Slashdot Mirror


Google Is A Serial Tracker (softpedia.com)

An anonymous reader writes: Two Princeton academics conducted massive research into how websites track users using various techniques. The results of the study, which they claim to be the biggest to date, show that Google, through multiple domains, is tracking users on around 80 percent of all Top 1 Million domains. Researchers say that Google-owned domains account for the top 5 most popular trackers and 12 of the top 20 tracker domains. Additionally, besides tracking scripts, HTML5 canvas fingerprinting and WebRTC local IP discovery, researchers discovered a new user fingerprinting technique that uses the AudioContext API. Third-party trackers use it to send low-frequency sounds to a user's PC and measure how the PC processes the data, creating a unique fingerprint based on the user's hardware and software capabilities. A demo page for this technique is available. Of course, this sort of thing is nothing new and occurs all across the web and beyond. MIT and Oxford published a study this week that revealed that Twitter location tags on only a few tweets can reveal details about the account's owner, such as his/her real world address, hobbies and medical history. Another recently released study by Stanford shows that phone call metadata can also be used to infer personal details about a phone owner.


  1. Joke's on them! by U2xhc2hkb3QgU3Vja3M · · Score: 5, Funny

    I don't even have a computer!

    Sent from my iPhone 6.

    1. Re: Joke's on them! by Anonymous Coward · · Score: 4, Funny

      Joke's on you! I don't even have a phone.

      Sent from my pager.

    2. Re:Joke's on them! by Anonymous Coward · · Score: 3, Funny

      Joke's on you! I don't even have a sense of humour!

    3. Re:Joke's on them! by hcs_$reboot · · Score: 5, Funny

      You're joking, obviously. But tracking can be convenient. The other day I was in a hurry, and had to enter some data in a form. I just googled "what was that secret and private account number of mine in Panama, please?" and voilà, form filled!

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    4. Re: Joke's on them! by Anonymous Coward · · Score: 1

      No shit Sherlock. That's the joke.

    5. Re: Joke's on them! by Anonymous Coward · · Score: 1, Funny

      Joke's on you! I don't even own any digital electronics!

      Sent from my abacus.

    6. Re: Joke's on them! by Anonymous Coward · · Score: 1

      I am not even here, but AI posts ...

    7. Re:Joke's on them! by tepples · · Score: 1

      Computer yes, personal computer no. An Android tablet is a personal computer, as the person who owns it can control what computing is done on it by installing an app for making apps, such as AIDE. An iPhone or iPad is controlled by Apple unless paired to a Mac running Xcode.

      The joke is that many non-technical users misuse "computer" to mean "personal computer". But many users who know just enough to be dangerous can't tell certain differences that bear on their continued freedom to compute.

    8. Re: Joke's on them! by davester666 · · Score: 1

      Joke's on you! I'm not even alive!

      Sent from my grave.

      --
      Sleep your way to a whiter smile...date a dentist!
  2. Re:WTF!? Demo Page Uses Google APIs by mrchaotica · · Score: 1

    I use requestpolicy [continued] too, but I had ajax.googleapis.com whitelisted because almost every damn site needs it so the test worked on my browser. : (

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  3. it get worse... by Anonymous Coward · · Score: 5, Insightful

    If you do your damned best to block Google's tracking - not loading their scripts and so on - the Web is broken. So many sites use Google scripts for required functions that things just don't work any more. "The open Web" is now "The Google Web".

    There might be hope though. Some people have packaged up the Google scripts (sanitized?) so that your browser can load them locally, and you can still block Google IP ranges without breaking every fucking site on the web.

    Letting one company become THIS pervasive? Not so good for fault tolerance, privacy, and decentralization of control.

    1. Re:it get worse... by KiloByte · · Score: 5, Informative

      You want this.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    2. Re:it get worse... by Anonymous Coward · · Score: 2, Interesting

      Decentraleyes is a start but it doesn't keep local copies of everything.

      It also doesn't play well with other stalker-blockers because it intercepts the access to the actual website. So if adblock stopped the browser from even trying to go to the website then decentraleyes doesn't get a chance to do its thing. But if you completely unblock the website then anything decentraleyes misses ends up going to the real website.

    3. Re:it get worse... by tinkerton · · Score: 1

      Let's call it a joint venture. But I agree NSA will simply join up with Google instead of developing everything in parallel. Eric Schmidt certainly doesn't mind.

    4. Re:it get worse... by Dadoo · · Score: 2

      Given that 3 or 4 articles before this one is another article about Google's self-driving cars, I have to ask: has it occurred to anyone besides me that Google might want to use those cars to track you in the real world, as well as online?

      --
      Sit, Ubuntu, sit. Good dog.
    5. Re:it get worse... by Gr8Apes · · Score: 1

      ISPs can do way much better tracking especially if that ISP is Google.

      You didn't think Google was building out fiber networks with reasonable charges because it was good, did you?

      --
      The cesspool just got a check and balance.
  4. yes, i used to see women's intimate ads by known_coward_69 · · Score: 3, Interesting

    between my wife and kids and I we have almost a dozen laptops, phones and tablets at home. My wife used to buy underwear for herself on the macbook at home. week later on my lenovo at work i'm seeing ads from the same sites she visited. same with Fredricks of Hollywood. she bought a costume there for halloween and i saw their ads at work with half naked women on my slashdot page.

    1. Re:yes, i used to see women's intimate ads by viperidaenz · · Score: 4, Funny

      half naked women on my slashdot page

      I'm failing to see a problem with this

    2. Re:yes, i used to see women's intimate ads by exomondo · · Score: 3, Insightful

      This just proves that their tracking of individual users doesn't work very well.

    3. Re:yes, i used to see women's intimate ads by SeaFox · · Score: 1

      ... week later on my lenovo at work i'm seeing ads from the same sites she visited. same with Fredricks of Hollywood. she bought a costume there for halloween and i saw their ads at work with half naked women on my slashdot page.

      Why aren't you blocking ads to begin with on a machine you're using at work?

    4. Re:yes, i used to see women's intimate ads by exomondo · · Score: 1

      "Your wife would like this" :)

      That's a nice attempt to excuse the poor tracking but the fact is it simply does not work well.

  5. Tracker by Livius · · Score: 3, Insightful

    They misspelled "stalker".

  6. Where is the government? by Anonymous Coward · · Score: 2, Insightful

    This is where regulators need to step in. Simple legislation is all we need: if you don't own a domain, you can't track people on it, unless it's something like an OAuth login.

    1. Re:Where is the government? by tepples · · Score: 1

      if you don't own a domain, you can't track people on it, unless it's something like an OAuth login.

      Loophole: Google could encourage website operators to add "[G+] Sign in with Google" and "[+1] Share on Google" buttons in order to claim that the tracking is to more strongly authenticate users of the OAuth-based OpenID Connect protocol.

    2. Re:Where is the government? by godel_56 · · Score: 1

      This is where regulators need to step in. Simple legislation is all we need: if you don't own a domain, you can't track people on it, unless it's something like an OAuth login.

      They are stepping in. Their intelligence services will be taking full advantage of it.

  7. Shame on you, web masters! by Anonymous Coward · · Score: 1

    Who makes their own web site dependent on a third party server just to load some static script library files? Almost everybody, that's who. There isn't a system simple enough that blithering idiots like you lot can't subvert and ruin.

  8. And there's no escape... by ndykman · · Score: 4, Insightful

    I can use OS/X, Linux. With all the fervor over Windows 10, there's still Windows options to reduce or turn off telemetry (in some versions). Google's been doing this forever, making billions for it, and there's no escaping it. Why won't Microsoft get in on the trend to make a better OS?

    No option to self host your own Google software, no way to get them to truly honor your preference not to track you, nothing. I can't even pay them to do so. And if my employer or school uses their applications, I have to trust them that they don't track those users, but if some of the current lawsuits against them turn out to be true, that trust was misplaced.

    Look, if you want to make software services, just do so. But Google can't let go of ads or advertising revenue and are dragging other software companies with them. Frustrating. But, go ahead, keep using Chrome and making fun of MS or Apple for having their own browsers and cheer as their market share goes down.

  9. Serial...? by MobileTatsu-NJG · · Score: 2

    I think parallel is a much better word....

    --

    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    1. Re:Serial...? by SeaFox · · Score: 1

      It certainly has much wider adoption.

  10. Well duh by Anonymous Coward · · Score: 1

    They bought doubleclick.net ten years ago when it was probably the most notorious tracking site around, *and* they have Google Analytics which they've been peddling to web sites forever.

    1. Re:Well duh by ChrisMaple · · Score: 2

      Google Analytics is particularly abusive. Many streaming audio sites won't work until G.A. is allowed, even though it has nothing to do with the streaming.

      --
      Contribute to civilization: ari.aynrand.org/donate
    2. Re:Well duh by gweihir · · Score: 4, Insightful

      I just move on in that case. I need their content less than they seem to need me.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:Well duh by KozmoStevnNaut · · Score: 1

      I have never had an issue with streaming sites while blocking Google Analytics, using Privacy Badger. I also have the GA opt-out cookie set, just in case it slips through anyway.

      --
      Eat the rich.
    4. Re:Well duh by Gr8Apes · · Score: 1

      I also have the GA opt-out cookie set, just in case it slips through anyway.

      I'm sure that won't be tracked!

      --
      The cesspool just got a check and balance.
    5. Re:Well duh by KozmoStevnNaut · · Score: 1

      Well, obviously you have to trust that Google are actually telling the truth when they say it opts you out of GA. That's why I use uBlock and Privacy Badger, too :-)

      And if they're tracking "hey, this guy doesn't want to be tracked by GA", that's OK with me.

      --
      Eat the rich.
  11. Re:WTF!? Demo Page Uses Google APIs by PPH · · Score: 1

    Oh well. It doesn't run on my iBook G4. You think I'm going to play with tracking sites using my primary system?

    I ain't clickin' that shit, .....

    --
    Have gnu, will travel.
  12. And you were all worried... by Anonymous Coward · · Score: 1

    ... about the NSA

  13. Oscobo....No Tracking. Just Search. by zenlessyank · · Score: 2

    Try this search engine.... https://oscobo.co.uk/

  14. What is said vs what is done... by QuietLagoon · · Score: 2

    If the advertisers truly believe what they say, i.e., that computer users want to see advertising that is relevant to their interests, then why do advertisers feel the need to act so surreptitiously in their tracking practices?

  15. Cereal tracker by ChunderDownunder · · Score: 1

    We're out of corn flakes and don't forget the milk!

  16. Google is Evil by seoras · · Score: 4, Interesting

    Oh the irony. "Don't be evil". Perhaps Larry & Sergey should have paid attention to Friedrich Nietzsche
    "He who fights with monsters might take care lest he thereby become a monster. And if you gaze for long into an abyss, the abyss gazes also into you."

  17. Google by Archfeld · · Score: 2

    They went from Don't be evil, to Do only evil in record time. Wonder which one made them more money ? Google makes Microsoft look like amateurs, though to be honest it doesn't take much to make Microsoft look like amateurs.

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
  18. Re: WTF!? Demo Page Uses Google APIs by shione · · Score: 3, Insightful

    See the other AC's reply. I ran the demo page on firefox and chrome and the fingerprint is vastly different. You can try it for yourself. It seems like the browser has a significant effect on the results.

  19. Re: What about something like Disconnect? by Anonymous Coward · · Score: 1

    Thank you.

  20. Incognito by hcs_$reboot · · Score: 1

    Any sensitive page should be opened in Incognito (Chrome) / Anonymous. Chrome ( == Google) could secretly track Incognito as well - deceiving the user - and some people fear that, but that would actually mean the end of the browser, if someone finds out.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
    1. Re:Incognito by nyctopterus · · Score: 1

      Does that prevent the fingerprinting techniques they use? I wouldn't have thought so.

    2. Re:Incognito by Anonymous Coward · · Score: 1

      incognito only helps you hide your browsing from a snooper on your own pc,
      it doesn't do shit to prevent tracking through clientside scripting (which is most tracking)

    3. Re:Incognito by hcs_$reboot · · Score: 1

      Any reference?

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    4. Re:Incognito by hcs_$reboot · · Score: 1

      User agent, IP address... of course the incognito session is started using Chrome UA spoofer after the VPN has been successfully launched.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    5. Re:Incognito by nyctopterus · · Score: 1

      So, it doesn't prevent the fingerprinting mentioned?

  21. Re:What about something like Disconnect? by Anonymous Coward · · Score: 1

    simple answer:
    1) block all clientside scripting by default (if you don't your privacy is basically gone, all clientside scripting gets abused to fingerprint you)
    2) block all 3rd party content by default
    3) make sure your browser headers are minimal (i.e. don't send useragent, referrer, accept-charset, accept-language, dnt, if-modified-since, if-unmodified-since, if-match, if-none-match, if-range headers)
    4) selectively and minimally enable 3rd party content and clientside script as needed by using something like umatrix

    details:
    - in firefox I use the following addons for privacy: umatrix, ublock , self-destructing cookies, canvasblocker, decentraleyes, privacy badger
    - a fair amount of sites give a 403 when you don't send the useragent, and a very very few give bogus content (seen that twice)
    raries). I set the useragent in umatrix to empty string by default (that disables the useragent header), where needed i then disable the 'user agent spoofing' in umatrix per site
    - you want to disable as many of the new JS-apis as you can to minimise the amount of fingerprinting sites can do with js when you have it enabled for a site, in firefox that's the following about:config settings:
    media.autoplay.enabled, dom.battery.enabled, beacon.enabled, geo.enabled, dom.netinfo.enabled, dom.enable_performance, browser.send_pings, dom.storage.enabled, gfx.downloadable_fonts.enabled, webgl.disabled, media.peerconnection.enabled
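
One way to check the header advice in the comment above against what a browser actually sends, as an added example that is not part of the thread: it parses a captured raw request and reports which of the listed headers are still present. The sample request, the `news.example` host, the function names and the "why" notes are assumptions made for illustration.

```javascript
// Added example, not code from the thread. The raw request below is constructed.

// Headers the comment says to strip. The wire name of "referrer" is "Referer".
// The notes on each header are this example's annotation, not the commenter's.
const FLAGGED = {
  'user-agent': 'browser/OS identity',
  'referer': 'previous page',
  'accept-charset': 'locale configuration',
  'accept-language': 'locale configuration',
  'dnt': 'rarely set, so it adds a distinguishing bit',
  'if-modified-since': 'echoes a server-chosen Last-Modified value',
  'if-unmodified-since': 'echoes a server-chosen timestamp',
  'if-match': 'echoes a server-chosen ETag',
  'if-none-match': 'echoes a server-chosen ETag',
  'if-range': 'echoes a server-chosen ETag or date',
};

// Parse the header block of a raw HTTP/1.x request into a Map keyed by
// lowercased header name. Repeated headers are joined with ", ".
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/).slice(1)) { // slice(1): skip request line
    if (line === '') break;                         // blank line ends the headers
    const colon = line.indexOf(':');
    if (colon < 1) continue;                        // not a "name: value" line
    const name = line.slice(0, colon).trim().toLowerCase();
    const value = line.slice(colon + 1).trim();
    headers.set(name, headers.has(name) ? headers.get(name) + ', ' + value : value);
  }
  return headers;
}

// Report every flagged header that is present with a non-empty value.
// An empty value (e.g. a blanked User-Agent) is treated as not leaking.
function auditRequest(raw) {
  const sent = parseHeaders(raw);
  const leaked = [];
  for (const [name, why] of Object.entries(FLAGGED)) {
    const value = sent.get(name);
    if (value !== undefined && value !== '') leaked.push({ name, value, why });
  }
  return { leaked, clean: leaked.length === 0 };
}

// Constructed capture of a default-configured browser request.
const SAMPLE_REQUEST = [
  'GET /article HTTP/1.1',
  'Host: news.example',
  'User-Agent: ExampleBrowser/1.0',
  'Accept: text/html',
  'Accept-Language: en-GB,en;q=0.8',
  'If-None-Match: "constructed-etag-123"',
  '',
  '',
].join('\r\n');

console.log(auditRequest(SAMPLE_REQUEST));
```
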

  22. Re:What about something like Disconnect? by mrchaotica · · Score: 2

    In response to the fact that this audio fingerprinting -- at least the researcher's implementation of it -- relies on ajax.googleapis.com, I'm thinking that hosting all that shit locally and redirecting googleapis.com to 127.0.0.1. I have no idea if it would work, but it seems necessary. : (

    Also, I don't trust "smart" blockers like Privacy Badger (or Ghostery, or Disconnect). Instead I use RequestPolicy Continued to block all cross-site requests by default and whitelist things manually.

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  23. Conscious decision by doconnor · · Score: 1

    At each of these 800 thousand domains, it was a conscious decision by each webmaster to put links to Google on their page.

  24. Re:uBlock by gweihir · · Score: 1

    Good to know. If I run into content that I care about enough, I will have a look.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  25. Or sign contracts with 20 social media sites by tepples · · Score: 1

    AddThis ostensibly exists to make it convenient for a website's viewers who are also members of social media sites to share URLs of HTML documents with their followers. Unless a particular social media site offers a keyless intent API, such as Twitter's Web Intents, the alternative is for each website publisher to maintain contractual relationships with a dozen or more different sites to get API keys and add their individual button codes, and not every publisher wants to spend time on that.

  26. Subpoena basic telemetry in a fishing expedition by tepples · · Score: 1

    With all the fervor over Windows 10, there's still Windows options to reduce or turn off telemetry (in some versions).

    Only Windows 10 Enterprise, which most users are unlikely to have, includes anything resembling an "off" setting. The minimum setting on Home and Pro is "basic", which lets Microsoft see all installed applications, all installed device drivers, and the IMEI of your laptop's aircard if any. It may sound innocuous, but in some cases, the presence of a particular application or driver on a computer may incriminate a user if some big company decides to go on a fishing expedition and subpoena Microsoft for this data. An example of such an application is a video game console emulator. An example of such a driver is the driver for a video game cartridge reader (such as Kazzo) or for a capture card that happens not to enforce all of HDCP. These have noninfringing and infringing uses, but good luck affording to prove your noninfringement in a court of law.

    Google's been doing this forever, making billions for it, and there's no escaping it.

    One can block all Google-owned domains in a DNS resolver on localhost. (A hosts file alone can't do it because the hosts file format doesn't support wildcards.) Windows 10, on the other hand, includes a separate DNS resolver used just for updates and telemetry.

  27. What they do with the information is much worse by CustomSolvers2 · · Score: 1

    A curious episode that happened to me some weeks ago:
    I was working on a data-analysis challenge in my spare time. The application was expected to deal with English expressions in a specific sub-field with which I am not too familiar. So, I was doing quite a few searches for certain terms (which I never do and have nothing to do with my work or my typical search activity) during some days at different hours. I used google.com and google.es without being logged-in in any site (I have various browsers, where I am logged-in with different accounts; one of them is unlogged from anywhere and this is the one I used here). During the next week or so, most of the advertisement being shown to me virtually everywhere (like in Twitter or here) was about that specific field of expertise; a type of advertisement which I rarely see anywhere.

    In summary:
    - They spend resources (to track, store, analyse, transmit, etc.).
    - Act in the pure limit, if not legally at least clients-being-pissed-off speaking.
    - Their activity is intuitively detected without any effort.
    - And what is even much, much worse: they aren't able to show relevant-to-me advertisement!

    This experience explains well what I think about private information being systematically stolen: it is certainly bad, but I honestly don't care. They are much more worried about collecting everything than about actually understanding what they have. Firstly, I did find the episode slightly annoying, but this feeling quickly disappeared. It was like seeing a not-too-honest-but-kind-of-nice trickster trying over and over to impress me and always failing.

    --
    Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
  28. Re:What stops hosts from doing it? Nothing by tepples · · Score: 1

    Someone who wants to, say, block all Google-owned hostnames can't block *.blogspot.com.
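
The point made in the two comments above about hosts files and wildcards, as an added example that is not part of the thread: it runs the same queries through hosts-file exact matching and through resolver-style zone matching. The sample hosts text, the function names and every hostname other than `blogspot.com` and `ajax.googleapis.com` are constructed for illustration.

```javascript
// Added example, not code from the thread. Sample data is constructed.

// Constructed hosts-format blocklist, including a "wildcard" line someone might try.
const SAMPLE_HOSTS = `
# exact names only
0.0.0.0 blogspot.com www.blogspot.com
0.0.0.0 ajax.googleapis.com   # trailing comment
0.0.0.0 *.blogspot.com
`;

// Lowercase and drop the root dot so "WWW.Blogspot.COM." compares equal.
function normalize(name) {
  return name.trim().toLowerCase().replace(/\.$/, '');
}

// Parse hosts-format text into the set of names it maps. Each line is
// "address name [name...]"; "#" starts a comment.
function parseHosts(text) {
  const names = new Set();
  for (const line of text.split(/\r?\n/)) {
    const fields = line.replace(/#.*/, '').trim().split(/\s+/);
    if (fields.length < 2) continue; // blank, comment-only or malformed
    for (const name of fields.slice(1)) names.add(normalize(name));
  }
  return names;
}

// Hosts-file semantics: only an exact name match counts, so the
// "*.blogspot.com" entry is a literal string that no real query equals.
function hostsFileBlocks(names, query) {
  return names.has(normalize(query));
}

// Resolver-style zone blocking: block the zone apex and every name under it.
// The "." in the suffix test keeps "xblogspot.com" out of the blogspot.com zone.
function zoneBlocks(zones, query) {
  const q = normalize(query);
  return zones.some((z) => {
    const zone = normalize(z);
    return q === zone || q.endsWith('.' + zone);
  });
}

// Run both matchers over the same queries and return one row per query.
function compare(hostsText, zones, queries) {
  const names = parseHosts(hostsText);
  return queries.map((q) => ({
    query: q,
    hostsFile: hostsFileBlocks(names, q),
    zoneRule: zoneBlocks(zones, q),
  }));
}

const rows = compare(SAMPLE_HOSTS, ['blogspot.com', 'googleapis.com'], [
  'www.blogspot.com', 'some-blog.blogspot.com', 'Some-Blog.Blogspot.com.',
  'other-api.googleapis.com', 'xblogspot.com',
]);
console.table(rows);
```
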