If you've been browsing the internet for more than 5 minutes you already have cookies from some of the major ad networks. Therefore if you do not have cookies from the major ad networks, you're either a brand-new device or an incognito browser. All that is left to do is get in bed with the ad network to ask them if they have good cookies for this session. As it so happens most of the companies trying to bust the incognito mode are already in that crowded bed.
The next loops in this spiral are: 1) an incognito mode that seeds good-looking ad cookies 2) ML models trying to distinguish synthetic/cloned/5-seconds-old cookies from genuine ones 3) matching ML models trying to out-fox the models from step 2, and so on.
The last fit of madness will be a hidden session in Chrome browsing the web on your behalf, building up a bogus profile for the ad networks, and the ad networks trying to figure out if the clicks in your fake session are sufficiently human-like.
And whoever wins in this war, the ad networks will end up collecting even more data than they do now.
>I generally do not connect to web sites from my own machine, aside from a few sites I have some special relationship with. I usually fetch web pages from other sites by sending mail to a program (see https://git.savannah.gnu.org/git/womb/hacks.git) that fetches them, much like wget, and then mails them back to me. Then I look at them using a web browser, unless it is easy to see the text in the HTML page directly. I usually try lynx first, then a graphical browser if the page needs it (using konqueror, which won't fetch from other sites in such a situation).
This could be done on the CPU+RAM+disk resources of a $4.50/month vm.
For the purpose of not being tracked by advertising networks (not a nation-state intelligence agency), a stateless vm located on a static ipv4 /32 in bulgaria that saves absolutely no data would be rather hard to track back to its actual user.
And I would say what Stallman does probably gives him a very unique fingerprint (wgetting web pages from a unique server). I doubt he is doing that for privacy.
The first parts of this have already been tested by Mozilla: https://trackthis.link/
No reason to block sites that set cookies, since in a few minutes they will be deleted anyway.
Better cut the power cord, too, just to be safe.
The overwhelming majority of the web still works just fine. It's trivial to pick out what doesn't, as it either tends to:
a. require cookies for some inane task that doesn't need them, and it tells me this
b. breaks horribly. Typically, JS trying to access LocalStorage, but not checking whether the call was successful or not.
The grandparent is also wrong about,
> Therefore if you do not have cookies from the major ad networks, you're either a brand-new device or an incognito browser.
No, or you're whitelisting all or third-party cookies. (The latter being significantly easier to do, and causes much less breakage. I don't think I've ever seen a third-party cookie cause breakage.)
N.b., I'm not necessarily recommending what I do to others; it takes a lot of work, and I really need better tooling around my flow. But it gives me the context on how cookies/persistence causes or does not cause site breakage.
Then use whitelist to selectively allow cookies from some "friendly" sites to be stored permanently.
Often the browser stays open for hours and you'll have identifying tracking cookies very quickly.
A great, really underused feature in Firefox is first party cookie isolation: it isolates all cookies set by a site to the same domain, preventing all cross site tracking.
Set privacy.firstparty.isolate to true in about:config.
Some more info: https://www.ghacks.net/2017/11/22/how-to-enable-first-party-...
I switched yesterday and couldn't be happier. :)
Overkill? Maybe, but it works for me.
Are among those "plenty" the actual important pages that people want to use? Or some irrelevant pages here and there?
And how do you know there are plenty?
In fact, even if it is so, how can anyone verify that, even just about your sites? We can merely just trust you.
Where is this special list of important pages? Are the sites I want to use not important? Does your comment need to be so simultaneously defeatist and hostile?
Or, as I like to call it, pragmatic.
Visits are a power law distribution, 80% of people's visits go to 20% of sites, and so on, recursively.
So unless e.g. the top 1000 (which may vary depending on country) people want to use are there, e.g. the social media, news sites, booking, video, shopping sites, banking sites, you're just talking about a number of niche websites.
Sites that "still work with JS disabled" are in the minority on those lists.
Essentially you're saying "don't use all those sites with the content/services you want", use all those others that don't have tracking (but which you don't really care for).
E.g. pointing to Diaspora vs Facebook...
The best I've seen people come up with on this front is DDG vs Google.
You'd be surprised how many sites are still viewable without JS enabled.
The whole privacy deal on the web just shows moral corrosion. It is putting IT neck to neck with scammers.
I think the reason you can't find one is likely because you are disqualifying all the ones that aren't violating it. There are lots of websites that don't violate GDPR: they don't record any information. Perhaps we can quibble about server logs and whether or not IP addresses are PII, but let's stick to at least the broad strokes here since you are saying all sites blatantly violate GDPR.
I think what you are probably trying to say is that amongst the websites that are trying to harvest your data, (virtually) all of them do so in a way that violates GDPR. This is not surprising to me, because at its heart GDPR is trying to encourage companies not to harvest personal information.
I don't think we will ever get around that. The question is not whether or not many (most? virtually all?) companies will try to get around GDPR (they will). The question is whether or not GDPR will have a positive influence on the use of private data. I can say in the company I do work for, it has completely transformed how we deal with PII. We now actually have gatekeepers that tell marketing what they can and can't have access to. If there are problems, then people actually get chewed out and we put real, emergency resources into fixing them. I mean it is absolutely night and day.
For us there is always this fight between people and departments that would like unrestricted access to information and people who are protecting it. Without GDPR, there was no defense! There was no argument you could make -- "It's wrong!" "By whose definition? The lawyers are fine with it" Now we can legitimately say, "You can't legally do that". Not only that, but I've even had marketing managers being very concerned that we might be handling data incorrectly. I've never, ever seen that before in my 30 year career.
Yeah, there are lots of problems and I don't see them going away ever, but man GDPR is really helping in a lot of areas.
>The question is not whether or not many (most? virtually all?) companies will try to get around GDPR (they will)
They aren't getting around, they are violating it, based on GDPR being done as a concept, you can't workaround it.
The question is, when it will be enforced.
I don't have anything against tracking, targeted ads etc. but if GDPR is followed, which means opt-in consents, no "let's stuff everything under legitimate interest" and so on. Under GDPR conditions I am even prepared to turn off ad blockers.
And I won't even start talking about mobile applications.
Legitimate interest is the next best for everyone. You collect the data for contract purposes and you retain it beyond the contract period, or you use it for something other than the contract, but it's for a legitimate reason. You must tell the user that you are using the data for the legitimate reason and what that legitimate reason is!!! It's a very good way to use data. If the user objects, then they can object and you can't use the data (you have 1 month to respond).
After that (and ignoring lawful basis, etc) you have consent. Consent is an awful reason to collect and retain data. You don't need it for the contract. You have no legitimate reason to have the data or to use it. You just want it. So you ask the user if it's OK.
No company should choose consent. It's horrible, even for the business. As I've written before, if the user opts out, there doesn't seem to be a way to opt them back in if they change their mind. So if there is any way for you to turn consent into contract basis, you really, definitely should! If there is some reason that the user would like to consent, then you shouldn't be using consent. You should offer them a service.
It's super frustrating to me that people harp on about consent, because that is really going against the grain for GDPR.
Bottom line, "the grain" of GDPR is user interest. Not "user experience", not business interest.
And it is HARD to decide instead of him, I would rather pop up consent dialog with opt-in than shovel everything under legitimate interest.
As it is so easy to make it wrong: sure, you are sending a packet to the customer, you need (legitimate interest) address, phone number comes handy (requiring it is fishy), forcing it to protect login on a social network? I wouldn't do it. For me, as a security aware person, you would crawl trying to prove I am in danger with 15 letter random generated passwords generated for each and every site. Unlike for John Doe. So, it becomes optional, while forcing it, in my case, violates GDPR. It was just one example.
But anyway, check Tim Walters.
As for your example, I totally agree! Forcing you to log in to a social network to send a package is crazy. I order cheese making supplies on the internet because I have no other way to buy them. Not a single supplier of cheese making supplies even offers to make me log into a social network.
You're making the statement that all sites are blatantly disregarding the GDPR and I think it's because you just don't pay attention to the sites that aren't.
I'll give you an example (which is cheese making again). I wanted to check the shipping costs for cheesemaking.com. I don't like the fact that they make me fill out all of their order forms before they tell me the shipping cost, but they do. They have a newsletter which they use to do their marketing, but for now I've not signed up for it. When I didn't complete the process, they sent me an email. They asked if something went wrong and said they will hold my order for 48 hours. After that, they will delete all of my information.
And these guys aren't even in the EU (and neither am I, although I work on contract for a company that is). This kind of behaviour is exactly what I expect and I think it is completely in line with the directives. The only thing they were missing is telling me under which lawful basis they were operating in each case.
Is it contract basis? Keep in mind that as far as I can tell, "contract basis" does not actually require a contract to be in place (i.e. you don't have to have consideration), so I think there is an argument for saying that since I contacted them and started to initiate a purchase, following up on why I didn't finish (for a limited time period) is within the directive.
Even if it weren't, it is almost definitely within legitimate interest. To really qualify for that, they would have to offer to let me object, but since they will delete my data after 48 hours I think they are following the spirit of the directive (because you only have to respond within 1 month).
I don't know. I think the reason you keep getting down voted is because you seem to be focussed on something that is different than what everyone else is talking about. It's absolutely true that there are a lot of companies who don't give a flying monkey's about GDPR. But it is untrue that there isn't anyone. The rest is details and as Tim Walters is at pains to explain the GDPR specifically is not prescriptive because they want you to follow the principles not a check list of rules.
I am talking about:
“There might well be a market for personal data, just like there is, tragically, a market for live human organs, but that does not mean that we can or should give that market the blessing of legislation. One cannot monetise and subject a fundamental right to a simple commercial transaction, even if it is the individual concerned by the data who is a party to the transaction." (https://edps.europa.eu/sites/edp/files/publication/17-03-14_...)
Anyway, I was talking about social network requiring your phone number, not market requiring to log in with social network id. And you are talking about business where there is a business transaction. I am talking about site you surf to.
OK. That was not clear at all to me! Now that I understand that, I understand what you were trying to say a lot better. I still don't think we materially disagree with each other, though. There are lots of sites that are good examples for GDPR. I think it is absolutely true that none of them are trying to harvest and sell your data! I don't see how that could be the case. If you use that as your criteria, I don't think it is possible that you will find an example. Should those sites be banned from the web? I'm not sure, but it wouldn't bother me, that's for sure!
What did occur, is that advertisers could not be sure of performance so placed more value on the prominence and reputation of the media source. National well reputed papers got the best deals, regardless of real world performance.
It will lead to tight localization again, as advertisers can’t rely on Google just selecting the right people to display ads to, but would have to seek specific sites to advertise on.
The world will be fine.
Remember the "mention this ad and get 10% discount" ads? There you go.
Newspapers did it to some extent, and they were not competitive businesses against methods where tracking does exist.
The reality is that newspapers are still very strong lobbyists, especially in newspapers, as they frequently sink politicians who don't toe their line with unrelated scandal or just plain fantasy. If Google pushes this they are likely to find legislation, particularly in the EU, mandating quite the opposite to what you want.
And then I can buy a 'regular' subscription for google products that comes with actual support? It's like a dream world.
As for messenger, there will probably always be some "free" messaging service out there. Free in quotes as it'll come with phone, isp, or email subscriptions.
I already pay for newsblur.
Google is also working to update Chrome APIs that will cripple privacy centric add-ons and those that allow ad-blocking, like uMatrix and uBlock origin soon, so enjoy it all while it lasts.
Then in browsers like Chrome, click the site icon, SSL icon, or little plugin icon in the address bar — some icon usually appears, which when clicked gives access to enable/disable blocked content for this site.
This does not really work without 3rd party cookies, does it?
And there is also the possibility of a brand new computer with no cookies. Then that kind of detection will not necessarily work for every one.
I don't, as I block all third party cookies. No exceptions.
Incognito mode can be made to look exactly as if you opened your browser after creating a new profile and immediately opening the site. As long as they can’t afford to block these users it can be made to work.
If the browser vendors would tighten their products up and start considering things like profiling the user's installed fonts as a security vulnerability, then we might see some progress. Unfortunately Google has a financial incentive to make Chrome trackable to advertisers.
There's already been some talk about changing things so that tracking is less necessary (https://webkit.org/blog/8943/privacy-preserving-ad-click-att...) and I wouldn't be surprised if a lot more comes out by the end of the year.
This is what I'm referring to. The browser should not leak this info to random websites.
= NO Incognito
Meanwhile on NYTimes
= You’re in private mode.
What's funny is that this is pretty much what ReCaptcha v3 is. Asking how "authentic" the Google cookie looks.
Instead I'd like to see a browser that generates such a noisy fingerprint that it is useless: Each time I start an 'anonymous' session, grab a fingerprint from a pool that is sufficiently similar to mine that things render properly (matching resolution for example) but that has also been used by thousands/millions of others.
Sure, you can figure out the perfect ad to show me, but if I'm never going to see it, you're wasting your time.
 - https://addons.mozilla.org/en-US/firefox/addon/cookie-autode...
 - https://support.mozilla.org/en-US/kb/focus
Chrome is an ad network itself, well, the biggest player. I'm browsing in default Private mode on Safari for years, so yes, my fight is over, no cookies for me, lol. And on always-on VPN.
$ cat ~/bin/chrome-new
# Throwaway Chrome profile in RAM-backed /dev/shm, removed when Chrome exits.
TMPDIR=$(mktemp -d /dev/shm/chrome-XXXXX) || exit 1
google-chrome --user-data-dir="$TMPDIR" --no-first-run --no-make-default-browser "$@"
rm -rf "$TMPDIR"
My only gripe is that the containers won't be in sync across systems, which is already time-consuming to set up.
For those like me who need a bit more detail:
1) make a text file called chrome-new
2) put the following contents in the file in a POSIX-like OS
# Throwaway Chromium profile in RAM-backed /dev/shm, removed when Chromium exits.
TMPDIR=$(mktemp -d /dev/shm/chrome-XXXXX) || exit 1
chromium-browser --user-data-dir="$TMPDIR" --no-first-run --no-make-default-browser "$@"
rm -rf "$TMPDIR"
chmod u+x chrome-new
1. Open the profile menu. (This is the icon in the top right, just to the left of the three vertical dots.)
2. Click "Manage people", click "Add person" (lower right).
3. Type "Darned Newspapers!" and click "Add".
4. When you get blocked, copy URL, use the profile menu to navigate to open a new "Darned Newspapers!" window, paste URL.
It's a real profile, so it should behave quite closely and should be harder to detect. Of course, unlike incognito mode, it will save your history, so be aware of that.
Talking about this makes me feel the same as when I discuss youtube-dl.
Maybe they could encrypt with a key kept in memory? That'd still allow detection of use though.
Might seem like an incidental concern, but being able to vacuum up a pattern of incognito sessions from a seized laptop (at a border crossing, say) and correlate it with the activity of an online pseudonym could be pretty useful.
Just check periodically (at startup?) for orphaned temporary storage data. I'm sure there are other parts of the browser that need to do this sort of thing anyway - expired cache data, for example.
EDIT: I suppose these are often backed by memory anyway, so not sure if this would solve the problem, but interested in hearing arguments around it nonetheless.
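A sturdier form of the throwaway-profile wrapper posted earlier in the thread, combined with the startup sweep for orphaned storage suggested just above. This is an added example, not code from any commenter; `BROWSER_BIN`, `PROFILE_ROOT`, the `chrome-eph` prefix and the `.owner-pid` marker file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. BROWSER_BIN, PROFILE_ROOT, PREFIX and .owner-pid are assumed
# names; the Chrome flags are the ones used in the thread's chrome-new script.
BROWSER_BIN=${BROWSER_BIN:-google-chrome}
PROFILE_ROOT=${PROFILE_ROOT:-/dev/shm}
PREFIX=chrome-eph

# Remove profile directories left behind by a wrapper that died before it
# could clean up (SIGKILL, crash). Each directory records the PID of the
# wrapper that owns it; if that process no longer exists, or the marker is
# missing or malformed, the directory is treated as an orphan.
# Prints the number of directories removed.
sweep_orphans() {
    removed=0
    for dir in "$PROFILE_ROOT/$PREFIX".*; do
        [ -d "$dir" ] || continue            # unmatched glob or not a dir
        pid=$(cat "$dir/.owner-pid" 2>/dev/null) || pid=
        case $pid in ''|*[!0-9]*) pid= ;; esac   # accept only a plain number
        if [ -z "$pid" ] || ! kill -0 "$pid" 2>/dev/null; then
            rm -rf -- "$dir"
            removed=$((removed + 1))
        fi
    done
    echo "$removed"
}

# Run the browser on a fresh profile and delete the profile afterwards.
# The traps cover the case the three-line script misses: the wrapper being
# interrupted or terminated, where its final rm would never run. The shell
# runs a trap once the foreground browser process has exited.
ephemeral_browser() {
    sweep_orphans >/dev/null
    profile=$(mktemp -d "$PROFILE_ROOT/$PREFIX.XXXXXX") || return 1
    trap 'rm -rf -- "$profile"' EXIT
    trap 'exit 130' INT
    trap 'exit 143' TERM HUP
    echo "$$" > "$profile/.owner-pid"
    status=0
    "$BROWSER_BIN" --user-data-dir="$profile" --no-first-run \
        --no-make-default-browser "$@" || status=$?
    rm -rf -- "$profile"
    trap - EXIT INT TERM HUP
    return "$status"
}

# To use as a script, end the file with:  ephemeral_browser "$@"
```

PID reuse can make a dead wrapper's directory look owned for a while; on `/dev/shm` a reboot clears whatever the sweep misses.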
A browser requires a generic solution to prevent denial of service due to excessive resource consumption.
You can check it yourself here: https://www.ziggogo.tv/
But that is another way in which newspaper sites could do this detection if they wanted to, send an HTML5 EME clearkey to a one pixel video in the corner and get back the error response.
I think Google are on to a complete loser here tbh, and I'm not sure why they're wasting development resource. As much as using incognito mode to bypass soft paywalls might be fun for a user, there's no real moral justification. There's no privacy issue here in a newspaper giving a clear and unambiguous statement before you enter that you've got to disable incognito, and a user can either choose or refuse to do it. It's probably the clearest consent screen in the world.
Another avenue could be that they just check the uniqueness of your signature; if it's too generic: block content, and only lift it after installing a first party extension or something, that way, for most people it will just work and for the few that are false positives, you have a workaround. The whole goal of the incognito modus is also a way to detect it.
It's the same for adblockers; just serve a unique content key with the ad and check back via the ad provider if it was loaded before proceeding to serve content.
Only serving ad-free content to crawlers is no problem either, because ip ranges for the big ones are known and you can't spoof them in TCP. It's all a question of effort Vs reward. They probably know just a very small percentage of users will abuse it, so it's not worth it for them to spend a lot of effort blocking it.
For example: in a retail store, if there's a difference in expected vs actual money of ~€4, it's not even worth it to investigate, because it will cost more than you'll get back from resolving it. It's sometimes hard for me to comply because I always want to have stuff match 100%, but it's always an effort vs reward dilemma that you have to work with.
That's really not the same thing as Google actively developing a tool to block soft paywalls, that will primarily be used by people to just not pay for things who really don't give a stuff about people running things on their computer or not.
Just delist the (paywall'd) articles. That's the annoying thing - when articles come up on Google and you can't read them. Please fix this.
If people want to pay, that's fine. Perhaps ISP's should pay for these websites via their plans so there's no more need to login.
I don't want to login to something just to browse a feed. I believe people would be happy to pay for these websites, but in a convenient way, ahead of time. Allow IP ranges, create a browser plugin that reauthorizes the site session even in incognito / w/o password saving. Innovate like Spotify did.
Annoying and badgering the user is 101 UX antipattern. One reason some don't buy is they don't want to encourage it.
It's fair to hold them to a high standard because many of these websites are articles and presentation is supposed to be a forte. You don't battle the adblockers and incognito modes - you fight to make it easier and more convenient for your readership.
There is an added benefit to using profiles in that if any other window is open from a separate profile, then all profile context menus acquire an "Open link in ..." menu item which will then list all the other profile names. Unknown why it doesn't do that context menu modification all the time.
If your other profiles are only used for development-time scenarios, you can also choose to "Clear Browsing Data..." on them at will, since you won't be losing anything valuable
Unless you're really paranoid, all you need is a VM, which hits the Internet through a VPN service. You use the host machine for meatspace stuff, and the VM for private stuff.
Why not just create a new "real" storage db on disk, deleting it when the incognito window/tab is closed? It seems like this approach would defeat all of this class of attacks.
I seriously do not understand.
Browsers are so complex that I imagine incognito mode is always going to leave some kinds of statistical signatures that can be detected and exploited through merely moderate cleverness, but will be much harder to hide on Chrome's side.
Is it worth it for Chrome? Or would resources be better spent on other parts of the browser?
It's not really a privacy/security problem or anything as far as I can tell -- just a way to bypass paywalls, right? "Sites not detecting my incognito mode" never felt like part of the web's "contract" to me.
I was under the impression that they're either just doing straight HTTP requests for HTML only... or they're running a full headless browser in normal mode.
So I'm not getting what's different here?
Sites have a long history of serving up different content to different users, e.g. to paying users, or blocking certain countries based on content contracts. It's certainly not part of the "web's contract" that scrapers get paywalled content they haven't paid for.
All they have to do is navigate to a site using incognito mode detection and briefly review the code to find the next hole to plug. In this case, probably stop advertising the correct limit for incognito mode, and introduce latencies on writes to mimic a real file system. These are not trivial fixes, but they also are not hard.
No, the point is to make the people subverting this for their own nefarious gains (looking at you, NYT) put so much effort, money, and time into it, that eventually they die a slow horrible death and, maybe, just maybe, something better and more relevant and less evil comes along (or maybe NYT changes their ways - either works).
I mean, look at this thread, so many great undermining methods! Beautiful.
But it might take a few decades of uninformed confusion.