Digital Fingerprinting and Poison Cookies
Feeding Your Social Credit Score Without Consent
Introduction
We are not talking about rolling an inked finger on police paper or Grandma’s chocolate chip cookies, but the web-technology that allows websites to track you. They track every move you make, more so then you ever thought.
We are going to explore the origin of website cookies, how websites share your visits with over 100-200 tracking organizations, and how third-party cookies can determine who you are without you even entering your email or username/password into a website; as they can now determine who you are even if you visit the site anonymously!
Marketing organizations have over 300 million user profiles collected from third party cookies and their biggest customers are the US political parties including both the Democratic and Republican parties. They use this information to determine how neighborhoods will vote from all from your web surfing habits.
Your online habits are also ripe to become the foundation of your Social Credit Score.
We will finish the article with tips on how to protect yourself. It is a long article, but it is better to be informed then be the frog in the pot.
In the Beginning
In 1994, Netscape Communications originally designed cookies to manage sessions mainly for newly emerging online shopping carts. Cookies enabled websites to remember information about visitors, facilitating a more personalized browsing experience by storing preferences, login states, and tracking user behavior across website visits.
Why do tech companies take every technical advancement that could make our lives better and use it for excessive financial gain and unwittingly government control?
Every time I open a web browser it makes me grumpy. Cookies started out by making websites delicious and now it just makes tech companies fat and in turn the government feasts on our private online lives.
Cookies started out with only the website that dropped the cookie could read it. As soon as cookies could be read by third-parties, this started the massive invasion of privacy as cookies also enabled the tracking of your online activities across different sites.
What are Third-Party Cookies?
Third-party cookies are designed to recognize your browser which enables advertisers and analytics companies to collect data about your browsing habits and preferences across multiple websites. This invasion of privacy (legal or not) helps them create a detailed profile about you, which can then be used for targeted advertising, personalized content delivery, analytical purposes, and market research. Market research really means spying on citizens. Third-party cookies have raised significant privacy concerns among users and regulators, but governments have not really done a thing because they are the biggest consumer of this data collection.
Sharing Cookies
Popular websites can have over 200 third party cookies. Which means your website visit could be shared with over 200 advertisers and data collectors. And to make matters worse, they each sell your information to each other to make sure they have the largest database possible of your online activities.
For example, when visiting MSNBC you agree to share your activity with over 100 companies. Every article you read on that site and sites like Fox News or CNN are tracked in a similar fashion. Even checking your Outlook.com email, you authorize over 150 tracking cookies.
Anonymous Is Not Anonymous Anymore
With the amount of data that is now collected by third-party cookies, websites know who you are without you even logging in or giving them your email address. Companies like retention.com buy the data from all these tracking companies and put them into a master database which they then sell back to websites and government organizations. I have personally seen this in action, and it is scary. With the cookies on your computer and your browser’s digital fingerprint, they know who you are, where you live, and can give a probability of how you would even vote.
How did this happen?
Third-party cookies married with universal logins (like Google or Facebook), can now pinpoint who you are without even asking you. More sites that use Google or Facebook as a login option makes it easier to determine who you are. They are all in it together.
How #1: Device and Browser Fingerprinting
Websites use techniques to recognize specific characteristics about your device and web browser. While this method may not directly reveal your name, it can be used in conjunction with other data points to determine your identity or link your activities back to a known user profile.
How #2: Data Brokers and Partnerships
Popular websites purchase data from brokers or engage in partnerships where user information is shared and horse traded.
Extent of Data Sharing Nightmare
Here are all the third party companies which Microsoft shares your surfing habits with by just visiting Outlook.com. If this does not make you want to puke up your milk and cookies, then you are part of the problem.
Legal But Scary Cookie Policies
When looking at the actual cookies policies, which you legally agree to every time you visit a website, there are a few I wanted to highlight when you click “Accept All”.
Nightmare #1: Match and combine data from other data sources
“Information about your activity on this service may be matched and combined with other information relating to you and originating from various sources (for instance your activity on a separate online service, your use of a loyalty card in-store, or your answers to a survey).”
Note: You agree to let them take your data and mix it with data from anywhere to do anything with it they wish. And you think the web is free!
Nightmare #2: Link different devices
“Your device might be considered as likely linked to other devices that belong to you or your household (for instance because you are logged in to the same service on both your phone and your computer, or because you may use the same Internet connection on both devices).”
Note: They are allowed to determine all the devices you own and they collect all your surfing habits on all your devices.
Tip: You have to make sure you surf privately on all your devices, just not one!
Nightmare #3: Store and/or access information on a device
“Cookies, device or similar online identifiers together with other information (e.g. browser type and information, language, screen size, supported technologies etc.) can be stored or read on your device to recognize it each time it connects to an app or to a website.”
Note: Even without cookies your browser/device fingerprint is unique for ever 260,000 users. Using this fingerprint with very little crumb cookies, they know who you are.
Nightmare #4: Use precise geo-location data
With your acceptance, your precise location. Your address. Where you live is theirs to record and share.
Note: They know exactly where you are and share that with tons of companies.
So What ?!?
