Research To "Reveal the Unseen World of Cookies"

An anonymous reader writes "The Guardian newspaper has teamed up with Mozilla to research the monitoring of online behavior through cookies and other web trackers. After downloading the Collusion add-on for Firefox, you can generate a visual representation of all the cookies that have been downloaded which are linked to the sites you have visited. This shows quite an interesting picture. The Guardian staff then want the data from Collusion to be uploaded to their site, after which they say 'we can build up a picture of this unseen world. When we've found the biggest players, we'll start tracking them back — finding out what data are they monitoring, and why.'"

Great Idea

[thesaintar]

I hope implementing it in the right way (with publicly accessible statistical and analysis methods) will shed some light into how we're being tracked. Is there an equivalent of Collusion for Chrome?

Re:Great Idea

[WrongSizeGlass]

Is there an equivalent of Collusion for Chrome?

I believe it's called Google Ads ;-)

Re:Great Idea

[Theophany]

When we've found the biggest players, we'll start tracking them back — finding out what data are they monitoring, and why.

I can answer this entire thing in 2 seconds. Porn, so they can sell it to you. In that order.

Re:Great Idea

Who goes on the internet to BUY porn?!

Re:Great Idea

[Dishevel]

Is there an equivalent of Collusion for Chrome?

Yes

Re:Great Idea

I thought the ";-)" was a clear indicator of joking...

Re:Great Idea

Must be those evil child porn addicts that we're busy throwing into prison. Since they are supporting the child porn industry and all the evil it involves, they must be buying it somehow. Because if they are downloading terabytes of child porn for free, they would be destroying child porn industry just like those pirates downloading software, music and movies for free are destroying the respective industries.

Re:Great Idea

You mean those ads which are displayed on all browsers and are in no way tied or targeted to Chrome?

Either you're a troll or that was a bad joke.

It's interesting to me how someone joking around is considered a 'troll' to you. You are what is wrong with /. these days. 'Troll' is the new 'I disagree with you'.

Did he REALLY evoke an emotional response from you by saying what he said? Did it truly upset you to the point where you were incensed and bitter over his words? If so, then maybe he is, indeed, a troll. Otherwise, shut up.

Re:Great Idea

Not the GP but still got a comment.

Its sad how humor is lost on a greater number of /. users these days. No one can make a joke without someone getting their panties in a twist. Not everything is serious all the time lighten up and learn to laugh. If you can do that here then maybe you can do it in your real life and actually make friends rather then being an uptight twat who people are afraid to joke with.

Re:Great Idea

[CaptainLugnuts]

When we've found the biggest players, we'll start tracking them back — finding out what data are they monitoring, and why.

And then we'll sell the info back to them!

Re:Great Idea

what the first guy said about humor was true but a bit coarse.

but then you came along just being a dick and killing his point. he said lighten up.

you're stomping around calling people fucktards. now you're the cancer here

one person has an offpost wasnt your cue to stomp around like your elite here

Re:Great Idea

[Calos]

It's interesting to me how someone joking around is considered a 'troll' to you.
That's flat out dishonest of you. I said either a troll or a bad joke. In other words, I found the joke so bad I couldn't be sure if they were really trying to make a joke or actually trolling, or both.

You are what is wrong with /. these days. 'Troll' is the new 'I disagree with you'.
Wrong. I'm not saying they might be trolling because I disagree. I said it because the entire premise of the joke is factually without basis. There can be no disagreement about that. That's precisely what made it humorless, or at least to me, and combined with the fact that articles about Google are often ripe for trolls, it's also what pushed it into grey area of might-be-trolling.

Did he REALLY evoke an emotional response from you by saying what he said? Did it truly upset you to the point where you were incensed and bitter over his words? If so, then maybe he is, indeed, a troll.
So someone is only a troll if they succeed in eliciting an emotional response? Not simply for trying? The entire basis for someone being called a troll is subjective to each and every individual reader? If you believe that, you have no right to judge anyone's use of the word, as you cannot know their circumstances and perception and how what they read made them feel. Interesting how, according to you, if I was irrationally affected by the comment, I would be completely justified.

