Cookieless Web Tracking Using HTTP's ETag 212
An anonymous reader writes "There is a growing interest in who tracks us, and many folks are restricting the use of web cookies and Flash to cut down how advertisers (and others) can track them. Those things are fine as far as they go, but some sites are using the ETag header as an identifier: Attentive readers might have noticed already how you can use this to track people: the browser sends the information back to the server that it previously received (the ETag). That sounds an awful lot like cookies, doesn't it? The server can simply give each browser an unique ETag, and when they connect again it can look it up in its database. Neither JavaScript, nor any other plugin, has to be enabled for this to work either, and changing your IP is useless as well. The only usable workaround seems to be clearing one's cache, or using private browsing with HTTPS on sites where you don't want to be tracked. The Firefox add-on SecretAgent also does ETag overwriting."
Secret Agent (Score:5, Interesting)
Here we come. :-)
Add this feature to a chaff-creating plugin, to crapflood servers with fake tags.
Just clear the cache... (Score:4, Interesting)
Also, I occasionally clear all private data while browsing in Opera, including the cache, cookies, history, and so forth (passwords are never saved by the browser). Obviously, I have to log in again the next time I visit slashdot.
Re:Secret Agent (Score:4, Interesting)
The way I'd detect it would be with some extra background probes after a page has been loaded. The background probes start once the browser has finished loading and has become idle. Then the browser could open another connection and request the same resources again without sending any information, that could be tracked. If it receives a different ETag or different content this time around, it empties the cache for that domain and disables caching for that domain for a few hours.
They just don't seem to get the message (Score:5, Interesting)
I always imagine the webserver as having an internal conversation that goes sort of like this...
You might think at this point that companies and advertisers start getting the message. Instead, they just keep finding more and sleazier ways. All these technologies have valid uses but have been so abused by corporations and marketing that people increasingly don't trust it anywhere. It just further antagonizes the very people they are trying to connect with. And then they wonder why they lose the respect and trust of their customers, resulting in an ever-more aggressive relationship between the two.
Some days I dream about what the Internet might have been like had Canter and Siegel been definitively smacked down back in '94, setting an inviolable precedent that the 'Net was not a platform welcoming /any/ advertising. What repercussions might that have had on the world as a whole?
Panopticlick is another method (Score:5, Interesting)
The ETag method is a clever solution to cookieless tracking. I find this method I stumbled upon a couple of weeks ago a bit startling. I had no idea the amount of information routinely sent from my browser/computer to web servers-- information about plug-ins, time zone, screen resolution, accepted headers, etc WITHOUT letting me know. It is enough to give more than 21 bits of identifying information and uniquely identifies me among the 3M visits.
https://panopticlick.eff.org/ [eff.org]
Re:Just clear the cache... (Score:3, Interesting)
delete all cookies etc. every time they exit.
I have to log in again the next time I visit slashdot.
Too much work. Well, except if I'd never quit the browser but then it wouldn't make any difference.
Re:They just don't seem to get the message (Score:4, Interesting)
You might think at this point that companies and advertisers start getting the message. Instead, they just keep finding more and sleazier ways. All these technologies have valid uses but have been so abused by corporations and marketing that people increasingly don't trust it anywhere.
I'm honestly curious here. Advertising isn't going away. It's what keeps the Internet "free". So you're saying you'd rather have completely irrelevant advertising than stuff you may actually be interested in? When I'm in the market for any kind of product, I actively seek out sources of advertising to survey what's available. Being flooded with irrelevant information and advertisements (like happens on the radio and television) is personally unnecessary but financially necessary noise to provide the content I want. I'll take trackers any day over having to pay for every single site I visit.
Re:They just don't seem to get the message (Score:3, Interesting)
Yes, that's what I'm saying. I don't want these people to know what I want. They have proven that they will take advantage of that, and try to make me impulse-buy things when I'm at my most vulnerable to targeted ads.
Ads are not a good way to form a worthwhile opinion on what product is the best for you, the consumer. They're designed to drown out the competition and are practically worthless for making a judgement call, unless you happen to notice it's something you already wanted that has a special-offer.
Without competition, ads are no more relevant than they were without being targeted. I've seen no evidence of more competition with more targeted ads. I just get the same products over and over, from whomever can afford the most ads. It's not a healthy situation for commerce.
Plus, if it's something I'm going to buy, I'll buy it. I don't need an ad asking me to click on it while I'm doing other things. I'd rather the business model was revamped than the customer's privacy model.
If ads can sustain the web as-is, then I don't see a need to "upgrade" them. And if they can't, then it's just another reason to revamp the business model instead of desperately clinging to it.