown by the recently hardening attitudes of American Media regarding the refusal of cookies, personalisation and tracking under the protection of the EU, moving to either shuttering content completely or twistedly driving the apparent choices into a finality of 'Accept All.'

          And they will soon be joined by the Chinese, who are used to tracking anyway, and the Indians, who are as trusting and good-humoured as the Americans.

          The Grand Trackers merely have to hold their nerve, and then they will be able to bug everyone, everywhere, every minute.



          Even here, I once noticed a top City of London Fraud cop, dealing with the existential terror of online piracy rather than tracking and spying, aver the Internet was primarily there for shopping. And happy families each shopping on their own device, laughing merrily as in an advertisement.

          1. Pascal Monett Silver badge

            Re: the bulk of Internet consumers are American

            Um, sorry pal, but in case you haven't got the email, the Internet has escaped USA borders and most of its users now are not actually American citizens.

        3. ThatOne Silver badge

          Re: tracker tax

          > This level of tracking should simply be banned.

          Yes but there is money to be made, so they will tell you that if you don't have anything to hide you have nothing to worry about. The official theory being that only criminals, terrorists and perverts fear tracking, so, if you do, you are...

          Who is going to stop trackers anyway? The government(s)? Certainly not, those are just trying to get a slice of the pie, for their own reasons (better/more control over the Great Unwashed).

          Last but not least, the younger generations don't really feel concerned. Give them something shiny and they will gladly tell you everything about themselves, their family and their friends. For them it's "gossip".

          Add to this situation the constant breaches and the ever-increasing bulk of information which becomes public that way, and you'll have to accept the idea that there are faceless people out there you've never met, but who know you better than your spouse and your GP put together...

          1. JohnFen Silver badge

            Re: tracker tax

            "Last but not least, the younger generations don't really feel concerned"

            My observation is that the younger generations tend to be more concerned than the older generations. However, they're also more transactional, and are willing to trade personal data for services under the right circumstances. Their concern is not necessarily total privacy, but that they want to have control over who gets the data and who doesn't.

            1. ThatOne Silver badge

              Re: tracker tax

              > My observation

              Congratulations, your "younger generation" samples are much more intelligent than mine. And yet mine are all higher education, so it's not an educational issue. It's also not an information one, for I've been explaining it to them for years, to no avail. They just don't care.

              The older generations feel much more concerned about it, and are willing to do something about it. Maybe it's that they remember a world where "privacy" still meant something, while the younger ones are growing up with the friendly uncle Google (Facebook, etc.) having constantly a hand in their pants.

      3. JohnFen Silver badge

        Re: "The problem is complex"

        The problem with that is that when you put a tax on something, you've legitimized it. Tracking people without their informed consent shouldn't be legitimized, it should be very illegal.

  7. Anonymous Coward
    Anonymous Coward

    why it works

    because we don't care and assume "it always happens to somebody else". Also, "privacy vialotion" is unlike a flea bite, that you immediately feel and scratch your bum, it's like a tick, that sucks quietly (TBE, anyone?)

    1. Venerable and Fragrant Wind of Change

      Re: why it works

      Or alternatively, because it's what we expect.

      I was brought up in the Cold War era, and as a child enjoyed thrillers. The protagonists would routinely find their offices, hotel rooms, etc bugged, or be followed, by the villains, and sometimes vice versa (yes, the goodies did it too). So while I knew that I wasn't such a high-value target that some evil spy would be watching and listening, I never had any expectation of privacy.

      Surely that kind of thing is very widespread (especially if we include those for whom God sees everything/Santa knows if you've been good/etc), and it makes anonymised (or at least identity-agnostic) tracking for non-threatening purposes like advertising look entirely benign in comparison!

      1. JohnFen Silver badge

        Re: why it works

        Yes, this. It's a mistake to confuse resignation with not caring.

  8. Alister Silver badge

    said Bennett Cyphers, EFF staff technologist and report author,

    No way that is his real name. Really? Come on...

  9. Jamie Jones Silver badge

    HTML local storage hole - GDPR fails?

    [ EDIT: I just noticed local storage cookies mentioned in the article. I missed that before posting. ]

    Remember way back when, and we were all deleting our persistent cookies, then it was discovered that flash "super cookies" were being leveraged to restore the persistent data?

    Well, now, we have official 'super-cookies' -- html5 local storage can be used not just as a super cache, but to store data that javascript can read and send back to the server.... aka super-cookies.


    1) How many browsers clear "local storage" when clearing cookies?

    2) All these sites with their GDPR popups etc. - do these sites consider "local storage" the same way as cookies?

    3) Have a look at your local_storage files... You'll be shocked.

