
XKeyscore Exposé Reaffirms the Need to Rid the Web of Tracking Cookies - DiabloD3
https://www.eff.org/deeplinks/2015/07/xkeyscore-expose-reaffirms-need-rid-web-tracking-cookies
======
tonylemesmer
Its sometimes annoying (having to type in login credentials etc.) but I use
Firefox with Self Destructing Cookie addon. It seems to control this problem
quite well (at least I think it does). I whitelist sites I want to keep
cookies for but basically everything else is destroyed as soon as the tab
closes.

Someone please correct me if I'm wrong that this addon deletes this kind of
cookie / localstorage.

Firefox is kinda good at storing passwords so I don't have to retype all my
logins which removes most of the annoyance.

~~~
dspillett
It would stop some tracking, but the people doing the tracking have many
clever (and some not so clever as sometimes the simplest things just work!)
ways to fingerprint you beyond cookie values. See things like
[https://en.wikipedia.org/wiki/Evercookie](https://en.wikipedia.org/wiki/Evercookie)
for an example of how much trouble you really need to go to in order to try
avoid being tracked.

I keep toying with the idea of writing an add-on that doesn't just destroy
tracking cookies (well, any non-white-listed cookies) but instead shares them
around randomly - so next time you visit a site you might have the cookie from
last time I did, or someone the other side of the world... That would also not
affect anyone using mixed techniques like Evercookie (the discrepancy between
what each state store has recorded could be seen and used to throw out the
data instead if letting it pollute the tracking pool). Of course care would
need to be taken here: if you share cookies from sites that take
authentication you could open up session hijacking vulnerabilities. Only
storing/sharing cookies from HTTP sites might help (no site requiring
authentication should be running through un-Sed HTTP) but wouldn't be a
perfect solution.

~~~
fnordfnordfnord
With the current state of affairs I think that poisoning the well is a better
tactic than trying to prevent being tracked.

------
nosnoopcharter
There's a great op-ed by Stanford's Jonathan Mayer and Princeton's Ed Felten
explaining this problem.

[http://www.slate.com/blogs/future_tense/2013/12/13/nsa_surve...](http://www.slate.com/blogs/future_tense/2013/12/13/nsa_surveillance_and_third_party_trackers_how_cookies_help_government_spies.html)

Their two labs also wrote a solid academic paper on the topic.

[http://randomwalker.info/publications/cookie-
surveillance-v2...](http://randomwalker.info/publications/cookie-
surveillance-v2.pdf)

------
dgoldstein0
This really makes me want to see what happens if I could make my browser only
accept secure cookies (cookies sent over https only). Unfortunately I can't
find a chrome extension that implements this.

~~~
pdkl95
This may not be effective in some cases, given the NSA's history of targeting
the plaintext before it gets wrapped in SSL. (i.e. the infamous "SSL added and
removed here! :-)" sketch of Google's network[1]).

Additionally, far too many sites use cloudflare (or similar) to provide their
SSL creating a single point of failure and a tempting target for
eavesdroppers. (and who knows how many don't bother to encrypt the requests
from the SSL proxy back to the actual serve?)

[1] [https://www.washingtonpost.com/world/national-
security/nsa-i...](https://www.washingtonpost.com/world/national-security/nsa-
infiltrates-links-to-yahoo-google-data-centers-worldwide-snowden-documents-
say/2013/10/30/e51d661e-4166-11e3-8b74-d89d714ca4dd_story.html)

------
steve19
The EFF might not like it, and most internet users might not like it either,
but being able to track users pays for most of the free content we consume on
the internet. Thats just the reality.

Less pragmatic people might argue "micro payments" or some such idea, but the
fact is people have never really paid for news. News has always been
subsidised heavily by advertising. Almost everyone who argues this is running
an Adblocker.

Also third party cookies (and ads) are something any internet user can disable
in a few clicks.

~~~
mrweasel
I sort of agree with you, but I do remember having newspapers that didn't have
ads, or at least extremely few.

The bottom line is, in my mind, that if you can't make money selling your
product, and needs to resort to ads to make a profit, then your products
existence isn't justified. Displaying ads move money from profitable product,
typically physical one, to products that doesn't provide any real value of
their own.

The Internet is ruined in some degree, because we never paid for anything
initially, so when companies moved in, it was expected that their stuff would
be free to. Now we're stuck in a situation where the online only companies for
the most part can't make money, without pimping the wares of companies with
physical products, or selling their users data.

~~~
danneu
I run some forums that offer value to mostly teens. How do you propose I make
money from them?

The more money I make from a forum, the more time I can invest in the forum
which enhances its value to its community.

Adsense pays good money. Donations are always a joke. And somethingawful.com
had to get impressively big before it could charge $10/registration. Oh, and
teens have no money and nobody pays for forums.

"If it needs ads, it shouldn't exist" is just tone-deaf at best. Much of what
people are willing to pay for and how they're willing to pay for it are
perceptions that you have little control over.

The thing about ads is that people generally don't associate a cost with them.
It's just how it is. The second you charge $1 for something, then your website
now charges money while all of your competitors are "free" regardless of their
ads. Whether it's acceptable to charge that $1 mostly comes down to convention
and what people are already used to.

~~~
PhantomGremlin
_teens have no money_

Teens have lots of money. At least my daughter does (she has a part time job).

Your problem is that even when teens do have money, they won't spend it on
your forums. E.g. if my daughter already has four swimsuits, why does she need
to buy a few more? And does she need to spend $4 on a sugary drink several
times a week?

The "free" website is more valuable to a teenager than the one charging $1.
There's not much you can do to change that. As you say, "It's just how it is".

If I asked my daughter if she would be willing to spend $1 (per month?) on a
website, she'd probably find that laughable. Most teenagers would.

The Freemium model for phone apps does work in extracting money from
teenagers. Perhaps you can do something along those lines?

