Researchers Expose Tracking Service That Can't Be Dodged
Worf Maugg writes with this excerpt from Wired:
"Researchers at U.C. Berkeley have discovered that some of the net's most popular sites are using a tracking service that can't be evaded — even when users block cookies, turn off storage in Flash, or use browsers' 'incognito' functions. The service, called KISSmetrics, is used by sites to track the number of visitors, what the visitors do on the site, and where they come to the site from — and the company says it does a more comprehensive job than its competitors such as Google Analytics."
The data collected can be used to track the user over several sites, as the "cram cookies" are persistent through browsing sessions. The only way to remove them is to clear all browser cache data on close and restart the browser. Sounds like privacy invasion to me - although ISPs forced to log user activity is far more damning than these transgressions.
When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
Ghostery claims to block KISSmetrics fully...
Where can I get software to defeat it? Or a clear enough description that would allow me to write that software?
Please do not read this sig. Thank you.
It seems their tracking is using some javascript code. Noscript. No problem.
You can use Ghostery to block this and many other tracking scripts. http://www.ghostery.com/download
This can be dodged by disabling javascript, like everyone already does, who cares about privacy.
I also appear to have dodged it by having their servers blocked in /etc/hosts. Not sure at which point I did that.
So when are the antivirus companies going to block it? It's clearly malware. And is the FBI going to investigate them for "hacking"?
Taking a quick look at the JavaScript they use, there doesn't appear to be anything particularly unusual going on such as browser fingerprinting, or even anything as encompassing as evercookie, which can be easily defeated using built-in browser options. The only thing that seems different about it is that it attempts to use more storage techniques than other tracking services: browser local storage, ETag tracking, and IE userData storage in addition to the common browser and Flash cookies. To say that it "can't be dodged", while possibly true for the average user, doesn't hold for anyone who knows how to configure their browser for greater privacy.
According to the KISSmetrics site:
Now, I'm no fan of tracking or advertising, but TFS/A sounds like scaremongering to me, I fail to see how this service is any more "unblockable" than other analytics providers such as Google. Moreover, since many people are signed into Google all the time for things like Gmail, I'd say Google has the capability to tie a lot more personal information to a site visitor in Google Analytics.
That's not to say that Google share said information with GA account holders, but then KISSmetrics claim not to share personally identifiable information either:
https://alephnull.uk/
Yes, most porn on the internet originally came from paper publications. Midget, animal, everything.
In such, it's the internet that proved to everyone that yeah, sexual stuff does happen. You no longer needed to go to a city with a sleaze district to know.
Anyways, if sites are dynamically created, it's easy enough to make every link ride POST information or a trailing argument in the URL which can be used for tracking a particular user's link journey through the site. How it would be news I don't know though.
world was created 5 seconds before this post as it is.
Looking at my cookies, I see a bunch from different sites which are all called ACOOKIE and all start "C8ctAD" and have other long string matches in the content.
I wonder if this is doing the same thing.
"How KISSmetrics Tracking Works
KISSmetrics uses a variety of technologies to track people across the various browsers and computers they use. In doing so, we provide our customers a full view into how their customers interact with their websites.
Sites who use KISSmetrics may choose to provide us with personally identifiable information for their customers, or they may choose to use anonymized identities.
Sites have always had the option of using one of our server-side APIs, which do not set cookies or use any other means of identification. As of July 2011, sites may also choose to use only traditional cookie-based KISSmetrics tracking, which means that user information would be cleared whenever the consumer cleared their browser cookies.
For consumers who do not wish to be tracked by KISSmetrics, the freely available AdBlock Plus extension will prevent their information from being tracked by KISSmetrics. Learn more about AdBlock Plus.
The Technical Details
When a person visits a site that is using the KISSmetrics Javascript API, two javascripts are loaded:
t.js
i.js
t.js is the same for all people who visit a specific site (t.js is unique to each KISSmetrics customer).
i.js returns a unique “identity” for each person. This identity is just a random set of characters – it does not contain an email address, name, IP address, or anything else that would be useful for identifying a person outside of KISSmetrics.
When i.js loads, we set ETags and HTTP headers to tell the browser to cache the value of i.js for as long as possible. We also set the person’s random identity in a first-party cookie and as a third-party cookie on our domain (i.kissmetrics.com).
This means that if a person clears their browser cache or cookies, the random identity is likely to persist and that person will keep being “known” as a consistent random identity. If the random identity persists in one of these methods, we will reset the others so they all share that same random identity.
We do not use CSS or other versions of the technique known as history knocking.
The cached value for i.js is unique to a person, regardless of which site they are visiting. This means that to KISSmetrics, we know a single person by the same randomly-generated identity whether they’re visiting customer site A or customer site B. However, there is no way for our customers to access each others' data or know anything about a person's activities on other sites.