Otherwise, shut up.
So, let me get this straight. You ignore the meaning of my post and any parts which don't fit the topic you want to rant about; twist the meaning of what I wrote into a strawman about misusing "troll" as "disagree;" assert that myself and presumably a nebulous faceless group of people are thereby destroying /.; and tell me that if I'm not irrationally upset by something someone says, I shouldn't post. And you think I'm what's wrong with /.?

To the GP: sorry if I came off a bit callous, as these ACs and mods seem to think. I'll put a smiley at the end next time so I don't seem so serious.

Re:Great Idea

To the GP: sorry if I came off a bit callous, as these ACs and mods seem to think. I'll put a smiley at the end next time so I don't seem so serious.

PROTIP: The smiley won't help.

After your wall of text Fisking the above AC you now come off as way too serious, oversensitive, and kind of butthurt (probably from a combination of the AC's stinging post and the stick embedded in your ass.)

Re:Great Idea

[Higgins_Boson]

*snip*

You ramble on and on with your inane and worthless counter arguments. Trolls have had the same definition online for AGES now, and you've gone out and created your own definition of what a troll is for the context of this story and discussion. If you do not understand those basic things then, by all means, shut up as I have previously requested of you

You also didn't merely "seem" serious. You obviously WERE serious. So trying to lie your way out of your stupidity is just making you look worse. Also, you DID disagree with him. You disagreed with his basis for his joke about Chrome. You got all huffy and puffy and started to blow things down, but you sadly can only blow certain things down well. His joke not being such a thing.

Grow a damned sense of humor and stop labeling everything as troll. Learn what trolls do, how they operate and WHY they operate. If levity is something you can't handle, then just fucking move on and keep your trap shut.

Re:Great Idea

[Higgins_Boson]

Also, I am no longer posting as an anonymous coward. I have no problem telling you like it is.

Re:Great Idea

[tehcyder]

I'm not saying they might be trolling because I disagree. I said it because the entire premise of the joke is factually without basis.

Hate to break the news to you, but jokes don't have to be factually accurate or even vaguely plausible.

You seem to have issues with people criticising Google in a humourous way. I suppose at least you're not an Apple fanboy, but a Google fanboy isn't much better.

Get over it, they're computer companies not our Lord Jesus Christ.

Re:Great Idea

[tehcyder]

Who goes on the internet to BUY porn?!

Well a fair amount of people obviously do or you wouldn't get so much advertising, would you? Advertisers don't do it for the fun of it.

Re:Great Idea

you tell'im BoBo! overt idiocy is better!

Re:Great Idea

[wiedzmin]

Seems to be broken or for some mysterious reason incompatible with my AdBlock Plus, NoScript and Ghostery addons. Hm...

How to get rid of them

[GameboyRMH]

On Firefox, disable HTML5/DOM storage, install CookieMonster 1.5 and BetterPrivacy.

Re:How to get rid of them

[zarlino]

On Google Chrome, the first thing to do is disallowing third-party cookies:
Settings -> Under the Hood -> Content Settings -> Block third-party cookies and site data

Re:How to get rid of them

I found that NoScript drastically reduces the clutter on the Collusion graph.

Re:How to get rid of them

[hairyfeet]

One of the things I like about Comodo Dragon is that is the default setting, so no need to try to walk someone through killing third party cookies. With Dragon and ABP everything "just works" .

Re:How to get rid of them

[arth1]

Protect the whole network.

I was thinking of making a squid filter that replaces cookies to known adentity sites with any variable data changed to random data of the same length and composition.

In my opinion, if a server wants to inform other sites about my visit there, fine, do so, but then they need to contact the sites, not trick me into doing it for them.

Re:How to get rid of them

It'd be lovely if that just worked, but in practice, a lot of sites break, sometimes subtly, and there's nothing to indicate which cookies were blocked, or which sites you need to add exceptions... so that e.g. your bank won't require you to triple-authenticate with your security question every time you try to log in.

Pot kettle spy.

[FatLittleMonkey]

we'll start tracking them back — finding out what data are they monitoring, and why.

Well, here's my contribution;

The Guardian page in the link has six trackers:
24/7 Real Media
Audience Science
ForeSee
Maxymiser
Optimizely
Quantcast

I don't know what any of them do, and I blocked them all. Fuck 'em.

