Google is tracking every device you use - how do they do that?
-
- KVRAF
- Topic Starter
- 6425 posts since 22 Jan, 2005 from Sweden
Are browsers like Google Chrome spyware sending mac addresses, or?
Or how do they identify that?
"Security alert, new device logged into you account!" and similar.
I thought browsers were supposed to be safe to use on internet, nothing local revealed, or?
Thanks.
Or how do they identify that?
"Security alert, new device logged into you account!" and similar.
I thought browsers were supposed to be safe to use on internet, nothing local revealed, or?
Thanks.
-
- KVRAF
- 5716 posts since 8 Jun, 2009
Browsers send a fair amount of information to the server when they connect but none of it directly personal. Things like available memory, plugins, browser version, geolocation, IP address (and from that ISP). Google (and others) maintain large databases of these combinations and compare them to see if they've seen that browser before. You will often get "new device, who dis?" at times with a device that's been tagged as known is because you are accessing in a different location or from a different ISP.
-
- KVRAF
- Topic Starter
- 6425 posts since 22 Jan, 2005 from Sweden
Thanks.
At least good if not violating by single thing like mac address.
I thought at first it was on user agent, http headers, which I use a swither since some sites work better if I identify as a Mac with Chrome or similar, even being on old XP computer. Some forums work better also regarding was you say - but same browser in the core.
At first I thought it was all about this - but seems not.
I tried blocking that javascript was not to access certain hosts, and just partly worked.
Looking in tcpviewer I can see which host have connections etc.
But turning off javascript completely works rather well, better than expected.
I looked at these extensive firewalls, where you can set to having to allow every ip address and host that are ok. So downloaded a bunch of those.
I don't mind Google tracking places financed by commercials, it's all the rest that bother me. "I'm not a robot" is one I resent. Why should Google know I contacted this and that company's support or customer service - I am furious over this. How companies just jump on anything Google.
And the war continues....
At least good if not violating by single thing like mac address.
I thought at first it was on user agent, http headers, which I use a swither since some sites work better if I identify as a Mac with Chrome or similar, even being on old XP computer. Some forums work better also regarding was you say - but same browser in the core.
At first I thought it was all about this - but seems not.
I tried blocking that javascript was not to access certain hosts, and just partly worked.
Looking in tcpviewer I can see which host have connections etc.
But turning off javascript completely works rather well, better than expected.
I looked at these extensive firewalls, where you can set to having to allow every ip address and host that are ok. So downloaded a bunch of those.
I don't mind Google tracking places financed by commercials, it's all the rest that bother me. "I'm not a robot" is one I resent. Why should Google know I contacted this and that company's support or customer service - I am furious over this. How companies just jump on anything Google.
And the war continues....
-
- KVRAF
- 5716 posts since 8 Jun, 2009
The sniffer code can to a reasonable degree determine faked headers based on the capabilities the browser reports. It doesn't matter to how the server that provides the HTTP response, which will generally comply with what it's told but it will go into the database results. It can also be handy for detecting possible attacks.lfm wrote: ↑Tue Aug 11, 2020 4:40 pm I thought at first it was on user agent, http headers, which I use a swither since some sites work better if I identify as a Mac with Chrome or similar, even being on old XP computer. Some forums work better also regarding was you say - but same browser in the core.
-
- KVRian
- 972 posts since 22 Apr, 2004 from Switzerland
Isn't this the company's fault that they add some pixel on the webpage so you will show up in Google Analytics or something like that?lfm wrote: ↑Tue Aug 11, 2020 4:40 pm I don't mind Google tracking places financed by commercials, it's all the rest that bother me. "I'm not a robot" is one I resent. Why should Google know I contacted this and that company's support or customer service - I am furious over this. How companies just jump on anything Google.
And the war continues....
At first I bought in at the "don't be evil" bs from Google, but now I try to stay away from it as much as possible. It's just Google Maps that's so good compared to the others at this point.
- KVRAF
- 5752 posts since 29 Sep, 2010 from Maui
You guys gotta watch the netflix series "Connected" the first episode "surveillance" touches on this topic,
it's crazy the amount of stuff they track about you. Sadly, there is not much you can do about it, it's
the times we live in, it's only going to get worse unfortunately. Going off the grid and living in the wilderness, is about the only way one could possibly get around it.
it's crazy the amount of stuff they track about you. Sadly, there is not much you can do about it, it's
the times we live in, it's only going to get worse unfortunately. Going off the grid and living in the wilderness, is about the only way one could possibly get around it.
- KVRian
- 989 posts since 6 Jun, 2016 from San Marcos, Texas
Chrome is closed source, it's a black-box.
There's nothing stopping google from fingerprinting every instance of Chrome; having each 'phone home;' communicate with sites in specific ways ... whatever you can imagine.
Then, simply login to your google account--because of course you have one--and your identity is linked to your Chrome browser.
That's one way of doing it.
Also, consider how many websites use third party javascripts. Most notably, google libraries! Furthermore, most sites will link to these scripts to save on bandwidth.
By the way, none of this is illegal, or wrong doing. I might call it black hat techniques, but it's not criminal hacking stuff. Besides, whatever the case, you agreed to it by license.
