When you think of online tracking, chances are you think about third-party cookies that follow you from site to site. Third-party cookie handling has been a hot-button issue among the major browser vendors of late, with Google announcing that Chrome would deprecate them.

1/
But third-party cookies are just the most obvious way that your online activity gets tracked. Far more insidious is "browser fingerprinting," in which the unique characteristics of your browser and computer are linked to your identity and tracked.

2/
Browser fingerprinting and other de-anonymizing attacks are a reminder that the technical problems of anonymity are subtle and complex, which is generally true of all privacy questions.

3/
It's also a reminder that privacy problems can't be solved with code alone: to be private, you also need legal recourse against companies that cheat and spy on you.

4/
Finally, it's a reminder that we need independent security researchers, who can warn us about novel ways of attacking our digital privacy.

5/
Researchers like Jonas Strehle, who just published a fascinating proof-of-concept demonstrating how favicons (the tiny icons in your browser tabs) represent a serious privacy vulnerability.

github.com/jonasstrehle/s…

6/
Strehle calls this tracking-by-favicon "supercookies," and his demo shows that these trackers defeat incognito mode, VPNs, and ad-blockers.

vice.com/en/article/n7v…

7/
His work builds on an academic U Illinois Chicago paper from Network and Distributed Systems Security, published in 2020: "Tales of FAVICONS and Caches: Persistent Tracking in Modern Browsers"

cs.uic.edu/~polakis/paper…

8/
Favicons are stored locally in a database called the F-cache; if a user requests a favicon from a site, the site can infer that the user has never visited the site before (or that the gap since their last visit was so long that the cache expired).

9/
"By combining the state of delivered and not delivered favicons for specific URL paths for a browser, a unique pattern (identification number) can be assigned to the client."

10/
"When the website is reloaded, the web server can reconstruct the identification number with the network requests sent by the client for the missing favicons and thus identify the browser."

11/
This confirms the original paper's theoretical prediction that favicon attacks "allow a website to reconstruct a 32-bit tracking identifier in 2 seconds."
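
A toy model of the mechanism described in the tweets above, added here as an illustration (it is not code from the thread, from Strehle's demo or from the UIC paper): a hypothetical tracking server encodes a 32-bit ID into which sub-paths deliver a favicon, reads it back from the requests a returning browser makes for the icons it does not have cached, and the scenario shows that clearing cookies leaves the ID readable while clearing the favicon cache resets it to "unknown". The sub-path layout and the starting ID are constructed values.

```python
from dataclasses import dataclass, field
N_BITS = 32                                       # 32-bit identifier, as quoted from the paper
PATHS = [f"/id/{bit}" for bit in range(N_BITS)]   # assumed sub-path layout, one path per bit

@dataclass
class Client:
    """Browser model: a favicon cache (F-cache) that clearing cookies leaves intact."""
    favicon_cache: set = field(default_factory=set)
    cookies: dict = field(default_factory=dict)

    def needs_favicon(self, path: str) -> bool:
        """True if the browser would send a favicon request for this path (cache miss)."""
        return path not in self.favicon_cache

    def clear_cookies(self) -> None:
        self.cookies.clear()           # incognito / cookie wipe: the F-cache is untouched

    def clear_favicon_cache(self) -> None:
        self.favicon_cache.clear()     # the mitigation: wipe the F-cache as well

@dataclass
class TrackingServer:
    """Hypothetical server that encodes an ID into which sub-paths deliver a favicon."""
    next_id: int = 0x5A3C1F09          # constructed starting ID; 0 is reserved for 'unknown'

    def assign_id(self, client: Client) -> int:
        """First visit: walk every path; deliver an icon only where the ID bit is 1."""
        cid, self.next_id = self.next_id, self.next_id + 1
        for bit, path in enumerate(PATHS):
            if client.needs_favicon(path) and (cid >> bit) & 1:
                client.favicon_cache.add(path)   # 200 + icon: the browser caches it
            # for a 0 bit the server answers 404, so nothing is cached
        return cid

    def read_id(self, client: Client) -> int:
        """Return visit: a path for which no favicon request arrives is a 1 bit."""
        cid = 0
        for bit, path in enumerate(PATHS):
            if not client.needs_favicon(path):
                cid |= 1 << bit
        return cid

def scenario():
    server, browser = TrackingServer(), Client()
    assigned = server.assign_id(browser)
    browser.clear_cookies()
    after_cookie_clear = server.read_id(browser)
    browser.clear_favicon_cache()
    after_fcache_clear = server.read_id(browser)
    return assigned, after_cookie_clear, after_fcache_clear
```

`scenario()` returns the assigned ID twice (the cookie wipe changes nothing) followed by 0 once the F-cache is gone, which is why the thread's "incognito mode, VPNs, and ad-blockers" are not the right defence here.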

Image: Thomas Hawk
flickr.com/photos/5103555…

CC BY-NC:
creativecommons.org/licenses/by-nc…

eof/