Re:Pot kettle spy.

[Lucky75]

I actually see 9:

24/7 Real Media
Audience Science
ForeSee
Google Adsense
Maxymiser
Omniture
Optimizely
Quantcast
Twitter Button

Re:Pot kettle spy.

[fluffythedestroyer]

I was gonna ask if guardian was included in their own stats ?

Re:Pot kettle spy.

[SirFatty]

I fully agree with blocking them... I use ghostery, check something like Time.com (Technologizer specifically). There's about twenty separate trackers there. Unfortunately, disabling some of these will actually break functionality. In this case, there is a Apple II anniversary slide show on technologizer's site and I could not advance through the slides until I enabled the tracking.

Re:Pot kettle spy.

[FatLittleMonkey]

Story of my life. I brag about having 6, and the other guy has 9.

Re:Pot kettle spy.

[bfree]

You missed some more!

googleapis
simplifydigital
guim
llnwd
ophan
ytimg
youtube
quantserve
wunderloop
revsci
cogmatch
imrworldwide

I'll leave it as an exercise for the reader to de-dupe the above list (e.g. quantserve Vs quantcast and ytimg Vs youtube) and decide for themselves which ones are innocuous.

I didn't even bother to let any of them run any javascript to discover what else they might try to sneak in. I'm also willing to bet I missed something.

You have to love the "obfuscation" and attempts to get past blocking, from the simple noscript web-bugs to

document.write('<scr' + 'ipt type="text/javascript"

Re:Pot kettle spy.

Hi,

I'm the Guardian journalist working on this.

Unsurprisingly, if you install Collusion after reading an article on The Guardian, you tend to log cookies that our website sets. So we're noticing quite a few of the trackers we use on guardian.co.uk turn up in the project. :)

We're ok with that - better to be open that our website uses cookies for registration, analytics and advertising (just like most others!), than pretend or hide away the fact. Actually, we did another article on the same day showing how we use them: http://www.guardian.co.uk/technology/2012/apr/13/new-law-cookies-affect-internet-browsing.

The ones in that list above are a mix of third-party advertising cookies, analytics and A/B testing (so I'm learning!).

When it comes to the data we're going to try and get from the Collusion info - we can't really infer much about what behaviours have been tracked from the exported data. However, it gives us a nice long JSON string that associates certain cookies as being set when visiting certain sites. At the moment we're using that to find out how many instances of each type of tracker we're seeing across multiple sites.

We're then going to take the most prolific ones and find out more about what they do, who owns them, how they work, etc. However, we're going to be using old-fashioned journalism to do that - research and phone calls.

However, I was thinking of putting up open documents like this: https://docs.google.com/document/d/1lCp8H9i-MJwyORj_MOZflH6BCt9j6HIbQkyS2536knM/edit
so you could see where I'd got to and put me right if I was going off track (as it were). Good idea? Bad idea?

Joanna.

Re:Pot kettle spy.

Urgh. Sorry. Forgot to log in. o_O

Re:Pot kettle spy.

twice...

Re:Pot kettle spy.

[bfree]

However, I was thinking of putting up open documents like this: docs.google.com/blah so you could see where I'd got to and put me right if I was going off track (as it were). Good idea? Bad idea?

Putting this stuff on google is like asking the NSA to host wikileaks ... bad idea.

Re:Pot kettle spy.

[pjt33]

That's not an attempt to get past blocking. It's a necessity to get the HTML parser.

Re:Pot kettle spy.

[pjt33]

To get past the HTML parser.

Re:Pot kettle spy.

[Ihmhi]

Go out and buy a couple cases of boosters and then you won't have to deal with the guy who brags about how many decks he has in his backpack./p

Re:Pot kettle spy.

[joannageary]

Yeah... errr... *blush*

Re:Pot kettle spy.

[joannageary]

What would be the best place to put it bfree? I'm very happy to take suggestions for alternative ways of opening up my note-taking.

Re:Pot kettle spy.

Pastebin.

I mean, host it yourself on your Apple iPad.

Torrents arrrgh cool.

