Cookieless Web Tracking Using HTTP's ETag - Tracking Isn't Just the NSA - How is it even Legal?




DamianTV
08-25-2013, 04:35 PM
POLITICAL STUFF

Mods: Posted in General Politics because Tracking is NOT just done by the NSA. In fact, the NSA gets a lot of its data from Commercial Tracking Companies. The reason that this is Political is that again CHOICE is taken away from the PEOPLE. Thus, the question being asked is how is this practice by Corporations considered Legal to begin with, and what can be done about it?

A person can mess around in their browser settings to say DO NOT TRACK and DO NOT ACCEPT COOKIES. Every Browser is defaulted to Accept ALL Cookies and all tracking technologies. But when a new technology arises that prevents the Person from making these choices for themselves, is such behavior by a company Legal? Sure, you have a choice to use different browsers. But like I said, EVERY Browser is set by default to Accept ALL Tracking Technologies.

The thing is that Tracking Technology continues to advance and evolve, while technology for users that support Privacy I believe is going BACKWARDS. For example, Non iPhone and Android phones have NO SETTING that allows a user to disable standard HTTP Cookies. The standard HTTP Cookie is pretty much the first type of Internet Technology that allows tracking. And now Web Browsers on non iPhone and Android phones don't even give you the option to disallow the data in the first place. These types of smart phones also don't really have any options to even install alternate types of browsers. This is why I think User Tech is going BACKWARDS in regards to Privacy and ANY User Choice. And we all know what a conundrum Cell Phone Tracking has become with iPhone and Androids already. Those two types of phones are specifically mentioned because they DO allow for blocking the standard HTTP Cookie, but can you also block FLASH COOKIES? I screw around with tech a lot (when I had money) and have had the time to even do things like test the current generation of Game Consoles and their Tracking Technology. XBox 360 - you're screwed. Wii - Unable to block or delete Flash Cookies. PS3 - Same - Unable to block or delete Flash Cookies. 360 - don't even try. Wii and PS3 in regards to Web Browsing allowed standard HTTP Cookie blocking and clearing cache, but failed to delete EVERY OTHER FORM OF TRACKING.

General Politics - The Govt is supposed to be the servant of the People. The Govt is also expected to intervene on behalf of abuses of the People by Corporations. We know they don't. If a Drug Manufacturer started selling a drug that was guaranteed to cause DEATH after 3 months of use, you'd expect Govt intervention due to the abuse of the People. Abusing Tracking Technology I believe to be no different. These companies are trying to all claim that they have the Right to decide how to handle your Privacy (or complete lack thereof) so that they can put profits in front of everything else. So I don't need to go off on how your Lack of Privacy directly compromises your Safety.

So the Political Question for you is how is forcing this technology still Legal, and what can be done to start going the other direction where Privacy is protected from both Govts and Corporations? (hint: free market)

---

TECH STUFF

SLASHDOT NEWS
http://yro.slashdot.org/story/13/08/25/1521233/cookieless-web-tracking-using-https-etag


"There is a growing interest in who tracks us, and many folks are restricting the use of web cookies and Flash to cut down how advertisers (and others) can track them. Those things are fine as far as they go, but some sites are using the ETag header as an identifier: Attentive readers might have noticed already how you can use this to track people: the browser sends the information back to the server that it previously received (the ETag). That sounds an awful lot like cookies, doesn't it? The server can simply give each browser an unique ETag, and when they connect again it can look it up in its database. Neither JavaScript, nor any other plugin, has to be enabled for this to work either, and changing your IP is useless as well. The only usable workaround seems to be clearing one's cache, or using private browsing with HTTPS on sites where you don't want to be tracked. The Firefox add-on SecretAgent also does ETag overwriting."


DEMO - SEE IF YOU ARE TRACKABLE
https://lucb1e.com/rp/cookielesscookies/

Type something in the text field (in the link above) then refresh your page. Then do everything you can to get rid of this method of tracking.

SOLUTION

I haven't tried this very extensively but manually deleting your Cache seems to work. It even seems to work on Interweb Exploder.

FIREFOX

There is a Plugin for Firefox called "Secret Agent" which I tried and seems to do a very good job of preventing this form of Tracking. Of course, I am using a lot more stuff than you'd probably personally use. I'm already blocking cookies, which most of you don't seem to bother doing. I also use both a HOSTS file and custom Ad Blocking DNS Server. Other plugins like Ghostery and Ad Block do fine for blocking 3rd Party tracking, but what about First Party Tracking? IE, how many of you have Google set to your Homepage? Ghostery, Ad Block, Request Policy, etc will all FAIL when it comes to blocking First Party Tracking using ETag methods. Secret Agent prevents you from needing to continuously empty your Browser Cache manually. Seriously, it is a lot easier to use a couple of tricks here and there to set up your browser and then not have to worry about corporations tracking you. This plugin is seriously powerful. In fact, there are other methods of tracking, such as what Fonts you have installed, that can be spoofed by this plugin. It's one of the few Firefox Plugins that I recommend more highly than everything else.

FIREFOX PLUGIN - SECRET AGENT
https://www.dephormation.org.uk/index.php?page=81

Repeat after me - "I want this plugin. I want this plugin. I want this plugin."

TEST YOUR PRIVACY

A good way to find out if you are trackable or not is to try sites like Panopticlick (https://panopticlick.eff.org/) and Evercookie (http://samy.pl/evercookie/). The tech stuff here isn't that hard. Either you are Trackable (Not Unique) or you are not. It isn't as difficult as it sounds. Install this, click here, uncheck this and that. If you need help, just ask. PM's to me are fine, or you can post new threads, post in this thread although I intended it for Political Discussions, but however you ask, I'll do what I can to help you become as Untrackable as I can help you to be.
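
Added example, not part of the original post: one way to check for the ETag behaviour quoted from Slashdot above, by comparing the ETag that several clean browser profiles receive for the same bytes, plus the header-stripping idea behind the cache-clearing workaround. The hosts, profile names and captured values are constructed for illustration, and the function names are hypothetical.

```python
import hashlib
from collections import defaultdict

# Constructed sample: fresh-cache fetches of the same URLs from three
# separate clean browser profiles (profile, url, ETag header, body bytes).
CAPTURES = [
    ("profile-a", "https://tracker.example/pixel.png", '"u-7f3a91"', b"PNGDATA"),
    ("profile-b", "https://tracker.example/pixel.png", '"u-02c4de"', b"PNGDATA"),
    ("profile-c", "https://tracker.example/pixel.png", '"u-b81f07"', b"PNGDATA"),
    ("profile-a", "https://static.example/site.css", '"5d8c-4f2"', b"body{}"),
    ("profile-b", "https://static.example/site.css", '"5d8c-4f2"', b"body{}"),
    ("profile-c", "https://static.example/site.css", '"5d8c-4f2"', b"body{}"),
]

def normalize_etag(value):
    """Drop the weak-validator prefix so W/"x" and "x" compare equal."""
    value = value.strip()
    return value[2:] if value.startswith("W/") else value

def suspicious_etags(captures):
    """Return URLs where identical bodies arrived with a different ETag per profile."""
    by_resource = defaultdict(dict)  # (url, body hash) -> {profile: etag}
    for profile, url, etag, body in captures:
        digest = hashlib.sha256(body).hexdigest()
        by_resource[(url, digest)][profile] = normalize_etag(etag)
    flagged = []
    for (url, _), etags in by_resource.items():
        # A content-derived validator is the same for the same bytes. One
        # distinct value per profile suggests the server minted it per visitor.
        # Possible false positive: several backends deriving ETags from inodes.
        if len(etags) >= 2 and len(set(etags.values())) == len(etags):
            flagged.append(url)
    return sorted(flagged)

def strip_if_none_match(request_headers):
    """Mitigation sketch: drop If-None-Match so a cached ETag is never echoed back."""
    return {k: v for k, v in request_headers.items() if k.lower() != "if-none-match"}

if __name__ == "__main__":
    print(suspicious_etags(CAPTURES))
    print(strip_if_none_match({"Host": "tracker.example", "If-None-Match": '"u-7f3a91"'}))
```
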

DamianTV
08-25-2013, 07:14 PM
So did anyone try the Secret Agent Plugin?

(one shameless bump)

FrankRep
08-25-2013, 07:32 PM
You realize that all the major browsers identify themselves to the web server right?

Browser: Hi. I'm 184.23.85.201 and my user agent is Firefox 23, etc...

Web server: Welcome, 184.23.85.201. Since you gave me your data, I can do whatever I want with it. I'm going to add your information to a file in case you come back.

later...

Browser: Hi. I'm 184.23.85.201 and my user agent is Firefox 23, etc...

Web server: I just checked my file and I remember you 184.23.85.201 with user agent is Firefox 23.

DamianTV
08-25-2013, 07:36 PM
You realize that all the major browsers identify themselves to the web server right?

Browser: Hi. I'm 184.23.85.201 and my user agent is Firefox 23, etc...
Web server: Welcome, 184.23.85.201. Since you gave me your data, I can do whatever I want with it. I'm going to add your information to a file in case you come back.

That is part of what this Plugin does. Quote from their site:


Randomizing your User Agent makes it a little harder for crooks, rogue ISPs, Phorm, corrupt Governments, and other nasty tracking threats to correlate your clicks on the basis of 'device fingerprinting'.

Secret Agent can also

randomise the 'Accept' header presented by your browser... further concealing the type of browser in use

https://www.dephormation.org.uk/images/secret_agent_user_agents.gif

CPUd
08-25-2013, 09:01 PM
Yeah, you can change the user-agent string (and most anything in the header) to whatever you want- most browsers either have that functionality now, otherwise via plugin.

For mobile devices, when you are going to get a new one, make sure you get one that is easy to flash a custom ROM. This should be a factor in your buying decision. XDA Forums has a list of some of the more popular ones:

http://forum.xda-developers.com/