This is similar to credit card purchases – Store A knows what you bought at Store A with your Visa. Store B knows what you bought at Store B with your Visa. Visa knows what you bought on Store A and Store B, but does not share that information between vendors. Just like Visa, KISSmetrics does not share any information about your interactions with Site A with Site B or with any third parties.
The Privacy Details
KISSmetrics has never, and will never, share personally-identifiable customer information with any third party sites.
KISSmetrics has never, and will never, share anonymous customer activity of what people did on customer A’s site with customer B.
Person data is available to the KISSmetrics customer for the lifetime of their relationship with KISSmetrics. When a customer ends their relationship with KISSmetrics, they may request that their data be deleted within 30 days.
If you have questions, we’re happy to answer them at privacy@kissmetrics.com."
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
There are always ways. It only depends on how much effort you want to put into it. You could use proxy servers to mask IP and change them frequently or even jump from one free wifi hotspot to another. You could repeatedly purge all your cache, cookies, history etc after every site you visit.
If you RTFA, you'll see that this service is using persistent storage on your computer that is NOT contained in your cache, cookies, or browser history. Even using a DIFFERENT BROWSER on the same computer (i.e. Firefox, then Chrome) this site can track you and link your sessions. I regard this as a browser bug, and it needs to be fixed in the browser. We can't rely on legislation or promises of good behavior from website operators to fix this problem. It really needs to be fixed in the browser, or, if it is a Flash issue, it needs to be fixed in Flash. I hope a patch comes out for Firefox soon!
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
It's a real pity that Ghostery isn't free software.
It has a look-but-don't-touch licence for the source code. Being able to look is better than nothing, but if no one can modify or fork it, then it's unlikely that anyone's reading the source code at all. I wouldn't trust my privacy to something with no community or third-party oversight.
Here's gnu.org's list of free, mozilla-compatible add-ons:
http://www.gnu.org/software/gnuzilla/addons.html
For privacy, there's only really Noscript and Requestpolicy.
Expert in software patents or patent law? Contribute to the ESP wiki!
Go to http://www.kissmetrics.com/how-it-works and get tracked:
<!-- KISSmetrics for kissmetrics.com -->
<script type="text/javascript">
var _kmq = _kmq || [];
function _kms(u){
setTimeout(function(){
var s = document.createElement('script'); var f = document.getElementsByTagName('script')[0]; s.type = 'text/javascript'; s.async = true;
s.src = u; f.parentNode.insertBefore(s, f);
}, 1);
}
_kms('//i.kissmetrics.com/i.js');_kms('//doug1izaerwt3.cloudfront.net/bd3a8adc30561f08e0ccb9ad3120aa1d14b25d05.1.js');
</script>
with my http://i.kissmetrics.com/i.js :
var KMCID='IEkB3hUXZTz9zHRV1r51WjJJlB8';if(typeof(_kmil) == 'function')_kmil();
So there you go. NoScript -> no KISSmetrics. "Can't be dodged"? Nonsense. For those who cannot live without JS it should be trivial for a plugin to detect and delete their scripts. As usual the evil "tracking" requires the active cooperation of your browser.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Question:
Would modifying my MacAddress stop this kind of tracking?
This sort of thing is why the EU's half-witted privacy rules on cookies miss the point.
The thing to control is the tracking of users (particularly without their consent), and the storage and onward transmission/sale of user-information - not some particular technology that is being used to do that at any given stage in the evolution of the web.
Of course, if your legislative process is owned by the corporate world, or your voters believe in the rights of corporations, rather than citizens, that is unlikely to happen.
Paul "Say no to feeping creaturism"
On our site we did a comparison between our local stats and Google Analytics, and we found that so many people are blocking them that there was a skew that fluctuated between 5 and 15% from day to day....
We now run OWA which does a pretty good job.
Get everyone to set their key to the same value. >:D
"This guy's been on 2,500 websites every 6 seconds!"
The difference is that you can see the cameras in the store as you walk in, you don't necessarily get to see the tracking mechanisms when you browse the web.
1 - Anonymous redirection, something like TOR
2 - Forbid anything of theirs to run on your computer.
And then, for #3. Find out who is using it and boycott their companies products/services.
---- Booth was a patriot ----
The main trick used was to persistently store data via Flash. The article did say that other persistent storage techniques were used (SQLite, localStorage, etc .. technologies iOS has as well) but one less, and a very commonly used technique, is rendered useless if you're on an iPhone or iPad.
The best thing about a boolean is even if you are wrong, you are only off by a bit.
It's called a web browser.
EFF has shown that you freely transmit all sorts of info that, taken as a whole, can uniquely identify you.
Visit it yourself and see where you're at: it told me my fingerprint was unique out of over 1.6M browsers already checked.