Nearly all of these snares come by consent.
Good news though, Firefox and Chromium exist. I don't know why everyone flocked to Chrome circa 2009-10? I was doing IT full-time then and recall it happening suddenly that everyone decided Chrome was the thing to use.
Then there's this thing called Android ...
Anyway, at least with open source, sneaky stuff like this can't be hidden for very long.
There's nothing stopping google from fingerprinting every instance of Chrome; having each 'phone home;' communicate with sites in specific ways ... whatever you can imagine.
Then, simply login to your google account--because of course you have one--and your identity is linked to your Chrome browser.
That's one way of doing it.
Also, consider how many websites use third party javascripts. Most notably, google libraries! Furthermore, most sites will link to these scripts to save on bandwidth.
By the way, none of this is illegal, or wrong doing. I might call it black hat techniques, but it's not criminal hacking stuff. Besides, whatever the case, you agreed to it by license.
Nearly all of these snares come by consent.
Good news though, Firefox and Chromium exist. I don't know why everyone flocked to Chrome circa 2009-10? I was doing IT full-time then and recall it happening suddenly that everyone decided Chrome was the thing to use.
Then there's this thing called Android ...
Anyway, at least with open source, sneaky stuff like this can't be hidden for very long.
Last edited by lunardigs on Thu Aug 13, 2020 4:10 am, edited 11 times in total.
-
- KVRAF
- 2008 posts since 11 Aug, 2012 from omfr morf form romf frmo
Google's business model is predicated on user data. We are Google's product, sold to advertisers (in aggregate). It is in Google's interest to protect user data. If users do not feel they are safe with Google holding all this information on them, Google no longer has a product.
Facebook does the same thing but they know people are more captive there so play fast and loose with privacy. And they own Instagram too so they get all that facial recognition data on you and your kids before they are old enough to consent.
If you are using Chrome you are giving Google your entire browsing history. I find it insane this is the world's most popular browser. You can block Google Analytics via uBlock Origin or whatever, but then the most random sites will require reCAPTCHA.
Your ISP is likely tracking your browsing history too and there is little you can do about it without encrypting DNS (and avoiding a middleman attack) or using a VPN and configuring and trusting one of their DNS servers. Firefox released DNS-over-HTTP back in February which is a big help. Too bad they laid off 250 employees.
What's left of the free and open internet looks like it may die. Nope, using browsers other than Firefox won't help, all the other browsers use Chromium (the engine), even Microsoft Edge and Opera. Do we really want Google deciding all the web standards?
As for how they determine who you are, web browsers can be fingerprinted by things the browser is telling the other end minutia you don't know even exists. This is not an inherently bad action, it can be used to prevent attacks as well, which is what you face when you receive that notice. Imagine an attacker using their device to access your account. You'd want them to be challenged and you to be notified, right?
Facebook does the same thing but they know people are more captive there so play fast and loose with privacy. And they own Instagram too so they get all that facial recognition data on you and your kids before they are old enough to consent.
If you are using Chrome you are giving Google your entire browsing history. I find it insane this is the world's most popular browser. You can block Google Analytics via uBlock Origin or whatever, but then the most random sites will require reCAPTCHA.
Your ISP is likely tracking your browsing history too and there is little you can do about it without encrypting DNS (and avoiding a middleman attack) or using a VPN and configuring and trusting one of their DNS servers. Firefox released DNS-over-HTTP back in February which is a big help. Too bad they laid off 250 employees.
What's left of the free and open internet looks like it may die. Nope, using browsers other than Firefox won't help, all the other browsers use Chromium (the engine), even Microsoft Edge and Opera. Do we really want Google deciding all the web standards?
As for how they determine who you are, web browsers can be fingerprinted by things the browser is telling the other end minutia you don't know even exists. This is not an inherently bad action, it can be used to prevent attacks as well, which is what you face when you receive that notice. Imagine an attacker using their device to access your account. You'd want them to be challenged and you to be notified, right?
-
- KVRAF
- Topic Starter
- 6425 posts since 22 Jan, 2005 from Sweden
There seems to be some rebellion about the Brave browser, seems very good too.
A gather bit like DuckDuckGo search engine, and picking up on recent development in how people react to this tracking business.
A couple of months ago I started download everything YT, works really well. No ads unless the channel has their own sponsors.
A gather bit like DuckDuckGo search engine, and picking up on recent development in how people react to this tracking business.
A couple of months ago I started download everything YT, works really well. No ads unless the channel has their own sponsors.
- KVRAF
- 1943 posts since 17 Jun, 2005
A good test for your browser and browsing environment is https://panopticlick.eff.org
Especially see the full fingerprinting statistic.
"Your browser fingerprint appears to be unique among the 299,046 tested in the past 45 days." Uh oh . This is my personal Vivaldi installation, unsurprisingly uniquely trackable. See your combined statistics and the frequency the constituent parts show up on systems, and it demonstrates very well how easy it is to form a unique fingerprint these days.
