Primer on Privacy and Tracking

Introduction – The Concept of Consent

I have a friend in Texas. Like much of this country (The United States of Capitalism), the sex education taught in Texas public schools is rather poor, and in fact I suspect it is poorer there than most places.

She teaches sex education for adults, many of whom are seriously lacking in what they know as a result of our education system. She goes way beyond just the anatomy and biology, she also educates about attitudes towards sex.

One thing she taught me is a definition for consent that really makes a lot of sense. Consent can very concisely be defined with three fundamental concepts:

  1. Consent is always informed. All parties involved have full knowledge of what is to take place before it takes place.
  2. Consent is always enthusiastic. All parties involved are willingly participating because they want to.
  3. Consent is always revocable. At any point, anyone involved has the inherent right to stop what is happening and back out.

That definition of consent is beautiful, and applies to far more than just sexual situations. It should apply to the handling of personal data collection as well.

In order for any consensual personal data collection to take place, the user has to have full knowledge that it is being collected and who is collecting it.

How Tracking Cookies Work

Most people have heard of tracking cookies, but my experience is that very few people actually know what they are or how they work.

When the World Wide Web was invented, web pages were completely static. What this means, a web page was like a book at a library. Many different people could look at the same book and they would all get the same, identical content from it. The pages of a book do not change depending upon who was looking at it. If a user needed the same book but with differences, the user would have to get a different version of the book.

Web pages are digital data, and digital data is easy for computer programs to create on the fly, so dynamic web pages soon started popping up. But the only way a dynamic web page could create custom information for the user is if the program generating the content knew information about the user. That is why the cookie was invented.

Screenshot showing Facebook cookieA cookie is a small piece of data that a server sends to your browser when your browser connects. Your browser saves that data, and then anytime your browser then connects to the server, it sends the small piece of data back to this server.

This all happens without the user seeing any of it. Most users are completely unaware of what websites have created cookies.

Cookies are a very important part of interactive web designs, they are how the web server knows who is requesting information so the web server can tailor the response.

Third Party Cookies

So what is a Third Party cookie?

You are the first party. The domain in your URL bar (notrackers.com in the case of this site) is a second party. Any other resource included in the web page, such as images or scripts or fonts, that either do not come from your local machine (first party) or from the domain in the URL bar (second party) is called a Third Party.

When your browser requests those third party resources, if your browser has cookies associated with those domains, they will be sent with the request. Not only will they be sent with the request, but a special kind of HTTP header called a HTTP Referer will also be sent.

The image I posted shows all of the cookies in my browser that are from the domain facebook.com. The content of most of them is very unique to me, and allows Facebook to identify my account as the account that belongs with request.

So when I visit a website that is NOT facebook but that site has anything from Facebook, whether it is a Like or Share button or a piece of JavaScript or an image or whatever, Facebook is a third party resource and my browser will not only send all of those cookies with the request, but it will also send a HTTP Referer header telling Facebook what website I was visiting.

When Mark Zuckerberg said people were voluntarily giving Facebook their information, that’s what he meant. You visit a hypothetical website “WeirdFreakySecretThings.net” and you may not want it known that you are visiting that website, but if that website has a Facebook “Like” button or anything hosted by facebook – even an image someone posted – and guess what, your browser just told Facebook that you were at that site and when you were at that site. There’s a good chance you were not even aware that site had resources from facebook when you visited.

How is that sharing of information either informed or enthusiastic? And how is it reversible? You were basically tricked into sharing that information with Facebook.

Parents – don’t let your daughters date guys who have the same concept of consent that Mark Zuckerberg has.

The Fraud of Web 2.0

Web 2.0 is a term that was first coined by Darcy DiNucci in 1999 and initially popularized by Tim O’Reilly and Dale Dougherty in 2004. From there, it became a popular marketing term to describe websites with a lot of social media interaction and user generated content, such as Myspace and Facebook and Yahoo! and others.

The reality is the term was intentionally abused for the psychological effect it had on users. Do I have a study to back up this claim? No, so feel free to put some salt on my claims.

