HACKER Q&A
📣 2rsf

Refusing all cookies, still targeted by ads. How?


On a blank new work computer using Chrome but not logged in, I refuse all cookies but still see myself being tracked, for example by ads targeted to my surf history.

I could think of sophisticated methods, but maybe the simple answer is that refusing cookies doesn't actually do anything?


  👤 jerf Accepted Answer ✓
Cookies were a simple concept that politicians could glom on to and legislate around, but, yes, they're quite unimportant in the grand scale of things.

In the end, you've got two things to work with: Things you can convince the browser to actively identify itself with, and the things you can track regardless.

Cookies are in the first category, but they are not alone. You can get things as simple as presenting an entire site with customized URLs that track a user through querystrings being appended to everything with an identifier. You can track certain caching differences. You can program a website to use local storage and submit a token on every URL click with a fairly simple handler. This isn't even remotely a complete list.

In the second category, you've got IP address, browser versions, various settings... see something like https://www.amiunique.org/ .

In a nutshell, your rich browser experience leaks so much data along so many axes that it is essentially inconceivable that you could ever prevent yourself from being fingerprinted. What you can do is try to detach that fingerprint from a real person, to a certain extent rotate what you can, etc. But in reality you can't be shipping up kilobytes of header information on each web request and expect there isn't something in there that can track you.

https://www.amiunique.org/fingerprint says I'm 100% unique; with all the red lighting up I'm not surprised.


👤 mabbo
Fingerprinting.

Everything about you that isn't identical to everyone else can be combined to guess who you likely are. Your exact browser version, OS, supported APIs, your IP address, your latency to Google servers... Anything that isn't a complete match to everyone else.

You may have a new install, but your IP and latency match your old install. What are the odds you're not the same person?

It's all probabilistic. But Google has a lot of incentive to get really good at making those guesses.


👤 hosh
The current techniques push as many signals as possible to get a device fingerprint, which is then correlated with activity. It uses the pre-LLM machine learning methods to get such a picture.

Sources of these signals are often abuses of protocols used to enhance UX across devices. Examples include:

- Fonts installed (https://gist.github.com/szepeviktor/d28dfcfc889fe61763f3)

- Power saving telemetry (https://developer.mozilla.org/en-US/docs/Web/API/Battery_Sta...)

- Screen size - https://developer.mozilla.org/en-US/docs/Web/API/Screen

- Deep Packet Inspection — not just IP addresses anymore - https://en.m.wikipedia.org/wiki/Deep_packet_inspection

These are all tools meant to help users, but they can be used for collecting signals for targeted ads.

I am sure there are more techniques that are just not publicly talked about.

I have been asked by extended family members about blocking transmissions from devices so they cannot be tracked. There really is an illusion that the device actively listens on the microphone in order to target ads. I told them that some places don’t need to transmit microphone in order to collect signals for device fingerprinting, and that is scarier.



👤 leonidasv
Recently, I discovered that SwiftKey keyboard (I assume) was leaking tracking data from Incognito on Android. I would open an Incognito tab in Chrome, the keyboard would show up in "anonymous" mode, but products I searched for still turned into ads in Facebook/Instagram and AdSense in a couple of minutes.

I assume it was SwiftKey since it was the only piece of software that had access to those keywords besides Chrome itself (which I assume is not the leaker since it never leaked data from Incognito on desktop and because it also happened in Firefox Private Browsing). The "Am I Unique" fingerprint for an Incognito vs a regular tab is also different, so I assume it's not a matter of fingerprinting with server-side tracking.

We are being tracked by the least suspicious pieces of software nowadays, it's becoming more and more difficult to know where the actual tracking came from as we add more and more layers of complexity into our computers. It's scary to think about.


👤 Gasp0de
There are so many ways to track you. Think about the combination of IP address, user agent string, display resolution, supported APIs on your browser version. They might already be unique among everyone who uses your IP.
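
An added example (not part of any comment in this thread) of the point about attribute combinations: it counts how many visitors in a small constructed population stay indistinguishable from one target as IP address, user agent and screen resolution are combined. The population, attribute names and function names are assumptions made for illustration.

```javascript
// Constructed sample population (not real traffic): one row per visitor.
const VISITORS = [
  { ip: "203.0.113.7", ua: "Chrome/114 Windows", screen: "1920x1080" }, // target
  { ip: "203.0.113.7", ua: "Chrome/114 Windows", screen: "2560x1440" },
  { ip: "203.0.113.7", ua: "Firefox/115 Linux", screen: "1920x1080" },
  { ip: "203.0.113.7", ua: "Chrome/114 macOS", screen: "1440x900" },
  { ip: "198.51.100.20", ua: "Chrome/114 Windows", screen: "1920x1080" },
  { ip: "198.51.100.20", ua: "Chrome/114 Windows", screen: "1920x1080" },
  { ip: "192.0.2.55", ua: "Chrome/114 Windows", screen: "1920x1080" },
  { ip: "192.0.2.55", ua: "Safari/16 macOS", screen: "1440x900" },
];

// Visitors indistinguishable from `target` on the given attributes.
function anonymitySet(population, target, attrs) {
  return population.filter((v) => attrs.every((a) => v[a] === target[a]));
}

// Add attributes one at a time and record how far the set shrinks.
// bits = log2(population / set size): the information the combination reveals.
function narrow(population, target, attrs) {
  return attrs.map((_, i) => {
    const used = attrs.slice(0, i + 1);
    const size = anonymitySet(population, target, used).length;
    return { attrs: used.join("+"), size, bits: Math.log2(population.length / size) };
  });
}

const target = VISITORS[0];
console.table(narrow(VISITORS, target, ["ip", "ua", "screen"]));
// Same browser attributes without the IP: the target hides among several others.
console.table(narrow(VISITORS, target, ["ua", "screen"]));
```

In this sample the browser attributes alone leave the target in a group of four, while adding the shared IP makes the same attributes unique.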

👤 larata_media
Cookie sharing networks never actually needed to use cookies to share information about you. It’s ironic, but true. The disclaimers about using cookies and the regulations about providing those disclaimers never actually did anything to protect your privacy.

👤 badrabbit
Use a VPN and disposable VMs and then you can even allow cookies. If that isn't practical you will have to disable JS to prevent fingerprinting.

Although, while fingerprinting is a thing, most people get targeted because they use their home IP. This is one good reason why a good VPN provider is better than WireGuard on a VPS.


👤 fool17462
If you are at all concerned with privacy, why are you using Chrome? It should be no surprise that the browser built by one of the largest data-harvesting companies in the world is pretty good at harvesting your data...

If this is a concern for you, maybe consider Firefox? Then grab some extra privacy-conserving extensions like ublock, adnauseam, privacy badger, privacy possum, ghostery, decentraleyes, clearURLs, IStillDontCareAboutCookies, etc.

I get that this is a work machine and you may not have admin rights to install Firefox but any IT manager worth their salt won't refuse a request to change browser, especially if the motivation is personal security.

If they really don't budge (or you are too welded to the Google ecosystem to part with their browser) then maybe you could look for some of the extensions I mentioned above on Chrome?


👤 jsnell
> I could think of sophisticated methods, but maybe the simple answer is that refusing cookies doesn't actually do anything?

This is a great opportunity to conduct a double blind experiment! Set up three Chrome profiles: your current one, one that's totally fresh, and one that's connecting from a different IP over a Socks proxy. Write a script to randomly start Chrome with one of these profiles; every hour quit the browser, restart it with a random profile, and record the ads you see. Do they all get the same distribution of ads? Do they start out different, but eventually converge?


👤 brucethemoose2
You need tracker blocking extensions, and/or a "degoogled" version of Chrome like Thorium or Brave.

My usual loadout is Thorium + the EFF's Privacy Badger extension, and sometimes UBO.


👤 whywhywhywhy
I've noticed Google now syphons data from my searches to feed my YouTube recommendations, always felt like two separate systems until about a month ago.

👤 cookiengineer
- IPs are relevant

- Your DNS server is relevant, especially if it's Google's or Cloudflare's or your ISP's DNS

- ETags can be used like fingerprints

- LastModified can also be used for fingerprints

- Pragma can be abused for long-living fingerprints in your Browser Cache

- AdMob has ultrasonic support. Not kidding, ads can be delivered to your phone while you watch TV - via unhearable sound signals. [1] usually called uXDT or XDT.

- Chrome has multicast DNS support to discover surrounding devices (and Browser instances). Check DNS-SD for details, and what can be discovered.

- Also the data for Chrome's locally trained neural net (aka FLoC) is inside the profile folder but won't be cleared with Browser History.

- (unlikely) TLS fingerprint is usually coupled with User-Agent on the server side, so rotating your User-Agent is pointless if you don't change the TLS fingerprint (which you can't without recompiling the Browser Engine).

Welcome to the new world. I miss the good ol' HTTP/1.1 days.

[1] (German) https://de.m.wikipedia.org/wiki/Cross-Device_Tracking


👤 MS27
It doesn't depend on cookies or any other site settings. Just use an ad-blocker.

👤 jefftk
> maybe the simple answer is that refusing cookies doesn't actually do anything?

I agree with all the other comments that are saying this is probably fingerprinting, but you can check whether refusing cookies is doing anything. Two ways:

1. On a page where you refused all cookies but are seeing targeted ads, open developer tools and go into the "Application" tab. Open up Storage > Cookies. Do you see anything listed? You should see nothing there. You also shouldn't see anything in the rest of storage, since "cookie" consent is really "client-local storage consent".

2. You can check whether cookies were sent on particular network requests, like the ones to the ad companies. Open a new tab, open devtools, open networking. Then paste the URL in the url bar. Find an ad request in the networking tab: do you see a "Cookies:" header? If so, it sent a cookie for you.
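
The second check can also be run over a HAR file exported from the devtools Network tab. This is an added example, not code from the thread: it lists every request that carried a `Cookie` request header or received `Set-Cookie`, and marks third-party hosts. The HAR fragment is constructed, and the two-label site comparison is a simplification (a real check would use the Public Suffix List).

```javascript
// Constructed HAR fragment (HAR 1.2 layout), standing in for a devtools export.
const SAMPLE_HAR = { log: { entries: [
  { request: { url: "https://news.example/article", headers: [] },
    response: { headers: [] } },
  { request: { url: "https://ads.adnet.example/bid?slot=1",
               headers: [{ name: "cookie", value: "uid=constructed123" }] },
    response: { headers: [] } },
  { request: { url: "https://cdn.metrics.example/t.js", headers: [] },
    response: { headers: [
      { name: "Set-Cookie", value: "vid=constructed456; Max-Age=31536000" }] } },
] } };

// Header names are case-insensitive; HTTP/2 entries appear in lowercase.
const headerValues = (headers, name) =>
  headers.filter((h) => h.name.toLowerCase() === name).map((h) => h.value);

// Naive site key: the last two host labels (assumption, see lead-in).
const site = (url) => new URL(url).hostname.split(".").slice(-2).join(".");

// One finding per request that sent or was handed a cookie.
function cookieAudit(har, pageUrl) {
  const findings = [];
  for (const { request, response } of har.log.entries) {
    const sent = headerValues(request.headers, "cookie");
    const set = headerValues(response.headers, "set-cookie");
    if (sent.length === 0 && set.length === 0) continue;
    findings.push({
      host: new URL(request.url).hostname,
      thirdParty: site(request.url) !== site(pageUrl),
      // Report cookie names only; the values are the identifiers themselves.
      sentNames: sent.flatMap((v) => v.split(";").map((c) => c.trim().split("=")[0])),
      setNames: set.map((v) => v.split("=")[0].trim()),
    });
  }
  return findings;
}

console.table(cookieAudit(SAMPLE_HAR, "https://news.example/article"));
```

An empty result after refusing consent means no cookie went over the wire in that capture; it says nothing about fingerprinting or other client-side storage.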


👤 wafflemaker
If you don't use DNS over HTTPS (available in Firefox, maybe in some other browsers too), then all the pages you browse are leaked to your ISP, who is happy to sell that information to data aggregators. Since I started using DNS over HTTPS and uBlock Origin on mobile, I hardly ever get any relevant ads.

👤 hilbert42
I allow cookies at least for the session or until the browser closes and I take simple steps to block ads and I never see them on either my PC or Android phone.

I used to use stricter methods such as blocking cookies outright or having them automatically delete upon receipt and changing the browser's user agent but it's not necessary to go to those lengths.

If one wants to see ads then fine, if you don't then you don't have to, even YouTube ads can easily be avoided. As this ad problem arises so frequently and as the solutions are so simple one has to ask why is it so difficult to get the point across that getting rid of ads is simple.


👤 ParetoOptimal
An easy fix is to use something like mullvad-browser:

https://mullvad.net/en/browser/mullvad-browser

Though it's annoying having bars around browser to prevent display resolution fingerprinting.

You'll also not be able to login to some sites like tiktok (and probably others) which I don't know the fix for without just disabling all tracking protection.


👤 Sundeepsharma01
Refusing all cookies alone may not completely prevent you from being targeted by ads. While cookies play a significant role in tracking user behavior and serving targeted ads, there are other methods that advertisers and platforms can use to target users. Here are a few reasons why you might still see targeted ads even if you refuse all cookies:

1. Device Fingerprinting: Advertisers can use techniques such as device fingerprinting to gather information about your device, browser settings, operating system, and other characteristics. This information can be used to create a unique identifier for your device, allowing advertisers to target you with ads based on your device's attributes rather than relying on cookies.

2. IP Address Tracking: Your IP address is a unique identifier assigned to your device when connected to the internet. Advertisers can use your IP address to approximate your location and deliver ads based on your geographic location.

3. Behavioral Tracking: While cookies are commonly used for behavioral tracking, advertisers can also use other methods like pixel tags, web beacons, and JavaScript code to track your online activities across websites. These techniques allow advertisers to monitor your browsing behavior and serve targeted ads based on your interests and preferences.

4. Contextual Targeting: Advertisers may rely on contextual targeting, which involves analyzing the content of the web pages you visit or keywords used in search queries to determine relevant ads to display. This approach doesn't necessarily rely on cookies or personal data but focuses on the context of the content you engage with.

5. Data from Third-Party Sources: Advertisers may obtain data from third-party sources such as data brokers, social media platforms, or other online services. These data sources can provide information about your interests, demographics, or browsing history, enabling advertisers to target you with personalized ads even if you refuse cookies.

It's important to note that different platforms and advertising networks have varying approaches to ad targeting and user tracking. While refusing cookies can reduce the effectiveness of certain tracking methods, it may not completely eliminate all targeted advertising.

To enhance your privacy and reduce targeted ads, you can consider additional measures such as using browser extensions or privacy-focused browsers, enabling ad blockers, adjusting privacy settings on your devices and online accounts, and being cautious about the information you share online.


👤 princevegeta89
This shit is so hard to control. The only way to control it is adblockers like uBlock and/or DNS-wide solutions like PiHole

👤 leephillips
There are plenty of ways to fingerprint you aside from cookies, as you’ve probably surmised (“sophisticated methods”).

👤 rubyn00bie
ETags can be used to track you and likely are, especially at the network level. Additionally your network provider may be adding headers to your requests which enable you to be identified. Finally, your browser and device combination are probably configured in a way that gives you a fairly unique identifier.
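
An added example, not from the thread, for the ETag tracking mentioned here and in cookiengineer's list: a browser stores a response's ETag and returns it in `If-None-Match` on the next visit, so a server that issues a different ETag per visitor gets a cookie-like identifier back. The check below flags resources whose ETag differs between clean browser profiles although the body is byte-identical; the observations, hostnames and function name are constructed for illustration.

```javascript
// Constructed observations: two clean browser profiles (A, B) each load the
// same resources on two visits. bodyHash is a shortened hash of the body.
// Row: [url, bodyHash, profile, ETag on visit 1, ETag on visit 2]
const OBSERVATIONS = [
  ["https://static.example/app.js", "9c1f", "A", '"v42"', '"v42"'],
  ["https://static.example/app.js", "9c1f", "B", '"v42"', '"v42"'],
  ["https://tracker.example/pixel.gif", "e3b0", "A", '"7d1e90aa"', '"7d1e90aa"'],
  ["https://tracker.example/pixel.gif", "e3b0", "B", '"02ac41f3"', '"02ac41f3"'],
  ["https://lb.example/logo.png", "51d2", "A", '"1a-5f0"', '"2b-5f0"'],
  ["https://lb.example/logo.png", "51d2", "B", '"2b-5f0"', '"1a-5f0"'],
];

// Flag URLs where identical content carries an ETag that is stable for each
// profile yet different for every profile: a validator acting as an ID.
function suspiciousValidators(rows) {
  const byResource = new Map(); // "url bodyHash" -> Map(profile -> Set of ETags)
  for (const [url, bodyHash, profile, ...etags] of rows) {
    const key = `${url} ${bodyHash}`;
    if (!byResource.has(key)) byResource.set(key, new Map());
    const perProfile = byResource.get(key);
    if (!perProfile.has(profile)) perProfile.set(profile, new Set());
    etags.forEach((e) => perProfile.get(profile).add(e));
  }
  const flagged = [];
  for (const [key, perProfile] of byResource) {
    const sets = [...perProfile.values()];
    if (sets.length < 2) continue; // one profile cannot show per-client variation
    const stablePerProfile = sets.every((s) => s.size === 1);
    const distinctValues = new Set(sets.flatMap((s) => [...s]));
    // Backends behind a load balancer can emit differing ETags too, but those
    // vary within a profile, so the stability test filters them out.
    if (stablePerProfile && distinctValues.size === sets.length) {
      flagged.push(key.split(" ")[0]);
    }
  }
  return flagged;
}

console.log(suspiciousValidators(OBSERVATIONS));
```

A flagged URL is a lead to inspect rather than proof; clearing the browser cache discards the stored validator.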

👤 whalesalad
You’re using Chrome.

👤 feiszli
Depending on your ISP you may be able to change the public IP tied to your router. I did this, and found it significantly reduced what websites were able to track about me...for a while at least, until they learned again. But also, use a VPN.

👤 ezedv
It's frustrating to see targeted ads even after refusing cookies. While I'm not an expert, I've read that other tracking methods like fingerprinting may still be at play.

👤 jose-cl
I remember there was a site that showed all the characteristics that could make you unique. In my case, what gave me away was the unique id of the canvas.

👤 mercurialsolo
The ad tracking industry has evolved to do server side fingerprinting (Network, device U/A, Address lookups), canvas based fingerprinting.

👤 fulafel
Do you mean you click reject in the analytics pop-up dialogs (or hide them with ad blocker), or that you disable cookies in the browser?

👤 stanleydrew
What do you mean exactly by "refuse all cookies?" The specific method you use will matter a lot.

If the first thing you do when you open the browser on a new machine is go immediately to Chrome's content settings and switch on "Block all cookies" then I'd be very very surprised to see successful tracking and remarketing.

If you just mean you're clicking "reject" on all of the cookie dialogs you see on various websites that's not going to do much.


👤 contingencies
X-Forwarded-For, and/or unique IP, and/or client fingerprinting.

👤 htrp
fingerprintjs has about a dozen separate techniques

https://github.com/fingerprintjs/fingerprintjs


👤 k__
A proxy tracker can fingerprint without you even noticing.

Cookies just scale better.


👤 kongprofit
You use Chrome, that's why.

👤 Shendare
In addition to the non-cookie fingerprinting mentioned by others that can happen, there is a loophole in the GDPR cookie control legislation that allows "legitimate interest" cookies to continue to be placed and tracked when you click Reject All.

You have to edit your cookie preferences for the site (assuming they provide the option) and deselect Legitimate Interest cookies proactively in order to block them.

This recent write-up on Reddit alerted me to this information:

https://www.reddit.com/r/YouShouldKnow/comments/14ddk4u/ysk_...