    ( on android, these are sqlite3 files in /data/data/*/app_webview/Local\ Storage )

    Whilst on the subject of android, for apps that use webview, check the other stuff in app_webview - you'll see all sorts of other stuff including copies of search terms and autofill entries, and these are COPIES - not cleared down by "clear private data" options in most browsers!

    1. JohnFen Silver badge

      Re: HTML local storage hole - GDPR fails?

      "Well, now, we have official 'super-cookies' -- html5 local storage can be used not just as a super cache, but to store data that javascript can read and send back to the server.... aka super-cookies."

      Indeed. This is one of the many things that are part of HTML5 that make me truly despise HTML5.

      1. ttlanhil

        Re: HTML local storage hole - GDPR fails?

        As a dev who spends some time on front-end... LocalStorage can be useful.

        As long as browsers treat them as the same thing (e.g. "Clear cookies and site data" in my FF; or similar rules for 3rd party cookies as 3rd party localstorage) it doesn't make the tracking situation any worse than you already have with cookies.

        1. JohnFen Silver badge

          Re: HTML local storage hole - GDPR fails?

          I'm not saying it doesn't have legitimate uses. All of the things that were added to HTML5 have legitimate uses, even the aspects that I find objectionable.

  10. LeahroyNake


    Staking is illegal in most countries for obvious reasons.

    Online staking via social media comes under the same law, its still stalking.

    How these huge corporate entities get away with it should be obvious. They provide the info to gov agencies upon request. Are people really surprised that there is one rule for them and another for the rest of us. If anyone expects any real legal repercussions against these corps they are deluding themselves. The government vs encryption argument is just a time wasting exercise to distract from the real issue IMHO.

  11. Roger Kynaston Bronze badge

    worthless data

    Given the challenges in getting useful data out of very large data sets I would have thought that the exabytes or whatever of data that the big trackers have must be close to useless in identifying trends for an individual to make targeted ads worthwhile. The government example is trying to identify terrorists, paedophiles and other threats to civilisation from the data they hoover up. The bigger the data set the bigger the number of false positives which renders the whole exercise pointless.

    You can see this in operation on Amazon which bombards you with suggestions to buy something you have just bought.

    Shirly, once the people paying for Google's ads work this out they will stop paying for it and Google et al will go bust. Or am I being naive and over optimistic in assuming ad purchasers are going to make that sort of nuanced thinking?

  12. Eric O'Brien

    It's One Way GLASS, not mirror

    When the reference is to invisible observers, hidden behind a mirror, I think the correct term is One Way GLASS. They can see you, you can't see them = "one way." All mirrors are "one way." Calling something a "one way mirror" is pointless (or senseless). A mirror is completely opaque. Ordinary glass is fully transparent... visibility goes both ways. Hence, normal glass is "two way" glass. On the other hand, ONE way GLASS is something special. See also "semi silvered" or "half silvered glass," which properly configured can offer transparency in only one direction.

  13. Mike 137 Silver badge

    The wider scope

    Almost all the comments here exclusively consider online tracking. However the report goes a lot further by examining real-world tracking as part of the picture. I've recently been involved in discussions about self sovereign identity - a nice concept whereby the individual can theoretically retain privacy by creating multiple pseudonymous digital identities that do not intersect and using them for different purposes.

    This report strongly suggests that when the entire scope of tracking on- and off-line is taken into account it's almost impossible for separate identities not to intersect, as the self sovereign digital component is inevitably only a small part of the person descriptor required to perform transactions in the real world. Consequently the real solution can only be to disallow tracking that is not freely permitted tracked subject, but that's not going to happen because of vested interests and the toothlessness of legislation.

    1. JohnFen Silver badge

      Re: The wider scope

      "the individual can theoretically retain privacy by creating multiple pseudonymous digital identities that do not intersect and using them for different purposes."

      This is something that I've been doing since around 1991. Every so often, I slip up and manage to get two identities correlated in some way, requiring me to nuke them both, but it generally works well.

      "when the entire scope of tracking on- and off-line is taken into account it's almost impossible for separate identities not to intersect,"

      I don't think it's anything close to impossible. But maintaining the separation does require more effort, and a willingness to forgo a certain level of convenience (for instance, by only buying things with cash)

      "Consequently the real solution can only be to disallow tracking that is not freely permitted tracked subject"

      I agree 100% with this. I'm not as skeptical as you are about the likelihood that this will happen, but I do think that if it does, it's going to take decades of fighting.

  14. Gerlad Dreisewerd

    They want data

    So let's give them data. Lots and lots of randomly generated data. Your real browsing data is still there in a dump truck load of gibberish. Knowing what's good data and what's bad data will be problematic.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021