Very interesting, and evil: abusing the ETag mechanism for user tracking. (If a user requests some sort of unchanging resource without an etag, you give them a fresh one; and if they request a resource with an etag, you give it to them, with the supplied etag, and record the user.)
Even if Hulu turned off cookie respawning via etags, you can still track users this way, on the server side. I guess the tricky thing is to correlate the etag of the tracker resource with the rest of the requests that a user makes on a site.
> Even if Hulu turned off cookie respawning via etags, you can still track users this way, on the server side. I guess the tricky thing is to correlate the etag of the tracker resource with the rest of the requests that a user makes on a site.
The important distinction is that the ETag is literally no different than a cookie, when used this way. Turning off caching is the new turning off cookies.
Reminds me to write a Firefox plugin to strip ETags and "If-None-Match" - pretty sure most pages can function just fine without them and use Last-Modified, etc. instead. Kind of surprised to not find anything yet on addons.mozilla.org
That's a good point, and this would not be practical in a regular browser session, but if someone chooses private browsing, an extension could be sure to strip "Last-Modified" as well as "If-None-Match".
Would hurt the server a little and reduce speed because there would not be any caching, but still helps guarantee no tracking.
The writeup about the two extensions for Firefox is wrong; those two were meant to block the trick where you can determine if a user has visited a specific site/page by looking at the link color/state.
It works in all major (desktop) browsers, but not in some mobile browsers.
I think the cookie debate (in the EU) is not in the best interest of users: with cookies, the user has full control of the data stored, can easily purge cookies, etc. With user-tagging technology moving server-side, this gets a lot more complicated.
What it really boils down to is this: you cannot have both caching and privacy.
For the cache to work your browser must reveal to the server what it has already downloaded, this way or another. And the browser cannot really tell which of the downloaded pieces of data were specially generated to track this particular user.
A possible workaround is to create an intermediate cache to share it with multiple other people, but this creates other privacy concerns.
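As an added example (not code from this thread or from any company mentioned in it), the following Python simulation models the mechanism described in the first comment and the cache-versus-privacy point above. It contrasts a server whose ETag is a content hash with one that hands out a fresh token per cold request and echoes it back on revalidation, then shows two things a privacy tool can do: a heuristic check that flags per-visitor ETags (fetch the same unchanged resource several times with no If-None-Match and see whether the tag changes), and the strip-If-None-Match mitigation proposed later in the thread. All class and function names, and the "tracking pixel" body, are constructed for the simulation.

```python
"""Simulation of ETag-based visitor tracking, a detection heuristic, and a mitigation.

Constructed example: no network traffic, the 'server' objects stand in for HTTP handlers.
"""
import hashlib
import secrets
from typing import Dict, Optional, Tuple


class ContentHashServer:
    """Honest server: the ETag is derived from the body, so every client sees the same tag."""

    def __init__(self, body: bytes) -> None:
        self.body = body
        self.etag = '"' + hashlib.sha256(body).hexdigest()[:16] + '"'

    def get(self, if_none_match: Optional[str]) -> Tuple[int, str, bytes]:
        if if_none_match == self.etag:
            return 304, self.etag, b""          # unchanged, client may reuse its copy
        return 200, self.etag, self.body


class TrackingServer:
    """Server behaving as the thread describes: a fresh random ETag for any request
    without If-None-Match, and the supplied ETag echoed back (and counted) otherwise."""

    def __init__(self, body: bytes) -> None:
        self.body = body
        self.hits: Dict[str, int] = {}        # per-token visit counter (the tracking record)

    def get(self, if_none_match: Optional[str]) -> Tuple[int, str, bytes]:
        if if_none_match is None:
            tag = '"' + secrets.token_hex(8) + '"'
            self.hits[tag] = 1
            return 200, tag, self.body
        self.hits[if_none_match] = self.hits.get(if_none_match, 0) + 1
        return 304, if_none_match, b""


class CachingClient:
    """Ordinary browser cache behaviour; optionally strips If-None-Match, as the thread suggests."""

    def __init__(self, strip_if_none_match: bool = False) -> None:
        self.cached_etag: Optional[str] = None
        self.strip = strip_if_none_match

    def fetch(self, server) -> Tuple[int, str]:
        sent = None if self.strip else self.cached_etag
        status, etag, _body = server.get(sent)
        if status == 200:
            self.cached_etag = etag
        return status, etag


def etag_looks_like_identifier(server, probes: int = 3) -> bool:
    """Detection heuristic: cold-fetch the same unchanged resource several times.
    A content-derived ETag is stable; a per-visitor token differs on every probe."""
    tags = {server.get(None)[1] for _ in range(probes)}
    return len(tags) > 1


def simulate_visits(client: CachingClient, server: TrackingServer, visits: int) -> int:
    """Run repeated visits and return the largest visit count linked to one token,
    i.e. how well the server could correlate this client's requests."""
    for _ in range(visits):
        client.fetch(server)
    return max(server.hits.values()) if server.hits else 0


if __name__ == "__main__":
    pixel = b"GIF89a\x01\x00\x01\x00"          # constructed stand-in for a 1x1 tracking image
    print("content-hash server flagged:", etag_looks_like_identifier(ContentHashServer(pixel)))
    print("tracking server flagged:    ", etag_looks_like_identifier(TrackingServer(pixel)))
    print("linked visits, normal cache:", simulate_visits(CachingClient(), TrackingServer(pixel), 5))
    print("linked visits, stripping:   ",
          simulate_visits(CachingClient(strip_if_none_match=True), TrackingServer(pixel), 5))
```

Two caveats a practitioner should keep in mind. The heuristic only catches the naive per-request token; a server that keys the ETag on the client's IP address or on other request features would return a stable tag to the probes and pass the check. And stripping If-None-Match defeats correlation only at the price of losing 304 revalidation for every conditional request, which is exactly the caching cost the thread acknowledges.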
I believe Google is doing this with its Google Voice product. We're unable to access our Google Voice accounts outside the USA, despite disabling Flash, deleting all cookies, etc. The ironic thing is, of course, that this is when we need it the most, as we miss more calls being in a radically different time zone.
Yep, so they just filter by whatever IP you are connecting from outside the US and that's it. Countless websites and services have been doing that for a looong time - just as evil, but it should not have anything to do with cookies, because then you should be able to sign in just fine on a different machine and use Voice.
What do you mean by this? I've always been able to send and receive texts through Google Voice in Canada; I can also call (only have it set up to call my Gmail) using the web interface. What I've never managed to do is activate the app on my Android phone to allow me to send/receive texts there, even if I couldn't do calls without a US phone number.
Hm, not sure what to tell you. Check the country you have specified in your account settings too; it has to match. All I can say is that I was able to create a "US Google Account" where my country said "United States of America", but was denied when I tried to access Google Voice. My Tor endpoint was in Russia. When I directed Firefox to use an HTTP proxy with a US endpoint, Google Voice fired right up and let me choose a phone number. Hope that info helps somehow.
They tried to make their cookies undeletable. Why would they do something like that? The fuss is that it's a bad, dishonest, skeezy thing to do. Kissmetrics has shown that they are not an honest company; they're a dishonest one that will disregard the privacy concerns of their users' visitors.
RyanGWU82 makes a good point though. People only whined about the "evercookie" method of tracking because of the potential for abuse (across multiple Web properties). Why on Earth would you care if someblog.com knows for sure that you've been to their site five times? I don't think the problem here is that you can be tracked using multiple methods that were not originally intended for use in tracking. I think the problem is that people always had a false sense of privacy (i.e., there was ignorance about what can and cannot be used to track your client).
You're accessing a remote server. There will always be a way for sites to track your visits. There is a necessity for those sites to track your visits. Don't care about their necessity to track you? Stop going to those sites.
See, I still don't understand how this is dishonest. They didn't try to make "undeletable cookies," they're not using cookies! I understand that to a layperson "cookie" means "anything that identifies me to a web site," but they're wrong, and what's dishonest about using an analytics mechanism that's not a cookie?
Even if -they- never aggregated the data, does that really mean that nobody aggregated the data? If the clients get raw data, couldn't they (privately) swap data with another client? I assume that if it can be done, it will be done.