You can block pieces - such as using NoScript, or Tor - but then you only *reduce* your uniqueness
just how many entries does kissmetrics.com have for Lynx?
Anons need not reply. Questions end with a question mark.
Some of us sheeple like to watch youtube.
So do I (sometimes), but I use only HTML5 video tags to do so... no JavaScript (or Flash) required.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Google and Facebook are more likely to be able to track you despite you trying to avoid it. Their stuff is "everywhere". If you use their services and go somewhere else but somehow still load stuff (images/scripts) from their servers (or servers they can get info from) they know who you are and what IP you are currently using.
That's what RequestPolicy is for. You can control what images/scripts/content from other domains gets loaded on a site-by-site basis in a way similar to Noscript. It's great in addition to Noscript (not as a replacement).
For example, when you load Slashdot with RequestPolicy turned on, you don't get any of the static content like images/css because that all seems to be stored on fsdn.com. You can easily select the RequestPolicy icon and tell it to allow requests from slashdot.org to fsdn.com. In a similar manner, you can let google.com load scripts and content from google.com while preventing other domains from doing so.
It's really the only way to prevent client-side tracking services that haven't yet hit the blacklists. It's more than the average user would be willing to do, but if you really want to stop tracking or you're just interested in seeing which CDNs and how many off-domain resources sites use, it's worth checking out.
It tracks your presence and where you go on THEIR site. If you don't like it then don't go there.
Be MORE than happy to, gimme a list of the sites using this shit and I'll be damned sure not to go there....
THANK YOU, Edward Snowden!! Americans owe you a debt of gratitude (whether they know it or not..)
> ...it should be trivial for a plugin to detect and delete their scripts.
And in fact Ghostery already does so.
I went to that site and it said
Your browser fingerprint appears to be unique among the 1,684,880 tested so far.
HAHA! ... Wait, what?
HAND.
APK, is that you?
The guy in charge says they are not doing anything illegal, so I feel a whole lot better. Sort of like when a bank says they're not doing anything illegal when they send you the 12th set of final mortgage papers and then tell you there's a mistake (for the 12th time) and you have to submit everything again and they've already charged you $80000 in fees... Nope, no problem there.
Sorry, but gray text on gray background is making my eyes bleed.
I disabled jscript by default and only allow a few whitelisted sites to run em. Much easier on me and keeps FF running a bit faster because I don't have tons of shit in the about:config listing for noscript.
Mod me up/Mod me down: I wont frown as I've no crown
My superior solution uses both Adblock Plus lists and Hosts lists. Basically it's a script that pulls several Adblock Plus and Hosts lists, mangles them and converts them to a format that SquidGuard can eat. My firewall redirects all HTTP traffic to SquidGuard, which then redirects all hits to a PHP page that checks the mimetype of the offensive link and returns a clean tiny file of the same mimetype to my browser. This way the site thinks I've downloaded the ad, but it is never shown, nor do I have to wait any longer than it takes to get the headers of the ad. It also does some magic on known tracking URLs and randomizes the IDs used, etc. I might have to do some tweaking in the future if enough ad services begin using HTTPS, though it would only require me to add a cert to my machines and I could again tunnel the traffic through SquidGuard.
In the past I used the HOSTS file method, but there were a couple of sites it was problematic with, and also it is so much easier to manage blocking from one server than from all my dozen or so computers.
- Raynet --> .
JavaScript is not needed at all: an etag header can be used to track you across different sites by including say a .CSS or .GIF file served by using a shared "tracking url" at a known site.
Example:
In the first request, the response header has ETag: "97a-494505e0c46c0"
In the second request, the request header has If-None-Match: "97a-494505e0c46c0" - this acts like a cookie.
If the "tracking" server receives a request with no If-None-Match: header, it replies with the file and sets the ETag to a unique value (exactly equivalent to the "cookie" value). If the server receives a request with the If-None-Match:, the value can be used to track the user... for example the server takes the If-None-Match: value, and returns back the image with the same etag value, and *also* set a cookie with that value in the response header!
Happy moony
In the case of the VISA card, two companies could check with each other whether any customers were using the same card too. But that is not enabled by the system other than being the source of the single identifier, in the same way VISA is...
However the difference really is that the person has no idea said unique identifier is being assigned to them.
Your browser fingerprint appears to be unique among the 1,684,880 tested so far.
Yeah right, that's what they whisper in your ear, telling you you are the only special one in the whole universe... until you find the web site has been seeing lots of other browsers, frequently, and without protection.
Ew!
Oh, what a surprise, someone mentioned the hosts file and look.. not half a day later and a fat, mindless maggot called APK pops up like an ugly little prairie dog.
I reject your invitation as I prefer to make a counter-offer: *I* invite *YOU* to die slowly in a fire.
P.S. => Please tell me you haven't spawned.