Seriously, you're writing a tech article and you're asking us about hosting text files?

Re:Pot kettle spy.

[joannageary]

I need one place that gets updated as I write my notes - the journalist notepad, but open so everyone can see it. I guess I could reiterate a new pastebin (with a new url) every time I had something new to write or wanted to reformat, but it feels quite a cumbersome way to do it...

Re:Pot kettle spy.

I actually see 9: 24/7 Real Media Audience Science ForeSee Google Adsense Maxymiser Omniture Optimizely Quantcast Twitter Button

Me too. Ghostery says there are nine. I blocked 'em all too. I think that running Ghostery and other add-ons like it will keep Collusion from gathering the information it's trying to gather. That said, I'm not disabling Ghostery to boost The Guardian's readership and/or ad revenue. Sorry, mate!

Re:Pot kettle spy.

[bfree]

You seem to have access to a website you could already publish it on no?

Failing that for whatever reason you could put it in a wiki on branchable? No I'm not affiliated to them in any way but they were the first "good" answer which jumped to my mind.

More obscure but perhaps extra appropriate for the topic at hand, you could publish it on a "hidden service" on tor?

Re:Pot kettle spy.

[SpaceLifeForm]

You will all see different cookies because they are coming from various machines on the net. Upstream intermediates are inserting them on the fly.

Re:Pot kettle spy.

[Maow]

Hi Joanna,

A typo from the linked-to page:

8. This will open a new tab with a long strong of text. This is the data that you will need to copy and paste into the box below.

Should be:

8. This will open a new tab with a long string of text. ...

Good luck with the project, it's an interesting one.

Re:Pot kettle spy.

It's not called the Grauniad for nothing.

Re:Pot kettle spy.

[tehcyder]

Guy below has 12, so Mr "I've got 9" ain't all that either. Hope that cheers you up!

Re:Pot kettle spy.

[FatLittleMonkey]

Eh? If Ms Geary puts it anywhere public online, google can see it anyway. (As can the actual NSA.) So unless you're saying that Google will censor her work, your comment makes no sense.

Re:Pot kettle spy.

[_0xd0ad]

Nope.

document.write("<script type='text/javascript'>");

works just fine. You're thinking of the closing tag:

document.write("</scr"+"ipt>");

is a necessity to get past the HTML parser.

Re:Pot kettle spy.

[Janek+Kozicki]

How did you block them?

I was thinking about adding null direction to 127.0.0.1 in /etc/hosts file, but perhaps there is a better way?

Re:Pot kettle spy.

[FatLittleMonkey]

Firefox + Ghostery

+ABP +NoScript +WOT +no-third-party-cookies...

I didn't think I was especially paranoid (I have a google account, don't use on-disk or in-mail encryption, etc) until I realised that this isn't how most people think.

Cookieculler

[MLCT]

Bit of a shoutout for the firefox extension cookieculler.

I have never found anything that matches cookieculler for features: it doesn't just purely delete cookies, it operates with a white-list based system (the way everything on the web should work). Cookieculler deletes all cookies each time you close the browser, except the ones you have whitelist "protected", that keep login information etc. as you choose.

Along with noscript, cookieculler is the main reason I stay on firefox.

Re:Cookieculler

[Lucky75]

I've found "Ghostery" to be pretty damn good. Blocks them rather than allowing+ deleting them.

Re:Cookieculler

[emilv]

How is cookieculler different from setting a default policy in Firefox and then using the built-in whitelist in Firefox to give permissions for certain sites?

Re:Cookieculler

I use CCleaner the same way. I keep cookies for gmail/forums via whitelist and nuke everything else.

But this is a step up. I might decide to use CCleaner when I think of it or have something to hide on the surface.

Re:Cookieculler

[MLCT]

Granted firefox can offer something close, but not quite. Cookieculler offers finer control, because you can whitelist the *cookies* rather than the domain. So I can (and do) choose to protect my /. cookie, but not anything else that /. place in my browser (hypothetical example, as /. don't place any other cookies).

