[PrivacyBadger] Pushing Privacy Badger's buttons, part 2

'Don Marti' dmarti at zgp.org
Mon Sep 12 09:13:08 PDT 2016


begin Mike O'Neill quotation of Mon, Sep 12, 2016 at 03:21:22PM +0100:
> 
> Hi Don,
> 
> How does an extension check for it? Does it block the resource or clear the cookie?

That's the hard part.

I don't want to tell users who are already making an
effort (cookie management, double-keying, refusing
third-party cookies, or blocking entirely) to go do
something else.  It's just important to get people to
the point where they're not trackable across sites,
however that happens.

So you can avoid an Aloodo "tracking detected" by

 * blocking ad.aloodo.com (Disconnect)

 * refusing the third-party cookie (Apple Safari)

 * double-keying the cookie (AVG Crumble for Google
   Chrome)

 * clearing the cookie between sites (Self-Destructing
   Cookies for Firefox)

(For "cookie" add LocalStorage)

There are a lot of site-friendly policies, and it's
better to encourage experimentation than to tell
privacy people (who tend to be independent-minded) to
run a particular one.

I want people to say, oh, good, my favorite privacy
tool passes the test, therefore the test measures
something that matters.

> I looked at your blog post and there is (in ad.aloodo.com) a cookie name "site" value the parent site domain and a cookie named [ object Object] which looks like it’s a javascript error (you must be writing an object to document.cookie somewhere). Neither of them are high entropy so PB will not ordinarily see them as tracking (is that right Cooper?).

PB does pass the tracking protection test...

http://www.aloodo.org/test/

so the "site" cookie is high enough entropy by the time
it has 3 hostnames listed.

> I think it would be a good idea to come up with some standard cookie names. There is a proposal for an amendment to RFC 6265 for "well known" cookie names prefixed by "__" e.g. __Secure
> 
> I suggested one (__DNT=0) to override DNT:1 for browsers that don't support the API. You could only declare "web wide" consent with that, and it takes the pressure off them from implementing the API, so it is not very useful and I am not pushing it. Cooper suggested a standard name for the advertiser's opt-out cookie, which would be a good idea, but perhaps a distraction from them just respecting DNT.
> 
> How about __BlockMe? 

The name and content of the cookie are subject to
change.  If I find that somebody is special-casing
test cookies I'll change it up a little.

> If you can return a Set-Cookie header couldn't you also return Tk: D ?

The un-tracking pixel does.

> Mike
> 
> -----Original Message-----
> From: 'Don Marti' [mailto:dmarti at zgp.org] 
> Sent: 12 September 2016 14:19
> To: Mike O'Neill <michael.oneill at baycloud.com>
> Cc: 'Cooper Quintin' <cooperq at eff.org>; privacybadger at eff.org
> Subject: Re: [PrivacyBadger] Pushing Privacy Badger's buttons, part 2
> 
> I have made some progress on this.
> 
> There is now an "un-tracking pixel" that will just set
> the Aloodo cookie -- no third-party JavaScript
> required.
> 
> Faster than running the whole script.  And it comes
> with a long "Expires:" time, so the browser won't
> re-load it for every page.
> 
>   http://blog.aloodo.org/misc/howto/#pixel
> 
> Good for
> 
>  * sites that want to help but don't want to show
>    tracking warnings
> 
>  * sites that are concerned about load times and
>    bandwidth
> 
>  * sites that don't want to run 3rd-party JS
> 
>  * sites that can add an image but not a script (for
>    example, those hosted on Wordpress.com)
> 
> So now there can be some sites running the whole
> Aloodo script, to warn users, and some sites just
> running the pixel, to pre-prime the browsers so the
> script can get better results.
> 
> 
> begin Mike O'Neill quotation of Sat, Apr 16, 2016 at 05:19:04PM +0100:
> > 
> > Thinking about this I think a better "block me" response would be a Tracking Status Value of "D", which means the web application is "Disregarding" DNT.
> > 
> > T could be a valid TSV when Tracking for one of the permitted uses is happening, although the particular permitted use must be declared in the "qualifiers" property. PB could check for a T along with an absent "qualifiers" property, or one that does not have one of the permitted use codes, but that seems long winded. A "D" would be simpler.
> > 
> > So either the TSV includes:
> > 
> > { "tracking": "D", ... }
> > 
> > Or there is a response header "Tk: D"
> > 
> > I am writing an implementers guide to DNT (for the TPWG) that will include that suggestion.
> > 
> > Mike
> > 
> > -----Original Message-----
> > From: PrivacyBadger [mailto:privacybadger-bounces+michael.oneill=baycloud.com at eff.org] On Behalf Of Cooper Quintin
> > Sent: 12 April 2016 02:56
> > To: privacybadger at eff.org; Don Marti <dmarti at zgp.org>
> > Subject: Re: [PrivacyBadger] Pushing Privacy Badger's buttons, part 2
> > 
> > Actually this seems like a pretty good solution to Don's problem and one
> > that we should maybe adopt anyway. There are other benefits to reading
> > the TSR as well such as getting a list of first parties. I would likely
> > support this change.
> > 
> > - Cooper
> > 
> > On 04/09/2016 11:31 AM, Mike O'Neill wrote:
> > > Why not agree on a "block me" signal. Any reference to a third-party marked in a particular way will cause the request to be blocked by tracking protection i.e. PrivacyBadger
> > > 
> > > The Do Not Track (candidate) recommendation contains such a signal. A TSR (a JSON resource at //ad.aloodo.com/.well-known/dnt ) with Tracking set to "T" ( { "Tracking": "T", ... } ) when accessed with the DNT set (DNT:1), would signal refusal to stop tracking, i.e. block me. You could also do it by returning a Tk: T to any ad.aloodo.com resource.
> > > 
> > > -----Original Message-----
> > > From: PrivacyBadger [mailto:privacybadger-bounces+michael.oneill=baycloud.com at eff.org] On Behalf Of Don Marti
> > > Sent: 09 April 2016 18:48
> > > To: privacybadger at eff.org
> > > Subject: [PrivacyBadger] Pushing Privacy Badger's buttons, part 2
> > > 
> > > Still working on tools that a web site can use to
> > > notify users when they're vulnerable to third-party
> > > tracking.
> > > 
> > > Here's the problem.
> > > 
> > >  * If the script warns the user when a third-party
> > >    iframe loads, it will falsely notify some users
> > >    of an "untrained" Privacy Badger.
> > > 
> > >  * If we wait to notify until we're sure that a
> > >    third-party cookie can be set and read on three
> > >    sites, then we miss a chance to notify some users
> > >    of list-based protection who haven't been to enough
> > >    sites that include the iframe.
> > > 
> > > One solution is...put the https://ad.aloodo.com/track/
> > > iframe everywhere!!1!1  Even if you don't want to run
> > > tracking notifications on your own site, the iframe
> > > will train Privacy Badger to block it, so the cookie
> > > test will work when the user goes to a site that does
> > > do notifications.  Still looking for other solutions.
> > > 
> > > Anyway, more here:
> > > 
> > >   http://blog.aloodo.org/posts/track-js-script/
> > > 
> > > Comments and suggestions welcome.
> > > 
> > > 
> > > _______________________________________________
> > > PrivacyBadger mailing list
> > > PrivacyBadger at eff.org
> > > https://lists.eff.org/mailman/listinfo/privacybadger
> > > 
> 
> -- 
> Don Marti <dmarti at zgp.org>                   
> http://zgp.org/~dmarti/
> Are you safe from 3rd-party web tracking?  http://www.aloodo.org/test/

-- 
Don Marti <dmarti at zgp.org>                   
http://zgp.org/~dmarti/
Are you safe from 3rd-party web tracking?  http://www.aloodo.org/test/
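As an added example (not Aloodo's or Privacy Badger's code), here is a model of the cross-site "site" cookie test discussed in the thread and of each browser policy Don lists as passing it; the policy names, the cookie-jar model and the .example hostnames are this example's own constructions, while the tracker host and the three-hostname threshold come from the thread.

```javascript
// Added example (not Aloodo's or Privacy Badger's code). Models the Aloodo
// "site" cookie test from the thread: a third-party resource on ad.aloodo.com
// appends each embedding site's hostname to a cookie, and the test reports
// "tracking detected" once 3 hostnames are listed. Policy names, the jar
// model and the .example hostnames are this example's own constructions.
const TRACKER = 'ad.aloodo.com';
const THRESHOLD = 3;

// One load of the third-party resource: read the "site" cookie from the jar
// the browser hands it, add the first-party hostname, write it back.
function trackerLoad(jar, firstParty) {
  const seen = jar.has('site') ? jar.get('site').split(',') : [];
  if (!seen.includes(firstParty)) seen.push(firstParty);
  jar.set('site', seen.join(','));
  return seen.length >= THRESHOLD; // true => the page may warn the user
}

// A minimal browser applying one of the policies listed in the thread.
function makeBrowser(policy) {
  const jars = new Map(); // cookie jars for TRACKER, keyed per policy
  let detected = false;
  function jarFor(firstParty) {
    // 'double-key' (AVG Crumble): one jar per embedding site, so the tracker
    // never sees more than one hostname. 'none': a single shared jar.
    const key = policy === 'double-key' ? firstParty : 'shared';
    if (!jars.has(key)) jars.set(key, new Map());
    return jars.get(key);
  }
  return {
    visit(firstParty) {
      if (policy === 'block-host') return detected; // Disconnect: no request to TRACKER
      if (policy === 'clear-between-sites') jars.clear(); // Self-Destructing Cookies
      // 'refuse-third-party' (Safari): the resource loads, but its Set-Cookie
      // is discarded, modelled here as a throwaway jar for each load.
      const jar = policy === 'refuse-third-party' ? new Map() : jarFor(firstParty);
      if (trackerLoad(jar, firstParty)) detected = true;
      return detected;
    },
    trackingDetected: () => detected,
  };
}

// Send one browser through a sequence of sites that embed the tracker and
// report whether the test would fire. Only the unprotected browser trips it.
function runTest(policy, sites = ['news.example', 'shop.example', 'blog.example']) {
  const b = makeBrowser(policy);
  sites.forEach((s) => b.visit(s));
  return b.trackingDetected();
}
```

Calling `runTest('none')` returns true after the third site, while each of the four listed policies returns false over the same visits, which is the "my favorite privacy tool passes the test" outcome the thread describes.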

