This site shows you how unique your system appears: http://panopticlick.eff.org/
When you combine things like screen-resolution, installed fonts, etc. you get a pretty-unique profile of each person.
Bruce Schneier addresses the topic here: http://www.schneier.com/blog/archives/2010/01/tracking_your_...
How UberVu mapped this back to an actual email address is a separate matter - but I'm guessing they used the profile of his machine and connected it to a matching profile they had access to from some site he does authenticate with.
Now extend that concept to Google. They've got their digital hooks on millions of sites using Google Analytics. They can map those hits back to an IP address that correlates to a GMail login and get a pretty good idea about where else their users browse.
I haven't done the math, but I have a feeling it just keeps dividing by the "one in x browsers have this value". Maybe it doesn't look at the intersections, for example: Using Totem as the default wmv player is rare and using Ubuntu is rare but reporting Totem as .wmv player is going to be a lot less rare amongst Ubuntu users than it is amongst Windows users.
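The intersection point raised in the comment above, worked through as an added example (not part of any comment in this thread and not Panopticlick's code). It compares summing per-attribute "one in x" bits against the surprisal of the combined value; the browser counts are constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample: (operating system, default .wmv player) -> browser count.
SAMPLE = {
    ("Windows", "Windows Media Player"): 950,
    ("Windows", "Totem"): 10,
    ("Ubuntu", "Totem"): 54,
    ("Ubuntu", "Windows Media Player"): 10,
}
TOTAL = sum(SAMPLE.values())  # 1024 browsers


def surprisal(count, total=TOTAL):
    """Bits of identifying information for a value seen in count/total browsers."""
    return -math.log2(count / total)


def marginal_counts(index):
    """Count browsers per value of a single attribute (0 = OS, 1 = player)."""
    counts = Counter()
    for key, n in SAMPLE.items():
        counts[key[index]] += n
    return counts


def naive_bits(fingerprint):
    """Sum per-attribute surprisal: 'keep dividing by one in x', assuming independence."""
    return sum(surprisal(marginal_counts(i)[v]) for i, v in enumerate(fingerprint))


def joint_bits(fingerprint):
    """Surprisal of the whole combination, which reflects correlated attributes."""
    return surprisal(SAMPLE[fingerprint])


def one_in(bits):
    """Convert bits back to 'one in x browsers'."""
    return 2 ** bits


if __name__ == "__main__":
    fp = ("Ubuntu", "Totem")
    print(f"naive: {naive_bits(fp):.2f} bits, one in {one_in(naive_bits(fp)):.0f}")
    print(f"joint: {joint_bits(fp):.2f} bits, one in {one_in(joint_bits(fp)):.1f}")
```

In this sample the naive sum reports 8 bits (one in 256) while the combination actually occurs in about one in 19 browsers, so treating correlated attributes as independent overstates uniqueness.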
My previous comment on this: http://news.ycombinator.com/item?id=4479876
Since the iPhone 5 makes up more than one in 200,000 of the Internet's traffic, even that "relatively low" uniqueness is worrisome.
I try to do most of my browsing in a different browser from the one I log into FB/Google with.
I did not have too much traffic from fb or twitter to think that is because I took their buttons out.
Anyway, I prefer to avoid those sites tracking my readers, savvy people can anyway share my content if they want.
So, if you want is http://www.garron.me :). Just kidding.
https://github.com/snowplow/snowplow/blob/master/1-trackers/...
I'm skeptical of its utility on its own - though when you add timezone, IP address and screen resolution, it may start to get mostly-unique.
Anyway we're waiting on some of our bigger users (millions of page views per day) to report back on its uniqueness - should be interesting...
[1] Excerpt: "Facebook seems to detect an active NoScript and replaces external links with tracked ones." from https://addons.mozilla.org/en-US/firefox/addon/google-privac...
I'm going to do it anyway, though on principle. And I encourage all of you to do the same. ;)
The only way DNT will work is if it's legally mandated, and I don't think that's gonna happen (though I could be wrong).
Yep, that's nasty, but this is much worse still: getting visitor names & email contact info.
The LeadLander product seems to identify users by company name (most likely by checking the IP address/netblock) and then "integrates" with LinkedIn and Jigsaw in order to contact (spam?) the users by email (see: http://www.leadlander.com/web_analytics.asp).
Definitely interesting, but legal? Not very likely...
There is nothing in the US that makes this sort of activity illegal. The exceptions would include minors, health or certain financial information. Excluding that, unless it goes against something stated in their policies it is perfectly legal in the US.
f :: IPAddress -> [Maybe EmailAddress]
I am guessing that in order to get this function to work, the ad company would have a contract with a company such as LinkedIn or Twitter, who can perform this mapping, based on their server logs. EDIT: talking about relead.com mentioned in a g+ reply.
As I read their pitch, they identify the company a visitor to your site represents, and then they suggest the contacts at that company and give you a bunch of info about the company and the key staff.
"Unmatched in quality and accuracy We can track exactly WHO is visiting your website, and how valuable or interested they are in your business"
"See complete company profiles of your visitors: Company Name, Industry, Size. We'll also be adding Credit Risk soon."
What do you mean by "connect"? Do you mean you didn't visit any of UberVu's social media pages, or that you didn't load any of the tracking-related assets that their website includes? Right now, Ghostery is reporting 5 tracking-related assets on their home page, including something called LeadLander. Click around a bit, and you might even come across assets that are loaded directly from a social media service that you use. Or maybe your browser willingly supplied personally identifiable information to them without telling you about it. Like auto-completing some fields in a hidden form, or automatically connecting to an identity provider that the website happens to support.
Every time I try Panopticlick [1], it tells me that my browser is unique among millions. I guess it means I'm leaving greasy fingerprints everywhere I go, even with AdBlock and Ghostery enabled, and even without logging in anywhere.
At least that is the worst offender to my identity, revealing 21.29+ bits of information.
For the life of me, I can't figure out how to link directly to a specific reply in Google+, but here's the reply from UberVU:
"Elisabeth Michaud Hi Sumit - Elisabeth from uberVU here (I also run the uberVU twitter account where we were chatting earlier). Niek is right that we have been using a tool called LeadLander (based in San Francisco) to help us connect with companies who visit our site. We take privacy very seriously and definitely don't want visitors to our site to feel we are overstepping our boundaries. As such, we've decided as a team to discontinue our use of LeadLander and focus our efforts on other ways to engage website visitors. You won't see any further emails from us, and these changes will be implemented globally.
If you have any further concerns, don't hesitate to reach out to me at <redacted>"
It seemed like it would be effective overall, considering their product and audience, so I'm surprised they backed away from it so quickly.
Everyone should use Firefox and install/do these:
- BetterPrivacy (removes supercookies)
- RefControl (to stop sending http referrers)
- User Agent Switcher (just in case)
- HTTPS-Everywhere
- Disable third party cookies in Preferences > Privacy
- Use a VPN
- Change Google for StartPage
- Use fake accounts (eg: youtube) and emails (dispostable.com) whenever possible. This is very easy if you have a password manager like LastPass, you don't have to remember many passwords.
With all this, you can surf the web quite safely, unless someone with your ID is creating a shared database of fingerprint/ID pairs. In that case you will also have to remove all your other plugins or use NoScript.
It took me a half hour to explain how to use NoScript to a non-technical person the other day. This stuff is not intuitive, and it will take time to educate our friends and family. Now that Facebook has made it acceptable for normal folks to be social on the web, we must be persistent in teaching these people to protect themselves.
That would not prevent all types of tracking but it would give people using panopticlick-like tracking techniques a few headaches...
A virtual machine or USB boot disk that allows nothing to be written to disk, and destroys all the memory contents on shutdown. Oh, and all connections are forcefully proxied through TOR.
What I would love to know is how they take that and get an email address out of it. Which 3rd party are they working with that 1) had the IP -> email address link, or this guy logged in and 2) is willing to share that data with a 3rd party?
Now, any site you visit that is able to check that 3rd party cookie knows all about you.
I don't know which 3rd parties do it, though.
That said, don't believe the sales copy on their websites. They will tell you that they can reliably identify the individual, but that is horseshit.
They usually maintain and/or purchase access to lists of people who work at companies and have relevant job titles. The lists are captured from multiple sources ranging from stuff publicly posted on company websites to business cards collected (and sold) at trade shows/conferences. There are lots of other sources and I'm sure this audience can think of many on their own.
Company/ip/id can be gleaned from either an ip block or someone who registered to download a free report or other content from a partner site at some prior time.
Sure you'll sometimes get the contact for the exact person that browsed the site, but you'll often get it wrong. That said, it could still be valuable to contact someone at the company about your services, because if one person is looking into it, then someone else might be interested too.
The tech/idea certainly isn't new - I've been getting pitched it for 5+ years.
That sort of information doesn't feel creepy to me, it's basically what you could do manually with info from the server logs and lots of searching (DNS, Google, LinkedIn).
If they are using information from another website where the user is logged-in to get the contact information it might be illegal, as it is likely that the first website's privacy policy doesn't say they are giving away that information. If company X uses LeadLander, and LeadLander gathers a user's email address from them, then gives that address to company Y when the same person visits, company X might be breaking the law because they are giving away personal information without stating it in their privacy policy. And privacy policies are required by California law.
Links to: plus.google.com
That's hilarious.
https://panopticlick.eff.org/browser-uniqueness.pdf
From the paper:
"By observing returning visitors, we estimate how rapidly browser fingerprints might change over time. In our sample, fingerprints changed quite rapidly, but even a simple heuristic was usually able to guess when a fingerprint was an 'upgraded' version of a previously observed browser's fingerprint, with 99.1% of guesses correct and a false positive rate of only 0.86%"
http://venturebeat.com/2012/12/08/anonymous-tracking-now-inc...
Sadly, the Internet is now full of companies who want to use it as a vehicle for advertising and who are obsessed with building up a dossier on as many people as possible, to exploit for financial gain. Your privacy means nothing to these companies; they will collect as much information about you as possible, with no regard for your wishes.
I take active countermeasures against these hostiles. I browse with javascript disabled. I don't have flash installed. I don't accept cookies blindly. I adjust my user agent. I run my own DNS server and cache and have hundreds of sites blackholed, including facebook, google analytics, and all the major ad servers.
It's some trouble to set all this up, and inconvenient at times. But unfortunately it's a jungle out there, and the default setup of browsers leaves you like a naked person in a mosquito-infested swamp.
This actually has fewer than the average for tracking cookies placed on a homepage yet they are able to uniquely identify you. Privacy isn't gone on the web, but it is getting harder by the day. Some data can be passed outside of cookies and just through loading the scripts, but in general this site seems to be much ahead of average. (~10 unique domained scripts and ~7 unique domained cookies).
Super creepy, chewed the sales person out and told them to go away. But this is a thing.