
How a Lone Grad Student Scooped the FTC On Privacy Issue

Pigskin-Referee sends this excerpt from an article at ProPublica: "Jonathan Mayer had a hunch. A gifted computer scientist, Mayer suspected that online advertisers might be getting around browser settings that are designed to block tracking devices known as cookies. If his instinct was right, advertisers were following people as they moved from one website to another even though their browsers were configured to prevent this sort of digital shadowing. Working long hours at his office, Mayer ran a series of clever tests in which he purchased ads that acted as sniffers for the sort of unauthorized cookies he was looking for. He hit the jackpot, unearthing one of the biggest privacy scandals of the past year: Google was secretly planting cookies on a vast number of iPhone browsers. Mayer thinks millions of iPhones were targeted by Google."
  • by DogDude ( 805747 ) on Saturday June 30, 2012 @11:40AM (#40504941)
    What are "secret cookies"? Does anybody know what in the hell this means? Last I checked, cookies were plain text files stored in a specific place on a computer. How can a cookie be "secret"?
  • google's chrome (Score:1, Interesting)

    by jaiteace ( 581678 ) on Saturday June 30, 2012 @11:45AM (#40504991)
    Why does Chrome on Windows phone home so often? I doubt that it is to check for updates; once a day should be more than enough for that. Now that Google is integrating all their services, what happens to the safebrowsing info that they must be collecting? Guess it goes into the pot too.
  • Wired distorts it (Score:5, Interesting)

    by phantomfive ( 622387 ) on Saturday June 30, 2012 @12:03PM (#40505161) Journal
    If the annoying "gifted computer scientist" and "scooping the FTC" rhetoric is too much for you, the tone comes from the Wired article.

    The original post [stanford.edu] by the 'gifted' man is much more reasonable. Safari by default blocks third-party cookies (you can turn it off in the settings). This post explains how Google, and others, get around it. Quote, "if a cookie is sent with an HTTP request, Safari’s blocking policy will allow the response to write cookies." So when they load their iframe in the background, the first thing it does is a POST. If that doesn't make sense to you, the summary is Google used technical means to get around Safari's limitations. Here is Google's response. [stanford.edu]

    Most hilarious, irrelevant, line from the article, "Earlier this year, it was revealed that Target realized a teenage customer was pregnant before her father knew; the firm identifies first-term pregnancies through, among other things, purchases of scent-free products."
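
A toy model of the cookie policy behaviour described in the comment above, as an added example that is not part of the original thread and is not Safari's code. The site names, the session and the form-POST exception are assumptions made for the illustration; the second policy shows the stricter rule a user who blocks third-party cookies would expect.

```javascript
// Toy model (constructed for illustration) of a "block third-party cookies"
// policy with the exception quoted above: a request that already carries a
// cookie may have its response write cookies.
// Assumption: a form POST from a third-party frame may also write cookies.

function makeBrowser(policy) {
  const jar = new Map(); // site -> cookie value
  return {
    // Simulate one request; returns the Cookie value the server received.
    request({ topSite, site, method, setCookie }) {
      const sent = jar.has(site) ? jar.get(site) : null;
      const thirdParty = topSite !== site;
      const ctx = { thirdParty, method, sentCookie: sent !== null };
      if (setCookie && policy(ctx)) jar.set(site, setCookie);
      return sent;
    },
  };
}

// Policy with both exceptions: one accepted write unlocks all later writes.
const lenientPolicy = ({ thirdParty, method, sentCookie }) =>
  !thirdParty || method === "POST" || sentCookie;

// Stricter policy: a third-party response never writes cookies.
const strictPolicy = ({ thirdParty }) => !thirdParty;

// Constructed session: the same third-party frame embedded on two sites.
function simulate(policy) {
  const b = makeBrowser(policy);
  const frame = (topSite, method, setCookie) =>
    b.request({ topSite, site: "ads.example", method, setCookie });
  return [
    frame("news.example", "GET", "id=1"),  // plain load: write is blocked
    frame("news.example", "POST", "id=2"), // form POST from the frame
    frame("news.example", "GET", "id=3"),  // cookie now sent with the request
    frame("shop.example", "GET", null),    // same frame on an unrelated site
  ];
}

// Each entry is the Cookie value the third party received on that request.
console.log("lenient:", simulate(lenientPolicy));
console.log("strict: ", simulate(strictPolicy));
```

Under the lenient policy the identifier set on the first site is presented again on the second; under the strict policy the third party never receives a cookie.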
  • Re:Wired distorts it (Score:2, Interesting)

    by fast turtle ( 1118037 ) on Saturday June 30, 2012 @12:44PM (#40505369) Journal

    Irrelevant line, huh? Guess that means I'm pregnant and in the first trimester. If I am, it's a damn problem because I've been buying Scent/Dye Free products for over a decade and I still haven't given birth to my baby. Main reason I buy them is the scent/dye free are classified as hypoallergenic - meaning they're tested as allergen free. Of course I'm a guy with a great sense of smell and dislike the number of perfumes being added to things that don't need it like laundry soap. All I want my clothes to smell like is clean. No god damn perfumes to make my clothes stink like most Americans. Due to my job, I pretty much have to stick with perfume free products as my nose is too damn important and the stinking scents screw me up while trying to do my job.

    It's gotten so bad that I actually bought a book on soap making just so I can ensure I've got something completely scent free. If I need extra cleaning power, I'll add a small bit of pumice (2 grams) to a 1 oz bar of soap. I keep them that small (travel size) because I add no damn preservatives or anything else and they generally get used before they go bad. If not, then no big loss of product as the others are in vacuum sealed packaging (food sealers work great).

  • by Anonymous Coward on Saturday June 30, 2012 @03:57PM (#40506647)

    There are some things that need to be added to this.
    1) Browser history clearing should not be necessary. If a browser leaks history information that is a vulnerability that needs to be addressed. But I've found the ability to search the history very valuable and it isn't something you'd want to deprive yourself of.
    2) Most websites that would abuse potential leaks are blocked by ad blockers. You might also want to run PeerBlock.
    3) Sites don't need your browser history to fingerprint you anyway. (You hinted at this, but I might as well make explicit that clearing your history or using a secure browser ultimately may not matter.) Browsers send websites too much data; browser developers must put a stop to that. Stop sending user agents; stop sending plugin details.
    4) It doesn't matter if you can view the cookies you have. Most of the time they're filled with seeming gibberish. If you can't read them, they're still secret. But remove them and the site stops working. This will only change if browser developers start blocking cookies by default, and make it impossible to simply whitelist all websites. Again, browser developers, get off your arses.
    5) What the EFF site you linked doesn't show is that there's potentially much more data to be harvested from the JavaScript environment. You can probably detect certain browser extensions that modify styles or inject elements for example. And you can check the size of the browser window (you can safely assume it will be maximised since nowadays almost no website works if it isn't, sadly). All harvested information can be passed back to the website silently through the magic of XMLHttpRequest. So either XMLHttpRequest will have to go, or we'll need to virtualise the environment a website's JavaScript sees (lie about active CSS and fonts, hide injected elements, ...) to a much larger extent than we're doing now.
    6) Carrying on from the previous point, I'd advise people to disable JavaScript altogether if I didn't know that most websites will break and it'll make you even more unique. But again, this will change if major browsers start blocking JavaScript.
    There are many more things, but they're not worth discussing until headway is made on the points above.