Re:Cookieculler

[mlts]

I like going one step beyond CCleaner. I use sandboxie on my browsing sessions. This provides four benefits:

1: My Web browsing is redirected to another volume. This means that cookies and other stuff are not stored on my main application or data drives, but are separated. This keeps potential malware as separated as one can get from the system without resorting to actualy VMs.

2: When I close the Web browser, all stored stuff is gone, guarenteed. There is no worry about hidden cookies, LSOs, or any other third party application crap that may be stored, but might get missed by cleaning utilities. Any writes to the Registry or files are redirected and then purged at the end of the session.

3: It provides a restricted context, so malware that gets control of the Web browser doesn't get control of the rest of the user account. This is important, because newer malware can do 90% of its nasty stuff without needing root/admin rights (such as reading files and uploading them, running a botnet client as a user, spamming, DDoS-ing, and other stuff.)

4: I can block volumes and directories from access by the sandbox. This keeps malware from reading documents or being able to see drives it shouldn't. Some applications can be restricted with Net access.

I've found in my personal experience that AdBlock, SpywareBlaster (which adds kill bits and adds to browser cookie deny lists), combined with sandboxie and a decent Web browser (Chrome or Firefox) have done a great job at keeping malware at bay. AV programs are nice, but they tend to be pointless with how fast zero-days get developed.

Re:Cookieculler

FYI: Ghostery has some "built-in" whitelists for companies that pay them for this. Unless you are running noscript as well, you won't see this.

Re:Cookieculler

[plover]

Citation really needed.

I don't see the irony in it

[Hentes]

Protect yourself from tracking websites by this addon that collects all your cookies and sends it to us!

Re:I don't see the irony in it

[arth1]

That was my reaction too.
Combined with the technology being used, not installing it was a given.

Re:I don't see the irony in it

[joannageary]

It's really about understanding a bit more so that you can then take action to protect yourself if you want to. But yeah... I get the irony. The reason why I still thought it was worth going ahead with the protect was twofold: the aims of the Collusion team to educate and inform AND that all the information sent to us is anonymous. I would love to say we could identify people by the sites they visit, but in aggregate it seems like everyone likes internet shopping and porn. :)

Cookies or COOKIES!?!?

Anyone else read the title and thought people were taking a deeper look at why those delicious baked goods are so tantalizing?

Bah ...

[oneiros27]

I read the title, and get all excited ... and then read the summary to find they're not talking about the Girl Scouts, Nabisco, or other things that might involve sugar and chocolate chips.

And now that I got my hopes up, I'm going to go see what's in the vending machine. There's usually animal crackers, at the very least.

Re:Bah ...

[Cinder6]

It depends on if they track the cookies from the Girl Scouts website.

Internet marketing

[Roberticus]

If average folks become aware of how many cookies get set (along with getting a user-friendly way* of turning them off), that could have a huge and entertaining effect on the world of Internet marketing**.

For example, right now, I can assume enough website visitors have JavaScript enabled to make it almost 100% (and not worth writing HTML for the case where they don't). But if I can only reasonably assume, say, 50% of my visitors/email through-clickers/etc. have cookies active, that plays havoc with my reporting.

* "User-friendly" defined as "something my dad can do without asking me for help".
** I spend all day every workday in this world.

Re:Internet marketing

Browsing this topic, I see a cookie from Slashdot but another one from Scorecardresearch.

Not sure what any Javascripts may be doing as far as sending data to additional entities or doing additional tracking.

Also, I am interested in files in my browser cache that look like this: tpc=internet;tpc=yro;tpc=slashdot;tpc=mozilla;tpc=technology;tpc=privacy;u=20120416_research-to-reveal-the-unseen-world-of-cookies_internet;ord=2044350982235341[1].7

Why so many extra parameters?

Facebook

[Lucky75]

You'd be shocked at how many cookies come from facebook across multiple sites. I use an extension called Ghostery (https://addons.mozilla.org/en-US/firefox/addon/ghostery/) to block most of them.

Re:Facebook

[19thNervousBreakdown]

Spoiler: It's practically every site.

Re:Facebook

[Zocalo]

Yeah, social media sites are particularly obnoxious; you'll often get one cookie for every site that has one of their "Like", "+1" or whatever buttons on a page. Analytics sites are another obvious example where this is going to happen more often that not. "Screw 'em" was my response too, but I went for a deny all by default and whitelist approach rather trying to manage them on a per domain basis.

