.png)
4 days ago
1
There are essentially two ways of tracking a user:
- Server side tracking
- Client side tracking
There is very little you can do against server side tracking aside from changing the data you send out (IP address, headers, etc) and the metadata that you dynamically generate while using services (i.e. any measurable and sufficiently invariable/unique metric from connection characteristics, OS, browser, etc).
Also this type of tracking is strictly undetectable from the user's point of view.
An example of this practice is showcased here. (Made by https://fingerprint.com, if you want to learn more about what solutions are offered commercially, this is a good example. It is chilling. The "GDPR Compliant" isn't a good thing, it does not mean they are honoring the intents behind the GDPR, but that they found a technical loophole to do what it was designed to prevent, and still not infringe on it...)
But most of the tracking happens on the client side. The reasons are plenty, but having everyone and their mom use ultra permissive browsers, with JavaScript on, and DOM storage enabled, while never bothering to even try to control (let alone understand) any of it; coupled to the fact that this is by far the most efficient way; is certainly one of the big ones.
Realistically, any tracking solution worth their salt will use a combination of the two, so that if a user tries to "cut short" to being tracked, a single omission on their part will allow the tracking party to make a link between the pre- and post- user profiles, and "consolidate" the two into one.
Now, the easiest way to have accurate client side tracking while not using client side storage (by means of cookies or DOM storage) is hardware fingerprinting, using JavaScript to generate (in milliseconds) a reproducible GUID from your GPU, CPU, or any other hardware. By fingerprinting you, a tracking party will be able to send themselves a few bits of information (128 to 512 bits, generally), and index your profile using this and only this. If you try to cut them short, as soon as you allow any JavaScript execution, they can fingerprint you again, and keep tracking you that way. The only protection against this, is literally refusing to run any JavaScript in your browser. Not very practical.
But then, if you browse online without any JavaScript, you will be untraceable, right? Not quite. Due to the fact that virtually everyone who goes online has JavaScript enabled, you will stand out almost instantly. Using this information and simple server side tracking would probably be enough entropy to single you out instantly, even if you have a dynamic IP address and/or accurate browser profiles that you use alternatively. Unless maybe, you live in a big city full of tech savvy privacy minded people, but even then, I would not be so sure.
If you want to test your browser, you can try this or this (there are more).
So, what can be done? Well, not much, and not very easily either.
- You can build a list of "virtual users" for yourself, each using different VPNs, computers, browser profiles, etc. The important bit here is not to leak any identifier between different "users", or you're immediately and irrevocably toast.
- You can only allow running JavaScript strictly based on a whitelist, with no exception
- You can try to "poison the well" by simulating bogus activity, when you know you are tracked (like ad nauseam does)
- You can limit your use of services that track you (spoiler: practically everything. This concretely means limiting your internet use)
- You can try to tell people to stop allowing JavaScript on every. single. website. and show them how to access read only data from sites that force users to allow JavaScript (using https://12ft.io, startpage's web proxy for anonymous reading, web caches, etc)
No matter how you approach this, it is a difficult problem to solve. Not only the vast majority of the population are apathetic about this, fail to comprehend the end game and the resulting criticality of it, but I have witnessed a seizable resistance, coming from individuals who enjoy having their responsibilities taken away, and fail to make the link between those responsibilities and their rights as citizen. The pursuit of ultimate comfort will get us all in chains.
Edit: added server side fingerprinting example.
