I'm no expert (which is why I ask), but I assume that blocking third-party cookies in your browser won't prevent situations like the tracker example the author provides.
That is, since you visited tracker at least once, their cookie would have been set during that visit as a first-party cookie, and therefore the HTTP requests to retrieve the 1x1 transparent image from their server will contain the data they're after, right?
1) Get rid of the misfeatures that allow the problem to exist. Change the browser to never send headers that leak information by design (Referer, Cookie, Etag, User-Agent, etc).
1.1) (Optional) Fix stateful sessions that previously depended on cookies with a new HTTP session+authentication feature (that doesn't have the problems that made the Authorization header mostly useless).
2) Strip most of the other HTTP headers that leak bits of entropy so the browser fingerprint is too small (~16 bits max?) to be a unique id.
2.1) (Optional) Add some of the removed functionality back as a single header that reports a single "browser class" out of a handful (<32, 4-5 bits max. ~8 would be better) of predefined classes (e.g. "Standard Desktop with screen size between H1xW1 and H2xW2 with >=2 channel audio output. Supported codecs: audio=[MP3, AAC], video codec [...]", "mobile with multitouch screen with size ...etc...").
Of course, none of this will happen because the people with the power to make most of these changes derive a lot of their income from surveillance.
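The entropy budget proposed in steps 2 and 2.1 of the comment above can be measured directly. The following is an added example, not part of the original comment: the visitor sample is constructed, and the `browser_class` bucketing is a hypothetical stand-in for the "browser class" header.

```python
import math
from collections import Counter

# Constructed sample: (User-Agent, Accept-Language, screen size) per visitor.
VISITORS = [
    ("Firefox/115 Linux", "en-US", "1920x1080"),
    ("Firefox/115 Linux", "en-US", "1920x1080"),
    ("Chrome/120 Windows", "en-US", "1920x1080"),
    ("Chrome/120 Windows", "de-DE", "2560x1440"),
    ("Safari/17 macOS", "en-GB", "1440x900"),
    ("Chrome/120 Android", "en-US", "412x915"),
    ("Safari/17 iOS", "fr-FR", "390x844"),
    ("Safari/17 iOS", "en-US", "390x844"),
]

def entropy_bits(values):
    """Shannon entropy, in bits, of the observed value distribution."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def unique_fraction(values):
    """Share of visitors whose value nobody else in the sample has."""
    counts = Counter(values)
    return sum(1 for v in values if counts[v] == 1) / len(values)

def smallest_group(values):
    """Size of the smallest anonymity set in the sample."""
    return min(Counter(values).values())

def browser_class(visitor):
    """Hypothetical coarse class (assumption): device kind from screen width."""
    _ua, _lang, screen = visitor
    return "mobile" if int(screen.split("x")[0]) < 800 else "desktop"

def report(label, values):
    """Summarise one fingerprinting surface as (label, bits, unique, min set)."""
    return (label, round(entropy_bits(values), 2),
            unique_fraction(values), smallest_group(values))

if __name__ == "__main__":
    classes = [browser_class(v) for v in VISITORS]
    for row in (report("full headers", VISITORS),
                report("class header only", classes)):
        print("%-18s entropy=%.2f bits  unique=%.0f%%  smallest set=%d"
              % (row[0], row[1], row[2] * 100, row[3]))
```

In this sample the full header tuple singles out six of eight visitors, while the class header leaves no group smaller than three.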
> Get rid of the misfeatures that allow the problem to exist. Change the browser to never send headers that leak information by design (Referer, Cookie, Etag, User-Agent, etc).
The internet is the problem. If you want to get rid of being tracked on the internet, you have to stop using the internet. If you remove user agents & cookies & tags, you don't solve the problem and you lose some useful features. None of those things keeps your ISP from watching, nor do they stop web sites from noting your IP & requests and storing them on their end. And for anything you have to log into, there's no point to hiding headers.
> Of course, none of this will happen because the people with the power to make most of these changes derive a lot of their income from surveillance.
That's probably not true now, and it's definitely not representative of the reasons the features we have were invented in the first place. Some people really did want custom features to identify a computer's capabilities. Without headers, we'd gimp caching, and we can't differentiate between mobile & desktop, for example.
I'm not sure why you're talking about the halting problem, that just isn't a serious concern in practice, it's a CS theoretic issue irrelevant to this thread or privacy. The major browsers will all let you kill stray JS processes.
Set your browser to clear all cookies on close, use a separate browser for anything that requires authentication (ex: gmail), and never mix the two types of browsing. If they create a profile on you, the cookies it's tied to disappear when you close your browser.
It feels like a minor pain when you first start out but you get used to it quick. Plus since you're not logged into anything by default there's a slightly higher barrier to ordering needless crap online.
It's not foolproof as you can be tracked by a combination of other factors (see: https://panopticlick.eff.org/) but it's much better than the alternatives.
If they see you with an IP address and a cookie and a moment later see that same IP with the same browser etc. does something else, they will correlate them. There is a whole industry around tracking people who explicitly do not consent or have withdrawn their consent to be tracked. That’s why we need GDPR.
Which is why I'm left wondering why nobody has mentioned Firefox Incognito mode (Chrome too I think).
At least on Firefox, incognito mode does not store cookies on disk. They persist for the duration of the tab/window you logged into.
This would circumvent cookie tracking, I think. I mean I guess not if you opened one incognito window and did all of your browsing inside of it, and never closed it?
Am I missing something?
This doesn't solve all tracking, but it will stop some cookie abuse. Choosing to use it also comes with the downside that you can't stay logged in to sites, and you may lose context & history you wanted to keep.
Incognito is super useful for web development precisely because you can very quickly get a fresh profile with no cookies in it.
Blocking the canvas fingerprint also enables easy identification, so you'll need a free add-on that generates noise.
I set my browser (Firefox) to clear all cookies on exit but I let my browser save passwords whenever possible. That way you have to log in every time you use a service but at least you don't need to type in the login info every time. It's quick. Of course, this does not work nicely for two-factor stuff but you can use another browser for those.
The industry is moving to cross-device tracking to track you over multiple devices, without using cookies. This is probabilistic, not deterministic: There is an 88% chance this is user A. But with huge amounts of data, it is still useful.