How widespread is this bounce tracking these days? This is the first time I have heard of it, but maybe that's just me being ignorant.
Browser maker Brave has developed a new way to ground "bounce tracking," a sneaky technique for bypassing privacy defenses in order to track people across different websites. Bounce tracking, also known as redirect tracking, dates back at least to 2014 when ad companies were looking for ways to avoid third-party cookie …
Brave is working toward a future where web users' activities don't have to be remembered.
It is sad that this is needed. The spirit of GDPR is that all users should be in control of their data and must give informed permission before second and third parties are allowed to handle direct/indirect PI data (and not even getting into the problem of shadow profiles). So, yes, it is sad that we need technological measures to create more privacy.
We should consider a reverse burden of proof for websites when they employ any form of tracker technology on their website(s). They should be the ones to prove that your data is not being used for anything other than explicitly advertised.
I agree. It's unfortunate that the spirit of GDPR was side-lined in the implementation. Whilst I am normally against legislative solutions, I think the time has come to just outright ban tracking that uses 3rd parties.
The desperation to make an extra few pennies out of us is sickening and advertising is the scourge of the internet
Whilst I completely agree with you that the onus should be on the firms to justify why they need third-party tracking (in truth 99.99999% don't!), the problem is enforcement.
There is basically no government department with the resources to go visiting every company behind every website and demanding to know why they are using third party tracking. Even a scatter gun approach of just approaching those that are most complained about, would be completely ineffective. Big firms would just consider it a cost of doing business to make the fines go away (whilst they continued with the tracking), and only the small guys would get hit.
A law that's not enforced properly may as well not exist...
Say I'm using Firefox with NoScript.
Or say that I'm blocking info.tracker's IP address at the firewall.
Problem solved again.
But I'm happy that there are people who are thinking about the deep mechanics of ad tracking. The more ways we have to block that, the better.
Hard blocking all connection attempts or cookie setting doesn't always work. As you get redirected (bounced) to the tracker site, which then redirects back to the site you are trying to access, a hard block just means that you get a browser failure message when it can't load the tracker site, and you never get the site you wanted.
Likewise, hard blocking cookies from the bounce tracker site can lead to you being constantly bounced between the site you want and the tracker site (the site you want checks if the third-party tracker cookie exists, finds it doesn't and redirects to the tracker site, which tries and fails to set a first-party cookie, before redirecting back to the site you want, which checks to see if the third-party tracking cookie is there, finds it isn't and redirects you to the tracking site...) so you just get nothing happening in your browser for a few seconds, followed by a browser "too many redirects" failure message.
If you've ever struggled to load a site as your browser just gives you a "too many redirects" error, and you use some sort of ad or cookie blocking tool this is likely what's happening behind the scenes.
You've missed the point here - if you've got Adblock, they decide to redirect you to get your data. If you've blocked the tracker's IP in your firewall, your browsing session will come to a dead stop, due to the redirection target being unreachable.
This workaround instead permits the redirect to the tracker, but expunges the data as soon as the redirect is complete, so your browsing session can continue as normal.
Better with Firefox and self destructing cookies that are set to expire after around 20 seconds (unless a whitelisted site). That way stuff can load, they can think they're tracking you, and the garbage will be nuked in short order.
Firefox's is not quite the same as what Brave are doing; it's subtly similar, yes. Mozilla implemented protection from middle-man drive-by cookies, so they did it to prevent you picking up a pervert cookie en route, so to speak.
Well, the advertising industry is clearly mass producing fairy dust zero going by the sort of turnover and profits that keep getting mentioned.
Since they're using other people's electricity and bandwidth, I think a tax of, oh I don't know sixty percent? Yeah, tax them sixty percent of their turnover (not profit, that can be creatively made near zero) and use that money for all the green schemes out there.
Let's have advertising fund something useful...
Rather than delete the cookies, replacing them with junk would be better. Even if your browser and mine delete cookies, most people's won't, so their cookies will still be seen and have value*. Poison the cookie well and let it be known it's poisoned, and all cookies are devalued.
* As priced up by those selling the data and perceived by those buying it.
Poisoned cookies may very well be a good way to destroy effective commercial tracking. We need to add as much noise as possible. Swamp them with junk.
Imagine that Privacy Badger hooks into the requests and every tracking cookie gets different content. Different every time a request is made. It should be fun to have _ga cookies start filling the database with just junk. A new ID for every request.
This is actually a good idea as an additional add-on. I'd install it for poisoning all those sites that are not blocked by default.
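The cookie-poisoning idea raised in the last few comments, rewriting named tracker cookies to a fresh value on every outgoing request, is easy to prototype as a header rewriter. The code below is an added example written for this page; it is not from Privacy Badger, Brave or any commenter. The target cookie list, the hypothetical WebExtension wiring at the bottom and the sample Cookie header are all assumptions.

```javascript
// Cookie poisoning: rewrite named tracking cookies in an outgoing Cookie
// header so the tracker's database records a different "visitor" per request.
// Cookie names below are a hypothetical target list, not a vetted one.
const TRACKING_COOKIES = new Set(['_ga', '_gid', '_fbp']);

function freshId() {
  // Unpredictability is not the goal here, only per-request uniqueness:
  // the tracker should never see the same identifier twice.
  if (globalThis.crypto && typeof globalThis.crypto.randomUUID === 'function') {
    return globalThis.crypto.randomUUID().replace(/-/g, '');
  }
  return Math.random().toString(16).slice(2) + Date.now().toString(16);
}

// Parse "a=1; b=2" into [[name, value], ...], preserving order. Pairs without
// an "=" are kept as-is with an empty value so nothing is silently dropped.
function parseCookieHeader(header) {
  return header
    .split(';')
    .map((s) => s.trim())
    .filter(Boolean)
    .map((pair) => {
      const i = pair.indexOf('=');
      return i === -1 ? [pair, ''] : [pair.slice(0, i), pair.slice(i + 1)];
    });
}

// Returns the rewritten header plus the list of cookies that were replaced.
// Non-target cookies (sessions, preferences) pass through untouched, so the
// site itself keeps working; only the tracker's identifiers are junk.
function poisonCookieHeader(header, targets = TRACKING_COOKIES, makeId = freshId) {
  const poisoned = [];
  const out = parseCookieHeader(header).map(([name, value]) => {
    if (!targets.has(name)) return `${name}=${value}`;
    poisoned.push(name);
    return `${name}=${makeId()}`;
  });
  return { header: out.join('; '), poisoned };
}

// Hypothetical wiring into a WebExtension using blocking webRequest, which
// Firefox extensions still support. Not executed outside a browser.
if (typeof chrome !== 'undefined' && chrome.webRequest) {
  chrome.webRequest.onBeforeSendHeaders.addListener(
    (details) => {
      for (const h of details.requestHeaders) {
        if (h.name.toLowerCase() === 'cookie') h.value = poisonCookieHeader(h.value).header;
      }
      return { requestHeaders: details.requestHeaders };
    },
    { urls: ['<all_urls>'] },
    ['blocking', 'requestHeaders']
  );
}

// Constructed sample header: a real session cookie sitting next to a _ga cookie.
const SAMPLE = 'session=abc123; _ga=GA1.2.1234567890.1609459200; theme=dark';
console.log(poisonCookieHeader(SAMPLE));
```

The rewrite happens on the request path, so the tracker's own Set-Cookie still lands in the jar; the point is that what it gets back never matches what it stored, which is the "devalued cookies" effect the comments describe.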
@AC "What am I missing?"
Bounce tracking makes the tracking cookies first party.
"Say a website embeds a third-party script from info.tracker. When the website is visited, the third-party script tries to read third-party cookies from info.tracker that have been stored in the visitor's browser.
If it can't – because third-party cookies are blocked – the script redirects to the info.tracker domain by writing a new URL to the browser's window.location object or via some link hijacking method like injecting an info.tracker iframe into the original website.
Doing so puts info.tracker into a first-party context, enabling it to set tracking cookies."
I get how the initial cookie is set, but it continues to say:
"Info.tracker then redirects back to the original website URL and info.tracker cookies can then be read in third-party contexts"
Is this not the case? If not, then they'd have to "bounce" for every update!
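The flow discussed across the thread (the bounce that puts info.tracker into a first-party context, the dead stop when the tracker's address is unreachable, the "too many redirects" loop when it is reachable but cannot set cookies, and the expunge-after-redirect approach) can be simulated offline. The Node.js script below is an added example written for this page, not code from Brave, The Register or any commenter. The site name shop.example, the uid cookie, the 20-redirect limit, the deterministic id-N identifiers and the "visited as first party grants third-party cookie access" heuristic are modelling assumptions chosen to reproduce the behaviour the comments describe.

```javascript
// Offline simulation of a bounce-tracking redirect chain under four client
// policies. No network; the "site" and "tracker" are in-process handlers.
// Domains, cookie names and the redirect limit are hypothetical.
const SITE = 'shop.example';
const TRACKER = 'info.tracker';
const MAX_REDIRECTS = 20; // browsers give up around here with "too many redirects"

// Policies:
//   'allow'               third-party cookies blocked, nothing else (tracking still works)
//   'hardBlock'           info.tracker unreachable (firewall / hosts file)
//   'blockTrackerCookies' info.tracker reachable but may not set cookies
//   'bounceUnmask'        let the bounce happen, then wipe the tracker's storage
function makeBrowser(policy) {
  return {
    policy,
    cookies: new Map(),             // domain -> Map(name -> value)
    visitedAsFirstParty: new Set(), // domains granted third-party cookie access
    bouncedThrough: new Set(),      // domains seen only as redirect hops
  };
}

function getCookie(browser, domain, name) {
  const jar = browser.cookies.get(domain);
  return jar ? jar.get(name) : undefined;
}

function setCookie(browser, domain, name, value) {
  if (!browser.cookies.has(domain)) browser.cookies.set(domain, new Map());
  browser.cookies.get(domain).set(name, value);
}

// Assumed heuristic: a domain the user has loaded as a first party may read
// its cookies from third-party contexts too. The bounce exists to earn that.
function canReadThirdParty(browser, domain) {
  return browser.visitedAsFirstParty.has(domain);
}

// The tracker mints a new ID whenever it finds no cookie for this browser.
function makeTracker() {
  let counter = 0;
  return {
    handle(browser, url) {
      if (browser.policy === 'hardBlock') throw new Error('unreachable');
      browser.visitedAsFirstParty.add(TRACKER); // the bounce made it first party
      browser.bouncedThrough.add(TRACKER);
      if (browser.policy !== 'blockTrackerCookies' && !getCookie(browser, TRACKER, 'uid')) {
        counter += 1;
        setCookie(browser, TRACKER, 'uid', `id-${counter}`);
      }
      return { status: 302, location: url.searchParams.get('return') };
    },
  };
}

// The site's embedded tracker script: read the tracker's cookie if the browser
// allows it, otherwise bounce the visitor through the tracker to set one.
function siteHandler(browser, url) {
  const uid = canReadThirdParty(browser, TRACKER) ? getCookie(browser, TRACKER, 'uid') : undefined;
  if (uid !== undefined) return { status: 200, trackerSaw: uid };
  const bounce = new URL(`https://${TRACKER}/bounce`);
  bounce.searchParams.set('return', url.href);
  return { status: 302, location: bounce.href };
}

// Follow redirects like a browser would, returning what the user ends up with.
function navigate(browser, tracker, startUrl) {
  let url = new URL(startUrl);
  let redirects = 0;
  try {
    for (;;) {
      const res = url.hostname === TRACKER ? tracker.handle(browser, url) : siteHandler(browser, url);
      if (res.status !== 302) {
        if (browser.policy === 'bounceUnmask') {
          // The tracker was only a hop: forget its cookies and its first-party status.
          for (const d of browser.bouncedThrough) {
            browser.cookies.delete(d);
            browser.visitedAsFirstParty.delete(d);
          }
          browser.bouncedThrough.clear();
        }
        return { ok: true, id: res.trackerSaw, redirects };
      }
      if (++redirects > MAX_REDIRECTS) return { ok: false, error: 'too many redirects', redirects };
      url = new URL(res.location);
    }
  } catch (e) {
    return { ok: false, error: e.message, redirects };
  }
}

// Two separate visits to the site under one policy; "linked" means the
// tracker saw the same identifier both times.
function runScenario(policy) {
  const browser = makeBrowser(policy);
  const tracker = makeTracker();
  const visit1 = navigate(browser, tracker, `https://${SITE}/`);
  const visit2 = navigate(browser, tracker, `https://${SITE}/`);
  return { visit1, visit2, linked: visit1.ok && visit2.ok && visit1.id === visit2.id };
}

for (const policy of ['allow', 'hardBlock', 'blockTrackerCookies', 'bounceUnmask']) {
  console.log(policy, JSON.stringify(runScenario(policy)));
}
```

Under 'allow' the second visit needs no bounce at all, which answers the question above: once the tracker has been a first party once, its cookie is readable from the site and the tracking continues silently. 'hardBlock' never reaches the site, 'blockTrackerCookies' loops until the redirect limit, and 'bounceUnmask' loads the site every time but hands the tracker a different identifier on each visit.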
Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances.
The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.
This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come.
Brave CEO Brendan Eich took aim at rival DuckDuckGo on Wednesday by challenging the web search engine's efforts to brush off revelations that its Android, iOS, and macOS browsers gave, to a degree, Microsoft Bing and LinkedIn trackers a pass versus other trackers.
Eich drew attention to one of DuckDuckGo's defenses for exempting Microsoft's Bing and LinkedIn domains, a condition of its search contract with Microsoft: that its browsers blocked third-party cookies anyway.
"For non-search tracker blocking (e.g. in our browser), we block most third-party trackers," explained DuckDuckGo CEO Gabriel Weinberg last month. "Unfortunately our Microsoft search syndication agreement prevents us from doing more to Microsoft-owned properties. However, we have been continually pushing and expect to be doing more soon."
The latest version of OpenSSL v3, a widely used open-source library for secure networking using the Transport Layer Security (TLS) protocol, contains a memory corruption vulnerability that imperils x64 systems with Intel's Advanced Vector Extensions 512 (AVX512).
OpenSSL 3.0.4 was released on June 21 to address a command-injection vulnerability (CVE-2022-2068) that was not fully addressed with a previous patch (CVE-2022-1292).
But this release itself needs further fixing. OpenSSL 3.0.4 "is susceptible to remote memory corruption which can be triggered trivially by an attacker," according to security researcher Guido Vranken. We're imagining two devices establishing a secure connection between themselves using OpenSSL and this flaw being exploited to run arbitrary malicious code on one of them.
1Password, the Toronto-based maker of the identically named password manager, is adding a security analysis and advice tool called Insights from 1Password to its business-oriented product.
Available to 1Password Business customers, Insights takes the form of a menu addition to the right-hand column of the application window. Clicking on the "Insights" option presents a dashboard for checking on data breaches, password health, and team usage of 1Password throughout an organization.
"We designed Insights from 1Password to give IT and security admins broader visibility into potential security risks so businesses improve their understanding of the threats posed by employee behavior, and have clear steps to mitigate those issues," said Jeff Shiner, CEO of 1Password, in a statement.
California lawmakers met in Sacramento today to discuss, among other things, proposed legislation to protect children online. The bill, AB2273, known as The California Age-Appropriate Design Code Act, would require websites to verify the ages of visitors.
Critics of the legislation contend this requirement threatens the privacy of adults and the ability to use the internet anonymously, in California and likely elsewhere, because of the role the Golden State's tech companies play on the internet.
"First, the bill pretextually claims to protect children, but it will change the Internet for everyone," said Eric Goldman, Santa Clara University School of Law professor, in a blog post. "In order to determine who is a child, websites and apps will have to authenticate the age of ALL consumers before they can use the service. No one wants this."
Democrat lawmakers want the FTC to investigate Apple and Google's online ad trackers, which they say amount to unfair and deceptive business practices and pose a privacy and security risk to people using the tech giants' mobile devices.
US Senators Ron Wyden (D-OR), Elizabeth Warren (D-MA), and Cory Booker (D-NJ) and House Representative Sara Jacobs (D-CA) requested on Friday that the watchdog launch a probe into Apple and Google, hours before the US Supreme Court overturned Roe v. Wade, clearing the way for individual states to ban access to abortions.
In the days leading up to the court's action, some of these same lawmakers had also introduced data privacy bills, including a proposal that would make it illegal for data brokers to sell sensitive location and health information of individuals' medical treatment.
TikTok, owned by Chinese outfit ByteDance, last month said it was making an effort to minimize the amount of data from US users that gets transferred outside of America, following reports that company engineers in the Middle Kingdom had access to US customer data.
"100 percent of US user traffic is being routed to Oracle Cloud Infrastructure," TikTok said in a June 17, 2022 post, while acknowledging that customer information still got backed up to its data center in Singapore. The biz promised to delete US users' private data from its own servers and to "fully pivot to Oracle cloud servers located in the US."
That pivot has not yet been completed. According to a June 30, 2022 letter [PDF] from TikTok CEO Shou Zi Chew, obtained by the New York Times on Friday, some China-based employees with sufficient security clearance can still access data from US TikTok users, including public videos and comments.
Blockchain venture Harmony offers bridge services for transferring crypto coins across different blockchains, but something has gone badly wrong.
The Horizon Ethereum Bridge, one of the firm's ostensibly secure bridges, was compromised on Thursday, resulting in the loss of 85,867 ETH tokens optimistically worth more than $100 million, the organization said via Twitter.
"Our secure bridges offer cross-chain transfers with Ethereum, Binance and three other chains," the cryptocurrency entity explained on its website. Not so, it seems.
Brave Software, maker of a privacy-oriented browser, on Wednesday said its surging search service has exited beta testing while its Goggles search personalization system has entered beta testing.
Brave Search, which debuted a year ago, has received 2.5 billion search queries since then, apparently, and based on current monthly totals is expected to handle twice as many over the next year. The search service is available in the Brave browser and in other browsers by visiting search.brave.com.
"Since launching one year ago, Brave Search has prioritized independence and innovation in order to give users the privacy they deserve," wrote Josep Pujol, chief of search at Brave. "The web is changing, and our incredible growth shows that there is demand for a new player that puts users first."
Apple's Intelligent Tracking Protection (ITP) in Safari has implemented privacy through forgetfulness, and the result is that users of Twitter may have to remind Safari of their preferences.
Apple's privacy technology has been designed to block third-party cookies in its Safari browser. But according to software developer Jeff Johnson, it keeps such a tight lid on browser-based storage that if the user hasn't visited Twitter for a week, ITP will delete user set preferences.
So instead of seeing "Latest Tweets" – a chronological timeline – Safari users returning to Twitter after seven days can expect to see Twitter's algorithmically curated tweets under its "Home" setting.
Biting the hand that feeds IT © 1998–2022