
No Cookies, No Problem – Using ETags for User Tracking - vanni
https://levelup.gitconnected.com/no-cookies-no-problem-using-etags-for-user-tracking-3e745544176b
======
oltdaniel
Quick note on this one. ETags have been used for years, but there is a court
case from 2011 and before, specifically noting this ETag technology as
undeletable cookies. Was just a click away from the Wikipedia page. So I think
anybody using it would have a huge issue with the laws. Personally, I think
the tracking pixels are more interesting to look at.

[https://www.extremetech.com/internet/91966-aol-spotify-gigao...](https://www.extremetech.com/internet/91966-aol-spotify-gigaom-etsy-kissmetrics-sued-over-undeletable-tracking-cookies)

------
hilbert42
Ah, but using ETags to track users doesn't work _unless_ JavaScript is
enabled. As one who normally doesn't use JavaScript, I had to turn JS on then
refresh the page to make this spying example 'work' (i.e.: track me).

As I've been saying for years, get rid of JavaScript and 90%+ of these privacy
violations and other security breaches will melt away.

The trouble is we users have to suffer the brunt of this JavaScript 'disease'
because it primarily benefits large commercial interests. If ordinary users
get trampled upon as a consequence then that's just too bad.

Seems I've found yet another good reason to keep JavaScript turned off.

~~~
phillipseamore
They use JS to show it for the example. But using etag for tracking works just
fine without JS.

~~~
hilbert42
Yeah, I should learn not to post late in the night when I should be asleep
(when I abbreviate, I often get into trouble). I didn't explain the other
steps I take to stop tracking and there's quite a few. Besides turning off
JavaScript, these include plug-ins for ad-blockers, on-the-fly cookie-deleters
and for the random changing of User Agent info among other things.

In addition, I use multiple browsers on both my PCs (usually 4) and
smartphones (3) which—with the exception of one instance mentioned below—all
are set by default to the following parameters:

- Location access — off
- Block 3rd party cookies — on
- Remove identifying headers — on
- WebRTC – off
- Clear cookies on exit — on
- Clear cache on exit — on
- Clear web storage on exit — on

Often before closing a browser—and depending on the sites I'm visiting—I'll
manually clear the last three items above. (If I deem a site to be risky then
I'll clear these items every few minutes or as soon as I'm finished with it).

Naturally, such action can break some sites, so to avoid this and or to save
time I'll copy the relevant URL to another totally 'clean' browser
specifically set aside for the purpose. For instance, I normally use Palemoon
to browse HN but it's so loaded with protection that cannot be turned off
quickly that it poses problems when posting comments (this level of protection
means that sometimes I'm blocked from posting or that I have to refresh or
renew the login info every time I want to do an edit, etc.). To overcome this
I'll copy the URL into say a clean copy of Waterfox which still has protection
(but it's minimal). This certainly overcomes any cache tracking (in fact
you'll note this process effectively doubles protection against the cache
tracking issue mentioned in the article).

Next, when internet activity has stopped for 10 minutes my machines are set to
reboot the router/modem which gives me a new IP address when I next connect to
the net. Moreover, my PCs upon start (and during router restarts) are set to
only connect to the internet manually (i.e. the internet is essentially never
connected to my PC unless I'm present at the machine).

I've been doing this with ongoing refinements ever since the early days of XP
(then using Internet Explorer and Firefox as my original browsers).

At the time, it was a somewhat slow process to clear IE's cache on-the-fly so
I put a link to its cache directory on the taskbar which gave me instant
access to it. As subdirectories in IE were locked by the system, deleting them
was performed by that wonderful utility _unlocker_, it'd kill the lot in a
second or two and IE would have to rebuild a new clean set when it was next
used.

Often, out of convenience, I'll simultaneously use multiple devices to browse
the internet. Here, I'll use a smartphone's browser in conjunction with one of
those in my PC. To save time typing a link on the second machine, the URL is
'copied' manually from one device to another with the aid of search engines
(Duckduckgo or Startpage). As the smartphone and the router/modem each use
different ISPs, there's no common IP address, hence tracking is made all that
much harder.

Furthermore, my smartphones are rooted and I've deleted all their GApps,
Gmail, etc. (BTW, I never use social media nor trust any of my files to the
cloud). Also, I always use a firewall to block access to the internet for all
apps except those that I've especially permitted (those permitted are mostly
safe apps from F-Droid). The firewall is also set to automatically block all
'unknown' connections to the internet that act through various UIDs, 1000,
10015, etc. All unnecessary internet access is blocked not only by denying
permissions but also by nuking 'receivers' and or modifying apps' manifests.
Moreover, the only Android system app that I allow through the firewall is
_Downloads_. Also, a utility manages the _hosts_ file as additional
bootstrapping protection (same goes for my PCs). The rule is simple—block any
and everything from internet access, the only apps with access are ones I'm
specifically using.

That's the brief explanation (there's more I've not had time to mention). I
accept that my attempts at maintaining my privacy and blocking ads etc. won't
be perfect for reasons too lengthy to explain here (except to say that those
with whom I've contact on the net are likely to 'put me in' to Google (as
they've usually Google accounts, etc.) and the same goes for Google's
monitoring of my neighbors' routers to gather my SSIDs, etc [this nasty scam
gives my location away and ought to be highly illegal]. _BTW, I'm too lazy to
bother suppressing the 'leaks' any further than this [i.e.: by killing visible
SSIDs]; at this level of suppression I reckon it's not really that important
that I grind the privacy granularity any finer._

The net effect is that going on for nearly two decades I've never had any hint
that Google, _et al_, are tracking me with sufficient success for them to
bother with me in any noticeable way (any info they gather will be essentially
digital noise). Moreover, I never see ads on either my PCs or smartphones!
Again, I'd add that by far the most important procedure in taming the likes of
Google, Facebook, Amazon, etc. is to kill JavaScript and _NEVER, EVER_ use any
of their apps.

Killing JavaScript also has other great advantages, the most important of
which is speed—the internet sans JavaScript is lightning fast. _(If you want
to know what else I reckon is wrong with JS then see some of my earlier posts
on the subject.)_

Of course, none of this should be necessary. That's why we need internet
Mark-II — an internet that puts power and privacy back into the hands of ordinary
users — one that puts these big tech companies in their rightful place and at
our disposal—not vice versa as it is right now.
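
An added example, not part of any comment in this thread: a defender-side check for the two points above, that an ETag identifier comes back through ordinary cache revalidation with no script involved, and that clearing the cache drops it. The capture data is constructed and the function names are hypothetical.

```python
import hashlib

# Constructed captures: the same two URLs fetched by three fresh browser
# profiles (empty cache, no cookies, JavaScript off). All values are made up.
CAPTURES = [
    {"profile": "A", "url": "/pixel.gif", "etag": '"u-7f3a91"', "body": b"GIF89a"},
    {"profile": "B", "url": "/pixel.gif", "etag": '"u-02c4de"', "body": b"GIF89a"},
    {"profile": "C", "url": "/pixel.gif", "etag": '"u-b81e07"', "body": b"GIF89a"},
    {"profile": "A", "url": "/app.css", "etag": 'W/"5d41"', "body": b"body{margin:0}"},
    {"profile": "B", "url": "/app.css", "etag": '"5d41"', "body": b"body{margin:0}"},
    {"profile": "C", "url": "/app.css", "etag": '"5d41"', "body": b"body{margin:0}"},
]


def opaque_tag(etag):
    """Strip the weak-validator prefix so W/"x" and "x" compare equal."""
    etag = etag.strip()
    return etag[2:] if etag.startswith("W/") else etag


def per_client_etags(captures):
    """URLs whose ETag differs between clients although the bytes are identical.

    A signal, not proof: load-balanced backends can also emit differing ETags.
    """
    seen = {}
    for c in captures:
        key = (c["url"], hashlib.sha256(c["body"]).hexdigest())
        seen.setdefault(key, set()).add(opaque_tag(c["etag"]))
    return sorted({url for (url, _), tags in seen.items() if len(tags) > 1})


def revalidation_headers(cache, url):
    """Headers a browser adds when revalidating a cached URL.

    The stored ETag is echoed back in If-None-Match by the HTTP cache itself,
    so the value returns to the server without cookies or script.
    """
    entry = cache.get(url)
    return {"If-None-Match": entry["etag"]} if entry else {}


if __name__ == "__main__":
    cache_a = {c["url"]: c for c in CAPTURES if c["profile"] == "A"}
    print(per_client_etags(CAPTURES))                 # URLs worth a closer look
    print(revalidation_headers(cache_a, "/pixel.gif"))
    cache_a.clear()                                   # "clear cache on exit"
    print(revalidation_headers(cache_a, "/pixel.gif"))
```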

~~~
perl4ever
I don't understand what the relevance is (in the big picture) of any of the
details in how web pages track people. As long as a server can return a page
with arbitrary links, isn't that good enough? Any way at all that the page
received shapes the next server access, is good enough for tracking.

~~~
hilbert42
1. From many users' perspective the perception is that tracking is an
undesirable and or unnecessary feature that's crept into the Web over the past
20 or so years. It is undesirable because it violates users' privacy not to
mention their autonomy to act independently without being watched and
monitored. And given that most tracking is done covertly and surreptitiously
it just makes matters worse. When new tracking methods come to light (as with
this cache tracking) users become depressed, these problems seem never-ending,
we users feel as if we're constantly under siege.

2. Users were never asked about whether they wanted to be tracked or their
privacy violated _before_ these so-called spying 'features' were unilaterally
introduced to the Web by powerful players—advertisers, web hosts and others
who introduced the technology for their own pecuniary interests, _inter alia_.
Even now, most PC and smartphone web users have little or no idea about how
all encompassing and dangerous this technology actually is—as it's not in the
interests of those who introduced it to overtly publicize the details.

3. As governments worldwide have almost universally failed to act with any
degree of effectiveness to protect online users, there is still no consumer
law that's specifically aimed at protecting end users from tracking harassment
and privacy violations. This means that users themselves have had to take on
this responsibility. Many have tried with varying degrees of success
(unfortunately, they've mostly failed).

4. Year by year, users have found that it's increasingly difficult to stop
themselves from being tracked and to maintain their privacy because the
techniques used against them have become more frequent as well as increasingly
sophisticated (as with this cache hack). Whenever users have a minor victory
and succeed in thwarting hacks, Big Business responds with yet another. It's a
David and Goliath problem, Big B. has huge financial resources that enable the
further development of hacks and users little or none for the development of
protection measures.

5. And as we know, this is only the beginning: Google's tracking ecosystem†
also includes seemingly free Google apps with smartphones and PCs—apps such as
Gmail, Google Maps and Google Earth along with many others that have been
cleverly designed to be highly-addictive. This electronic heroin as I call it
has now become so all pervasive that it has become totally indispensable to
not millions but actually billions of people.

6. Even if they aren't _au fait_ with all the details, users are
effectively at war with Big Tech over privacy, tracking and the mining of
their data (and tragically it's a war that Google and other Big Tech companies
have been winning for years).

I would have thought the relevance of my previous post would have been
obvious, that is that this browser cache matter is just one small part of this
much huger problem. As such, it cannot be isolated from the other matters that
I raised therein. Moreover, listing the other matters was to bring to the
reader's attention the extreme lengths that internet users have to go to if
they want to escape the clutches of these behemoth online monopolies. Even if
they do succeed then their freedom is likely to be short-lived.


† _(One only has to look at how Google has used its overwhelming monopoly to
track users and to violate their privacy, not only has it been completely
successful but the way it's gone about it has meant that it has been
diabolically effective doing so. Moreover, when it comes to tracking and
extracting user's personal data, the Android ecosystem is conceptually and in
practice a technical masterpiece without peer. It is unrivaled in its ability
to collect massive amounts of data then deliver it all up to Google. The
Android O/S is a watershed in operating system design as it includes
paradigm-shifting technology that was specifically developed by Google to ensure that
it had total control over every aspect of users' smartphone data. Whilst I do
not like the way it works to have 'control' over users' data, it'd be churlish
of me not to acknowledge Google's brilliance in developing it. The bottom
line: Android has been and is remarkably effective for Google, it's brought in
billions of dollars profit for the company.

Android was designed by lateral thinkers working at their best and it shows
what can be achieved when billions of dollars profit is potentially in sight.
Giving but one example, one cannot help but be truly impressed by how
effective Android's 'transmitters', 'receivers' and 'broadcast' mechanism is
[sorry, it's too detailed to explain here]. ('Tis a shame MS Windows isn't as
sophisticated—but in a user-friendly way with more control given over to
users.)

That said, Android is only just one part of Google's larger data collection
operation, Google bootstraps the accuracy of its collected data by
cross-referencing every aspect of it with data from a multitude of different
sources. Just to mention a few, it data-mines its search engine and records
who is searching and for what; it searches and collects data from its many
applications including reading the contents of users' Gmail messages; and, as
previously mentioned, it uses various nefarious tricks such as manipulating
Wi-Fi hardware of my Google-using neighbors so as to determine my SSID with
the view of determining my location, etc.—even though I'm not an active user
of any Google service! Why you may well ask—well Google still needs to know
about me, as information about my email address, location etc. can be used to,
say, provide intermediary data which is used to link people who own Google
accounts but who otherwise are seemingly separated and unconnected from each
other. If I happen to know these people and I email them independently of each
other then this is the only pretext Google needs to link them with the view of
determining groups centered around these people, their interests and degrees
of separation from others—and so on, and so on.

Nothing in all of history has ever seen the likes of this monumental
surveillance system. Google now tracks personal information and indexes it for
about a third of the world's population and it achieved all this without so
much as a whimper from governments. No one in power ever seriously questioned
whether this is legally or morally acceptable until after it was all in place
and up and running. Now that ecosystem is too big to change let alone
dismantle. A similar situation exists with Facebook. The implications of this
for the world's population are truly enormous.)_

------
treyhuffine
Friend link (no paywall): [https://levelup.gitconnected.com/no-cookies-no-problem-using...](https://levelup.gitconnected.com/no-cookies-no-problem-using-etags-for-user-tracking-3e745544176b?source=friends_link&sk=23762a0d85cb0025e78e2d7f42cd034a)