I've been doing that for a while now as it's much simpler and, once you've gone through the initial setup of your whitelist for frequently visited sites, not as painful as you might think. No addons required. It seems like few sites actually need cookies any more, although on many sites you'll get a better experience with them enabled, particularly so on those that use logins. If it's worth the benefit, I may enable those for the the "Session" option in Firefox, but very few sites get the "Allow" option.

Re:Facebook

Ghostery, Ad-block plus, HTTPS everywhere, and a proxy that blocks *.google.com and *.google.ca....

With services like startpage.com/ixquick and duckduckgo, there's really no reason to directly access google anymore. Same deal for bing, yahoo, etc.

Although I have to admit I haven't found a good alternative for google maps, which doesn't work well via anonymous web proxies.

Re:Facebook

[Zocalo]

If you want detail beyond just the road network, then give Bing Maps a try, although if you are on Windows you may want to use IE as it occassionally has issues with other browsers. It varies from country to country, but for the UK they use the full Ordnance Survey maps which are so much better than Google's it's not funny, so YMMV depending on what area of the world you are interested in maps for. Open Street Map is also heavy on the street detail in areas where Google Maps might only show a single road, and no, that doesn't necessarily mean in the middle of nowhere, for instance here's Sarajevo at a similar level of zoom in Google Maps and Open Street Map.

Re:Facebook

[Jah-Wren+Ryel]

You'd be shocked at how many cookies come from facebook across multiple sites. I use an extension called Ghostery (https://addons.mozilla.org/en-US/firefox/addon/ghostery/) to block most of them.

I use Ghostery plus RequestPolicy which gives you control over every single external request that a web page makes. It is like a noscript for cross-site references of any kind.

Re:Facebook

[stridebird]

+1 for RequestPolicy, although I have to say when I restart my browser, then immediately find my self staring at a FUBAR page, I usually just hit "temporarily allow all requests" and get on with life, tracked as I may be. I do log out of facebook each time and delete facebook.com cookies, but I suspect that facebook still tracks me on other domains they control. I am like a tiny tiny person shaking a tiny tiny fist at the giant.

Re:Facebook

[_0xd0ad]

I use AdBlock Plus to nix the Facebook tracking. At the cost of seeing "Like" buttons everywhere I go (yes, that's a joke), these filters or some similar will do the trick:

||facebook.com^$third-party,domain=~facebook.net|~fbcdn.com|~fbcdn.net
||facebook.net^$third-party,domain=~facebook.com|~fbcdn.com|~fbcdn.net
||fbcdn.com^$third-party,domain=~facebook.com|~facebook.net|~fbcdn.net
||fbcdn.net^$third-party,domain=~facebook.com|~facebook.net|~fbcdn.com

You will occasionally see a button when the image is hosted on the website you're visiting, but the Facebook connect js won't load and the button will be non-functional. When that bothers my sense of aesthetics, I usually write an element-hiding rule to get rid of the button, e.g.

#a(href*=facebook.com/sharer)
#a(href*=plus.google.com/)
#a(href*=twitter.com/intent)
slashdot.org##*.comment_share
slashdot.org##*.comment_share_toggle

Oh snap!

>2012
>Voluntarily sending one's browsing habits to a news agency who will 'help you to track the trackers'.
>ISHYGDDT

Yo Dawg

[Z80xxc!]

Yo dawg... I heard u dislike being tracked, so we put a tracker in your trackers so you could be tracked while we track.

"What Data they are monitoring and why"

[dmomo]

It will be interesting to see not only the results of this analysis, but also how they came any conclusions that they do.

Many cookies are used only to store a unique identifier. They data about a user many websites actually store is housed and maintained on their server, keyed by the unique id. This could include "pages visited", "duration of visit", "browser/system specs/settings" along with any derived demographic data.

It would be hard (though not necessarily impossible) to determine this from a cookie analysis.

Collusion is quite fascinating...

