Web/Mobile Tracking
Introduction
This page lists only a few common ways of tracking users on the web. The article linked at the bottom, Behind the One-Way Mirror from the Electronic Frontier Foundation, lists many more.
General tracking.
Approach:
- Cookies
- IP address
- URL parameters
- HTML5 localStorage and sessionStorage
- Flash
- Silverlight
- ETags
Mitigation: Use incognito mode in your browser; it will not store these after you close the incognito session.
Third party cookies
Approach: A third-party cookie is any cookie used on a website that is not from the current domain.
Mitigation: Clear your cookies for all sites; beware that this may log you out.
Advertising identifier
Approach: Apple has made some great advancements in making tracking transparent.
With iOS 14, iPadOS 14, and tvOS 14, you will need to receive the user’s permission through the AppTrackingTransparency framework to track them or access their device’s advertising identifier. Tracking refers to the act of linking user or device data collected from your app with user or device data collected from other companies’ apps, websites, or offline properties for targeted advertising or advertising measurement purposes. Tracking also refers to sharing user or device data with data brokers.
Examples of tracking include, but are not limited to:
- Displaying targeted advertisements in your app based on user data collected from apps and websites owned by other companies.
- Sharing device location data or email lists with a data broker.
- Sharing a list of emails, advertising IDs, or other IDs with a third-party advertising network that uses that information to retarget those users in other developers’ apps or to find similar users.
- Placing a third-party SDK in your app that combines user data from your app with user data from other developers’ apps to target advertising or measure advertising efficiency, even if you don’t use the SDK for these purposes. For example, using an analytics SDK that repurposes the data it collects from your app to enable targeted advertising in other developers’ apps.
Mitigation: Disable or change your advertising identifier.
Browser fingerprinting
Approach: A method of identifying unique browsers and tracking online activity. A device fingerprint, machine fingerprint or browser fingerprint is information collected about a remote computing device for the purpose of identification. Fingerprints can be used to fully or partially identify individual users or devices even when cookies are turned off.
Mitigation: Incognito mode makes your browsing private by setting your “profile” to certain standard data points. These data points are part of your fingerprint, so, since many people use the same “profile” settings, the fingerprints look similar. This will greatly reduce your chances of having a unique fingerprint.
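An added example (not from the original notes or any of the referenced sources) that measures the point above: how many browsers in a sample share one fingerprint, and how many bits of identifying information each fingerprint carries. The sample profiles, attribute names, and the helper names `fingerprint` and `anonymitySets` are constructed for illustration.

```javascript
// Constructed sample: attribute sets exposed by six visiting browsers.
// Attribute names and values are illustrative assumptions, not real data.
const standard = { ua: "Browser/1.0", screen: "1000x900", tz: "UTC", fonts: "default" };
const profiles = [
  { ...standard }, { ...standard }, { ...standard }, { ...standard }, // shared "standard" profile
  { ua: "Browser/1.0", screen: "2560x1440", tz: "Europe/Oslo", fonts: "default+Fira Code" },
  { ua: "Browser/0.9", screen: "1366x768", tz: "America/Denver", fonts: "default+Papyrus" },
];

// FNV-1a 32-bit hash over the attributes in sorted key order, so the same
// attribute values always produce the same fingerprint string.
function fingerprint(profile) {
  const canonical = Object.keys(profile).sort()
    .map((k) => `${k}=${profile[k]}`).join("|");
  let h = 0x811c9dc5;
  for (let i = 0; i < canonical.length; i++) {
    h ^= canonical.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Group browsers by fingerprint. For each group report its size (the
// anonymity set) and its surprisal in bits: -log2(share of the sample).
// A group of size 1 means that browser is unique within the sample.
function anonymitySets(sample) {
  const counts = new Map();
  for (const p of sample) {
    const fp = fingerprint(p);
    counts.set(fp, (counts.get(fp) || 0) + 1);
  }
  return [...counts].map(([fp, size]) => ({
    fp,
    size,
    unique: size === 1,
    bits: Number((-Math.log2(size / sample.length)).toFixed(2)),
  }));
}

for (const row of anonymitySets(profiles)) console.log(row);
```

The four browsers on the shared profile fall into one anonymity set with low surprisal, while the two customised browsers are unique in the sample.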
TLS State
Great paper: Tracking Users across the Web via TLS Session Resumption.
Other Mobile methods
- Phone number. Depending on which operating system you use (Android or iOS), an application may be allowed access.
- IMSI and IMEI numbers. Same; access depends on the operating system.
- MAC address. Both Android and iOS perform randomization, so this isn’t as much of an issue.
Other mostly physical
- License plate. Automatic License Plate Recognition (ALPR)
- Face print. Using your face to authenticate via your phone opens you up to someone else using the fingerprint in ways you didn’t authorize.
- Credit card number. While obvious, it is included for completeness.
Overall desktop/laptop Mitigations.
- Use a VPN that does not log.
- Use a browser that prevents tracking, possibly something like Brave. Use incognito mode in that browser.
- Be careful with Tor; some Tor exit nodes are controlled by governments.
- Read Behind the One-Way Mirror by the Electronic Frontier Foundation.
Overall mobile mitigations
- Use an open source operating system focused on privacy and security. For example, GrapheneOS is a privacy- and security-focused mobile OS with Android app compatibility, developed as a non-profit open source project.
- Use open source and offline maps.
References
https://www.eff.org/wp/behind-the-one-way-mirror
https://samy.pl/evercookie/
https://pixelprivacy.com/resources/browser-fingerprinting/
https://developer.apple.com/app-store/user-privacy-and-data-use/
https://cookie-script.com/all-you-need-to-know-about-third-party-cookies.html
https://manuals.info.apple.com/MANUALS/1000/MA1976/en_US/device-and-data-access-when-personal-safety-is-at-risk.pdf
https://arxiv.org/pdf/1810.07304.pdf
https://osmand.net/