
Ask HN: How do you tell if a site is tracking you? - neltnerb
So I use LastPass, which currently seems to have servers down and I can't login -- another story. But when trying to figure out why it couldn't log in, I noticed the (new?) javascript access request for lmiutil.com.

So when I see something new like that, I tend to try to visit the website or search google to see what they're trying to get me to allow them to run on my browser. Besides, it could be a lastpass related CDN.

Going to their website gave a blank window, not too shocking. But the web search gave me this page:

https://cdn.lmiutil.com/lpassets/track-pageload-lp.v11.html?gaid=null

Seems to be another blank page, but if I view the source, it's sketchy. Excerpt:

<meta http-equiv="Content-Security-Policy" content="img-src https://adfarm.mediaplex.com https://bh.contextweb.com https://sy.eu.angsrvr.com https://rtb.gumgum.com https://partners.tremorhub.com... (long list of known trackers).

How would you go about proving one way or another what's going on here? Is this kind of thing standard ad code for their actual website? Or are they tracking everywhere I use LastPass? It would be cool to find a tutorial of tools of the trade for tracing down the behavior of these complex interdependent systems. Or do the patterns and techniques used evolve too fast for anyone with only moderate expertise to figure out what they're doing?
======
armagon
I don't think I can fully address your question (especially the 'prove' part),
but:

1) Why not install Privacy Badger? (
[https://www.eff.org/privacybadger](https://www.eff.org/privacybadger) ) It
watches which sites javascript files are loaded from, and if you go to three
domains and get the same script, and it seems to be sending back information,
it'll flag it and block it.

2) There is the possibility of seeing everything going from your browser to a
remote computer. There are two ways.

a) Use the developer tools. In many browsers, you can bring up dev tools
(possibly by hitting F12), bring up the 'Network' tab, and hit the 'Preserve
Log' button. Everything that goes between your browser and the internet is
recorded. You could dive into every javascript file requested, see which data
and URLs are requested, etc. In most browsers, you can save this data to a
.har file for later analysis, but it will contain cookies, etc, and allow
someone else to spoof you.

b) Similarly, you could set up a proxy (Charles Proxy, Proxie.app, mitmproxy,
etc), to proxy HTTP traffic, but you'd also need to go to extra effort to
proxy HTTPS traffic. Then, with your browser (or OS) set up to use the proxy,
you can obtain the same sort of data as in (a).

With this information, you could see which sites you are requesting data from,
what the data is, and, I suppose, analyze the sources to find out what it is
doing.
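
An added example, not part of armagon's comment: one way to do the "later analysis" of a saved .har file from option (a), listing third-party hosts with whether a cookie was sent and which query parameters went along, plus a redaction pass for the cookie problem the comment warns about. The sample HAR, the `.example` hostnames and the helper names (`_req`, `site_of`, `summarize`, `redact`) are all constructed for illustration.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit
SENSITIVE = {"cookie", "set-cookie", "authorization"}

def _req(url, cookie=None, query=()):
    headers = [{"name": "Cookie", "value": cookie}] if cookie else []
    qs = [{"name": n, "value": v} for n, v in query]
    return {"request": {"url": url, "headers": headers, "queryString": qs, "cookies": []},
            "response": {"headers": [], "cookies": []}}

# Constructed sample in HAR 1.2 shape; all hostnames are placeholders.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    _req("https://www.site.example/login", cookie="session=abc123"),
    _req("https://cdn.tracker.example/pixel.gif?uid=12345&page=%2Flogin",
         cookie="id=xyz789", query=[("uid", "12345"), ("page", "/login")]),
    _req("https://static.cdnhost.example/app.js"),
]}})

def site_of(host):
    # Assumption: last two labels approximate the site; use the Public Suffix List for real data.
    return ".".join(host.split(".")[-2:])

def summarize(har_text, first_party):
    """Per third-party host: request count, cookie sent?, query parameter names."""
    report = defaultdict(lambda: {"requests": 0, "sent_cookie": False, "params": set()})
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        host = urlsplit(req["url"]).hostname or ""
        if site_of(host) == site_of(first_party):
            continue  # same site as the page being inspected
        row = report[host]
        row["requests"] += 1
        row["params"].update(p["name"] for p in req.get("queryString", []))
        row["sent_cookie"] |= any(h["name"].lower() == "cookie" for h in req.get("headers", []))
    return dict(report)

def redact(har_text):
    """Copy of the HAR with credential-bearing header and cookie values blanked."""
    har = json.loads(har_text)
    for entry in har["log"]["entries"]:
        for msg in (entry["request"], entry.get("response", {})):
            for h in msg.get("headers", []):
                if h["name"].lower() in SENSITIVE:
                    h["value"] = "REDACTED"
            for c in msg.get("cookies", []):
                c["value"] = "REDACTED"
    return json.dumps(har)
```

`redact()` only covers headers and cookie arrays; identifiers in URLs, query strings and POST bodies are left in place and need the same review before a capture is shared.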

------
LinuxBender
I can answer the inverse of your question. If a site does not require

- cookies

- javascript

- authentication

then it is less likely to be tracking you. There are some clever tricks that
do not require those three things, but that is getting into hypothetical and
less practical territory.

If you are using NoScript / uBlock or uMatrix / Self destructing cookies or
similar and not logging into any sites, then your odds of being tracked are
lower.

If you run a combination of BleachBit, CrapCleaner and BCWipe every time your
browser closes, then your odds of being tracked are lower.

If you have an application firewall that prevents applications from chatting
with the internet without you explicitly initiating the communication, that
also helps. They may contain user-identifiable strings and may share browser
functions.

As for LastPass, I have always steered clear of sites like that. This may have
changed, but for a long time, they required your vault decryption password to
sync with their site. Unpopular opinion, I know.

