Identity Providers are basically recording your login and sharing this information with other pages. Here GMX sends your login ID "tpid" to Adition which shares its own cookie with several ad tech companies using a classic cookie matching. In this case only with your consent.
Other Publishers like Spiegel Online, BILD and SPORT1 track households based on the IP address (also with consent).
The ID in the first screenshot is stable against deleting cookies, changing browsers and devices. It probably gets long term persistence by logins from other household members.
Not all pages are asking for consent. In the second screenshot you can see Gutefrage.net working together with Berlin based startup Zeotap to send the hashed e-mail from a login to Google, Xandr, Mediamath, Adition and The Trade Desk.
Regarding privacy, everything is lost now.
Now it's getting criminal:
Watch the biggest identity provider Liveramp stealing a e-mail address from a hidden login field without consent and without login.
It was prefilled by the default Firefox password manager.
Read more about this interconnected login matrix in my in-depth article at @kuketzblog:
Or in a easy understandable version in the newspaper Süddeutsche Zeitung (both German).
And the whole thread on my website for convenience: https://rufposten.de/blog/2021/12/05/how-you-are-tracked-without-cookies-using-identity-providers/
@email@example.com would things like noscript even protect against this? i saw in one of the screenshots, image tags were used so maybe users should block media from such domains? (e.g. by setting these domains to "untrusted" in noscript)
But remember that large companies also use identity providers to feed their customer data into marketing channels. So unique emails (eg with "catch-all") are the best solution.
@rufposten Unique mails plus avoiding browser's built-in password manager and use KeePassXC in a security aware way instead: I.e., don't have KeePass pre-fill your logins automatically, but use the clipboard, with clearing after 10 sec's (or similar). It's a bit inconvenient, but like with wearing an FFP2 mask covering your nose and mouth completely and the mask pressed to your face, it depends on the strength of your will to apply the responsible tool, not of the tool itself. The user decides either for the inconvenient but responsible way, or the lazy way. @Johann150
@douginamug @rufposten @Johann150 I really don't know. I generally distrust automatic processes in security, but, on the other hand, KeePassXC never disappointed me before. And, not to forget, the real thing currently is MFA. If the web application supports that, I'm fine with some more convenience.
The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!