[dryriver]

I found out using its automated "graph-builder" that the 3 - 4 supposedly "safe" sites I visit most often, actually pass my user data on to Google, Facebook, DoubleClick, Mediaplex, Adroll and other services. Its quite educational to watch the graph go from a blank page to a fairly complex network of interconnections as you continue to browse. Its going to be interesting to see what results from this when the Guardian gets all the aggregate data from Collusion. It does seem indeed that there is such a thing as a "secret world of cookies" out on the internet, and I personally support that this "secret world" be uncovered fully, so we get to see what entities are clandestinely mining our supposedly "private" user information as we surf. --- The whole thing also reminds me of the book "Brandwashed", where the author explains at length how commercial establishments collect all sorts of data on us, and exploit it to sell us more products.

Research To "Reveal the Unseen World of Cookies"?

No research needed, the truth about the unseen world of cookies has been known since 1968. They're made in a hollow tree by elves.

Fight

Fight technology with technology ;)

Cookie scrambler

[flyingfsck]

I would like to have a FF plug-in that messes up cookie data to make it useless to the trackers. A little bit of revenge...

Re:Cookie scrambler

Bonus points if the cookies are deliberately malformed to crash their servers and/or corrupt their data.

Re:Cookie scrambler

Maybe send the cookies to a server (that mantains a pool for each site) that then rerturns a random one to send back to the site. That 'll be quite fun and efective.

porn

[Sperbels]

finding out what data are they monitoring, and why

Well, all the porn websites seem to know that I prefer brunettes over blonds.

Re:porn

[joannageary]

But do they also know that you buy your underwear from Marks & Spencers? That's the interesting sort of thing I'm hoping we'll find out - what companies are tracking over such varied sites and what information (if any) they then sell back to their clients.

Cookies not the only way to do this...

[isaac]

Cookies are not the only evidence of tracking. Even Flash LSO, HTML5 local storage, etc.

There's a surprising amount of identifying information in request headers and what's available to javascript. (see http://panopticlick.eff.org/ for a demonstration.) That means, one often needn't accept or store a cookie to be tracked.

A really comprehensive pro-privacy browser extension would munge request headers and enumeration of fonts, plugins, screen resolutions, etc. to match one of, say, the top 5 most common desktop browser fingerprints - and to change every so often (Changing per request would itself be a trivially detectable signature.)

-Isaac

Methodology Issues

[TaoPhoenix]

You know already who the "Big Players" are - Google, Facebook, Microsoft, your choice of a couple more related ones.

Then it descends into all these little companies. I would expect that some of them are subsidiaries of the big guys etc.

The ideal goal of each of these "thingies" (cookies, flash objects, etc etc) is to nail down who visits down to a unique user if possible.

So just copy the Ghostery block list, maybe the AdBlock block list, your choice of a couple more tools.

If you want a "market share per ad company" report then get one of those.

There's something bothering me with your study design but it's not clear yet.

Re:Methodology Issues

[FatLittleMonkey]

So just copy the Ghostery block list, maybe the AdBlock block list, your choice of a couple more tools.

Guardian does seem to be re-inventing the wheel a bit. Ghostery (Evidon/Better-Adertising/Direct-Advertising-Assoc) already has not just a public list of tracking companies, but a page of info about each one.

Whereas Collision seems more about displaying the connections ("collisions") between known trackers that you personally encounter, not collecting new info for a data dump.

I like the Guardian, and I appreciate the journo sticking her head in the lions den, but it seems to me she&they would achieve more working with Evidon/etc to make Ghostery's/etc list available in a human useful form on the Guardian's website. "See the web within the Web".

For example, using a web-crawler armed with Ghostery's/etc list to link trackers to websites, then show the underlying network in a (Collision-style) interactive 3d display.

She/they might also look at how different sites respond to AdBlock. I've noticed that with ABP in my user-agent header, many sites don't even bother to serve ads. The flip side of the advertising war to force themselves onto users, some sites actually try to respect user-preferences without being dicks about it, or hysterical "OMG u r stealing teh contentz!" (hello Facebook.)

C is for cookie, it's good enough for me

[bryan1945]

Gooble gooble gooble.
I love Cookie Monster. He taught me the best places to hide my cookies as a kid. ..Huh, what's that? Wrong type of cookies? Oh....