We just learned when you click “Accept All Cookies”:
websites track all your activity and share it with 100s of other organizations
websites buy your surfing habits and add them to their own database websites that can determine:
who you are
your name
home address
email address
convert anonymous website visitors into known visitors
Do you have any issues with this information especially when you did not explicitly give it to a particular website?
When you click “Accept All”, that means you give the website you are visiting and all those other tracking companies full rights to your online activities.
Who are the keepers of all this data about you? When this data is mishandled or inadequately protected and sensitive information is exposed that leads to potential financial, reputational, or emotional harm, who is responsible? You gave them the rights to the activity or them because they had a breach in security? Ultimately, they pay a fine and your private life is now your public life.
What the Government Is Doing
Nothing except optics. They make websites have a pop up with “Accept All” as the default, big deal!
The outcry from the privacy community had governments enact regulations for the collection of private information. Regulations like GDPR (General Data Protection Regulation) in the European Union and CCPA (California Consumer Privacy Act) in the United States enforce stricter consent requirements but are a sad joke. When you boil down these regulations, they just need to ask you if it is OK for them to steal your data. Once they have it, it is in a black hole never to return.
Annoying cookie popups are just getting you to legally consent to data theft. As the government is the biggest customer for this data why would they really want to stop it?
Law enforcement agencies access data through legal processes (like warrants or subpoenas) but governments frequently are buying access to this data collected by third-parties. This should raise ethical and legal questions about undue surveillance and the potential for abuse. If it is all collected with your consent, it must be ok to profile its citizens.
Become a Cookie Monster
Steps to Protect Yourself
You need to be very vigilant as they use every possible method to track you. From cookies to device and browser fingerprinting, you must make sure your device and most importantly your web browser are setup to minimize data leakage. There are many layers of the privacy onion, but here are a few layers to consider.
What do I do?
VPN
I use a VPN when I surf. A VPN only limits location collection and stops my Internet providers from collecting web traffic logs but does not prevent third-party cookies. Some websites deploy technology so they know you are using a VPN and will even prevent you from signing up to their service. It is a privacy war and it’s on!
Never ‘Accept All’
When you get the cookie popup, only accept required cookies.
Privacy Focused Browser
This is mandatory! No Google Chrome! Use a privacy focused web browser like Brave or Tor. I use Brave. It limits JavaScript trackers and certain cookies. Brave also has a feature called Fingerprint Randomization.
Private Browser Windows
Open a different private window for each website. New website, new window! This way the cookies can’t be correlated, it looks like a different visitor in each window.
Be Careful with Social Media
If you use social media, make sure you use a different private browser for each social media site. For example, I use Firefox for my Facebook, and only use it for Facebook.
Tip: Don’t login into Facebook then visit CNN (for example), CNN will know who you are and share that info with their 100 top friends.
Precautions on Every Device
Practice private surfing on all your devices. If you don’t you might as well not do any safe surfing. They gather info on all your devices to help build a profile about you.
How well are you protected?
Go to https://coveryourtracks.eff.org/ and it will determine how protected your web browser is from fingerprinting.
Further Reading on Web Browser Fingerprinting visit:
https://www.pcmag.com/how-to/you-tossed-your-cookies-but-theyre-still-tracking-you-heres-how-to-hide
https://privacysavvy.com/security/safe-browsing/browser-fingerprinting/
In Closing
Online Surfing is Cruising to a Social Credit Score
We only touched on cookie tracking and how these collectors of your online activities share with one another to create a huge database. We did not go into how your Internet Service Provider, your Phone Provider, or how your desktop or mobile operating systems collect data on you as well.
There are ways to limit this collection, but they do not make it easy, as they have various methods to get the data they want about you, so stay vigilant.
Your online habits are constantly feeding the algorithm and even worse feeding AI about human online interests which allows them to adapt the narrative and determine if their messaging is working. This goes beyond advertising and ecommerce, but determining the sentiment of humanity.
Be a cookie monster, an online freedom fighter, and stop feeding the online profile database.
As all financial institutions, lenders, and any financial service now report your financial behaviors to the credit bureau to calculate your Credit Score, a number indicating your worthiness to receive financial assistance and services, this new collection of online habits will be the basis of a Social Credit Score.
Not only will organizations determine if they could extend you financial credit services but will determine if you are the type of customer they want. Many banks in Canada and the USA are de-banking people that have great credit scores, but their online opinions are too risky to be a bank customer.
The beginning of the Internet was to accelerate sharing, learning, and communicating, not for control and social programming. I am not even sure if a digital diet or digital detox is the answer anymore but simply a massive reduction of time online. I love the connected world, but maybe I will have to start leaving most of it behind.
Thanks for reading.
Amazing piece as always William! I appreciate the dumbed down version as I know topics like these can get very complex quickly. This is straight forward and to the point, but there is so much great (and disgusting) information that I can't stop reading it, I love it. This is in my top 3 favorite articles of yours.
I did almost throw up my milk and cookies when I saw the video (and how long you had to scroll) about all of the companies that were getting access to your data via cookies, that is absolutely insane!
I will be a cookie monster, online freedom fighter, and stop feeding the algorithm as much as possible. I appreciate the tip of always opening a new private tab while using a VPN, I will start doing that.
I too enjoy "some" of the connected world, but like you said "maybe I will have to start leaving most of it behind."
Cheers!