Facebook today launched the "Off-Facebook-Activity"-Tab for everyone. Now you can see which companies forwarded data about your external activities to FB:
It seems to be a first step to stop GDPR fines on companies using the business tools.
But as announced, it's only the summary of the data collected. If you didn't give consent to it (especially while visiting websites/apps without login), you can file a GDPR complaint against those companies. Useful nonetheless! (1/2)

Axel Voss probably also thinks that if he closes just one eye, he is invisible but can still see everything.

(From Axel Voss's new "manifesto" for Europe's digital sovereignty axel-voss-europa.de/wp-content).

Via twitter.com/WolfieChristl/stat

Twitter is ending the "Audience Insights" feature on 30 January 2020. Presumably a reaction to the ruling on Facebook fan pages: the built-in analytics service was the main argument for the ECJ that the page operator participates in FB's illegal tracking.

This is how to test in Chrome/Firefox:
1. New window, Shift-Ctrl-I
2. Enter the URL or reload
3. Search the network requests for "google-analytics"
4. Every match is a hit.
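
The four-step DevTools check above can be repeated offline on a HAR export of the Network panel. This is an added example, not part of the original post; it matches on the request hostname rather than on the bare string, and it assumes the export follows the standard HAR layout (`log.entries[].request`) and that `tid` is the Google Analytics tracking-ID parameter. The sample data is constructed.

```python
import json
from urllib.parse import urlsplit, parse_qs

TRACKER_DOMAIN = "google-analytics.com"  # the string searched for in step 3

def is_tracker_host(host, domain=TRACKER_DOMAIN):
    """True for the domain or a subdomain, not for look-alike hosts."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def find_hits(har):
    """Return one record per HAR entry whose request went to the tracker domain."""
    hits = []
    for entry in har.get("log", {}).get("entries", []):
        req = entry.get("request", {})
        url = urlsplit(req.get("url", ""))
        if not is_tracker_host(url.hostname):
            continue
        params = parse_qs(url.query)
        # POST hits carry their parameters in the request body instead
        body = (req.get("postData") or {}).get("text") or ""
        for name, values in parse_qs(body).items():
            params.setdefault(name, values)
        # "tid" is assumed to be the tracking-ID parameter of the hit
        hits.append({"method": req.get("method"), "host": url.hostname,
                     "path": url.path, "tid": params.get("tid", [None])[0]})
    return hits

def _req(method, url, body=None):  # helper for the constructed sample below
    request = {"method": method, "url": url}
    if body is not None:
        request["postData"] = {"mimeType": "text/plain", "text": body}
    return {"request": request}

# Constructed sample, shaped like a DevTools HAR export (not captured traffic)
SAMPLE_HAR = {"log": {"entries": [
    _req("GET", "https://www.example.org/"),
    _req("GET", "https://www.google-analytics.com/analytics.js"),
    _req("GET", "https://www.google-analytics.com/collect?v=1&tid=UA-000000-0&t=pageview"),
    _req("POST", "https://www.google-analytics.com/collect", "v=1&tid=UA-000000-0&t=event"),
    _req("GET", "https://cdn.example.org/lib.js?ref=google-analytics"),
    _req("GET", "https://google-analytics.com.example.net/pixel.gif"),
]}}

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_HAR):
        print(json.dumps(hit))
```

For a real export, pass the result of `json.load()` on the saved `.har` file to `find_hits()`.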

Today the SZ has an excellent, vivid and elaborate 24-hour report on how smartphones collect our data. Take that short walk to the newsstand today or tomorrow; it could be a good start to paying a little less with your own data.

Beyond evil: This month Facebook started to scrape sites that use 'pixel' for all kinds of information. Including personal information about the visitors. People could be identified even without cookies by name or email. This also affects non-FB users. developers.facebook.com/docs/f

(Via nitter.net/WolfieChristl/statu)

Seems to be currently live on booking.com and airbnb.com. Here personal information like name, email and phone number is sent to Facebook during registration at Airbnb.

Here is a screenshot of the list of advertising providers that hamburg.de lists in its privacy policy.

After being viewed more than 100k times on Twitter and Mastodon, I "archived" the TikTok story to my blog. This night it got rolled over by 30k visitors because it got #1 on Hacker News. No problem for the Uberspace server. Thanks for the interest!

Bytedance told me that they use this fingerprinting to identify malicious browser behaviour. I don't believe it, because the website still works if the script is blocked. Also they use Akamai's fingerprinting technology already on the server (which is another story to investigate).

They also use audio fingerprinting to identify visitors. This doesn't mean they actually use your microphone or speaker. Instead they generate a sound internally and record the bitstream, which also differs from device to device. This is what it sounds like.

One of them: Canvas Fingerprinting. They draw an image in the background using vector graphic commands. Afterwards they save the image to a rasterized PNG. This data is quite unique among different devices depending on settings and hardware.

But they also track who is watching the video. Among common trackers (Google Analytics) they use the highly controversial method of device fingerprinting to set a mostly unique hash to the cookie s_v_webid. This is done by combining typical hardware and browser characteristics.

I also checked the website which is important as all shared videos (via messenger or social media) are viewed there. The short URL e.g. vm[dot]tiktok[dot]com/9uTpDV will be resolved to a URL which contains the installation ID. Tiktok will be able to check who shared which video.

Hard to believe that this is covered by "legitimate interest" and transparency: Entered search terms are sent to Facebook.

This is my setup: I used mitmproxy to route all app traffic for analysis. See in this video how device information, usage time and watched videos are sent to Appsflyer and Facebook.

Good news for the : The mobile API from @pixelfed (the Instagram replacement) is finally live on flagship site pixelfed.social. Apps like @Tusky or @fedilab can post photos to your pixelfed account. A native pixelfed app will follow.

The "Privacy Enhanced Mode" is another one of Google's troll moves:

"Privacy Enhanced Mode allows you to embed YouTube videos without using cookies that track viewing behavior."

OK - no cookies. But instead a unique ID in local storage 🙄
