

You’re not anonymous
December 12, 2012 3:37 AM

Sumit Suman recently visited a site, did not sign up for anything, did not connect via social media, but got a personal email from the site the next day. Here’s how they did it.
posted by Foci for Analysis (52 comments total) 44 users marked this as a favorite

 
Previously
posted by RonButNotStupid at 4:01 AM on December 12, 2012


Oh. Good. Sometimes I want to find a hermit's cave. Possibly in the middle of the Gobi, at this point.

Aaaaaaanywho. Does anyone know if incognito browsing would do anything to combat this? What about Tor or installing Adblock? It seems like turning off cookies would work but at this point that breaks so many sites and it's really impossible to tell what's vital for the site to function and what's just there to track you.
posted by Diablevert at 4:30 AM on December 12, 2012 [1 favorite]


A bit more subtle than the old Siteguest.com trick from 2001, that relied on Netscape Communicator sending an e-mail from JavaScript with no human intervention.
posted by scruss at 4:30 AM on December 12, 2012 [1 favorite]


This is why we can't have nice things.
posted by Thorzdad at 4:52 AM on December 12, 2012 [6 favorites]


> Does anyone know if incognito browsing would do anything to combat this?

Probably won't help at all. Using Chrome+Ghostery+Adblock Plus should do the trick (provided javascript is used to do the tracking).
posted by Foci for Analysis at 4:53 AM on December 12, 2012 [1 favorite]


A-ha: that's why I started getting e-mails from Compete.com. I thought I'd gone aphasic and signed up without remembering. Gross.
posted by Lentrohamsanin at 5:02 AM on December 12, 2012


Well, I'm finally pissed off.
posted by zeek321 at 5:14 AM on December 12, 2012 [1 favorite]


Brett should go fuck himself.
posted by Mezentian at 5:21 AM on December 12, 2012 [1 favorite]


> A real-world analogue would be this scenario: You drive to Home Depot and walk in. Closed-circuit cameras match your face against a database of every shopper that has used a credit card at Walmart or Target and identifies you by name, address, and phone. If you happen to walk out the front door without buying anything your phone buzzes with a text message from Home Depot offering you a 10% discount good for the next hour.
> Farfetched? I don’t think so.


I am sure I have seen this technology posited.
posted by Mezentian at 5:23 AM on December 12, 2012 [2 favorites]


Most of the problem here is that your browser, as part of its standard operating procedure, gives away enough information to sites that makes you uniquely identifiable. This company is just building a database that matches the unique browser "fingerprints" of users to the information those users have submitted to participating web sites.

Blocking cookies doesn't prevent this, and neither does installing Adblock or using VPNs. The only way we can stop this (short of getting everyone to use Tor) is to make it less possible to associate users with people by reducing the uniqueness of browser fingerprints. There's a proof-of-concept Firefox plugin named Firegloves which alters your User-Agent string and blocks sites from requesting additional information about your browser via javascript. There's also active development in the Firefox community to change browser behavior to limit the amount of information that can be obtained.
posted by RonButNotStupid at 5:29 AM on December 12, 2012 [23 favorites]


I don't even want to click on the link in the FPP now.
posted by elizardbits at 5:29 AM on December 12, 2012 [1 favorite]


I'm increasingly freaked out by the number of websites that know when and what I have left in my shopping cart, and then e-mail me about it, even though I don't have a registered account with that website.

I'm talking to you Pottery Barn. Please stop reminding me about the Serena Armoire I put in my cart because I just wanted to feel what it's like to put something so beautiful in my cart, but will never buy because holyexpensivepricetag+shipping, Batman. Must you continually crush my spirit with every reminder e-mail, PB?
posted by raztaj at 5:43 AM on December 12, 2012 [6 favorites]


> Blocking cookies doesn't prevent this, and neither does installing Adblock or using VPNs.

Oops, this is true. Even a script disabling or Flash blocking browser plugin probably wouldn't change your browser fingerprint sufficiently enough.
posted by Foci for Analysis at 5:56 AM on December 12, 2012


It makes one wonder just how different our brave new digital world would be without the influence of marketing driving so much "innovation".
posted by Thorzdad at 6:06 AM on December 12, 2012 [3 favorites]


Jeebus.

I remember when everyone lost their shit because Wired (and many others) were coding "web bugs" into their sites.
posted by notyou at 6:23 AM on December 12, 2012 [3 favorites]


I revisited previously in the first comment. My "browser fingerprint appears to be unique among the 2,579,934 tested so far."
posted by hexatron at 6:33 AM on December 12, 2012


I'd pay for a browser that neither collected nor left a fingerprint.
posted by xjudson at 6:33 AM on December 12, 2012 [8 favorites]


It's like the whole world is now a giant Radio Shack, but there isn't even a battery of the month club.
posted by thelonius at 6:33 AM on December 12, 2012 [10 favorites]


To help protect yourself: But they'll still be able to track you, just not as reliably. How? Web bugs. And the only way to stop them is to disable loading of images which is probably not a viable option at this point in our web browsing expectations.

To be honest, if you follow all the above steps (which I have) then things will become quite frustrating to everyone but the most stubbornly focused people out there. Whole web sites rely entirely on javascript and cookies to provide legitimate services, but will appear as blank screens the first time you visit them and will remain so until you allow the sites to pass through your various browser plugins and settings. Many web sites now rely on third-party services (jquery, google services, youtube, etc.) to provide functionality within their web site. You may allow the web site you're visiting to execute javascript, but it still won't work and won't keep working until you find the right combination of third-party sites to also allow.

You could always give Tor a go. But sometimes it will be slow and sometimes it will be not entirely slow. And keep in mind that when you're using it, your data is bouncing through 4+ nodes out there that you have no control over. Who is watching? Maybe even manipulating your data? SSL helps (in theory), but I would never perform any kind of transaction that requires a credit card or any other personal information using Tor. It will, however, get around the web bugs issue quite nicely.
posted by ruthsarian at 6:43 AM on December 12, 2012 [37 favorites]


> I'd pay for a browser that neither collected nor left a fingerprint.

Not leaving a fingerprint is a fingerprint.

It's better to have a browser that leaves the same fingerprint as thousands of other users.

Here's an interesting discussion on StackExchange from last year about how viable browser fingerprinting is. And here's a fairly comprehensive (though somewhat lacking of details) list of the possible mechanisms through which it may be done.
posted by RonButNotStupid at 6:43 AM on December 12, 2012 [5 favorites]


> But they'll still be able to track you, just not as reliably.

Nothing you mention other than using Tor and noscript will even hinder this kind of tracking. That's why it's so insidious.

This kind of tracking works by exploiting various heuristics that exist for software compatibility and interoperability such as requesting a list of the various fonts and plugins installed on your system. Install a particular bank's plugin and you're one of a hundred thousand people who have that plugin. Install a particular Klingon glyph font, and you're one of ten thousand people who have that font. Install both, and you're maybe one of only a thousand people who have the plugin and the font.

Add in other reportable details like your timezone offset, your browser's make and model number, your preferred language, ... and there's a very good chance someone can uniquely identify you without even having to resort to cookies, web bugs, or other overt means.
posted by RonButNotStupid at 7:02 AM on December 12, 2012 [4 favorites]


> I'd pay for a browser that neither collected nor left a fingerprint.

I'd prefer an approach that is a little more technologically aggressive towards those that would track everyone in a database: a browser that left a different random, valid, unique, single use fingerprint for every single page view. Let them try to track trillions of fingerprints with no idea how many of them are distinct users.

So many useful technologies were ruined by spammers (anyone remember when return receipts were still safe?), it's time we gave them a taste of their own medicine.
posted by ceribus peribus at 7:06 AM on December 12, 2012 [9 favorites]


The call is coming from inside the internet!
posted by dhartung at 8:08 AM on December 12, 2012 [6 favorites]


> Disable third-party cookies in your browser. This will break some CAPTCHAs.

This will also, in many cases, disable things like commenting systems that aren't run/hosted by the website itself. Like Disqus, for instance.
posted by Thorzdad at 8:22 AM on December 12, 2012 [1 favorite]


ruthsarian: "But they'll still be able to track you, just not as reliably. How? Web bugs. And the only way to stop them is to disable loading of images which is probably not a viable option at this point in our web browsing expectations. "

This is exactly what Ghostery handles. I use it. It works. It can interfere with some desirable features (like Disqus), but you can whitelist things like that.
posted by adamrice at 8:41 AM on December 12, 2012


There doesn't seem to be much new here in terms of tracking people's site visits. It seems like the real issue is how the websites subscribing to this tracking service are intentionally providing it with email addresses, right?
posted by orme at 8:43 AM on December 12, 2012


> This will also, in many cases, disable things like commenting systems that aren't run/hosted by the website itself. Like Disqus, for instance.

That sounds like a feature.
posted by Mars Saxman at 8:58 AM on December 12, 2012 [3 favorites]


Stuff like this is why I'll probably never switch from Firefox to Chrome. Yeah, you have to tweak stuff and add some extensions to get FF to do what you want, but Google is getting less and less trustworthy.

NotStupidRon, you sound like you're involved in researching and creating these parts of FF. If so, here's a big "Thank You" from me.
posted by benito.strauss at 9:52 AM on December 12, 2012


This has nothing to do with Chrome, you know. Firefox is just as susceptible to this sort of tracking.
posted by gilrain at 10:03 AM on December 12, 2012


Here's the difference between Chrome and FF. Mind you, that was 2009, and in 2012 it looks better. But I still get the feeling that the FF culture values privacy as an end in itself, more than Google does.
posted by benito.strauss at 10:36 AM on December 12, 2012


The Europeans have the regulatory authority and volume of web users to crack down on this. The problem in the US is that it is unclear to what degree the FCC and OGAs have regulatory authority and enforcement.
posted by humanfont at 10:46 AM on December 12, 2012


An ff/chrome plug-in to disable this type of tracking already exists: Ghostery. (right??)
posted by raihan_ at 10:57 AM on December 12, 2012


I use the usual suspects like adblock plus et al

However, this explains but doesn't explain how they did it.

I signed up using my throwaway gmail account and NO details at a website and then never used it. How did their VP link that to my real name, job and write me a sales email ? How were they able to specifically connect a noname gmail in a blank profile to an Italian design studio I often collaborate with and request an intro?

the site was visual.ly
posted by infini at 10:58 AM on December 12, 2012 [1 favorite]


I agree that the culture and nature of Mozilla is healthier for web users than Google. I'm actually a huge fan of Mozilla. It just seemed like you were implying that this issue is with Chrome, rather than with web browsers in general, which isn't accurate.

And yeah, as you note, Chrome now has general parity with the main privacy add-ons. I recommend this one for a NoScript-alike, although I prefer Ghostery myself.
posted by gilrain at 10:59 AM on December 12, 2012


> How did their VP link that to my real name, job and write me a sales email ? How were they able to specifically connect a noname gmail in a blank profile to an Italian design studio I often collaborate with and request an intro?

The idea is that this is a network. If any other site at which you signed up with that information was part of one of these networks, then the site you signed up at without that information also had access to that information.
posted by gilrain at 11:04 AM on December 12, 2012 [2 favorites]


Ghostery breaks Google Reader...I've had it off for the past few days...Is this a thing or I simply need a browser upgrade? Firefox btw

I've been increasingly feeling I need to pull out of Google. Is there a replacement for Gmail or shall I just be using separate browsers on a machine or separate machines?
posted by infini at 11:05 AM on December 12, 2012


Ghostery breaks a lot of sites, yes. You'll need to whitelist the sites (or individual scripts) you still want to use.
posted by gilrain at 11:08 AM on December 12, 2012 [1 favorite]


gilrain, THANK YOU

I received the email yesterday and had been disturbed by the whole interwebs since. This helps me a lot to figure out what and how and why.

Don't they realize they're raising a barrier to themselves when they pull bullshit like this and creep you out with such emails and you're NOT gonna do business with them?
posted by infini at 11:08 AM on December 12, 2012 [2 favorites]


> I'm increasingly freaked out by the number of websites that know when and what I have left in my shopping cart, and then e-mail me about it, even though I don't have a registered account with that website.

Pottery Barn did that to me just a few days ago!

I am increasingly tempted to just randomly put stuff in every cart at every website that sells stuff, and sit back and see who emails me. And then politely write them a note saying that stalkery crap freaks me out and they just lost my business forever.
posted by ambrosia at 11:12 AM on December 12, 2012 [1 favorite]


I use TrackerBlock ff plugin, it seems to do what it says but really have no idea, installed and forgot about it. Maybe Ghostery is better?
posted by stbalbach at 11:18 AM on December 12, 2012


Oh yeah if you're using Firefox 17.0.1 some of the tools will modify/disable the dom.storage parameter (seen under about:config) since this is used as storage space to track across sites. However turning off dom storage will break Google searches with this ver of FF. Took me a while to figure that connection out.
posted by stbalbach at 11:26 AM on December 12, 2012 [1 favorite]


> It just seemed like you were implying that this issue is with Chrome, ....

Oh, I see. Nope, it's just that Chrome is the only other browser I'd ever think of switching to. I'd assume IE and Opera are also susceptible. And I hope that somewhere there's an insane hacker adding javascript support to lynx, which would then be at risk too.
posted by benito.strauss at 11:29 AM on December 12, 2012


> However turning off dom storage will break Google searches with this ver of FF....

I was playing around with some privacy settings, and had disallowed cookies for the google.com domains. While I could get the first page of search results, I couldn't click to the second, third, or any later pages. I expect this to become a trend with Google willing to not work unless you have X, Y, and Z enabled.
posted by benito.strauss at 11:35 AM on December 12, 2012 [1 favorite]


Don't expect it, speaking from experiencing google across continents and countries in just this year (when all the massive changes started imho at least visible to us end users), get used to it and prepare.

That will be my task this weekend. One clean machine at least and possibly changing email address. Yes.
posted by infini at 11:46 AM on December 12, 2012


Heebee-jeebees. I have them.
posted by stoneweaver at 12:10 PM on December 12, 2012 [1 favorite]


Just ask yourself why you need to wait to log into Youtube in order to check your email. Broadband speeds never show what google holds up the way sitting in an African village tethered to your phone does.

Should I just reformat the whole laptop to start over or will deleting firefox and starting over with every log in and account do?
posted by infini at 12:48 PM on December 12, 2012


> Thorzdad: This is why we can't have nice things.

Yup. Been this way since we learned to put a sharp end on our sticks. Technology allows the users to defeat the otherwise secure non-users.

Sometimes it's used to make an enemy surrender in war; sometimes to sell Brand X; sometimes to win an election; sometimes to con the naive into wiring money to Nigerian princes. But it's not new.
posted by IAmBroom at 12:52 PM on December 12, 2012


> RonButNotStupid: The only way we can stop this (short of getting everyone to use Tor) is to make it less possible to associate users with people by reducing the uniqueness of browser fingerprints. There's a proof-of-concept Firefox plugin named Firegloves which alters your User-Agent string and blocks sites from requesting additional information about your browser via javascript. There's also active development in the Firefox community to change browser behavior to limit the amount of information that can be obtained.

And this is why we do have nice things: because after the pointy stick, someone else thought up the fire-hardened stick point.
posted by IAmBroom at 12:54 PM on December 12, 2012


> An ff/chrome plug-in to disable this type of tracking already exists: Ghostery. (right??)

I don't think Ghostery or any of the other addons mentioned offer any protection against tracking via browser fingerprinting. The only addon that I've been able to find which makes an attempt is Firegloves and as its authors are quick to point out, it's just an experimental plugin that's no longer being developed and is by no means a complete solution.

For instance, according to the EFF's panopticlick, the most identifying part of my browser's fingerprint is the enumerated list of plugins returned by navigator.plugins which is unique within the EFF's sample data. I can set Firegloves to disable navigator.plugins, but then I become one of the minuscule number of people running Firefox with a navigator.plugins that doesn't return a list of plugins, and that in combination with the other bits of my fingerprint renders me just as identifiable.

benito.strauss: Thank you for the compliment, but I'm neither involved with the Firefox project nor any group promoting internet privacy. I just happened on the FPP and was curious enough to do a little research. I do agree that the people who are working on this should have our gratitude.
posted by RonButNotStupid at 12:57 PM on December 12, 2012 [2 favorites]
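
Added example, not part of any comment in this thread: a small anonymity-set calculation illustrating two points made above, that combining a few reportable attributes narrows a visitor down quickly, and that hiding the plugin list is itself a rare value while reporting the commonest value blends in. The population of 1155 profiles, the attribute names and the function names are all constructed for illustration and are not measurements or any tool's API.

```javascript
// Constructed population: 1155 synthetic browser profiles (not real data).
const TIMEZONES = ["UTC-5", "UTC-6", "UTC-8", "UTC+0", "UTC+1"];
const LANGUAGES = ["en-US", "en-GB", "de-DE"];

function buildPopulation() {
  const people = [];
  for (let i = 0; i < 1155; i++) {
    let plugins = "flash";                           // the common case
    if (i % 7 === 0) plugins = "flash,bank-plugin";  // 1 in 7 has the bank plugin
    if (i % 385 === 1) plugins = "";                 // 3 users hide the list
    people.push({
      plugins,
      fonts: i % 11 === 0 ? "default,klingon" : "default", // 1 in 11 has the font
      timezone: TIMEZONES[i % 5],
      language: LANGUAGES[i % 3],
    });
  }
  return people;
}

// How many profiles are indistinguishable from `me` on the given attributes.
function anonymitySet(population, me, attrs) {
  return population.filter(p => attrs.every(a => p[a] === me[a])).length;
}

// Self-information of one attribute value, in bits: rarer value, more bits.
function surprisalBits(population, attr, value) {
  const n = population.filter(p => p[attr] === value).length;
  return n === 0 ? Infinity : -Math.log2(n / population.length);
}

// Profile 0 has the bank plugin, the Klingon font, UTC-5 and en-US.
// Change only what it reports for plugins, then add one attribute at a time
// and record how many profiles still look the same.
function narrowing(pluginsReported) {
  const population = buildPopulation();
  population[0] = { ...population[0], plugins: pluginsReported };
  const attrs = ["plugins", "fonts", "timezone", "language"];
  return attrs.map((_, k) =>
    anonymitySet(population, population[0], attrs.slice(0, k + 1)));
}

console.log("real plugin list:", narrowing("flash,bank-plugin")); // [165, 15, 3, 1]
console.log("list hidden:     ", narrowing(""));                  // [4, 1, 1, 1]
console.log("commonest value: ", narrowing("flash"));             // [988, 91, 19, 7]
console.log("bits from bank plugin:",
  surprisalBits(buildPopulation(), "plugins", "flash,bank-plugin").toFixed(2)); // 2.81
```
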


> However turning off dom storage will break Google searches with this ver of FF. Took me a while to figure that connection out.

In what way? Search just doesn't happen? Or Google no longer remembers your search history?
posted by Thorzdad at 4:41 PM on December 12, 2012


Ideally you'd want Firegloves to always return whatever a fresh install of FF looks like cycled with maybe a few common add-ons like flash.
posted by Mitheral at 4:51 PM on December 12, 2012 [1 favorite]


Any recommendations for cross site scripting limiters like Ghostery, JavaScript Blocker (Safari), NoScript (FireFox), etc. for Android based Browsers? I've found zilch for Android's default browser and Android's FireFox doesn't like the usual Android plugins.
posted by jeffburdges at 11:02 AM on December 20, 2012




This thread has been archived and is closed to new comments