Just like cloud and blockchain, Web 2.0 invoked a positive feeling among users, it made them feel like they were part of something big that was happening, the next major evolution of technology. People like to feel like they are on the cutting edge, and con artists will often use that tactic to distract their target from what is actually happening. Seriously, think about it, why is every porn star called a porn star? Calling them a star makes it easy to make huge stacks of cash off of them without giving them their due, and that happens a lot. Why did Donald Trump suggest to Stormy Daniels that he could get her into his “mainstream” television series? It was all part of his con job to get inside her pants.

Web 2.0 had buzz, and that buzz was used to normalize both companies and users on the idea that it was okay for some tracking to take place in exchange for the integration of services from the Web 2.0 leaders like Google and Facebook and Amazon. Few people had any idea of the extent of tracking that was going to place. Some of us did and warned about it, and we generally were ignored and often mocked for not understanding the web.

Some common tricks used to get trackers placed all over the web:

Automattic purchased the company Gravatar, and then got Gravatar integrated into WordPress. This gave Automattic an instant massive source of worldwide tracking.

Facebook convinced both webmasters and bloggers that they really needed to have a “Like on Facebook” button on their websites. This installed Facebook trackers on websites all over the world.

Both Automattic and Google created services for blog comment subscriptions and convinced blogmasters to use them even though blogging software already had facilities for managing comment subscriptions. This was particularly insidious because the tracking information provided an e-mail address of users (even though blog privacy policies often said that wouldn’t be shared) and bypassed software like Privacy Badger that blocks tracking cookies.

Numerous WordPress plugins and themes include third party trackers, everything from fonts to scripts to images. The presence of these trackers is never disclosed on the description of the plugin, the blogmaster has to know to look for them, and most blogmasters simply are not that technically inclined.

A Partial Solution

As a user, there is something you can do. The Electronic Frontier Foundation has a tool called Privacy Badger.

Privacy Badger LogoPrivacy Badger is a browser extension that attempts to identify third party resources in a web page and will block them when it identifies them.

However it is only a partial solution. There are many methods used to identity a user beyond just a cookie, browser fingerprinting is one such method.

It is also reactive, and it does not work with every browser (e.g. Safari) or every platform (Android and is limited and iOS support seems to be non-existent).

And very often, websites break with Privacy Badger. A common method Google uses to track people is their Captcha service. Google is not providing that out of the goodness of their hearts, they are providing specifically to track. As a result, Privacy Badger does the right thing and blocks it, but then your interaction on those pages is blocked because you did not fill out the Captcha.

I like Privacy Badger, I really do, but we need more.

Websites that do accumulate user data need to honor the ‘Do Not Track‘ header that users can configure their browser to send. Remember the part about consent being both enthusiastic and revocable?

When companies like Google and Facebook blatantly ignore the Do Not Track header, they are making it clear that consent is not something they are concerned with.

We have a word for people who in the context of sex choose to blatantly ignore an expressed lack of consent. They are called rapists.

More Complete Solutions

When a person is sexually assaulted, sometimes there are things that person could have done differently that would have avoided the assault. In the Brock Turner case, for example, if the woman had not gotten as drunk as she was maybe he would not have had the opportunity to assault her. However it is both wrong and evil to blame the victim even when there are things the victim could have done differently.

Users can avoid some tracking by using tools like Privacy Badger, Private Browsing mode, frequently clearing cookies, etc. but that does not excuse the crime that happens to those who either do not know how to take those measures or who do not take those measures often enough.

Better data protection laws are one approach, but in the United States it is doubtful that will happen. Our political system has been set up in such a way that politicians no longer serve the people, they serve the corporations that pay them huge amounts of money. We are an oligarchy now with the facade of democracy.

Webmasters need to start making the choice to protect users without laws that require them to, and users need to start avoiding the Internet services provided by the giants that will refuse to stop tracking,

For example, instead of using Twitter, try Mastodon.

Tracking is only profitable because we, the users, exist to be tracked. The more of us that avoid sites and services that track, the less profitable tracking becomes.

Educate yourself on tracking, educate others on tracking, and join the Web 3.0 revolution – a World Wide Web for the users by the users where the value of the privacy of the many outweighs the profit of the few.

Leave a Reply

Your email address will not be published. Required fields are marked *

Anonymity protected with AWM Pluggable Unplugged