
The hidden perils of cookie syncing - randomwalker
https://freedom-to-tinker.com/blog/englehardt/the-hidden-perils-of-cookie-syncing/
======
x0x0
Web users strike me mostly as naive idiots. It's like they suddenly looked up
and are shocked, shocked! that all the free stuff on the internet they enjoy:
high quality journalism like nyt or verge, gossip like gawker, games, free
email + calendar + video services, free chat, free social network services, an
excellent search engine, and on and on and on, actually required money to
build and run! And that the companies involved are going to go to great
lengths to earn as much advertising money as possible. You have to seriously
be an idiot to think that all these companies building services _that end
users don 't pay for_ aren't making money off the end users. Users had to
choose between privacy/paying for things and free stuff, and they clearly
chose free stuff.

It's definitely not the choice I would have made, but I got massively
outvoted.

~~~
cldellow
Web users are fairly naive. Most don't recognize ads in Google results, at
least as of 2012.

I wouldn't even say that it's a function of maximizing ad revenue. If you
wanted to maximize ad revenue, you'd run Google Ad Exchange, not, say,
media.net or AdSense. AdX actually has reasonable policies around cookie
syncing. Website operators do many things poorly as far as revenue
optimization goes--invading my privacy is not step one for them to increase
revenue.

The really big players are sensitive to the PR backlash and behave somewhat
reasonably. The people out of the limelight do the really sneezy things. I
think it is reasonable that most people do not expect hundreds of third
parties to have their browser history dating back several years. Perhaps you
trust the NYT to know your political leanings, but you don't expect that data
to leak to third parties.

On AppNexus, you can buy pixel segments of users with certain diseases. That's
fine, if a little creepy, until you think about how easy it would be to
deanonymize that data.

Even very trustworthy actors get this wrong, btw. The government of Ontario's
human rights website was, until recently, pixelling every visit to their site
courtesy of the ShareThis widget, including sensitive topics like transgender
rights. There was no profit motive there, just oversight on the government's
dev team.

Is it naive to expect that when you visit a government page about transgender
rights, you won't be added to a list of people presumed to have gender
dysphoria, which a third party then sells to other third parties?

Curious people may want to research "data leakage", which is a developing
field in the ad ops world to prevent some of these harmful scenarios.

------
Zirro
I have used the add-on "Self-Destructing Cookies"* to handle normal cookies,
with only a few non-tracker web sites on my whitelist. It has been
surprisingly non-intrusive. It works by removing all cookies from domains that
have not been visited for (by default) ten seconds, resulting in very few
cookies lying around. I am not aware of an equivalent add-on for non-Firefox
browsers.

* [https://addons.mozilla.org/en-US/firefox/addon/self-destruct...](https://addons.mozilla.org/en-US/firefox/addon/self-destructing-cookies)

~~~
grimman
Thanks for the tip! I went through my entire cookie list (accessible from the
Firefox options dialog) and went from hundreds of domains to ~10 whitelisted
ones. I was baffled to see how many cookies I had stored that I didn't even
know about.

------
jewel
Both firefox and chromium have an option to disable third-party cookies. I
believe this stops this sort of tracking, making each webpage a silo.

I additionally isolate websites where I need to log in into their own profile
using a shell script for each along the lines of the following:

    
    
        chromium-browser --app=http://facebook.com/ --user-data-dir=/home/jewel/work/facebook-profile

~~~
randomwalker
I'm one of the authors of the paper. One of our findings was that third-party
cookie blocking is only marginally effective. See the tables under cookie
syncing in our summary [1] or in our full paper [2]. Trackers bypass cookie
blocking in a variety of creative ways. We're currently investigating the
bypassing mechanisms in more detail.

On the other hand, add-ons like Ghostery work much better.

[1]
[https://securehomes.esat.kuleuven.be/~gacar/persistent/index...](https://securehomes.esat.kuleuven.be/~gacar/persistent/index.html)

[2]
[https://securehomes.esat.kuleuven.be/~gacar/persistent/the_w...](https://securehomes.esat.kuleuven.be/~gacar/persistent/the_web_never_forgets.pdf)

~~~
b_emery
Can you summarize for us how to avoid this kind of tracking? Is there much we
can do besides Ghostery?

~~~
laumars
I block tracking at the domain level via a custom hosts file:
[http://someonewhocares.org/hosts/](http://someonewhocares.org/hosts/)

Actually, I went one step further than this, I dump that hosts file into
dnsmasq and set that as my primary domain controller for the home network. So
anything connected via WiFi or ethernet (phones, tablets, laptops, etc) will
also have tracking blocked.

~~~
b_emery
A belated thanks. Much appreciated.