Somewhat counterintuitively, if you tweak around in the settings of your browser, modifying its id and installing additions that change its behavior, in many cases it's more likely that you have created a (much) more easily uniquely identifiable client, not less so . If you make modifications and aim for a non-unique fingerprint, only make modifications that you know to be identical to a load of other browser installations out there as a whole.
Especially see the full fingerprinting statistic.
"Your browser fingerprint appears to be unique among the 299,046 tested in the past 45 days." Uh oh . This is my personal Vivaldi installation, unsurprisingly uniquely trackable. See your combined statistics and the frequency the constituent parts show up on systems, and it demonstrates very well how easy it is to form a unique fingerprint these days.
Somewhat counterintuitively, if you tweak around in the settings of your browser, modifying its id and installing additions that change its behavior, in many cases it's more likely that you have created a (much) more easily uniquely identifiable client, not less so . If you make modifications and aim for a non-unique fingerprint, only make modifications that you know to be identical to a load of other browser installations out there as a whole.
-
- KVRAF
- 2550 posts since 13 Mar, 2004
I think they set a cookie when logging in.
When I delete my cookies and log in again I get that ""Security alert, new device logged into you account!"".
edit:
While I do find that message kinda annoying (as I clear cookies regularly) I think it also makes sense getting a notification when your account is potentially hacked.
When I delete my cookies and log in again I get that ""Security alert, new device logged into you account!"".
edit:
While I do find that message kinda annoying (as I clear cookies regularly) I think it also makes sense getting a notification when your account is potentially hacked.
-
- KVRAF
- Topic Starter
- 6425 posts since 22 Jan, 2005 from Sweden
Some things are cookies others are listed among cookies, called service workers, as I found why they did not clear when clearing cookies. So these are databases that it seems are allowed since long.
I discovered since I got strange messages closing my good old xp machine, "cf notification" or something, that was transmitting this database somewhere. Since it was so big, browser was trapped if closing browser than immediately machine after that.
After I found this on disk and cleared that up, have a bat-command that do all that quickly, I have not had these messages closing computer. And also cookie listing disappeared for these as well.
Among cookies there are three types as I found, normal local storage, databases and service workers.
I think notify on logins are ok, amazon started doing, Microsoft and Google. Difference is that amazon do it when on amazon, microsoft when on microsoft com or xbox live. But Google do it everywhere else.
Since I have javascript turned off, I getting aware of places that demand you are logged in. I searched for answer to a windows question and clicked on answers.microsoft.com something, but they require to read that I must be logged in so they know who look at reply on that topic.
And I ask my self - is this innosent or is it something to avoid?
More and more answer is - I should avoid this.
By making it such a PITA to login, they also make you think twice before logging out or clearing cookies.
I feel more and more rebellion and will stay logged out everywhere. At least till I know more about how this is used.
Will I be a witness to a crime and be in court trial and something held against me regarding visiting this or that forum etc. Now public knowledge or something.
Will I be considered less reliable for being on KVR?
- this shady place on internet!
One never knows what will be held against me.....
I discovered since I got strange messages closing my good old xp machine, "cf notification" or something, that was transmitting this database somewhere. Since it was so big, browser was trapped if closing browser than immediately machine after that.
After I found this on disk and cleared that up, have a bat-command that do all that quickly, I have not had these messages closing computer. And also cookie listing disappeared for these as well.
Among cookies there are three types as I found, normal local storage, databases and service workers.
I think notify on logins are ok, amazon started doing, Microsoft and Google. Difference is that amazon do it when on amazon, microsoft when on microsoft com or xbox live. But Google do it everywhere else.
Since I have javascript turned off, I getting aware of places that demand you are logged in. I searched for answer to a windows question and clicked on answers.microsoft.com something, but they require to read that I must be logged in so they know who look at reply on that topic.
And I ask my self - is this innosent or is it something to avoid?
More and more answer is - I should avoid this.
By making it such a PITA to login, they also make you think twice before logging out or clearing cookies.
I feel more and more rebellion and will stay logged out everywhere. At least till I know more about how this is used.
Will I be a witness to a crime and be in court trial and something held against me regarding visiting this or that forum etc. Now public knowledge or something.
Will I be considered less reliable for being on KVR?
- this shady place on internet!
One never knows what will be held against me.....
- KVRAF
- 1801 posts since 23 Sep, 2004 from Kocmoc
recaptcha can go and die in a fire
Soft Knees - Live 12, Diva, Omnisphere, Slate Digital VSX, TDR, Kush Audio, U-He, PA, Valhalla, Fuse, Pulsar, NI, OekSound etc. on Win11Pro R7950X & RME AiO Pro
https://www.youtube.com/@softknees/videos Music & Demoscene
https://www.youtube.com/@softknees/videos Music & Demoscene
-
- KVRist
- 144 posts since 1 Jul, 2015
No there's few browsers that you can use if you don't like information flow, and even they have to be configured sometimes like probably Waterfox.
Isn't this offtopic to the site.
I second this
Isn't this offtopic to the site.
-
- KVRist
- 113 posts since 8 Oct, 2019 from Lannion, France
Edited : obviously not that simple
Some users also simply stay connected to their google account ; good catch to think about all the privacy implications.
Some users also simply stay connected to their google account ; good catch to think about all the privacy implications.