The OTHER Half Of The Social Scam (MUST READ)
The Market Ticker - Commentary on The Capital Markets
2018-03-23 07:00 by Karl Denninger
in Technology, 603 references

Folks, cut the crap ok?

I know what you're thinking -- I'll just turn off "third party cookies" and all will be ok (in relation to my previous article.)

Incidentally, that is not the default for Chrome and other browsers.  Gee, I wonder why?  Who runs all sorts of third-party ad networks again?

But that aside this doesn't work.

The reason is an HTTP field called an "Etag."

Etags, along with expiration dates and "If-Modified-Since" allow a browser to quickly check with a host whether or not content has changed, without re-downloading it.  Let's say you get an image on the web.  Later, you go back to the same page and the same image is there, since it has not changed.  If the image is still in your cache it is very wasteful to send the whole thing again -- which could be several megabytes.  Instead, if it hasn't changed, you can just display what's in the cache.

Well, to know that, you need to know if the resource changed on the server end.  There are two ways to do this -- using a date stamp, and using what's called an "Etag."

The latter can be attached to any resource, although it's usually attached to images.  The server sends down an Etag: field with the image in the HTTP headers, which is an opaque identifier.  In other words, from the browser's point of view it does not care what the string is; it doesn't represent a time, date, or anything other than a promise from the server that it shall change if the content has changed and needs to be re-sent.

If this sounds like a cookie, that's because it can be abused to become one, and unlike cookies you cannot shut it off!

So let's say you disable third-party cookies.  Fine, you think.  Nope.

I have a "Like" button.  Said button has an image.  That image is the finger pointing up, of course, and you must transfer it at least once.  I send an Etag with it, but instead of it being a change index it's unique to you!

Now, every single time you request the button you send the Etag for the image.  If it hasn't changed (and it basically never will, right -- it's an upturned finger!) I send back "Not modified".  Except.... I just pinned that access to the page to you, personally, and you have third-party cookies turned off!

So I send back "Not modified" but you just told me who you are, what web page you were viewing, and your browser ID and IP address.

I get all of this for every page you visit where such a button or function is present even if you never use it.

Surprise!

Oh by the way this works with beacons of course, since they're 1-pixel transparent images.  And no, I wasn't the first to figure this one out many years ago, and it's been known and in active use on the web for a long time.

The premise that blocking third-party cookies prevents these folks from being able to figure out who you are and what arbitrary web content you are viewing is false!  Nice switch Mr. Browser writer, too bad it doesn't solve the problem!
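
One way to check for the behaviour described above, added here as an example and not part of the original article: fetch the same third-party resource from several fresh browser profiles and flag any URL whose Etag differs per profile while the body is byte-identical. The hostnames, profile names and tag values below are constructed sample data, and the `min_profiles` threshold is an assumption.

```python
import hashlib
from collections import defaultdict


def normalize_etag(raw):
    """Strip the weak-validator prefix and quotes so W/"abc" and "abc" compare equal."""
    tag = raw.strip()
    if tag.startswith("W/"):
        tag = tag[2:]
    return tag.strip('"')


def find_identifier_etags(observations, min_profiles=3):
    """Return URLs whose ETag varies per profile while the body stays byte-identical.

    observations: iterable of (profile, url, etag_header, body_bytes), each taken
    from a fresh browser profile with an empty cache.
    """
    # (url, body digest) -> profile -> set of ETags that profile received
    seen = defaultdict(lambda: defaultdict(set))
    for profile, url, etag, body in observations:
        if not etag:
            continue  # no validator sent, nothing for the browser to echo back
        digest = hashlib.sha256(body).hexdigest()
        seen[(url, digest)][profile].add(normalize_etag(etag))

    flagged = {}
    for (url, _digest), per_profile in seen.items():
        if len(per_profile) < min_profiles:
            continue  # too few vantage points to judge
        all_tags = [t for tags in per_profile.values() for t in tags]
        # A content validator gives everyone the same tag for the same bytes.
        # A handful of distinct tags can come from a server farm that derives
        # ETags from per-host file metadata, so flag only when every profile
        # holds exactly one tag and no other profile received it.
        if len(set(all_tags)) == len(all_tags) == len(per_profile):
            flagged[url] = sorted(all_tags)
    return flagged


# Constructed sample data: one beacon with per-profile tags, one ordinary image.
PIXEL = b"GIF89a\x01\x00\x01\x00"  # stand-in for a 1x1 beacon body
LOGO = b"constructed logo bytes"
SAMPLE = [
    ("profile-a", "https://widgets.example/like.gif", '"u-7f3a91"', PIXEL),
    ("profile-b", "https://widgets.example/like.gif", '"u-02c4de"', PIXEL),
    ("profile-c", "https://widgets.example/like.gif", 'W/"u-b81e55"', PIXEL),
    ("profile-a", "https://static.example/logo.png", '"5e2f-1a"', LOGO),
    ("profile-b", "https://static.example/logo.png", 'W/"5e2f-1a"', LOGO),
    ("profile-c", "https://static.example/logo.png", '"5e2f-1a"', LOGO),
]

if __name__ == "__main__":
    for url, tags in find_identifier_etags(SAMPLE).items():
        print(f"{url}: ETag differs per profile for identical content: {tags}")
```

A flagged URL is a candidate for domain-level blocking; an unflagged one is using the tag as a plain content validator.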

What this means is that you can be tracked specifically and individually, as you personally, with knowledge of who you are, where you are, when you clicked it and exactly what page you looked at whenever you visit a page that has any such thing on it, without your knowledge or consent, should any such resource be included in that page.  It is inherently part of the web server's logs that the owner of the page you visit gets your browser ID, IP address and what you viewed.  But what you probably didn't know and certainly did not consent to is that through very trivial abuse any resource that comes from some other web property -- a like button, a sign-in option for other than a locally-stored account, even an ad -- can cause your system to obtain, store and regurgitate a unique identifier specific to you and your device whenever that resource is encountered, anywhere.  As soon as you do anything that links that identifier to you as a human that relationship is then known and never lost.  Indeed it can happen retroactively in that the tag can be generated one day and then days, weeks, months or even years later you might provide the missing component (your identity) on some other page that contains the same resource.

There is no way for you to consent because it happens before you can possibly know it will and thus you can't give consent.  You also can't know in advance where else that "capturing" system for your presence might be operating. It works exactly like a third-party cookie except that you cannot shut it off other than by operating system (or firewall) blocking of the entire domain or IP address involved or by clearing all cached data on every access, which is extraordinarily wasteful.  If you're on an Android phone or an iPhone, since both prohibit editing the /etc/hosts file that would otherwise make blocking such possible without too much trouble (e.g. through "Adblock") you cannot reasonably interdict this at all on the stock browsers.

You also cannot block this on desktop or tablet browsers without severely damaging your browsing experience.  Specifically, while you could conceivably load an extension to block all Etag headers doing so would probably get you blackballed on many sites (it sure would here and probably automatically as the system would consider it abuse!) because doing that would result in your data transfer requirements from the site skyrocketing as every single image would have to be sent on every access even if you already had an unaltered copy in your local system's cache in memory or on disk.

Facebook's entire business model relies on this.  That is why they "offer" their sign-on system to newspapers, blogs and other web sites all over the world.  It is also why they have their "like" buttons everywhere.  It is through those "features" that they track everything you do online, even if you don't have an account with them, and all of that tracking, processing and sale of whatever they learn of your personal life is done without any consent because it is not possible to consent to what you're not aware of in advance.

This is why the only solution to Facebook's data mining, and they're not alone in this (and yes, it has to apply to all of these firms and those yet to come), is legislative.  This sort of activity -- collecting anything from those places where "like" buttons or any other third-party content is placed, or where sign-on credentials are used, and where that data is either used to inform decisions (e.g. advertising) or sold must be considered a felony criminal offense punished with the revocation of corporate charters and indictment of every officer and director of the firm involved.

I could trivially commit this sort of abuse, by the way, on The Ticker.  It would require a hell of a lot of storage, but it would be easy to do.

I don't do it because it's wrong.

Others don't give a crap if it's wrong.

Zucker****er is one of the worst.  His latest missive is especially damning, in that it deliberately omits the fact that Obama's 2012 campaign used such data mining.  He didn't object then because they wanted the Democrats to win.  Note that he takes no credit for that, nor does he accept blame.  He simply lies by omission.

No, you can't fix this by not having a social media account personally, since you don't have to sign in to be tracked, and the tracking not only happens on the site in question, it happens anywhere connections to that site are found, such as images, buttons or other related functionality.

For this reason the problem can only be fixed legislatively or if all of said firms are driven out of business due to mass-revulsion by the people -- either way the only fix is if pulling this crap is an instant corporate death sentence right here, right now.

Comments.......
Bodhi
Posts: 364
Incept: 2008-02-23

Georgia
Can this sort of abuse be blocked in the hosts file? Of course that's assuming one can determine where the data is being sent.

I have at least 200 advertiser, marketing and other assorted sites blocked in the hosts file of my desktops. At last check none of these sites have set any cookies on my systems. I also have several blocked from outgoing access in my router. In addition I run Ghostery and ScriptSafe on my Opera browser which has a built-in ad blocker. Is there more I need to do?
Nadavegan
Posts: 113
Incept: 2017-05-03

The South
Would love to see legislation proposed that would require affirmative consent on line every single time a beacon is activated, or data is sent/stored/accessed without prior knowledge. Not because I think such a thing is achievable, but rather because I would love to see the tech companies have to fight against it because having to do so would grind the internet to a halt, and maybe wake people up to how pervasive this is.
Tickerguy
Posts: 152455
Incept: 2007-06-26
A True American Patriot!
@Bodhi -- yes, provided you get the host where the image is coming from. This of course precludes using that site for anything (e.g. Facesucker) and they can get cute and rotate their hostnames, of course....

----------
Winding it down.
Jkc054
Posts: 99
Incept: 2007-09-28

Greenfield, IN
Isn't that just peachy! I suppose using a VPN would not help at all?

----------
Power corrupts and absolute power corrupts absolutely.
Tickerguy
Posts: 152455
Incept: 2007-06-26
A True American Patriot!
That is correct - a VPN is worthless.

----------
Winding it down.
Remembergoliad
Posts: 8
Incept: 2009-05-27

south Texas
Nuts-and-bolts Neanderthal here...I'm one of those who use the internet reasonably well, but have very little understanding of the under-hood mechanics of it outside of your very easily understood writings.

So what I'm understanding is, if you have EVER had a FB (or related) account, your set of data collected is already identified by name and updated each time you visit any site with a FB-supplied button on it? And the only recourse is "Power off" and walk away, permanently? (Oh, and toss the smartphone, if you've ever clicked on a link on it?)

----------
I tried working within the system...but then I realized it's a septic system.
Tickerguy
Posts: 152455
Incept: 2007-06-26
A True American Patriot!
Yep.

----------
Winding it down.
Bagbalm
Posts: 5412
Incept: 2009-03-19

Just North of Detroit
Karl - If you can't stop this is there at least some way to make your machine LIE about who you are? Spoof a false identity?
Bodhi
Posts: 364
Incept: 2008-02-23

Georgia
Quote:
@Bodhi -- yes, provided you get the host where the image is coming from. This of course precludes using that site for anything (e.g. Facesucker) and they can get cute and rotate their hostnames, of course....


Yep, that's why I regularly check my Internet logs, browser cache, firewall logs, etc.

This might be a bit off the track of your blog post, but in recently digging through the file system of my Netgear router I found a link to a long list of IP addresses for Tor servers. I can't figure out why in the world that would need to be in the router code, but I doubt it's benign.

Thanks Karl. Your expertise is much appreciated.
Maynard
Posts: 588
Incept: 2007-11-27

On the Road Again
So we not only need burner phones to remain anonymous but also burner laptops and routers if you are surfing the spy-network (Internet). And don't forget to not log into anything. suck.
Swampcollie
Posts: 18
Incept: 2009-08-02


Online
Wow. Does that mean that the FB account I had set up under my dog's name is tied to me despite never disclosing my name or information? I got busted when Georgia Goodpuppy tried to join a rescue group and forgot to tell them it was me. FB closed my account and wanted all sorts of ID to re-open it. So I noped...

----------
Life would be so much easier if we could only see the source code.
Analog
Posts: 1540
Incept: 2010-12-29

arkansas ozarks
Now THERE's a laugh on anybody who thought their browser's "Private Window" let them cruise porn sites anonymously!

"It knows if you've been bad or good..."

----------
Never trust a computer with anything important.
Asimov
Posts: 109819
Incept: 2007-08-26

East Tennessee Eastern Time
Remembergoliad: And they more than likely have you identified even if you never had a FB account. Probably nearing 100%.

----------
It's justifiably immoral to deal morally with an immoral entity.

Festina lente.
Mikebrandt
Posts: 1
Incept: 2018-03-23

Anyone, why wouldn't a VPN work, at least to block my IP?
Gonewest
Posts: 32
Incept: 2015-02-26

PacificNW
My opinion is that they will try something, perhaps legislative or in their TOS, to fix this abuse but continue collecting the data. Otherwise, they are out of business.

But if the data is collected and available, it will be used and abused. Facebook, Google, NSA, ...
Gnoob
Posts: 1
Incept: 2018-03-23

You're correct that 3rd-party cookies aren't enough, basically you have to disable js + all third party requests, which would take care of 99% of the marketing-related data hoovering.

In Firefox, this would be done by NoScript + RequestPolicy ( or something similar to these two) plus disabling third party cookies. Limited whitelisting will take care of persistent trouble spots.

I have run this for years in my default browser profile. It's a quite pleasant and non-bandwidth-intensive way to browse, if you're content-focused like me.

Of course, it breaks almost every website you want to actually interact with (instead of just passively browse), but that's what multiple browser profiles are for.

And you're also right, not many people will do this, but most people don't care about 3rd party tracking in the first place.
Supertruckertom
Posts: 1829
Incept: 2010-11-07

USA
So a clean new machine or Virtual machine wouldn't stop it?




----------
Preparing to go Hunting.
Jacksparrow
Posts: 40
Incept: 2016-04-15

4116 Libby Rd NE, Olympia WA 98506
Sounds like that social score system used by the Chinese government is headed here. Maybe not by our government for now, but Citibank is now telling businesses they can't sell guns to those under 21, Google prevents search results of things they don't like such as who sells a bump stock. Conservatives are now "de-monetized" on YouTube. Certain videos gun related are banned. You have Uber and left trying to ban cars besides theirs of course from cities. You have Bill Gates building a city of strict conformity. The liberal left hates freedom, and hates anyone who disagrees with their racist white hating, baby killing agenda.

The rate of increase on this crap is way past frightening. It's like we are living in a simulation where the ones at the controls are trying to find the societal breaking point.
Rollformer
Posts: 268
Incept: 2013-02-13

Zero Hedge is reporting that Elon Musk has deleted the Tesla and SpaceX Facebook pages.

Given what Tesla does with its usage data, I wonder if that is less to do with outrage of Facebook's privacy practices than jealousy that Facebook actually makes a profit?
Flaps10
Posts: 6869
Incept: 2008-10-17

PNW
Interesting data point. Within earshot of my cube are three conversations about deleting Facebook accounts.

Edit: As suggested above, if you can't scrub data about you can you overload it with BS data to contaminate data being collected?

Basically, start making a cookie full of rat droppings.

Asimov
Posts: 109819
Incept: 2007-08-26

East Tennessee Eastern Time
Quote:
Anyone, why wouldn't a VPN work, at least to block my IP?


Because you still log into the same sites with the same username. Because your browser is likely pretty identifiable in the information it returns. Hell, there's a good chance a bunch of the VPN places are selling the data off anyway. There's so much money in it.

----------
It's justifiably immoral to deal morally with an immoral entity.

Festina lente.
Vernonb
Posts: 2058
Incept: 2009-06-03

East of Sheol
Nadavegan said:

Quote:
Would love to see legislation proposed that would require affirmative consent on line every single time a beacon is activated, or data is sent/stored/accessed without prior knowledge. Not because I think such a thing is achievable, but rather because I would love to see the tech companies have to fight against it because having to do so would grind the internet to a halt, and maybe wake people up to how pervasive this is.


Yes in addition they must inform the user how giving consent can be used to bring harm to the user. Treat these sites as the equivalent of a pack of cigarettes. If people wish to continue to use them they are free to do so as adults but the harm caused is solely by their own CONSENTED choices. Gathering information on minors should be explicitly illegal as they can not legally consent to anything.


Those that freely consent deserve to be reamed with a bridge pylon pounder. (A salt encrusted rusty one too). ;-)


----------
"Mass intelligence does not mean intelligent masses."
Anicolici
Posts: 18
Incept: 2010-05-20

Karl - would a service like privateinternetacess.com (a VPN service that encrypts traffic and provides a random IP address) help to solve these problems? Or is the mere fact that you are REQUESTING something (by clicking on the vote button) necessarily mean that you are surrendering information? Thanks.
Tickerguy
Posts: 152455
Incept: 2007-06-26
A True American Patriot!
@Anicolici no, a VPN does nothing at all to help. The issue isn't in transport, it's on your end and how the web works!

THE ONLY FIX IS EITHER LEGISLATIVE OR MASS DESTRUCTION EITHER BY MASS SHUNNING OR WORSE.

----------
Winding it down.