The REAL Social Media SCAM
The Market Ticker - Commentary on The Capital Markets
2018-03-20 10:31 by Karl Denninger
in Technology, 1351 references

The usual nonsense from the various social media companies has started up once anew.

It's very important you understand how they steal data on you, the scope of that theft, and why it matters, along with why you not only didn't consent but can't consent.

To understand this you must understand how the web works.

Let's say you go to https://market-ticker.org and read some pages there.  That's this blog, by the way.

If you're new around here you will see a highlighted bar telling you that signing in will improve your experience.  This is because if you create a (free) account and sign in you can customize how the system displays things (the control panel's options are quite extensive), you can ask it to notify you if topics you're interested in get new user comments, and more.

If you sign in you would assume (and the TOS tells you) that the system will store a "cookie", which is just a numeric identifier, on your machine.  That's how it knows who you are when you click a new page, or when you come back to the page later.

But this is not limited to when you sign in.  Any site on the web can, and most do, send down other cookies.  This software, for example, sends down what is known as a "UUID", or "unique user ID".  It's simply a random, unique (and very long) numeric code that identifies your machine.  Why?  Because it's useful for the software to be able to do things like enforce rate-limiting (that is, to prevent spam-bots from overloading the system and doing the other nasty things they try to do).  It also allows the software to correlate accesses whether you're signed in or not, which helps security (e.g. if you lose your password the system has a decent idea whether you really are who you claim to be when you ask for a validation email!)

Why is this important?  Because any request to a site for which the cookie is valid will have the cookie sent with it, no matter what page on the Internet you are viewing when that request is made, and in addition the exact URL of the page that generated the request is sent as well.

What's important to understand is that the site you're reading does not generate that request -- your browser does.  Your browser gets a line that says "<script .....>", "<img ....>" or similar and it sends a request for that resource to the specified place.  In the request is the source page (where the request came from) and any cookies your browser has that are valid for the address to which the request is sent.

So let's assume you're Facesucker.  You make it "easy" for site owners to put "likes" and even use sign-on features from Facebook's authentication on your page.  Say, you're a newspaper.

Ok, so I go to www.mylocalnews.dirtbag/my-local-jackass-city-council.html.

As the page loads it requests the "like" buttons from Facebook for the articles, and in addition requests the sign-in box for comments.  Both of those generate a request to Facebook's computers and in that request is the exact URL I am reading -- that is, from where the request came.

Now here's the important part: If I have signed into Facebook at any time in the past from that device then the company has stored one or more cookies on my machine that uniquely identify me.  Since the request to Facebook's servers matches the place where the cookie came from, they now get the exact article I was reading and my identity, even though I did not sign into Facebook to read the article.  I have given no consent to this, I cannot opt out of it, and every single place on the Internet that has these buttons and/or sign-on boxes causes this to happen.

What's even worse is that I don't have to have signed into Facebook, ever, or even have an account, in order for this to occur.  The first time that request goes to Facebook, if no cookies are sent, Facebook can assign me one and check my browser's characteristics, including the IP address I'm coming from.  I am now "branded", in that the same cookie will be used to track me forever, and if at any time in the future I sign into Facebook or otherwise use any of their facilities they will then retroactively associate all of that browsing data with my person.

Now you know why Facebook allows (for "free") the use of its OAuth sign-on facility and promotes "like" buttons all over the web.  It is not about enhancing your social experience.

It is about snooping on everything you do online so they can sell and use that data without your knowledge or consent and in fact it is impossible for you to give prior consent because you have no idea the buttons are there before you visit the page!

You can defend against this by clearing all your cookies every time you use your computer, which will cause new cookies to be generated for each visit, but few if any people will.  Never mind that on a phone this happens too, and there they can often determine at least coarse location without even having a "location" permission turned on (simply from what network and IP you're on.)  Note that many so-called "apps" are really not much more than a "front" for web accesses to special URLs, parsing what comes back, and thus obey the exact same conventions regarding cookies.
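
To make the mechanism in the paragraphs above concrete (the identifier issued on the first embedded load, the identifier and page URL sent on every later one, and the retroactive link at sign-in) and to compare it with the clear-your-cookies defence just described, here is a small simulation. It is an added example written for this page, not code from the Ticker or from any social-media company: the hosts `facesucker.example` and `www.mylocalnews.dirtbag`, the paths, the account `alice`, the starting uid `12345` and the `Browser`/`LikeButtonHost` classes are all constructed, and a cookie's "site" is simplified to the last two DNS labels. It also goes beyond the text by modelling two browser-side settings that exist today and change what the third party receives: the `SameSite` cookie attribute and the page's `Referrer-Policy`.

```python
# Added model (not the article's or any site's code): a toy browser cookie jar plus a
# third-party "like button" host, showing how an embedded resource hands that host a
# persistent identifier and the page URL, and what SameSite, Referrer-Policy and
# clearing cookies each change.  Every host name and path here is constructed.
from collections import namedtuple
from urllib.parse import urlsplit

Cookie = namedtuple("Cookie", "name value domain same_site")  # same_site: None/Lax/Strict


def site_of(host):
    return ".".join(host.split(".")[-2:])  # registrable site, simplified to two labels


class Browser:
    def __init__(self, referrer_policy="no-referrer-when-downgrade"):
        self.jar = {}  # (domain, name) -> Cookie
        self.referrer_policy = referrer_policy

    def store(self, cookie):
        # SameSite limits when a cookie is *sent*; a cross-site response can still set one.
        self.jar[(cookie.domain, cookie.name)] = cookie

    def cookies_for(self, top_host, request_host):
        cross_site = site_of(top_host) != site_of(request_host)
        sent = {}
        for c in self.jar.values():
            if not (request_host == c.domain or request_host.endswith("." + c.domain)):
                continue
            # An <img>/<script> load is a subresource request, not a top-level
            # navigation, so Lax and Strict cookies are withheld across sites.
            if cross_site and c.same_site in ("Lax", "Strict"):
                continue
            sent[c.name] = c.value
        return sent

    def referer_for(self, page_url, request_host):
        p = urlsplit(page_url)
        if p.hostname != request_host and self.referrer_policy == "strict-origin-when-cross-origin":
            return f"{p.scheme}://{p.hostname}/"  # origin only: the article path is dropped
        return page_url  # legacy default: the full page URL travels with the request

    def load_page(self, page_url, embedded_urls, third_party):
        top_host = urlsplit(page_url).hostname
        for url in embedded_urls:
            host = urlsplit(url).hostname
            request = {"referer": self.referer_for(page_url, host),
                       "cookies": self.cookies_for(top_host, host)}
            for cookie in third_party.handle(request):
                self.store(cookie)


class LikeButtonHost:
    # The third party serving the button; it logs (uid, referer) for every hit.
    def __init__(self, host, same_site="None"):
        self.host, self.same_site = host, same_site
        self.log = []          # (uid, referer)
        self.identity = {}     # uid -> account, learned when someone signs in
        self.next_uid = 12345  # first uid issued, as in the thread's example

    def issue(self):
        self.next_uid += 1
        return Cookie("uid", str(self.next_uid - 1), self.host, self.same_site)

    def handle(self, request):
        uid, issued = request["cookies"].get("uid"), []
        if uid is None:  # first sight of this browser: brand it
            issued = [self.issue()]
            uid = issued[0].value
        self.log.append((uid, request["referer"]))
        return issued

    def sign_in(self, browser, account):
        # A top-level, first-party visit: SameSite never withholds the cookie here.
        uid = browser.cookies_for(self.host, self.host).get("uid")
        if uid is None:
            c = self.issue()
            browser.store(c)
            uid = c.value
        self.identity[uid] = account

    def profile(self, account):
        return [ref for uid, ref in self.log if self.identity.get(uid) == account]


NEWS = "https://www.mylocalnews.dirtbag/my-local-jackass-city-council.html"
TICKER = "https://market-ticker.org/some-article"
BUTTON = "https://facesucker.example/plugins/like.js"


def run_scenario(same_site="None", referrer_policy="no-referrer-when-downgrade",
                 clear_cookies_between_pages=False):
    """Read two unrelated pages that embed the button, then sign in; return the profile."""
    host, browser = LikeButtonHost("facesucker.example", same_site), Browser(referrer_policy)
    for page in (NEWS, TICKER):
        browser.load_page(page, [BUTTON], host)
        if clear_cookies_between_pages:
            browser.jar.clear()
    host.sign_in(browser, "alice")
    return host.profile("alice")


if __name__ == "__main__":
    print(run_scenario(), run_scenario(same_site="Lax"), sep="\n")
```

`run_scenario()` returns the Referers the button host can tie to `alice` once she signs in. With the legacy defaults it is both article URLs, exactly the leak the post describes. With `SameSite=Lax` on the uid cookie the two visits get different identifiers and cannot be joined, but the cookie set by the last cross-site response is still the one presented at sign-in, so one visit leaks anyway; the attribute alone is not enough. With `strict-origin-when-cross-origin` the host learns which sites were visited but not which articles. Clearing the jar before sign-in, the author's defence, leaves the profile empty.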

I could do this sort of thing here on the Ticker, as my web servers get the same data theirs do on every request, but I don't -- on purpose -- because I consider it an outrageous invasion of your privacy and rights.  A few years ago I removed the "Like" and similar buttons for Facebook from the Ticker for this very reason, after a fairly careful study convinced me they were indeed abusing that data in exactly that fashion.  For right now Twitter's are still present but can be opted out of if you create a login here, via the control panel options (that is, if you are signed in you can disable the script loads and thus Twitter's ability to "see" that you read the page.)
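
A site owner who wants to follow the author's lead and find out which outsiders their pages make a visitor's browser contact can run a check like the following over the page HTML before deciding what to remove. It is an added example, not the Ticker's software: `SAMPLE_PAGE`, its host names, the `ThirdPartyAudit` class and the beacon heuristic (a 1x1 or hidden image) are constructed for this example, and "site" is again simplified to the last two DNS labels.

```python
# Added check (not the article's or the Ticker's own code): list the third-party hosts a
# page will make a visitor's browser contact, and flag tracking-pixel-shaped images,
# so a site owner can see which outsiders receive a Referer and cookies for each view.
# The sample page and its host names are constructed for the example.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements whose attribute makes the browser fetch something as the page loads.
LOADING = {"script": "src", "img": "src", "iframe": "src", "link": "href",
           "source": "src", "video": "src", "audio": "src", "embed": "src"}
LINK_RELS_THAT_LOAD = {"stylesheet", "preload", "prefetch", "icon", "modulepreload"}


def site_of(host):
    return ".".join(host.split(".")[-2:])  # registrable site, simplified to two labels


def looks_like_beacon(attrs):
    """1x1 or hidden <img>: the classic tracking-pixel shape."""
    w, h = attrs.get("width") or "", attrs.get("height") or ""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (w in ("0", "1") and h in ("0", "1")) or "display:none" in style


class ThirdPartyAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_site = site_of(urlsplit(page_url).hostname)
        self.findings = []  # (tag, host, url, note)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        attr = LOADING.get(tag)
        if attr is None or not a.get(attr):
            return
        if tag == "link":
            rels = set((a.get("rel") or "").lower().split())
            if not rels & LINK_RELS_THAT_LOAD:
                return  # rel=canonical, alternate etc. fetch nothing
        url = a[attr].strip()
        host = urlsplit(url).hostname  # None for relative paths and data: URIs
        if host is None or site_of(host) == self.page_site:
            return  # first-party: only your own server sees this request
        note = "1x1/hidden image (beacon)" if tag == "img" and looks_like_beacon(a) else ""
        self.findings.append((tag, host, url, note))


def audit(html, page_url):
    """Return every third-party fetch the page triggers, in document order."""
    p = ThirdPartyAudit(page_url)
    p.feed(html)
    p.close()
    return p.findings


def third_party_sites(findings):
    return sorted({site_of(host) for _, host, _, _ in findings})


# Constructed sample: a local-news page with a social SDK, a web font and a pixel.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://connect.facesucker.example/en_US/sdk.js"></script>
<link rel="stylesheet" href="https://fonts.example/css?family=Foo">
<link rel="canonical" href="https://www.mylocalnews.dirtbag/my-local-jackass-city-council.html">
</head><body>
<div class="fb-like" data-href="https://www.mylocalnews.dirtbag/my-local-jackass-city-council.html"></div>
<img src="/images/logo.png" alt="logo">
<noscript><img src="https://www.facesucker.example/tr?id=123" width="1" height="1" style="display:none"></noscript>
<a href="https://other.example/">a plain link fetches nothing until clicked</a>
</body></html>"""
PAGE_URL = "https://www.mylocalnews.dirtbag/my-local-jackass-city-council.html"

if __name__ == "__main__":
    for tag, host, url, note in audit(SAMPLE_PAGE, PAGE_URL):
        print(f"{tag:6} {host:30} {note}")
    print("third-party sites:", third_party_sites(audit(SAMPLE_PAGE, PAGE_URL)))
```

On the sample page the script tag for the social SDK, the font stylesheet and the hidden pixel inside `<noscript>` are reported; the first-party script and logo, the `rel=canonical` link and the plain anchor are not, because they either stay on your own server or fetch nothing on load. Anything the audit lists receives the Referer and whatever cookies the visitor's browser holds for that host on every page view, whether or not the visitor ever clicks it.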

This sort of "data mining" needs to be prohibited as a matter of criminal law. Fines will do nothing as they are simply a cost of doing business.  Instead, any firm that does this since consent is impossible must have their corporate charter revoked and their entire board tossed in prison for gross and outrageous invasions of privacy and personal rights.

But -- doing that would shrink Facebook's data stream to a tiny fraction of what it is now and basically all of its market cap exists only because it can and does personally profile anyone that touches any resource that uses its "like" or sign-on functions and sells that.

This "business model" is nothing other than an outrageous invasion of privacy: it occurs without your consent, you'd never consent to it if you understood fully and exactly how accurately they can measure everything about you, and you get directly screwed by various firms as a result to the tune of hundreds or thousands of dollars a year.

My reason to believe the latter?  Their ARPU could not possibly exist unless you're getting hosed for at least 10x that amount, since most "advertising" does not in fact drive behavior and is worth zero.  The small percentage that actually results in a conversion (sale) thus must support the entire ARPU generated or their business instantly collapses.

Comments
Beango
Posts: 772
Incept: 2009-06-05

Regarding the case where you do not have an account at all: they may be able to track you via IP address (which is still plenty bad), but I thought they should not be able to get any personally identifiable information from it. Do you think they have special access to a lookup service to resolve that info?

Anyway, I've got a blacklist going right now in my hosts file for some of these sites. But we really need a secure-by-default whitelist solution.

Tickerguy
Posts: 152436
Incept: 2007-06-26
A True American Patriot!
Quote:
They may be able to track you via IP address (which is still plenty bad), but I thought they should not be able to get any personally identifiable information from it. Do you think they have special access to a lookup service to resolve that info?

WRONG!

Once a cookie is set (and it can be set on ANY resource that comes down) it is stored in your browser (with a possible expiration date.) On any future request to that host or domain (you can set one with a superset of the host you are sending it from) that cookie is RETURNED.

Now if you in ANY WAY manage to associate your PERSON with that cookie you're permanently ****ed, and if there is ever any OVERLAP between cookies from the same or DIFFERENT domains that share data you're ALSO ****ed.

Example:

You read "market-ticker/****-you-facebook".
Facebook has a "like" button on the page.
WHEN YOU READ THE ARTICLE a request is generated to Facebook's servers. If there is no cookie IT SENDS ONE (say, "12345") with the Like button. YOUR BROWSER STORES THAT.

Now you go to "i-love-jihad.kill"
It ALSO has a like button from Facebook. AS SOON AS YOU BROWSE THERE the cookie "12345" GETS SENT TO FACEBOOK along with the URL (i-love-jihad.kill) that generated the request. They store THAT too.

Now, later on, you in some way ASSOCIATE YOUR PERSON on a site that uses Facebook's OAUTH, OR YOU SIGN INTO FACEBOOK. Doing so *ALSO* sends that "12345" cookie and now, since it's associated, you're ****ed.

It's almost impossible to prevent this from happening and what's even worse is that browsers have "fingerprints" that are, in many cases, unique. Your specific extensions, fonts and similar can be requested and in MANY (but not all) cases identify a UNIQUE DEVICE. If it's not unique it's hellishly-narrow compared against everything else (e.g. You have an iPhone, it's running a SPECIFIC IOS patch level and your Safari patch level is Y as well)

Between all of this given a relatively modest amount of TIME it is nearly-100% certain that you can be UNIQUELY identified down to EXACTLY WHO YOU ARE. Not just "user 213456" but YOUR SPECIFIC IDENTITY AS A PERSON.

----------
Winding it down.
Goforbroke
Posts: 7335
Incept: 2007-11-30
A True American Patriot!
Time to feed the chickens.
So what you are saying is that if I load a page and it has the Facebook "Like" thing on it, the fact that I visited this page is sent back to Facebook, even without me clicking on the "Like" button?

----------
Our deepest fear is not that we are inadequate. Our deepest fear is that we are powerful beyond measure. It is our Light, and not our Darkness, that most frightens us. -- Marianne Williamson
Beango
Posts: 772
Incept: 2009-06-05

I should have clarified, my question was specific to the case where you do not have a FB account and never login via oauth. It was my understanding that modern browsers do not allow scripts loaded from a 3rd party origin to access cookies from other domains. But I guess if the uuid is tied to ip address, it's a short leap from there to get personal info.
Elkad
Posts: 386
Incept: 2009-09-04

https://www.eff.org/privacybadger

It learns which sites are tracking you and starts blocking them.

For things like a Facebook widget, it blocks FB and puts up a fake widget. Only if you actually click it does it allow you to connect to the FB servers.

So you can still click "like" (which of course gives your data away), but if you just wander past a site with a FB widget, FB doesn't know.

Incidentally, it also manages to block some ads, even on sites that have anti-adblocker restrictions you normally can't get by. (motortrend.com is one I found last night - had to disable uBlock to get videos to play, but with Badger running I still saw no ads.) It's not as good as an actual adblocker, but sites don't notice it as much either.
Robodog
Posts: 277
Incept: 2011-06-12

Two points:

- thanks to the host for exercising discretion in refraining from being part of this problem & elucidating on what goes on behind the camera

- wonder if the tracking & data parsing/sharing subterfuge now seeing some light of day, will prompt the equal & opposite reaction (rhetorical) ?

----------
I believe in only one thing: liberty; but I do not believe in liberty enough to want to force it upon anyone. ~ H.L. Mencken
Tickerguy
Posts: 152436
Incept: 2007-06-26
A True American Patriot!
Go for yes.

----------
Winding it down.
Goforbroke
Posts: 7335
Incept: 2007-11-30
A True American Patriot!
Time to feed the chickens.
Quote:
Go for yes

Wow.

----------
Our deepest fear is not that we are inadequate. Our deepest fear is that we are powerful beyond measure. It is our Light, and not our Darkness, that most frightens us. -- Marianne Williamson
Mekantor
Posts: 151
Incept: 2009-01-12

Houston, TX
Extra bonus: if there is a facebook-sourced image (like button, photo, or tracker pixel) in an HTML email you get, and you allow it to load images that time or permanently, it would generate a request to their servers again, and possibly every other time you open a similar email, even an old one.
Tickerguy
Posts: 152436
Incept: 2007-06-26
A True American Patriot!
Yep.

----------
Winding it down.
Goforbroke
Posts: 7335
Incept: 2007-11-30
A True American Patriot!
Time to feed the chickens.
That is SO wrong.

How can Zuckerberg et al sleep at night knowing that they are doing this?

----------
Our deepest fear is not that we are inadequate. Our deepest fear is that we are powerful beyond measure. It is our Light, and not our Darkness, that most frightens us. -- Marianne Williamson
Tickerguy
Posts: 152436
Incept: 2007-06-26
A True American Patriot!
Doesn't give a ****.

The basic functionality is how the web works; it's his abuse of it that's the problem.

Oh I note how they're very quiet about it too....

----------
Winding it down.
Goforbroke
Posts: 7335
Incept: 2007-11-30
A True American Patriot!
Time to feed the chickens.
Could someone plant something the size of one pixel on a page (so it's basically unnoticeable) and accomplish the same thing?

----------
Our deepest fear is not that we are inadequate. Our deepest fear is that we are powerful beyond measure. It is our Light, and not our Darkness, that most frightens us. -- Marianne Williamson
Nickdanger
Posts: 711
Incept: 2011-06-12

Quote:
How can Zuckerberg et al sleep at night knowing that they are doing this?

He counts $$ instead of sheep...

----------
Grammar: the difference between knowing your **** and knowing you're ****.
Tickerguy
Posts: 152436
Incept: 2007-06-26
A True American Patriot!
Gofor, yes, that's done all the time; it's called a beacon.

----------
Winding it down.
Bullitt5768
Posts: 22
Incept: 2009-05-12

NY
Beacons (invisible pixels) are everywhere.

It is how advertisers track their campaigns and measure reach.

----------
Less bad is the new good, pass the Brawndo 'tard!

"He that lives upon hope will die fasting." - Ben Franklin
Ckaminski
Posts: 4562
Incept: 2011-04-08

Mass-Hole!
Quote:
It was my understanding that modern browsers do not allow scripts loaded from a 3rd party origin to access cookies from other domains.


The Referrer URL is almost always passed when loading other artifacts on a page (scripts, images, etc).

This is how they know where you came from.
Tickerguy
Posts: 152436
Incept: 2007-06-26
A True American Patriot!
Correct, it's not a third-party request.

Worse, it's really easy to get around third-party cookie blocking.

----------
Winding it down.
1crzydmnd
Posts: 3022
Incept: 2008-03-26

Bizarro World
Jeeebus...I thought I knew something about this. I know nothing. I feel like I've taken the red pill...

----------
BFYTW
Elkad
Posts: 386
Incept: 2009-09-04

There are browser extensions to block referrer URLs too. (or change the referrer to whatever you want, like the page you landed on, or "everything came from Google")

They often break things and are annoying, which reveals just how much the web depends on them.


But FB and others depend on people not knowing about their data collection practices. Or not caring. Or not knowing how to fix it even if they do.
Bluebird
Posts: 1831
Incept: 2008-05-02

SW Ohio
So even if I delete my Facebook account, Facebook keeps my data and cookies forever?
So Facebook would still be able to track the websites I visit to collect data about me?
Is there any way to get out this entrapment?
Tickerguy
Posts: 152436
Incept: 2007-06-26
A True American Patriot!
Yeah, destroy the company or change the law.

----------
Winding it down.
Tickerguy
Posts: 152436
Incept: 2007-06-26
A True American Patriot!
smiley

----------
Winding it down.
Mekantor
Posts: 151
Incept: 2009-01-12

Houston, TX
Beyond cookies, there is also something newer called Web Storage. Somewhat similar, but more data can be stored, and easier to use with Javascript.