
Everyone is watching what you do online. How user tracking with cookies works - rdfi
https://www.blinkingcaret.com/2018/06/13/everyone-is-watching-what-you-do-online-how-user-tracking-with-cookies-works/
======
kop316
At work I am forced to use Internet Explorer, and by using it I found a
surprisingly useful feature: I can not only block all third party cookies, but
it prompts me as to whether I want a first party to store any cookies. The
prompt also allows me to automatically blacklist a site from providing me any
cookies. I really enjoy this, as if I know there is a site I will never log
into, I can permanently blacklist it with one click. I tried to see if I can
do the same but I did not find this feature on Firefox.

I have also noted that certain sites will be very user hostile if you do this.
Reddit will load the site and actually overlay a white screen to make it
appear like it never loads if you block its cookies.

~~~
m52go
> Reddit will load the site and actually overlay a white screen to make it
> appear like it never loads if you block its cookies.

That's CRAZY. Couldn't reproduce in Edge though.

~~~
blacksmith_tb
This isn't uncommon for sites that sniff adblockers too, though it varies how
much of an obstacle it is. Often you can Inspect the div they are covering
things up with and just delete it (or block it for good with uBlock etc.) -
clever implementations won't fetch the actual content you wanted to read, so
you'll only uncover an empty page, though.

~~~
KozmoNau7
That's why I use Cookie AutoDelete. It lets the page set cookies, but as soon
as you navigate away or close the tab, they're gone.

------
aerotwelve
What's the best way to circumvent this? Is it even possible?

I'm no expert (which is why I ask), but I assume that blocking third-party
cookies in your browser won't prevent situations like the _tracker_ example
the author provides.

That is, since you visited _tracker_ at least once, their cookie would have
been set during that visit as a first-party cookie, and therefore the http
requests to retrieve the 1x1 transparent image from their server will contain
the data they're after, right?

~~~
koolba
> What's the best way to circumvent this? Is it even possible?

Set your browser to clear _all_ cookies on close, use a separate browser for
anything that requires authentication (ex: gmail), and never mix the two types
of browsing. If they create a profile on you, the cookies it's tied to
disappear when you close your browser.

It feels like a minor pain when you first start out but you get used to it
quickly. Plus since you're not logged into anything by default there's a
slightly higher barrier to ordering needless crap online.

It's not foolproof as you can be tracked by a combination of other factors
(see: [https://panopticlick.eff.org/](https://panopticlick.eff.org/)) but it's
much better than the alternatives.

~~~
jedimastert
There's also Facebook Multi-account Containers
([https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/](https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/)),
which might do what you're looking for

------
airstrike
I vaguely remember using a Firefox extension a long time ago that allowed one
to whitelist / sticky a handful of domains that would be spared from the usual
"delete every cookie", giving the user a renewed sense of control over what
the web knows about them.

Nowadays with online fingerprinting¹ this may amount to nothing more than
placebo, but I do miss it.

__________

1\. [https://arstechnica.com/information-technology/2017/02/now-sites-can-fingerprint-you-online-even-when-you-use-multiple-browsers/](https://arstechnica.com/information-technology/2017/02/now-sites-can-fingerprint-you-online-even-when-you-use-multiple-browsers/)

~~~
lucb1e
Called self-destructing cookies. It broke with web extensions and cannot be
replaced (like many other add-ons I use) because the web extension APIs to
provide the functionality do not exist. I'm still on Firefox 55 though, so I
can still use it (like firegestures, quickjava, no close buttons, vertical
tabs, and others that are labeled as legacy).

I always find it very creepy when I've looked something up on someone else's
laptop and use it again half a year later, only to find that it remembers my
last visit and (for example) centers the map where I last left it. I'm so used
to having things be cleaned up against tracking, I don't even really
experience what the web is like these days.

~~~
ealhad
> cannot be replaced

Or can it?

[https://github.com/Cookie-AutoDelete/Cookie-AutoDelete](https://github.com/Cookie-AutoDelete/Cookie-AutoDelete)

[https://addons.mozilla.org/en-US/firefox/addon/cookie-autodelete/](https://addons.mozilla.org/en-US/firefox/addon/cookie-autodelete/)

~~~
lucb1e
Ah, they did finally implement an API for localStorage then. Good to see!

That just leaves hiding the tab bar, gestures that work in all windows (e.g.
also in the view-source URL windows) and that work before the target page has
loaded, etc.

~~~
ealhad
Right. And _maybe_ it should be done before supporting VR.

------
a_imho
Browser vendors are very much complicit in this abuse, imo cleaning up cookies
should be opt-out if they were serious about privacy.

------
gerbilly
Firefox has first-party isolation; can anyone comment on how much protection
this offers against being tracked like this?

------
dstjean
Thank you! Great vulgarization...

I'll share that with my non-IT colleagues!

------
die_fault_user
Where is this information stored on my computer? Is there a central location
for the information that I can look at or software to read the cookies?

~~~
zeta0134
The information is stored within your web browser, so the instructions to view
it will depend on what OS and browser combination you use. In Google Chrome
for example, you can view cookies in the Developer Tools (F12, or Menu -> More
Tools -> Developer Tools), under the Applications tab. This will show you the
cookies visible to the website in your current browser tab. Firefox's
developer tools have similar capabilities; I don't know the instructions for
other browsers offhand though.

Cookies are sent to the website by your browser automatically when you visit
pages. This is usually limited to the cookies belonging to the domain that set
them, but the rules allow some flexibility for cross origin sharing. When you
hear about tracking cookies, these are most commonly set by an embedded
iframe; these can use a different domain from the page that embeds them, and
in the case of ad networks this domain is often shared among many sites. These
cookies present the largest potential danger to privacy, as they allow a
third-party domain to track some browsing behaviors on the host sites in a way
that isn't obvious to the user, and this can be used to build up a profile
about the sites that user visits most frequently.

If you clear your history in your browser, the website will see no cookies
from your browser on the next request. Most sites will simply set a new set of
cookies immediately, treating you as a new visitor. You can instruct most
browsers to automatically clear your cookies when you exit. Browsers which use
a "private browsing" mode also typically use a separate cookie store, so they
won't send any cookies from your regular session. From a tracker's point of
view, this creates sort of a second user, and in theory should separate that
activity from your main accounts. (In practice this can be easily circumvented
with browser fingerprinting if a tracker is particularly determined.)

Not all cookies are bad, mind. They're one of the earliest widely adopted
implementations of "local storage" for websites, and for a time they were the
only reliable way a site could remember a visitor between requests. The most
visible effect of clearing your cookies is usually logging you out of
everything, since most sites still store your session this way.
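The scoping rules described above (a cookie goes back only to the domain that
set it, but a third-party iframe or tracking pixel gets its own domain's
cookies on every page that embeds it) can be shown with a small simulated
cookie jar. This is an added example, not code from the article or from
anyone in the thread; the hosts `news.example`, `shop.example` and
`tracker.example`, the cookie values, and the `site_of` helper (which treats
the last two labels as the registrable domain, with no public suffix list)
are constructed simplifications.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    path: str = "/"
    secure: bool = False
    same_site: str = "Lax"  # what current browsers assume when the attribute is absent


def parse_set_cookie(header: str, request_url: str) -> Cookie:
    """Turn one Set-Cookie header (received from request_url) into a Cookie."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    host = urlsplit(request_url).hostname.lower()
    c = Cookie(name=name.strip(), value=value.strip(), domain=host)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            d = val.lstrip(".").lower()
            # a host may only set cookies for itself or a parent domain it belongs to
            if host == d or host.endswith("." + d):
                c.domain = d
        elif key == "path":
            c.path = val or "/"
        elif key == "secure":
            c.secure = True
        elif key == "samesite":
            c.same_site = val.capitalize() or "Lax"
    return c


def site_of(host: str) -> str:
    # simplification: last two labels stand in for the registrable domain
    return ".".join(host.lower().split(".")[-2:])


def cookies_for_request(jar, request_url, top_level_url, block_third_party=False):
    """Return the cookies a browser would attach to request_url while the
    page shown in the tab is top_level_url."""
    u = urlsplit(request_url)
    host, path = u.hostname.lower(), u.path or "/"
    cross_site = site_of(host) != site_of(urlsplit(top_level_url).hostname)
    if cross_site and block_third_party:
        return {}  # the "block third-party cookies" browser setting
    sent = {}
    for c in jar:
        if not (host == c.domain or host.endswith("." + c.domain)):
            continue
        if not path.startswith(c.path):
            continue
        if c.secure and u.scheme != "https":
            continue
        # Lax/Strict cookies stay home on cross-site subresource requests;
        # a top-level navigation is never cross-site here, which is the Lax allowance
        if cross_site and c.same_site != "None":
            continue
        sent[c.name] = c.value
    return sent


def build_jar():
    # constructed Set-Cookie headers as the two servers might send them
    return [
        parse_set_cookie("sid=abc123; Path=/; Secure; SameSite=Lax",
                         "https://news.example/"),
        parse_set_cookie("tid=user-42; Domain=tracker.example; Secure; SameSite=None",
                         "https://tracker.example/pixel.gif"),
    ]


def simulate(block_third_party=False):
    """What the tracker sees when its 1x1 pixel is embedded on two unrelated sites."""
    jar = build_jar()
    seen = []
    for page in ("https://news.example/article", "https://shop.example/cart"):
        sent = cookies_for_request(jar, "https://tracker.example/pixel.gif",
                                   page, block_third_party)
        seen.append((page, sent.get("tid")))
    return seen


if __name__ == "__main__":
    print("default  :", simulate())
    print("3p blocked:", simulate(block_third_party=True))
```

With defaults the tracker receives the same `tid` from both pages, which is
exactly the cross-site profile the comment describes; with third-party
cookies blocked (or if the tracker had set `SameSite=Lax`) the pixel request
arrives with no cookie, while the first-party `sid` is never sent to the
tracker in either case.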

~~~
bogomipz
>"Not all cookies are bad, mind. They're one of the earliest widely adopted
implementations of "local storage" for websites, and for a time they were the
only reliable way a site could remember a visitor between requests."

Could you elaborate on what you mean by "for a time they were the only
reliable way a site could remember a visitor between requests"?

Isn't this still the dominant/primary way websites add state to a stateless
protocol? What other way is there for managing se? Is there something that has
supplanted cookies for "remembering" or managing sessions?

~~~
antsar
One approach that doesn't rely on cookies is HTTP Basic Authentication.

The first request to a protected page will produce an authentication
prompt[0]. Subsequent requests to the same site will automatically send the
same set of credentials (in every browser I'm familiar with. This part of the
spec seems to be optional [1]).

Using HTTP Basic Authentication, the server can track the user across
different pages. All other state can be maintained on the server side, keyed
to the user.

[0] [https://i.stack.imgur.com/QnUZW.png](https://i.stack.imgur.com/QnUZW.png)

[1]
[https://tools.ietf.org/html/rfc7617#section-2.2](https://tools.ietf.org/html/rfc7617#section-2.2)

~~~
eli
Why is this better than a session cookie? Basic auth is a pretty wonky user
experience. Hard to customize the prompt and "logout" is awkward.

~~~
antsar
I didn't say it's better :) Just an alternative.

One way to handle logout (without closing the browser) is to have a logout
link with a destination of
"[https://bad_username:bad_password@example.com](https://bad_username:bad_password@example.com)".
I believe this causes the browser to forget the original (valid) credentials
and attempt authentication with the invalid credentials. This will fail, and
produce a new login prompt. Then you have to close the prompt, and close the
subsequent "401" page.

So yeah, it is awkward.

~~~
eli
Fair enough. I think modern browsers warn on links with username/password. The
UX for basic auth is so bad it is not really a usable feature

------
limonkufu
I really don't understand why this is a bad practice. I know it is horrifying
to give your web history to a total stranger for god knows what purposes they
will use it. But going the extra mile to implement privacy so that no site/some
sites could talk behind your back (looking at you firefox multi account
containers) seems like an equally horrific act that cripples websites, not ad
providers.

When I used these kinds of precautions I saw that analytics got no access and I
believe most site-owners need this information to operate/develop their sites,
and it seems like a lot of work to implement those in-site tracking features
yourself. Or I started to see random ads all over the place like in the early
2000s. I do enjoy targeted ads because when I am looking for something those
ads could help a lot, if only there were a way to stop them after I made a
purchase though.

So, if anyone could simply explain why this is SO bad or send me to the correct
discussion (I do believe these matters have been discussed a lot previously).

~~~
JackCh
> _" I do enjoy targeted ads because when I am looking for something those ads
> could help a lot"_

You said _could_ instead of _do_. Have they ever actually? Do you really click
on ads? I don't think I've ever encountered somebody who admits to willingly
clicking on ads. The only ad clickers I've seen are people who do it by
accident or people who don't realize they're clicking on an ad (usually older
folk with poor computer skills.)

~~~
m90
Clicked on multiple ads for a multitude of reasons in the course of the last
38 years. I'd be surprised if I'm the only one in here.

~~~
mikestew
What were you clicking on in 1980?

------
mkirklions
So a cookie only knows the website that referred me?

So if I copy paste the website in the address bar, they don't learn anything
about my last browsing habit?

~~~
wierd0
> So a cookie only knows the website that referred me?

Not really. Instead, each time you return to a site that has set a cookie on
your computer, that cookie is included in the request header.

That same site will also know about your last visited page, even if it's
outside of their domain, because of the "referer" from the request header.

> So if I copy paste the website in the address bar, they don't learn anything
> about my last browsing habit?

If you do that, then the referer will be empty and whatever site you visit
will not know what you did last.

Cookies are just one thing. Web beacons, i.e. tracking pixels, and the fact
that companies utilizing those to suck up data about web users sell it freely
to others for the sake of targeted marketing, is the reason you see
personalized ads all over the internet whenever you've finalized an online
purchase.

------
sandworm101
This revelation should be front page on every newspaper. That IT companies
have been hiding these things inside our computers is a violation of our
privacy, even our property rights. How much electricity has been used by these
things, electricity I pay for? Either Google needs to reimburse me for hosting
their "cookies" or we need to ban cookies altogether.

[https://torproject.org/](https://torproject.org/)

~~~
bcoates
How do you think HN logins work? Cookies are the basis of session management.
If you don't want to store cookies for Google, don't. It's a feature right
there in your browser.

There are lots of shady tracking systems in the world and cookies aren't one
of them: they are clear, user-visible, and in the user's direct control both
in theory and in practice.

Tor isn't relevant to this. If you're using Tor to block cookies you're Doing
It Wrong.

~~~
gaius
_Cookies are the basis of session management._

They are one technique. In, oh, 1996, we did this by simply generating a
unique URL for each user. If you wanted to stay logged in you bookmarked it,
and if you didn’t you... didn’t. It was right there to see in the address bar
as well, no sly hiding it in HTTP headers.

~~~
dahart
FWIW, cookies started being used for session management in 94. The privacy
debate about them was going strong by 96.

> In, oh, 1996, we did this by simply generating a unique URL for each user.

That's certainly one way to do it, but you're not saying it's convenient or
great for privacy, right? If the URL is the auth token, then there's no
security. Typing URLs, sharing URLs, and bookmarking (logged in, logged out,
shared links, server side rendering) all get problematic.

