In 2021 german publishers and shops widely started to use a cookieless tracking technology.
It's based on your e-mail and login information, so you should know about it. Especially as you are even tracked without login.
How identity providers work
Identity Providers are basically recording your login and sharing this information with other pages. Here GMX sends your login ID "tpid" to Adition which shares its own cookie with several ad tech companies using a classic cookie matching. In this case only with your consent.
Other Publishers like Spiegel Online, BILD and SPORT1 track households based on the IP address (also with consent).
The ID in the first screenshot is stable against deleting cookies, changing browsers and devices. It probably gets long term persistence by logins from other household members.
Not all pages are asking for consent. In the second screenshot you can see Gutefrage.net working together with Berlin based startup Zeotap to send the hashed e-mail from a login to Google, Xandr, Mediamath, Adition and The Trade Desk.
Regarding privacy, everything is lost now.
In this video Zeotap founder Daniel Herr explains a interesting part of his business model: Selling behavioural data from marketplaces like Autoscout24 to automotive brands like BMW. Publishers using Zeotap are getting paid for this insights.
Indeed: The hashed e-mail from a autoscout login is transferred to Zeotap without consent.
This data is probably part of the automotive interest data that Zeotap is trying to sell on audience marketplaces.
Now it's getting criminal:
Watch the biggest identity provider Liveramp stealing a e-mail address from a hidden login field without consent and without login.
It was prefilled by the default Firefox password manager.
Read more about this interconnected login matrix in my in-depth article at @kuketzblog:
Or in a easy understandable version in the newspaper Süddeutsche Zeitung (both German).
And the whole thread on my website for convenience: https://rufposten.de/blog/2021/12/05/how-you-are-tracked-without-cookies-using-identity-providers/
@firstname.lastname@example.org would things like noscript even protect against this? i saw in one of the screenshots, image tags were used so maybe users should block media from such domains? (e.g. by setting these domains to "untrusted" in noscript)
But remember that large companies also use identity providers to feed their customer data into marketing channels. So unique emails (eg with "catch-all") are the best solution.
@rufposten Unique mails plus avoiding browser's built-in password manager and use KeePassXC in a security aware way instead: I.e., don't have KeePass pre-fill your logins automatically, but use the clipboard, with clearing after 10 sec's (or similar). It's a bit inconvenient, but like with wearing an FFP2 mask covering your nose and mouth completely and the mask pressed to your face, it depends on the strength of your will to apply the responsible tool, not of the tool itself. The user decides either for the inconvenient but responsible way, or the lazy way. @Johann150
@douginamug @rufposten @Johann150 I really don't know. I generally distrust automatic processes in security, but, on the other hand, KeePassXC never disappointed me before. And, not to forget, the real thing currently is MFA. If the web application supports that, I'm fine with some more convenience.
@rufposten Does it have any method to survive cookie deletion beyond IP address? Because that seems like it would be fairly straightforward to poison by running something similar to a Tor exit node. Or maybe just sharing logins.
I mean you've already logged in on their website.
@rufposten this is a chaining attack, I've written one in the past.
You find a piece of persistent ID then link it to temporary identifiers like IP. If another service matches the temporary identifier, it can link their persistent IDs together.
The second those IDs are matched everything is tracked, and it's difficult to remove. Before that point it's a mess.
I've seen tools block identifiers based on how regularly a site is tracking it for you. I wonder if you could do similar here.
@rufposten As you've done, if you know that the cookies are generated on site A, it should be possible to block that cookie being sent to anything except site A.
@rufposten you'll find some challenges on the site as it's become common to host analytics platforms on subdomains.
So you'll host analytics.site.com and data.site.com, so you have to be really specific on what's useful and what's not. Usually it's all the same subdomain name though, because that's what the provider tells you to do :')
I seem to recall that GDPR considers IP address to be PII. The U.S. does not. I can see these techniques working under U.S. law, but don't they violate GDPR?
@loke Well, the majority is using consent tools but there are still too many who don't. But I doubt that people really understood what they consent to, most would think it's only about cookies.
Also there is too much uncontrolled 3p data exchange after the collecting.
The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!