..Mullah or Pope, Preacher or Poet, who was it wrote: "Give any one species too much rope and they'll fuck it up"?
Haven't you figured it out yet? Nobody cares about your fucking hosts file bullshit.
We especially don't care if it works or not, because this is fucking Slashdot and if we thought a hosts-file-based solution was the right choice WE'D HAVE FUCKING DONE IT OURSELVES ALREADY.
You are truly some special kind of stupid.
Since this uses specific JS tech/JS functions, is there a way to block specific JS functions? E.g. block calls to Ajax by specific websites, cuz a website could easily mask as something useful but make calls to Java functions that could be used for mischief.
As someone who writes "visibility software", let me just say there is absolutely no way you will ever have privacy on the web. You can use TOR, or TOR-like services, if you don't mind TOR servers being the ones that track you. You can use VPNs if you don't mind the people selling VPN connectivity tracking you. If your traffic is not encrypted or terminates at an untrusted site it is visible. Oh. And just so you know. Encrypted packets carry your MAC address because there aren't changes to the headers for the last hop, so TOR and VPN services can tell you what kind of NIC your machine is using. Following the trail from manufacturer to retailer to you takes less than 8 hours. If you haven't gone at least 3 hops of encrypted traffic YOU are visible.
Having to work for a living is the root of all evil.
No. I'm one of those assholes that writes software with the explicit intention of allowing applications like snort to protect people. Unfortunately, it is also usable for other things. The mac address of the machine is encap'd in the header of the packet before decryption. When it is decrypted the mac information is still there. The outer headers of the packet (post encryption) do not have the mac address of the machine. The mac address of the last hop is what you will see in those headers. I suspect the reason you posted anonymous is because you haven't studied l2 or l3 or tor or etc...
The hardware address is in the packet before encryption. Set up a Linux box with Arpwatch and OpenVPN and see for yourself.
You start following the trail here: http://www.coffer.com/mac_find/
EISA 3Com Ethernet cards
Nice. I remember them well.
Here's a more concise way of writing all that (and remember, ANY DNS service you use gets complete access to your domain lookup history):
First line of defense: fairly generic HOSTS list, pointed to 0.0.0.0
Second: use Privoxy (you can actually forego the HOSTS list and just filter at the Privoxy level if you want, but I keep a generic HOSTS list of stuff I know I'll ALWAYS want to block).
Third: Run Firefox with NoScript, TACO and AdBlock Plus.
Fourth: use a TRUSTED DNS. I used to use OpenDNS, but stopped, as it's really a bit *too* open. What I really should be using is an onion routed DNS, but since that's a bit slow and I'm lazy, I just use Google, as they already track most of my online activities anyway (might as well put all eggs in one basket).
Fifth: use an outbound application-level firewall, and only allow specific ports/domains. Make sure the firewall you use is secure, and allows you to audit/log as well as do fine grained rules.
Sixth: We've been talking about HOSTS blacklists, but also create a HOSTS whitelist for sensitive sites. If you hard-code a domain to an IP in your HOSTS file, your DNS will never even see it. This takes some maintenance, as every once in a while the IPs get updated by the owner, but all you have to do is update once, after one lookup, and you're fixed until the next change. This is useful for banking sites, search sites (Wolfram Alpha, Yahoo, Google, Bing), and any site where you perform payments (app stores, PayPal, Craigslist, etc.).
Seventh: checksum your HOSTS file, and write a script to periodically check to ensure that the checksum hasn't changed. As you're only looking for change, you don't need to worry about collisions and can use a light checksum such as a CRC32 instead of a more intensive one like SHA1 or MD5.
Remember that when looking up the IP address of a domain, this is the order of precedence:
Application layer (depending on implementation -- this covers filters, app-specific translations, MAFIAAFire plugin, etc.)
In-Memory cache
HOSTS file
Local DNS cache
Local DNS proxy
Gateway DNS cache
Named DNS server
Domain's DNS server
Each one of these layers can be compromised, so the more you need to trust the domain to be legit, the closer to the top of the list you should ensure it is legit. It seems to me that the best solution would be a Firefox plugin where you could add static domain -> IP mappings, so it would all be done within memory, even if your HOSTS file got compromised.
One other layer of security: use separate browser processes for each "private" session -- separate windows should be enough for Lion Safari and Google Chrome, as they run in sandboxed sub-processes. Just opening a new tab is not safe in any browser.
:^\ -- you read everything but the first part of my post, where I said I was summarizing the voluminous amount of data you posted into something succinct (possibly missed due to bad word choice on my part -- precise instead of succinct) (so that people could actually internalize it). I did, of course skip the more esoteric parts, as anyone who was interested in those would likely have read all your posts. I also attempted to abstract the statements so that they would apply to any modern OS, not just Windows.