HACKER Q&A
📣 ryeguy_24

How prevalent is non-cookie-based web tracking today?


I just started reading about things like Header Enhancement and SuperCookies and find them to be quite egregious. Does anyone know how much of this activity is being used by big known companies?

For example, I just found out that my account settings at Verizon Wireless were allowing them to use Header Enhancement (UIDH), adding a unique identifier to every HTTP request I sent. So, if I log in to a site, they can associate the UIDH with my account, so the next time I'm in browser incognito mode they already know who I am (or have a good guess).


  👤 mirimir Accepted Answer ✓
Trying to circumvent tracking at the browser level is hopeless.

The only effective approaches that I know of are 1) using Whonix (best in Qubes) to connect via Tor; and 2) using multiple OS-level VMs that connect via different nested VPN chains.

And even then, there are risks from fingerprints that depend on GPU and virtual graphics drivers in VMs.

So when compartmentalization really matters, it's necessary to use different host machines, on different LANs (or at least vLANs).

Using Tor is rather painful, given all the CAPTCHAs. And the learning curve for Qubes is a little steep.

But using multiple VMs with different nested VPN chains is actually quite convenient, once you've set it up. I use a pfSense VM as the gateway router for each VPN service. So creating nested VPN chains is easy: You just create virtual networks of the pfSense VMs, with Linux workspace VMs wherever you like.

With a decent host machine, I can work ~seamlessly as a few low-isolation personas via nested VPN chains, and another few high-isolation personas via nested VPN chains and Whonix instances.


👤 dharmab
I don't want to go into much detail, but I work for a major company in this space, and most companies in the industry can track you with reasonable success even if you are logged out, over multiple devices. Your (approximate) location, browsing habits and patterns are good enough data to predict what kind of stuff you buy.

If you want to not be tracked, turn off JavaScript for a start.


👤 oil25
By far the biggest tracking offender is JavaScript. Enabling it could reveal your operating system, CPU/GPU architecture, screen resolution, draw a precise and unique canvas fingerprint, etc. There are also mutable browser headers like User-Agent, and of course your IP address. However, the more advanced and insidious tracking is based on your behavior: what time you're active, what WiFi networks are in range, who you communicate with, what your writing style is, and so on. Most of that collection happens on mobile phones, so I strongly advise against signing in on Android/iOS devices if you don't want to be tracked across the Web and beyond, or using telemetry-free open source mobile operating systems altogether.

👤 lucb1e
You give a USA-specific example, so I'll give one from where I live: aside from a few (like Google, Facebook, LinkedIn) that I suspect do things like recommendations or friend suggestions based on our static IP address, in the Netherlands it's virtually nonexistent. And illegal, at least without telling us that they do tracking (no matter whether it's through cookies; the law never even mentions cookies). Header injection (MITMing traffic) is something I only hear about from far away and seems very invasive to me.

Same in Germany, but there they have rotating IP addresses (which is both a pain (hosting) and a blessing (privacy)).

Hmm, although, would MAC address tracking count? That happens here and there (by roughly the same amount in any EU country, as far as I can tell, which is not very much), mostly with WiFi captive portals where you sign away your soul in the terms of service. I'm not sure about the legality (hiding GDPR consent in the TOS), but it happens. From experience, I can say that if you find out and you send them a letter with a copy of your ID, they'll happily give you all the data they have on any MAC address you claim.


👤 joyjoyjoy
Use browser plug-ins

* uBlock Origin

* NoScript

* Cookie AutoDelete plug-in, deletes cookies if the tab is closed

* (I also use I don't care about cookies for the EU cookie clusterfuck)

* CanvasBlocker

* Privacy Badger

* Glyph detection blocker

* Decentraleyes

* Privacy settings

* Privacy-Oriented Origin Policy

* WebRTC leak protection

* HTTPS Everywhere

* I have a browser spoofing plug-in too but don't think it works so well.

Use a VPN.

Use different browsers for different purposes.

Use startpage.com instead of Google.

Here, try your luck:

https://amiunique.org/

https://panopticlick.eff.org

Does not work so well. Instead of preventing canvas, fonts, browser ID etc., the plug-ins should randomize it.
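
The following is an added example, not code from this thread or from any of the add-ons listed above. It illustrates what oil25 and joyjoyjoy describe: a fingerprint is just a hash over a stable set of signals (user agent, languages, core count, screen geometry, a canvas rendering), and the difference between blocking a signal (every blocker reports the same constant, so the remaining signals still identify you) and randomizing it (the hash changes per visit). The signal values, the FNV-1a hash (chosen so the block runs in Node or a browser with no library), the `collectSignals` helper and the noise scheme are all assumptions made for the demo.

```javascript
// Added example, not from the original thread. All signal values are constructed.

// FNV-1a over UTF-16 code units; 32 bits is plenty to show stability/instability.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// A fingerprint is a hash of the signal list. Keys are sorted so the order of
// collection does not change the result.
function fingerprint(signals) {
  const parts = Object.keys(signals).sort().map(k => `${k}=${signals[k]}`);
  return fnv1a32(parts.join("|"));
}

// In a browser `win` is `window`; in Node pass a stub (or `{}`) and the
// canvas signal degrades to "unavailable". The canvas step draws text and
// exports the pixels, which differ by GPU, driver and font stack.
function collectSignals(win) {
  const nav = win.navigator || {};
  const scr = win.screen || {};
  let canvas = "unavailable";
  if (win.document && win.document.createElement) {
    const c = win.document.createElement("canvas");
    const ctx = c.getContext && c.getContext("2d");
    if (ctx) {
      ctx.textBaseline = "top";
      ctx.font = "14px Arial";
      ctx.fillText("fingerprint \u{1F60A}", 2, 2);
      canvas = c.toDataURL();
    }
  }
  return {
    ua: nav.userAgent || "",
    lang: (nav.languages || []).join(","),
    cores: nav.hardwareConcurrency || 0,
    screen: `${scr.width || 0}x${scr.height || 0}x${scr.colorDepth || 0}`,
    canvas,
  };
}

// Defence 1: block the canvas signal. Every blocker user now reports the same
// constant, so two users who differ only in canvas become indistinguishable
// from each other, but the rest of their signals still hash the same way
// across visits.
function blockCanvas(signals) {
  return { ...signals, canvas: "blocked" };
}

// Defence 2: randomize it. A little per-visit noise in the exported data means
// the same browser hashes differently every time. `rand` is injectable so the
// behaviour is testable; in production it would be Math.random or crypto.
function randomizeCanvas(signals, rand = Math.random) {
  const noise = Math.floor(rand() * 0xffff).toString(16).padStart(4, "0");
  return { ...signals, canvas: signals.canvas + ":" + noise };
}

// Constructed sample: two visitors identical except for their canvas output.
const VISITOR_A = {
  ua: "Mozilla/5.0 (X11; Linux x86_64) Firefox/70.0",
  lang: "en-US,en",
  cores: 8,
  screen: "1920x1080x24",
  canvas: "data:image/png;base64,AAAA",
};
const VISITOR_B = { ...VISITOR_A, canvas: "data:image/png;base64,BBBB" };

function demo() {
  return {
    // same signals on two visits -> same hash -> trackable without cookies
    stableAcrossVisits: fingerprint(VISITOR_A) === fingerprint({ ...VISITOR_A }),
    // different canvas output separates A from B
    canvasSeparatesUsers: fingerprint(VISITOR_A) !== fingerprint(VISITOR_B),
    // blocking collapses A and B onto one value (and that value is still stable)
    blockedUsersCollide: fingerprint(blockCanvas(VISITOR_A)) === fingerprint(blockCanvas(VISITOR_B)),
    // randomizing makes the same browser hash differently per visit
    randomizedDiffers: fingerprint(randomizeCanvas(VISITOR_A, () => 0.1)) !==
                       fingerprint(randomizeCanvas(VISITOR_A, () => 0.9)),
  };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

Run `node fingerprint.js` to see the four checks; in a browser, `fingerprint(collectSignals(window))` gives a value you can compare against the amiunique.org result for the same machine.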


👤 ignoramous
Apart from the usual canvas / webrtc in-browser shenanigans, the most surprising one that I found was using a dns cookie to track users across browsers and devices discovered/invented/disclosed by u/DanielDent: https://news.ycombinator.com/item?id=20219878

> As with traditional HTTP cookies, DNS cookies can be used to track users on the web. They have no concept of "first party" or "third party" and can be read across different websites or from a different browser. They can also be used outside the web environment, for instance to track a web conversion which occurs after reading an email but not clicking on a link, or to track a sign-up in a mobile application after viewing a website. They also have application in DDoS mitigation - especially on IPv6 networks.

I am curious what other techniques are in active use to track a user across devices / software...
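
The following is an added, simplified model of the technique in the linked thread; it is not DanielDent's code and does not reproduce his implementation. The idea it models is that a DNS cache is writable storage: the tracker's authoritative server answers a fixed name with a freshly allocated address from a range it controls and a long TTL, whatever cache sits between client and tracker (OS stub resolver, shared recursive resolver) keeps that answer, and later lookups of the same name from any browser or app behind that cache return the cached value, which the tracker reads back from the address the client connected to. The name `c.track.example`, the `10.77.0.0/16` encoding prefix, the TTL and the ID allocation scheme are assumptions made for the demo.

```javascript
// Added example, not from the linked thread. Names, prefix and IDs are constructed.

const TRACKER_NAME = "c.track.example";
const TRACKER_PREFIX = [10, 77];     // constructed: 10.77.hi.lo carries a 16-bit ID
const COOKIE_TTL = 7 * 24 * 3600;    // one week, long enough to outlive a session

// Authoritative side: every uncached lookup gets a new ID encoded in the A record.
function makeAuthoritative() {
  let next = 1;
  return {
    answer(qname) {
      if (qname !== TRACKER_NAME) return null;
      const id = next++;
      const address = `${TRACKER_PREFIX[0]}.${TRACKER_PREFIX[1]}.${id >> 8}.${id & 0xff}`;
      return { name: qname, address, ttl: COOKIE_TTL };
    },
  };
}

// A caching resolver shared by every client behind it. `now` returns seconds
// and is injectable so TTL expiry can be simulated.
function makeResolver(auth, now = () => Date.now() / 1000) {
  const cache = new Map();
  return {
    resolve(qname) {
      const hit = cache.get(qname);
      if (hit && hit.expires > now()) return hit.address;   // served from cache
      const rr = auth.answer(qname);
      if (!rr) return null;
      cache.set(qname, { address: rr.address, expires: now() + rr.ttl });
      return rr.address;
    },
  };
}

// Tracker web server: it owns the whole prefix, so whichever address the client
// connects to tells it which cache entry (which "cookie") the client holds.
function decodeCookie(address) {
  if (!address) return null;
  const o = address.split(".").map(Number);
  if (o.length !== 4 || o[0] !== TRACKER_PREFIX[0] || o[1] !== TRACKER_PREFIX[1]) return null;
  return (o[2] << 8) | o[3];
}

// One client visit: resolve the name, connect, and let the server decode the ID.
function visit(resolver) {
  return decodeCookie(resolver.resolve(TRACKER_NAME));
}

function demo() {
  let clock = 0;                                  // simulated seconds
  const auth = makeAuthoritative();
  const homeResolver = makeResolver(auth, () => clock);
  const cafeResolver = makeResolver(auth, () => clock);
  const firefoxAtHome = visit(homeResolver);      // first lookup allocates ID 1
  const chromeAtHome = visit(homeResolver);       // different browser, same cache: ID 1
  const laptopAtCafe = visit(cafeResolver);       // different cache: ID 2
  clock += 8 * 24 * 3600;                         // past the TTL, the home entry expires
  const homeLater = visit(homeResolver);          // re-fetched: ID 3
  return { firefoxAtHome, chromeAtHome, laptopAtCafe, homeLater };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

The model makes the two properties from the quote concrete: the value is shared by every browser and app behind one cache (no first/third-party boundary), and it identifies the cache rather than the person, so a laptop carried to another network gets a new ID and a flushed cache or an expired TTL resets it.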


👤 soared
Excellent reading for anyone interested in the subject from a technical and business/enterprise point of view. This gets rid of the FUD of 'browser fingerprinting' and uses actual industry terms.

https://blogs.gartner.com/martin-kihn/how-cross-device-ident...

https://blogs.gartner.com/martin-kihn/how-cross-device-ident...


👤 soumyadeb
I would think Header Enhancement is not widely used (only a few ISPs or so use it), but browser fingerprinting must be quite widespread. It is hard to detect from the client side, so it's hard to say how widespread it is.

Here is a study of fingerprinting effectiveness. Not what you wanted but a worthwhile read.

https://medium.com/slido-dev-blog/we-collected-500-000-brows...


👤 air7
I can't provide stats on your questions, but as per your example, your ISP can only add headers to non-SSL traffic. Any website you access with HTTPS is safe from this type of privacy violation.

So as "Encrypted web traffic now exceeds 90%" [0] I'd guess at least this type of tracking is gone.

[0] https://news.ycombinator.com/item?id=21421195
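
The following is an added example, not code from this thread, Verizon or any site. It models the two halves of the scenario in the question and in air7's reply: an ISP middlebox that appends a subscriber identifier (the header Verizon used was `X-UIDH`) to requests it can see, and a site that records the header value against a logged-in account and then recognises the same subscriber on a later cookieless (incognito) visit. Because the middlebox can only rewrite plaintext, the example shows the HTTPS request arriving without the header. The subscriber token, hostnames, account name and the `store` shape are assumptions made for the demo.

```javascript
// Added example, not from the original thread. Tokens and names are constructed.

const UIDH_HEADER = "x-uidh";   // header name Verizon used; value below is made up

// The ISP's middlebox. It only sees plaintext HTTP, so the header is appended
// to "http" requests and the TLS request passes through untouched.
function ispEnrich(request, subscriberId) {
  if (request.scheme !== "http") return request;
  return { ...request, headers: { ...request.headers, [UIDH_HEADER]: subscriberId } };
}

// The site's request handler. `store` is a Map persisted across visits,
// mapping a UIDH value to an account name. `request.user` is the account
// authenticated by a session cookie, or null for incognito/logged-out visits.
function siteHandle(request, store) {
  const uidh = request.headers[UIDH_HEADER];
  if (!uidh) return { user: request.user, inferred: null };
  if (request.user) {
    store.set(uidh, request.user);                  // learn: header value -> account
    return { user: request.user, inferred: null };
  }
  return { user: null, inferred: store.has(uidh) ? store.get(uidh) : null };   // recognise
}

// Three visits from one subscriber: logged in over HTTP, then incognito over
// HTTP, then incognito over HTTPS. Only the second can be tied back to "alice".
function demo() {
  const store = new Map();
  const subscriber = "OTgxNDI2NjI";   // constructed subscriber token
  const visits = [
    { scheme: "http",  host: "news.example", headers: {}, user: "alice" },
    { scheme: "http",  host: "news.example", headers: {}, user: null },
    { scheme: "https", host: "news.example", headers: {}, user: null },
  ];
  return visits.map(v => siteHandle(ispEnrich(v, subscriber), store));
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

The only input the site needs is one authenticated request carrying the header; after that the subscriber is identified on every plaintext visit regardless of cookies or private browsing, which is why the question calls the practice egregious and why the HTTPS share air7 cites matters for this specific technique.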


👤 soared
The most common non-cookie-based tracking is cross-device graphs that are registration based (reg based) and run by Facebook/Google/LinkedIn/Pinterest/etc. If you've ever logged in to Facebook (or haven't logged in) and a site has an FB pixel or share button, it's much easier for them to track you.

These all have cookie/nonreg-based components, and there are plenty that don't rely on reg based data at all.


👤 Left4Yee
Google's CAPTCHA only works if a WebGL canvas is available. If it's not available, they give me infinite CAPTCHAs and never let me through.

👤 Cactus2018
FYI about these two websites that demonstrate the various data your browser shares:

https://browserleaks.com/

https://webkay.robinlinus.com/


👤 fonosip
Here's an option for adblock + vpn. https://ba.net/adblockvpn