The judge can rule about lawfulness, otherwise it looks like they are an investigative reporter that just found out about the technical capability to track users in such a way.
One source that "can" is ok here: https://en.oxforddictionaries.com/usage/can-or-may
I didn't realize that this use of "can" is something that would cause confusion. Maybe there's a regional difference? I'm from the western United States.
https://wiki.mozilla.org/Security/Contextual_Identity_Projec...
It lets you run multiple sessions in one window, where each tab belongs to a specific session with separated cookies and such.
I've got a bunch of tabs where I'm logged in to Facebook, another set where I'm logged in to Google and the rest of them where I'm not logged in to either. Of course they can still use IP matching to track me, but at least it's something...
Your user agent plus unique plugin installations plus fonts installed equals a unique fingerprint across IP addresses. The above isn't an exhaustive list, either. There are dozens of tricks to track you.
Plus it's super slow, encouraging me to not spend too much time on Facebook...
But it's not just that. It lets you easily open several accounts in parallel. I have 3 github accounts, and can open 3 tabs in 3 clicks with the 3 accounts in parallel. Before that I had to use profiles and it was a pain.
Just a warning: not if you have enabled multiprocessing.
SDC (and other similar addons) can't monitor LocalStorage when e10s is on, only cookies. (Source: "Frequently Asked Questions and Common Problems" at https://addons.mozilla.org/en-US/firefox/addon/self-destruct...)
Along with that, it will still be necessary to fix some browser information leaks that could be used for fingerprinting
If someone is tempted to beat me to it, go for it!
Having multiple container tabs on the same window can be hard to manage & track, at least with the way brave presented it with their numbered session tabs.
This is really annoying when you always use your web browser in private mode, but don't close it regularly. It means that e.g. youtube already builds a profile about me from my previous searches even though I'm not logged in. If I were that concerned I would close Firefox, but the usability issue is just too big for me. Having the best of both worlds would be awesome.
Meanwhile, my personal container won't log me with my gmail/work account when I watch cat videos on youtube.
If I used facebook, I'd have a facebook-specific container. Just open a tab in it, and I'm logged in, but no cross-container tracking.
Also, history is retained, and all in one big pool (unlike having actual separate profiles).
1) “Facebook’s intrusion could have easily been blocked, but plaintiffs chose not to do so,”
This seems like a dangerous precedent. So if we can block surveillance attempts and we don't try, then it's our fault?
> “The fact that a user’s web browser automatically sends the same information to both parties does not establish that one party intercepted the user’s communication with the other,”
This makes no sense. Nothing happens "automatically", someone wrote the code for that to happen, in this case, Facebook.
But, at the end of the day it's just an embedded thing in a bunch of websites. I don't see anyone suing Google about AdSense. I mean I despise Facebook, but unless they're doing something more nefarious than getting a GET request on page load, then I'm not sure that I care enough. Get a blocker.
Here's a good demo which uses fingerprinting to show how ineffective incognito mode is: http://www.nothingprivate.ml/
your browser is leaking a lot of data, from the plugins you have installed to the fonts & you need to take initiative to patch the holes
here's a website you may find useful: https://browserleaks.com/
Maybe put it at a tier above private, "ghost" mode.
This BS has gone on too long
https://addons.mozilla.org/en-us/firefox/addon/privacy-badge...
https://chrome.google.com/webstore/detail/privacy-badger/pke...
Do they require that it be from a previously used IP/user-agent or something?
Edit: received FB email about "login from unknown device".
https://fstoppers.com/photojournalistic/supreme-court-rules-...
It's not like people should have exclusivity over who has access to the photons that hit them...
In many, if not most European countries you can get a ticket for not protecting your vehicle. If you leave your car unlocked and someone steals it, it's your fault. The police have to investigate it etc., but they also give you a ticket, because if not for your thoughtlessness, they wouldn't have to do it.
Getting a ticket for that does not mean the theft gets blamed solely on the owner so that the thief is not even considered committing a crime. It's just the owner may have violated a law, too. How about you a.) quote those laws, and even assuming you are correct in how you put it, show how b.) one instance of victim blaming would justify another. To me that's like drinking a second bottle of bleach because you already downed one. That runs so much counter to my own intuition I'm kind of intrigued.
Block as many ads as you can, in order to starve the beast.
After reading that (in 2011) I decided to block all third-party cookies.
[1] https://chrome.google.com/webstore/detail/vanilla-cookie-man...
[2] https://bugs.chromium.org/p/chromium/issues/detail?id=78093
[3] https://bugs.chromium.org/p/chromium/issues/detail?id=589586...
since Chrome is such a memory hog on macs my principal browsers are opera and brave, both of which work very well on my elderly macbook air.
I have no idea if my somewhat paranoid tracking avoidance is effective against FB though. I see that when I go to the log in page in safari that FB knows how many 'posts' I have stacked up to consume (the little Pavlov's dog red circle with a number in it). I'm assuming I'm being tracked despite being logged out...
HTTP requests sent from my browser page when viewing Foo.com to Bar.com have no cookies. Javascript is available to create an explicit pop-up requesting permission to share your cookies with Bar.com.
When I go to Foo.com, my relationship is with Foo.com. I'm okay with being tracked by Foo.com when I'm on Foo.com, but if bar.com is going to track me then I want to be asked.
That said, Foo and Bar could still share information about me directly without going through my browser, but without the cookie feature it would be very hard for Foo and Bar to establish that their profiles on the person Pxtl are the same person.
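The cookie behaviour proposed in the comment above, as an added example that is not part of the original thread: a toy cookie jar in JavaScript comparing one shared jar, blocking third-party cookies, and keying the jar by top-level site. The `Browser` class, the policy names and the site `news.example` are constructed for illustration.

```javascript
// Added illustration: toy model of a browser cookie jar under three policies.
// Site names and policy names are constructed; this is not any browser's real code.
class Browser {
  constructor(policy) {
    this.policy = policy; // "shared" | "block-third-party" | "partitioned"
    this.jar = new Map(); // jar key -> cookie value
    this.nextId = 1;
  }

  // Key under which a cookie for `host` is stored while the tab shows `topSite`.
  jarKey(topSite, host) {
    return this.policy === "partitioned" ? `${topSite}|${host}` : host;
  }

  // Simulate one request to `host` made by a page whose address bar shows `topSite`.
  // Returns the identifier the server at `host` sees (null = no cookie sent or stored).
  request(topSite, host) {
    const thirdParty = topSite !== host;
    if (thirdParty && this.policy === "block-third-party") return null;
    const key = this.jarKey(topSite, host);
    // First contact: the server's Set-Cookie assigns a fresh identifier.
    if (!this.jar.has(key)) this.jar.set(key, `id-${this.nextId++}`);
    return this.jar.get(key);
  }
}

// What bar.com observes when the user visits two unrelated sites that both
// embed a bar.com resource, and then opens bar.com directly.
function trackerView(policy) {
  const b = new Browser(policy);
  b.request("foo.com", "foo.com");
  const viaFoo = b.request("foo.com", "bar.com");
  b.request("news.example", "news.example");
  const viaNews = b.request("news.example", "bar.com");
  const direct = b.request("bar.com", "bar.com");
  // linkable: bar.com can tie the two embedding sites to one cookie identifier.
  return { viaFoo, viaNews, direct, linkable: viaFoo !== null && viaFoo === viaNews };
}

for (const policy of ["shared", "block-third-party", "partitioned"]) {
  console.log(policy, trackerView(policy));
}
```

The model covers cookies only; the IP matching and fingerprinting mentioned elsewhere in the thread are outside it.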
Media did it to itself--it just gave away its audience for free. No wonder it can't make enough money via advertising.
Yes, you could do that all on the computer itself, no need to run it on the router. I guess the benefit of having it all on a router is that it would be a plug and play solution for the privacy conscious but technically limited individual.
Or are the sneakier ways sites track users something that can get by the OOTB settings?
If that isn't already enshrined in case law, hopefully it signals that we will not get laws passed requiring users to allow tracking, and the courts will hopefully invalidate terms and conditions requiring tracking.
Having lived through the rise of DMCA, I live in fear of an emboldened industry getting laws passed that make the use and distribution of blocking software illegal.
The day that happens I'm joining the dark side.
Actually, the problem is [add: after the website is created, and tracking code is put there by someone] that it all happens automatically.
See, there is another perspective into this. Not exactly correct (I admit, there is some stretching and it's not all solid), but just the general idea...
The semi-forgotten term for the browser is user agent. Point is, it really should act on behalf of the user. It's an automation that should be programmed to do what the user wants it to do (browsing the web, displaying the pages, etc), sparing the user mundane choices and gory technical details.
If the agent is configured to willingly accept and execute arbitrary third-party instructions, and provide detailed information - and it can be configured differently - isn't the problem with the agent configuration? If you didn't want that GET request, why did the agent do it? And it's not that the agent was tricked (hacked) into doing so - all the APIs (cookies, XHR, etc) are well-documented. Sure, there is some shady stuff sometimes going on - like browser fingerprinting, but it's not the core issue.
Maybe we should actually start blaming browser vendors for shipping badly pre-configured software with the defaults that consciously and willingly trade privacy for "not breaking" the web?
Remove the automation and just imagine users themselves would somehow connect to the web, and the site would tell "hey, now go talk to Facebook server and do whatever they say" - and they do. (And this is what actually happens!) Surely, the tracking would be a non-issue.
This.
The writing was on the wall when the conversation became about "balancing" the interests of users and huge content factories. And now web-DRM is a standard.
Fuck that; my computer, my rules.
I had a funny conversation recently with someone who was arguing that I was breaking etiquette, or perhaps an implied contract (it wasn't clear) by messing with cookies. He realized the absurdity about the time I asked if I was ethically obligated to back up and restore the cookies in case of drive failure, but people have some really odd notions about their right to control state on my machine.
In some ways I prefer the black-hat types; at least they're aware that they're working against my interests and don't become indignant when I point it out.
The user agent concept is long dead and buried. The modern web browser is more like a virtual OS, a platform for running arbitrary code loaded from the internet, a hosting environment for temporarily lending the computing power of the user's device and its network access to whomever was able to lure the user to their website.
The website you are visiting has to deploy Facebook's code though. So the website owner has to allow it (assuming they know the implications of what they are doing).
You could assume it but it's not necessarily the same people who designed the web page that add those Facebook "features". From my impression, more often than not you have some "social media marketing expert" that does this. And they do not give a rat's ass about any nefarious tracking and will continue to be blissfully ignorant about the users' privacy unless it becomes a corporate policy to care about those things.
Do we assume everyone reasonably knows how to block surveillance attempts by Facebook/Google?
Shouldn't privacy be a default right, and that users can opt-in (to be tracked) with their expressed consent instead?
Users can easily block cookies themselves, but that is no excuse for the cookie intrusion, so every single website must display a pop-up warning that it uses cookies.
Imagine that: every single website you visit shows a pop-over or an extra top bar that you have to close. Every website.
That's the online life of the European netizen.
Whether you take reasonable steps to make something private does influence the degree of legal protection it gets.
If I can save your life, but choose not to, it's your fault.
On the other hand, it might be possible to devise a solution that works generally but employs white lists or other exceptions for sites that need certain IP-address behavior. That would take a fair amount of effort, but the approach has worked well in similar contexts, such as ad blockers.
The point is to not ever be different from others. Act like the rest of the crowd. By changing your UA every now and then, you stand out, and become easier to identify.
At the least, you could imagine having a shared session for all the tabs in a same window. But a new incognito window should be clear of any history.
From my understanding blocking 3rd party JS is largely insufficient for accomplishing this, regardless of DNT settings.
You may be right regardless that it's better to appear as much like a stock browser as possible, in terms of privacy settings, so DNT should stay disabled. But in practical terms it might not make much of a difference.
Example: jQuery is sometimes hosted on Google CDNs. You can't block that request without breaking the site, right? But that request sends all your info.
And typically a request for something like jquery from a CDN will contain little more than your IP address and cookies. You can even prevent the cookies from being sent if you want. The only way they could get away with more than this would be to modify the resulting script to grab more info from your machine.
You can test first-party isolation now by flipping the about:config pref "privacy.firstparty.isolate" to true. Beware that there are still bugs that break some sites, which is why the feature is not enabled by default yet. If you find bugs, please report them in Bugzilla! Here is the Firefox bug tracking the integration and known bugs:
If they employ some "social media marketing expert" who deploys tracking code, then that's still on them.
For a single browser session, this should work. Over months, it's harder. A tracker would need to at least be quite aggressive and collect a lot of information to track you, and then be fairly clever in fuzzily matching that in the future if they want to track you over time.
Which isn't to say that short-to-medium term tracking is just fine, but it's not black and white either.
http://yinzhicao.org/TrackingFree/crossbrowsertracking_NDSS1...
Use Tor Browser even if you're not using Tor if you're looking for better privacy. It's modified to mitigate as much as possible. Facebook is just bad. Avoid it at all costs if you value privacy. And it's not just facebook. Sites like facebook, google, etc also use several 3rd party "advertising" (i.e. data gathering) companies to gather data and build profiles on users and share that data with each other. Even on your regular use browser I would highly recommend uBlock Origin and Privacy Badger.
Total is around 20bits (due to overlaps).
YMMV.
Not in firefox, or, at least not for me.
And yes, you're right if I log in on either one of two private windows then the other one is also logged in. That's actually a bug in FF afaic.
Add in a VPN and I think you get at least some chance at some privacy. Hopefully.
Even Internet Explorer has File > New Session.
http://www.balough.com/internet-service-provider-must-disclo... in the case of an RIAA suit
Not uncommon in mobile carriers.
http://www.detectiveservices.com/2012/02/state-by-state-reco...
I decided to just cut it out and hope that I see those people again in real life. If not, then the road goes elsewhere. Feels a little more human.
Yeah, I occasionally go through a lot of posts and click "don't see any more stuff from MYCATS" or whatever. But it's gotten to the point where you just can't stop it that way either. I think "like" now means "see more crap from here" otherwise how would so many people be viewing so much junk.
I'm in a similar boat. That's just how a lot of people I know communicate. Sure they have other ways to communicate, but they don't want to.
For everything else, there's email, sms, and a half dozen other social networks.
Are you going to follow everyone who's harming themselves in any way (alcohol, drugs, food, [insert any other vice]...) to chide about their behaviors?
Lots of people have problems with Facebook, and I was suggesting a solution to their problems which many people think is untenable, but works well for me. If you don't have problems with Facebook, my comments weren't directed at you.
There's some irony in jumping into someone else's conversation to tell them to mind their own business and stop chiding people for their behavior.
You can ask said email/sms/whatever. If the communication matters, you should have them anyway. If not, then those persons are not that important.
> There's a large number of people on Facebook that I interact with that I don't have email / sms / whatever for.
There you go! Here is one of the other reasons that I stated before. Not the "those people I can only reach through facebook" bullshit.
Oh, I'd agree they're "not that important" but that doesn't mean "...and therefore I should cut them out of my life."
> Not the "those people I can only reach through facebook" bullshit.
It's not "bullshit" just because you disagree.