
Ask HN: How prevalent is non-cookie-based web tracking today? - ryeguy_24
I just started reading about things like Header Enhancement and SuperCookies and find them to be quite egregious. Does anyone know how much of this activity is being used by big known companies?

For example, I just found out that my account settings at Verizon Wireless were allowing them to use Header Enhancement (UIDH) adding a unique identifier on every http request I sent. So, if I log in to a site, they can associate the UIDH with my account so next time I’m in browser incognito mode, they already know who I am (or have a good guess).
======
mirimir
Trying to circumvent tracking at the browser level is hopeless.

The only effective approaches that I know of are 1) using Whonix (best in
Qubes) to connect via Tor; and 2) using multiple OS-level VMs that connect via
different nested VPN chains.

And even then, there are risks from fingerprints that depend on GPU and
virtual graphics drivers in VMs.

So when compartmentalization really matters, it's necessary to use different
host machines, on different LANs (or at least vLANs).

Using Tor is rather painful, given all the CAPTCHAs. And the learning curve
for Qubes is a little steep.

But using multiple VMs with different nested VPN chains is actually quite
convenient, once you've set it up. I use a pfSense VM as the gateway router
for each VPN service. So creating nested VPN chains is easy: You just create
virtual networks of the pfSense VMs, with Linux workspace VMs wherever you
like.

With a decent host machine, I can work ~seamlessly as a few low-isolation
personas via nested VPN chains, and another few high-isolation personas via
nested VPN chains and Whonix instances.

~~~
bo1024
Not sure about the priorities here. Fingerprinting should be the main concern,
so steps 1,2,3 are obscuring IP address and disabling cookies and JavaScript.
Even beyond that, not sure how chaining VMs etc helps much more than a single
VPN.

Although an ideal solution would spin up a random VM, browser, screen size,
and tor connection for each new web page visited...

~~~
mirimir
> an ideal solution would spin up a random VM, browser, screen size, and tor
> connection for each new web page visited...

Sure. I wouldn't limit it to Tor, though. Because there are just too many
CAPTCHAs. That's much less of an issue using VPNs.

Chaining VPNs is arguably overkill for avoiding fingerprinting. Still,
trusting a single VPN service is risky. If they were complicit, you'd still be
tracked. But if you at least chain two VPN services, there's less risk.
Overall risk is more or less the product of all the individual risks, if
they're independent.

Edit: If exploit resistance is less of an issue, it's easy to chain VPNs at
the Linux OS level using ip route and iptables. Iptables rules drop everything
on enp0s3 except traffic to the first VPN server, and drop everything on tun0
except traffic to the second VPN server.

You set enp0s3 as the route for the first VPN server. After connecting to it,
you set tun0 as the route for the second VPN server. After connecting to it,
you check for leaks using tcpdump.
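
The leak check at the end of that comment, as an added example that is not part of the original post: a Python filter over `tcpdump -n -i any` output that flags any packet on enp0s3 not exchanged with the first VPN server, or on tun0 not exchanged with the second. The server addresses, the `tun1` name for the inner tunnel and the capture lines are constructed, and the line layout is assumed to be the one recent tcpdump prints for `-i any`.

```python
import re

# Policy from the comment: each interface may carry traffic to exactly one peer.
# Addresses are constructed placeholders (documentation ranges), not real servers.
ALLOWED_PEER = {"enp0s3": "203.0.113.10",   # first VPN server
                "tun0": "198.51.100.20"}    # second VPN server

# Assumed layout: <time> <iface> <In|Out> <IP|IP6> <src> > <dst>: <details>
LINE = re.compile(r"^\S+\s+(\S+)\s+(In|Out)\s+(IP6?)\s+(\S+)\s+>\s+(\S+?):(?:\s|$)")
V4 = re.compile(r"^(\d+\.\d+\.\d+\.\d+)(?:\.\d+)?$")

def host_of(addr):
    """Strip tcpdump's trailing '.port' from an address, if present."""
    m = V4.match(addr)
    return m.group(1) if m else addr.rsplit(".", 1)[0]

def find_leaks(capture_text):
    """Return (iface, direction, remote) for each packet that breaks the policy."""
    leaks = []
    for line in capture_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue                      # ARP and other non-IP lines
        iface, direction, proto, src, dst = m.groups()
        if iface not in ALLOWED_PEER:
            continue                      # innermost tunnel: unrestricted
        remote = host_of(dst if direction == "Out" else src)
        # The allowed peers are IPv4, so any IPv6 on these interfaces is a leak.
        if proto == "IP6" or remote != ALLOWED_PEER[iface]:
            leaks.append((iface, direction, remote))
    return leaks

# Constructed capture: two tunnel packets, inner traffic, a DNS query and an IPv6
# query that bypass the first tunnel, then a reply from the first server.
SAMPLE = """\
12:00:01.000001 enp0s3 Out IP 192.168.1.50.41000 > 203.0.113.10.1194: UDP, length 120
12:00:01.000002 tun0   Out IP 10.8.0.2.52000 > 198.51.100.20.1194: UDP, length 96
12:00:01.000003 tun1   Out IP 10.9.0.2.44321 > 93.184.216.34.443: Flags [S], length 0
12:00:02.000004 enp0s3 Out IP 192.168.1.50.53124 > 192.168.1.1.53: 4660+ A? example.com. (29)
12:00:02.000005 enp0s3 Out IP6 2001:db8::50.53124 > 2001:db8::53.53: 4661+ AAAA? example.com. (29)
12:00:03.000006 enp0s3 In  IP 203.0.113.10.1194 > 192.168.1.50.41000: UDP, length 120
"""

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE):
        print("LEAK", *leak)
```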

~~~
pmoriarty
How do you pay for your VPNs in a non-trackable way?

If you pay via credit card, the VPN account has your name attached to it, no?
So what good will chaining VPNs do when all the VPNs have your name attached
to them?

Bitcoin is also supposedly not anonymous (or so I've heard.. I really don't
know much about bitcoin, so please correct me if I'm wrong here), so paying
with it sounds like it won't be any better.

Also, I have to ask: Who are you trying to prevent being tracked by? If it's
by advertisers, I don't see how chaining VPNs would be any better than using a
single VPN.

~~~
dashwav
I have been using Mullvad[1] for a year or so now and am really happy with the
extent they go to avoid storing payment information. One of the things that
caught my eye about them initially is that you could literally mail them an
envelope containing your account number and $5 cash and they will add that time
to your account, which seems to solve what it was you were asking about
(although I am sure physically mailing something comes with its own issues of
privacy).

[1] [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/)

~~~
mirimir
Yeah, love Mullvad. They've been around for about a decade. Along with AirVPN,
Insorg and IVPN. IVPN may still accept cash as well.

------
dharmab
I don't want to go into much detail, but I work for a major company in this
space and most companies in the industry can track you with reasonable success
even if you are logged out over multiple devices. Your (approximate) location,
browsing habits and patterns are good enough data to predict what kind of
stuff you buy.

If you want to not be tracked, turn off JavaScript for a start.

~~~
pavel_lishin
> _good enough data to predict what kind of stuff you buy._

Then why are the ads that _do_ sneak through my adblockers or onto Instagram,
etc., such hot, moist garbage? Is it just a lack of people wanting to
advertise at my demographic?

~~~
checkyoursudo
I have been suspicious for a while that all of these companies that claim to
know everything about us, or people who are afraid that these companies know
everything about us, are wrong.

I don't feel like I am unusual in any way, as in I can't see how I have any
natural, dumb-luck defense against any of this tracking. If companies like
Google, Amazon, FB, etc, are in any way really trying to use what they think
they know about me to get me to buy stuff or influence my thoughts or
behaviour, then they seem to be doing a really, really bad job of it.

As far as privacy goes, my concern is far more focused on apps/programs
stealing my photos of my kids, or tracking me around town, or knowing who I
meet and talk to.

As far as predicting my future behaviour, I have not been impressed so far.

~~~
furi
There was a point a year or two ago where everyone was recounting these
stories of how AI targeted advertising was terrifyingly accurate, it could
tell you were pregnant before you found out for yourself, etc. At the time I
was routinely opening YouTube with cookies disabled and getting suggested
YouTube generated categories with a super low hit rate, stuff like "Recipes"
that would be filled with nothing but general interest food videos (i.e. "you
won't believe what we found at this market", "we made the largest burrito
ever", never with any instructions), "Metal Music" containing a single
acoustic cover of a metal song and half a dozen EDM tracks or "Role Playing
Games" stocked to the brim with Fortnite videos.

I just checked now and it's better than it was but there's still a "DIY"
category containing one DIY video, a Japanese cooking tutorial and a video of
somebody putting iPads in a bucket of slime. I'm not sure I have very much
faith in their ability to deeply infer things about me from a limited dataset
when they can't identify videos with ingredients in the description or sort
music into genres given the set of all music (and millions of comments on it)
to work with.

------
oil25
By far the biggest tracking offender is Javascript. Enabling it could reveal
your operating system, cpu/gpu architecture, screen resolution, draw a precise
and unique canvas fingerprint, etc. There are also mutable browser headers
like user-agent and of course your IP address. However, the more advanced and
insidious tracking is based on your behavior - what time you're active, what
wifi networks are in range, who you communicate with, what is your writing
style, and so on. Most of that collection happens on mobile phones, so I
strongly advise against signing in on Android/iOS devices if you don't want to
be tracked across the Web and beyond, or using telemetry-free open source
mobile operating systems altogether.

------
lucb1e
You give a USA specific example, so I'll give one from where I live: aside
from a few (like Google, Facebook, LinkedIn) that I suspect do things like
recommendations or friend suggestions based on our static IP address, in the
Netherlands it's virtually nonexistent. And illegal, at least without telling
us that they do tracking (no matter if it's through cookies, the law never
even mentions cookie). Header injection (MITMing traffic) is something I only
hear about from far away and seems very invasive to me.

Same in Germany, but there they have rotating IP addresses (which is both a
pain (hosting) and a blessing (privacy)).

Hmm, although, would MAC address tracking count? That happens here and there
(by roughly the same amount in any EU country, as far as I can tell, which is not
very much), mostly with WiFi captive portals where you sign away your soul in
the terms of service. I'm not sure about the legality (hiding GDPR consent in
the TOS) but it happens. From experience, I can say that if you find out and
you send them a letter with a copy of your ID, they'll happily give you all
the data they have on any MAC address you claim.

~~~
Left4Yee
I caught Vodafone and Telekom in Germany injecting headers. The former for
shady cooperations and tracking, the latter for cache screwery. The latter did
dns modification to turn nxdomain into a navigation help, a site that looks
like google but everything is ads.

Vodafone CPE equipment saves all MAC addresses ever present in the local
network and unassociated wifi client macs in the air and sends them back as
part of diagnostic data.

Edit: They also DNS Censor popular warez sites and libgen

~~~
dvfjsdhgfv
> They also DNS Censor popular warez sites and libgen

This happens in some other European countries, too, like Italy.

------
joyjoyjoy
Use browser plug ins

* ublock origin

* no script

* cookie auto delete plug in, deletes cookies if tab is closed

* (I use also I don't care about cookies for the EU cookies clusterfuck)

* Canvas blocker

* Privacy badger

* Glyph detection blocker

* Decentral eyes

* Privacy settings

* Privacy-Oriented Origin Policy

* WebRTC leak protection

* https everywhere

* I have a browser spoofing plug-in too but don't think it works so well.

Use VPN

use different browsers for different purposes.

use startpage.com instead of google

Here, try your luck:

[https://amiunique.org/](https://amiunique.org/)

[https://panopticlick.eff.org](https://panopticlick.eff.org)

Does not work so well. Instead of preventing canvas, fonts, browser ID etc.,
the plug-ins should randomize it.

~~~
cartoonworld
Are you aware of any way to bundle settings for Firefox (or whatever) that
include these kinds of changes?

I know you can export the about:config and share that, but I have always
wanted a kind of ansible for setting up a browser with plugins and other
changes for my personal use.

Additionally, if I could tell my friends and family: Hey just use my Firefox
Playbook and feel safe on the internet, thereby reducing the cognitive load of
figuring out how to do that, I'd probably have a lot more success helping
curious but busy people take control of their privacy.

~~~
joyjoyjoy
You don't want your family to use my setup. It breaks many things.

A person not in IT is probably just fine if you install ublock Origin.

Or you would have to train your family to use different browsers for different
things and you want to have at least one "vanilla" browser on your system.
Just recently my US CC website stopped working with my browser. For such
things you want to have one major browser without any plug ins.

e.g.

1\. Google Chrome (Vanilla, no plug ins). Used when needed (recently to pay my
CC).

2\. Chromium: Facebook, Gmail

3\. Firefox: buying tickets etc.

4\. Vivaldi: Browsing the internet

Again my setup does not work so well against fingerprinting. My plug-in
combination is so unique that I can be tracked via my plug ins.
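
The effect described in that last paragraph, as an added example that is not part of the original post: each observable attribute contributes surprisal (bits of identifying information), and a rare extension set can shrink a browser's anonymity set to one. The eight-visitor population and its attribute values are constructed, and the extension set is assumed to be inferable from its side effects.

```python
import math
from collections import Counter

ATTRS = ("ua", "screen", "extensions")

def browser(ua, screen, extensions):
    return {"ua": ua, "screen": screen, "extensions": extensions}

# Constructed population of 8 visitors as a tracker might observe them.
POPULATION = (
    [browser("Chrome", "1920x1080", "none")] * 4
    + [browser("Firefox", "1920x1080", "ublock")] * 2
    + [browser("Firefox", "1366x768", "none")]
    + [browser("Firefox", "1920x1080", "ublock+noscript+canvasblocker")]
)

def bits(count, total):
    """Surprisal of an observation seen `count` times out of `total`."""
    return math.inf if count == 0 else -math.log2(count / total)

def attribute_bits(population, b):
    """Identifying information carried by each attribute of b on its own."""
    n = len(population)
    return {a: bits(Counter(p[a] for p in population)[b[a]], n) for a in ATTRS}

def anonymity_set(population, b):
    """How many visitors share b's full attribute combination."""
    return sum(1 for p in population if all(p[a] == b[a] for a in ATTRS))

def joint_bits(population, b):
    """Identifying information carried by the full combination."""
    return bits(anonymity_set(population, b), len(population))

if __name__ == "__main__":
    for label, b in (("vanilla", POPULATION[0]), ("hardened", POPULATION[-1])):
        print(label, anonymity_set(POPULATION, b), joint_bits(POPULATION, b),
              attribute_bits(POPULATION, b))
```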

------
ignoramous
Apart from the usual canvas / webrtc in-browser shenanigans, the most
surprising one that I found was using a _dns cookie_ to track users across
browsers and devices discovered/invented/disclosed by u/DanielDent:
[https://news.ycombinator.com/item?id=20219878](https://news.ycombinator.com/item?id=20219878)

> _As with traditional HTTP cookies, DNS cookies can be used to track users on
> the web. They have no concept of "first party" or "third party" and can be
> read across different websites or from a different browser. They can also be
> used outside the web environment, for instance to track a web conversion
> which occurs after reading an email but not clicking on a link, or to track
> a sign-up in a mobile application after viewing a website. They also have
> application in DDoS mitigation - especially on IPv6 networks._

I am curious what other techniques are in active use to track a user across
devices / software...

~~~
pygy_
DNS cookies are nasty. The POC tracks you between normal and private tabs,
even with the Tor browser.

------
soared
Excellent reading for anyone interested in the subject from a technical and
business/enterprise point of view. This gets rid of the FUD 'browser
fingerprinting' and uses actual industry terms.

[https://blogs.gartner.com/martin-kihn/how-cross-device-ident...](https://blogs.gartner.com/martin-kihn/how-cross-device-identity-matching-works-part-1/)

[https://blogs.gartner.com/martin-kihn/how-cross-device-ident...](https://blogs.gartner.com/martin-kihn/how-cross-device-identity-matching-works-part-2/)

~~~
soumyadeb
This is mostly talking about creating a probabilistic ID graph - creating a
unique ID across devices. This is technically not the same as
browser-fingerprinting. The latter is much simpler.

~~~
soared
Yeah that is kind of the point I wanted to get across. Fingerprinting isn't
some major secret that big tech is using.. it's a small tactic used by some
companies that gets more attention than it really deserves. There is a section
in part 2 specifically about fingerprinting under the subtitle "IDENTIFYING A
DEVICE WITHOUT AN ID".

Browser fingerprinting is a single piece in creating an id graph.
Fingerprinting would be 100% useless without a graph, unless you're doing it
to individuals which would be NSA-level acting.

------
soumyadeb
I would think Header Enhancement is not widely used (only a few ISPs or so use
it) but Browser fingerprinting must be quite widespread. It is hard to detect
from the client-side so hard to say how widespread it is.

Here is a study of fingerprinting effectiveness. Not what you wanted but a
worthwhile read.

[https://medium.com/slido-dev-blog/we-collected-500-000-brows...](https://medium.com/slido-dev-blog/we-collected-500-000-browser-fingerprints-here-is-what-we-found-82c319464dc9)

~~~
ryeguy_24
So, how does browser fingerprinting work? Does it basically look at the 1) IP
and 2) Browser Agent pair for near uniqueness?

~~~
soumyadeb
Lots of things from browser settings to what plugins you have.

These guys will tell you how unique is your browser fingerprint

[https://amiunique.org/fp](https://amiunique.org/fp)

~~~
sm4rk0
This should be mentioned here, too
[https://panopticlick.eff.org/](https://panopticlick.eff.org/)

------
air7
I can't provide stats on your questions, but as per your example, your ISP can
only add headers to non SSL traffic. Any website you access with HTTPS is safe
from this type of privacy violation.

So as "Encrypted web traffic now exceeds 90%" [0] I'd guess at least this type
of tracking is gone.

[0]
[https://news.ycombinator.com/item?id=21421195](https://news.ycombinator.com/item?id=21421195)
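
A way to check for the header injection discussed in this comment and in the original question, as an added example that is not part of the original post: compare the headers a client sent with the headers an echo endpoint under your control reports receiving, once per session and scheme. The endpoint, the `Via` value and the token are constructed; `X-UIDH` is the header name Verizon's identifier was reported under.

```python
# Headers the client sent to an echo endpoint it controls (constructed values).
SENT = {"Host": "echo.example", "User-Agent": "test-client/1.0", "Accept": "*/*"}

# What the endpoint reported receiving, per session (constructed). The token stands
# in for a carrier-assigned identifier; it is not a real UIDH value.
TOKEN = "CONSTRUCTED0123456789abcdefOPAQUE"
RECEIVED = {
    "http-normal":  {**SENT, "X-UIDH": TOKEN, "Via": "1.1 proxy.example"},
    "http-private": {**SENT, "X-UIDH": TOKEN, "Via": "1.1 proxy.example"},
    "https-normal": dict(SENT),   # TLS: a middlebox cannot rewrite the request
}

def added_in_transit(sent, received):
    """Headers that arrived with a name or value the client did not send."""
    sent_lc = {k.lower(): v for k, v in sent.items()}
    return {k.lower(): v for k, v in received.items() if sent_lc.get(k.lower()) != v}

def looks_like_token(value, min_len=20):
    """Heuristic (assumption): long, space-free values are candidate identifiers."""
    return len(value) >= min_len and " " not in value

def persistent_identifiers(sent, sessions):
    """Names of added headers carrying the same token-like value in every session."""
    per_session = [added_in_transit(sent, r) for r in sessions]
    if not per_session:
        return []
    first = per_session[0]
    common = set(first)
    for added in per_session[1:]:
        common &= {k for k, v in added.items() if first.get(k) == v}
    return sorted(k for k in common if looks_like_token(first[k]))

if __name__ == "__main__":
    http = [RECEIVED["http-normal"], RECEIVED["http-private"]]
    print("plain HTTP, both sessions:", persistent_identifiers(SENT, http))
    print("HTTPS:", added_in_transit(SENT, RECEIVED["https-normal"]))
```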

------
soared
The most common non-cookie based tracking are cross-device graphs that are
registration based (reg based) and run by
facebook/google/linkedin/pinterest/etc. If you've ever logged in to facebook
(or haven't logged in) and a site has a fb pixel or share button, it's much
easier for them to track you.

These all have cookie/nonreg-based components, and there are plenty that don't
rely on reg based data at all.

------
Left4Yee
Google Captcha only works if webgl canvas is available. If it's not available
they give me infinite captchas and never let me through.

------
Cactus2018
FYI about these two websites that demonstrate the various data your browser
shares:

[https://browserleaks.com/](https://browserleaks.com/)

[https://webkay.robinlinus.com/](https://webkay.robinlinus.com/)

------
fonosip
Here's an option for adblock + vpn.
[https://ba.net/adblockvpn](https://ba.net/adblockvpn)

