Slashdot Mirror

← Back to Stories (view on slashdot.org)

How a Lone Grad Student Scooped the FTC On Privacy Issue

Posted by Soulskill on from the dear-ftc-please-hire-people-like-this dept.

Pigskin-Referee sends this excerpt from an article at ProPublica: "Jonathan Mayer had a hunch. A gifted computer scientist, Mayer suspected that online advertisers might be getting around browser settings that are designed to block tracking devices known as cookies. If his instinct was right, advertisers were following people as they moved from one website to another even though their browsers were configured to prevent this sort of digital shadowing. Working long hours at his office, Mayer ran a series of clever tests in which he purchased ads that acted as sniffers for the sort of unauthorized cookies he was looking for. He hit the jackpot, unearthing one of the biggest privacy scandals of the past year: Google was secretly planting cookies on a vast number of iPhone browsers. Mayer thinks millions of iPhones were targeted by Google."

13 of 120 comments (clear)

  1. What are "secret cookies"? by DogDude · · Score: 5, Interesting

    What are "secret cookies"? Does anybody know what in the hell this means? Last I checked, cookies were plain text files stores in a specific place on a computer. How can a cookie be "secret"?

    --
    I don't respond to AC's.
    1. Re:What are "secret cookies"? by BitZtream · · Score: 5, Insightful

      You don't use a cookie.

      You use an image and some nifty tricks to figure out if it was cached and long story short, you trick the browser into giving you info because of how it responds to cached documents.

      This was on slashdot when the story originally came out with a much better description.

      And I seem to recall that it was pretty clear at the time by looking at the java script that it was probably purely accidental rather than intentional.

      Unfortunately, with CmdrTaco gone, sensationalizing of stories has shot up tremendously. You pretty much have to assume the summary is a lie now days. Not an error, an intentional lie.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    2. Re:What are "secret cookies"? by AliasMarlowe · · Score: 5, Informative

      when the locked-down computer/device prevents you from seeing them?

      Not sure if that's what's going on here - but being plain-text does not necessarily mean readable. I don't know how to see/read cookies on my ebook reader, for example.

      A good argument for knowing something about how your device works. I don't have an e-Reader, so don't know whether it's even possible to clear cookies (maybe they're needed to maintain access to purchased ebooks). Anyway, this whole rigmarole strongly reinforces Eben Moglen's recent suggestion. The spying behavior of locked-down devices is making his case very clearly.

      On a PC (not yet locked-down by UEFI), it's not sufficient just to clear cookies and LSOs. We have Opera set to delete its entire cache as well when you exit, and the kids know to clear their browsing history regularly (curious how quickly they learned that one). Firefox is also set to clear its cache and browsing history automatically on exit. On Chromium and Chrome, it's necessary to manually clear the entire cache and browsing history.

      FWIW, this site will tell you what can be discerned from your browser just visiting a page. It's likely to increase your paranoia level a bit, especially when this site tells you just how unique your browser is. Ours all appear to be unique, probably largely due to the installed fonts and plugins.

      Has anyone else noticed the appalling sensationalism in headlines these days? Slashdot is in danger of becoming just another gutter-press gossip site.

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    3. Re:What are "secret cookies"? by phantomfive · · Score: 5, Informative

      No, that is a different technique. This one does use cookies, but it gets around the restrictions in Safari by doing a POST in the iframe. Details here, the Wired article is useless.

      --
      "First they came for the slanderers and i said nothing."
    4. Re:What are "secret cookies"? by Anonymous Coward · · Score: 4, Interesting

      There are some things that need to be added to this.
      1) Browser history clearing should not be necessary. If a browser leaks history information that is a vulnerability that needs to be addressed. But I've found the ability to search the history very valuable and it isn't something you'd want to deprive yourself of.
      2) Most websites that would abuse potential leaks are blocked by ad blockers. You might also want to run PeerBlock.
      3) Sites don't need your browser history to fingerprint you anyway. (You hinted at this, but I might as well make explicit that clearing your history or using a secure browser ultimately may not matter.) Browsers send websites too much data; browser developers must put a stop to that. Stop sending user agents; stop sending plugin details.
      4) It doesn't matter if you can view the cookies you have. Most of the time they're filled with seemingly gibberish. If you can't read them, they're still secret. But remove them and the site stops working. This will only change if browser developers start blocking cookies by default, and make it impossible to simply whitelist all websites. Again, browser developers, get of your arses.
      5) What the EFF site you linked doesn't show is that there's potentially much more data to be harvested from the JavaScript environment. You can probably detect certain browser extensions that modify styles or inject elements for example. And you can check the size of the browser window (you can safely assume it will be maximised since nowadays almost no website works if it isn't, sadly). All harvested information can be passed back to the website silently through the magic of XmlHttpRequest. So either XmlHttpRequest will have to go, or we'll need to virtualise the environment a website's JavaScript sees (lie about active CSS and fonts, hide injected elements, ...) to a much larger extent than we're doing now.
      6) Carrying on from the previous point, I'd advise people to disable JavaScript altogether if I didn't know that most websites will break and it'll make you even more unique. But again, this will change if major browsers start blocking JavaScript.
      There are many more things, but they're not worth discussing until headway is made on the points above.

