Follow

In 2021 german publishers and shops widely started to use a cookieless tracking technology.

It's based on your e-mail and login information, so you should know about it. Especially as you are even tracked without login.

How identity providers work
⬇️[Thread]

Identity Providers are basically recording your login and sharing this information with other pages. Here GMX sends your login ID "tpid" to Adition which shares its own cookie with several ad tech companies using a classic cookie matching. In this case only with your consent.

Other Publishers like Spiegel Online, BILD and SPORT1 track households based on the IP address (also with consent).

The ID in the first screenshot is stable against deleting cookies, changing browsers and devices. It probably gets long term persistence by logins from other household members.

Not all pages are asking for consent. In the second screenshot you can see Gutefrage.net working together with Berlin based startup Zeotap to send the hashed e-mail from a login to Google, Xandr, Mediamath, Adition and The Trade Desk.

Regarding privacy, everything is lost now.

In this video Zeotap founder Daniel Herr explains a interesting part of his business model: Selling behavioural data from marketplaces like Autoscout24 to automotive brands like BMW. Publishers using Zeotap are getting paid for this insights.
youtube.com/watch?v=mrZ0HLd0Ls

Indeed: The hashed e-mail from a autoscout login is transferred to Zeotap without consent.

This data is probably part of the automotive interest data that Zeotap is trying to sell on audience marketplaces.

Now it's getting criminal:
Watch the biggest identity provider Liveramp stealing a e-mail address from a hidden login field without consent and without login.
It was prefilled by the default Firefox password manager.

Read more about this interconnected login matrix in my in-depth article at @kuketzblog:
kuketz-blog.de/tracking-durch-

Or in a easy understandable version in the newspaper Süddeutsche Zeitung (both German).
sueddeutsche.de/wirtschaft/coo

@rufposten@social.tchncs.de would things like noscript even protect against this? i saw in one of the screenshots, image tags were used so maybe users should block media from such domains? (e.g. by setting these domains to "untrusted" in noscript)

@Johann150
Practically yes, most systems work just with javascript because of easy implementation, also the pixel iframe in the screenshot.

But remember that large companies also use identity providers to feed their customer data into marketing channels. So unique emails (eg with "catch-all") are the best solution.

@rufposten Unique mails plus avoiding browser's built-in password manager and use KeePassXC in a security aware way instead: I.e., don't have KeePass pre-fill your logins automatically, but use the clipboard, with clearing after 10 sec's (or similar). It's a bit inconvenient, but like with wearing an FFP2 mask covering your nose and mouth completely and the mask pressed to your face, it depends on the strength of your will to apply the responsible tool, not of the tool itself. The user decides either for the inconvenient but responsible way, or the lazy way. @Johann150

@mupan @rufposten @Johann150 I'm using KeePassXC with Firefox plugin.

This setup does not autofill credentials, but hovers a KeePassXC icon: when clicked, credentials are then filled.

Is this setup not of a similar/greater security than copy/pasting?

@douginamug @rufposten @Johann150 I really don't know. I generally distrust automatic processes in security, but, on the other hand, KeePassXC never disappointed me before. And, not to forget, the real thing currently is MFA. If the web application supports that, I'm fine with some more convenience.

@mupan @rufposten @Johann150 Fair enough.

I just remember looking into copy-paste with KeePassXC vs the browser plugin, and it seemed the plugin has overall better security, since then the only place your password is unencrypted is the the credential box.

@rufposten @Johann150 Is there already a list of this domains somewhere out in the wild ? Random email adresses should also help.

@rufposten
Many thanks for your article. Really good to read and interesting.
I use simplelogin.io/ for multiple use cases if I need a new or throwback alias. My 25 mailboxes.org aliases are too valuable :)
@kuketzblog

@800mi @rufposten @kuketzblog A similar service is <spamgourmet.com/index.pl>. I've used it since the early years of this century, and it works well.

Matthias, many thanks for exposing this tracking. It's an outrage.

@800mi @rufposten @kuketzblog
Mit anonaddy.com/ gibt es einen ähnlichen Dienst wie simplelogin, der mit eingeschränkten Features auch kostenlos nutzbar ist oder sich sogar selber hosten lässt.

@rufposten
Super report! incredible perversion of the original WWW.
What about other PW Managers compromising credentials, like KeePass or Bitwarden i this context?

@kuketzblog

@rufposten Does it have any method to survive cookie deletion beyond IP address? Because that seems like it would be fairly straightforward to poison by running something similar to a Tor exit node. Or maybe just sharing logins.

@rufposten this is a chaining attack, I've written one in the past.

You find a piece of persistent ID then link it to temporary identifiers like IP. If another service matches the temporary identifier, it can link their persistent IDs together.

The second those IDs are matched everything is tracked, and it's difficult to remove. Before that point it's a mess.

I've seen tools block identifiers based on how regularly a site is tracking it for you. I wonder if you could do similar here.

@rufposten As you've done, if you know that the cookies are generated on site A, it should be possible to block that cookie being sent to anything except site A.

@rufposten you'll find some challenges on the site as it's become common to host analytics platforms on subdomains.

So you'll host analytics.site.com and data.site.com, so you have to be really specific on what's useful and what's not. Usually it's all the same subdomain name though, because that's what the provider tells you to do :')

@rufposten
I seem to recall that GDPR considers IP address to be PII. The U.S. does not. I can see these techniques working under U.S. law, but don't they violate GDPR?

@Photorat
Yes, the ones that don't ask for consent violate GDPR for sure.

@rufposten I felt compelled to add them (CrowdControl was already on it) to my blocking list. ;-)

@rufposten Are they doing this in a way that is compliant with the GDPR?

@loke Well, the majority is using consent tools but there are still too many who don't. But I doubt that people really understood what they consent to, most would think it's only about cookies.
Also there is too much uncontrolled 3p data exchange after the collecting.

Sign in to participate in the conversation
Mastodon

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!