Ghostery started tipping me off to how much stuff I was missing. I'm in the process of whitelisting sites, which is a pain with all the underlying stuff lying around.

How about the unseen world of javascript?

[digitalaudiorock]

That's the one people should be the most concerned with. When I first started using NoScript, I was stunned at how many supposedly reputable sites were using javascript pulled from ten or twenty different unrelated sites. There's just NO good excuse for that at all.

Re:How about the unseen world of javascript?

[Kittenman]

That's the one people should be the most concerned with. When I first started using NoScript, I was stunned at how many supposedly reputable sites were using javascript pulled from ten or twenty different unrelated sites. There's just NO good excuse for that at all.

Agreed - quite amazing. And how insidious FaceBook is...

Slashdot uses DoubleClick, Google Analytics and

[John+Holmes]

ScoreCard Research Beacon. Without my consent.

Re:Slashdot uses DoubleClick, Google Analytics and

Well, you did give consent when you signed for your account. You just dont remember.

yahoo sucks

any time you use a starbucks they report the mac adddress to yahoo unless you edit your hosts file so that starbucks.yahoo.com resolves to something else

Sad

[oDDmON+oUT]

It's not compatible with 3.6, which I prefer over the UI of later versions.

Wonder how many data points that will lose them.

Phooey.

I wanted to give the Collusion add-on a whirl but, sadly, it is unavailable for Mozilla FireFox 3.6.28. sadface.jpg

Now please proceed to mod this post down to oblivion.

Re:Website

[TaoPhoenix]

Sure, why can't you host your notes at something like http://www.guardian.co.uk/JGeary/CookieStudy.html?

Then just keep uploading new iterations of the page.

And I figured out part of what was bothering me. You're asking for "data for research" but your initial article is "shadowed" - it reads like "give us data and we'll figure out what we want to write about".

Write two versions of your story: the Mass Market one "Look, it's 2012, we found all these cookies! They're evil!" and the other with a FAR More rigorous approach. (I'll let you off for not being a PHD academic, but tell us something we don't know - but remember your audience! I'm in the LOWER 50% and I already run Adblock and Ghostery and Collusion (from 2 months ago!) with screen shots of who Ghostery blocks. Chops that you said you want to do some "old time journalism" - then dig into the meat! "Obfuscated flash objects, zombie cookies, Firefox's Do Not Track vs it actually being followed, etc."

Regards,

--Tao

Mozilla lets Google track you

There are other ways you are tracked.

For example, go to https://addons.mozilla.org/en-US/firefox/

Yes, that's the Mozilla site for addons. Now click to see ANY addon (the default main page doesn't have this - but EVERY addon does).

Now in Firefox, click Tools and then Page Info. Click Media on the top. Notice that every page you go to has a Google recaptcha image embedded in it?

You don't think Google tracks those? Now Google knows which addons are more popular, what your IP address is, and which addons you installed... which might help out Chrome a little.

Chocolate chip spectroscopy, anyone?

[Gimbal]

>< n/t

Re:Website

I'm in the LOWER 50% and I already run Adblock and Ghostery and Collusion (from 2 months ago!) with screen shots of who Ghostery blocks. Chops that you said you want to do some "old time journalism" - then dig into the meat! "Obfuscated flash objects, zombie cookies, Firefox's Do Not Track vs it actually being followed, etc."

Regards,

--Tao

Good choices, I also run AdBlock Plus, NoScript, WOT, and Ghostery in Firefox, as well as Better Privacy.
I've also recently discovered DoNotTrack plus, by Abine.com, which blocks social network trackers, ad network trackers, and company tracking.
Since I installed it a few months ago, it has blocked 8,690 attempts to track my web browsing. That number goes up fast.
It blocked 4 trackers just on this slashdot page. ( Google Analytics, Doubleclick, & Comscore beacon, along with Ad tracker Dedicated Networks ).
Although, it also only saw 4 trackers on the linked Guardian page in the summary. The other 6 or 9 trackers on that page that other posts have mentioned may have already been blocked with NoScript or my other Firefox addons that I run as mentioned above.
But I'm not going to turn them all off and revisit the page to find out though...