    5. Re:What are "secret cookies"? by AliasMarlowe · · Score: 4, Informative

      There are some things that need to be added to this.
      1) Browser history clearing should not be necessary. If a browser leaks history information that is a vulnerability that needs to be addressed. But I've found the ability to search the history very valuable and it isn't something you'd want to deprive yourself of.

      Actually, it's still best to clear out your history regularly. The old methods for a web site to trawl through it using Javascript and CSS exploits (tested in the browserspy.dk site I linked to) don't work with relatively modern browsers, but this method does.

      4) It doesn't matter if you can view the cookies you have. Most of the time they're filled with seemingly gibberish. If you can't read them, they're still secret. But remove them and the site stops working.

      I remove my cookies regularly (all of them), and they are always deleted when the browser exits. Sites don't "stop working"; at most, you have to log in again the next time you visit. However, this should be the default (as it is for banking sites and for making purchases at reputable sites), and not the "keep me logged in so I can forget my userID and password" option that is preferred by those who don't know or don't care about how easily they can be tracked.

      Some of your other points are partly valid (the parts alluded to in my post), but there is much that you got wrong, also. For example, I don't use any of my browsers maximized on any of our Linux PCs at home or on the Windows PC at work, and have never encountered a website which required my browser to be maximized. Are you perhaps using a screen with an insufficient resolution, and making an unsupportable generalization therefrom?

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
  2. from the dear-ftc-please-hire-people-like-this.. by Anonymous Coward · · Score: 5, Insightful

    from the dear-ftc-please-hire-people-like-this dept.

    I doubt that the FTC would pay them well enough to make it worth their while.

  3. Shocker by Stickerboy · · Score: 4, Insightful

    Always follow the money... do you think Google, or Facebook, or any other company that feeds itself on ad revenue really cares about your privacy? Their hard work is to find new ways to either take it from you or sell it to them for a new shiny widget. Is the big money from Google TV and Apple TV going to be selling low-margin boxes, or in selling your viewing habits?

    You are not the customer. You have never been the customer. You're just the meat.

    --
    Light a fire for a man and he'll be warm for a day. Light a man on fire and he'll be warm for the rest of his life.
  4. Wired distorts it by phantomfive · · Score: 4, Interesting

    If the annoying "gifted computer scientist" and "scooping the FTC" rhetoric is too much for you, the tone come from the Wired article.

    The original post by the 'gifted' man is much more reasonable. Safari by default blocks third-party cookies (you can turn it off in the settings). This post explains how Google, and others, get around it. Quote, "if a cookie is sent with an HTTP request, Safari’s blocking policy will allow the response to write cookies." So when they load their iframe in the background, the first thing it does is a POST. If that doesn't make sense to you, the summary is Google used technical means to get around Safari's limitations. Here is Google's response.

    Most hilarious, irrelevant, line from the article, "Earlier this year, it was revealed that Target realized a teenage customer was pregnant before her father knew; the firm identifies first-term pregnancies through, among other things, purchases of scent-free products."

    --
    "First they came for the slanderers and i said nothing."
  5. Re:Privacy assured... by betterunixthanunix · · Score: 4, Insightful

    Why do people keep pushing these ridiculous false dichotomies? Nobody is saying that we should all be isolated, secretive hermits who keep everything we do secret from everyone else. The problem is that we have these companies amassing vast amounts of information on people, with horribly inadequate limitations on how that information can be used, how long it can stored, or what should be done if a person objects to the storage of that information. It is clear that these companies do not really respect the wishes of their users to not be tracked, because they are using these sorts of tricks to evade browser settings.

    If you think there is no difference between people in my town knowing who I am dating and a company like Google keeping track of everything I read, watch, purchase, and say, then you are not paying attention. We are not talking about gossip here, we are talking about companies amassing power over everyone (by collecting information) without any check on that power.

    --
    Palm trees and 8
  6. Re:google's chrome by Quince+alPillan · · Score: 5, Informative

    http://www.mattcutts.com/blog/google-chrome-communication/

    http://www.google.com/chrome/intl/en/privacy.html

    Really? The Google paranoia is pretty heavy around here and is completely unnecessary. If you're not going to bother to become informed, you should avoid telling the world how uninformed you are.

  7. Chrome transfers every action to google by goombah99 · · Score: 4, Informative

    How do you think google is able to have the bowser on your phone, computer and tablet sync the open taps and pre-fetch all the entries in each instances history? Chrome definitely records every webpage you look at and sends it to google.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  8. Re:Privacy assured... by mrchaotica · · Score: 4, Insightful

    Or in other words, the analogy here is not that we're trying to isolate ourselves from casual observation, but rather that we're trying to fight back against a stalker.

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz