by bolder88 4601 days ago
Good. This recent war against cookies is futile and silly.

If you visit a website (Assuming you don't go via some anonymizer proxy), they can track you, and they can pass your details to any 3rd party who wishes to also track you.

Cookies are the easiest way for them to do that, but it's absurdly naive to think that if you block cookies then people won't track your browser activity online.

If you don't want to be 'tracked', stop generating HTTP requests, or do them through an anonymizer service. And good luck getting any website to work properly.

3 comments

>If you visit a website (Assuming you don't go via some anonymizer proxy), they can track you, and they can pass your details to any 3rd party who wishes to also track you.

Sure, server-side logging is always possible, but (AFAIK) advertisers and data miners have little interest in this information because it requires trusting the website owner not to forge results, which is obviously a very stupid idea when your business revolves around purchasing and selling ad impressions. Precluding the practical methods of this type of data mining (ideally by requiring whitelisting of Javascript and all access to third party resources, but disabling third party cookies is a good practical step) could greatly reduce the amount of surveillance that users are subject to, by eliminating the most common incentives to perform it.

>If you don't want to be 'tracked', stop generating HTTP requests, or do them through an anonymizer service.

I hope you realize that the effectiveness of services like Tor is greatly reduced if you aren't using the same techniques to reduce your surveillance "attack surface" that people are advocating for regular, non-anonymous browsing. It's really not hard to see why; considering the tracking cookie example: A unique cookie makes it clear to a site operator that the requests coming from all these different exit nodes are really originating from the same user. A third party tracking cookie can then make it clear to that third party that the same user is visiting sites A, B, and C over Tor. All it takes at this point is a small handful of screwups (from mentioning personal information to something as innocuous as reading a news article that is only relevant to people living in a certain location) to greatly reduce the search space required to identify you. "Uses xmonad and likely lives in New York City" could be more than enough to tie a large amount of your Tor browsing activity to a small set of suspects, in this case.

A single website can only track you inside their own pages. The problem with third-party cookies is that they enable cross-site tracking, which is much more privacy invading. First-party cookies don't help with that, since a cookie dropped by siteA won't be sent to siteB.

Now, sure there are other ways of doing cross-site tracking, like Etags, fingerprinting and such, but why shouldn't we try to plug those leaks too instead of giving up?

No, we shouldn't bother trying to plug those leaks.

Current situation:

  * You request website A, which includes 3rd party code from C. C drops a cookie.
  * You request website B, which includes 3rd party code from C. C knows you previously visited A.

New situation:

  * You request website A, which includes 3rd party code from C. Website A sends details of your visit via a backchannel to C.
  * You request website B, which includes 3rd party code from C. Website B sends details of your visit via backchannels, and C knows you previously visited A.

Wouldn't you rather such tracking be out in the open and easily blocked - stop accepting cookies, rather than them creating backchannels to track you instead?

Yes - You should give up if you think you will be able to continue sending websites HTTP requests directly, whilst not being tracked.

I'm not sure. Those backchannels would be enormously more expensive and technically challenging for the commercial entities to do right.

So, yeah, I see your point, but maybe I _would_ rather make it much more expensive to do that, and much harder for them to do it successfully rather than messing up a technical detail.

On the other hand, I guess eventually they'd get it right in commodity software that everyone can use. Eventually.

Really, I don't know why anyone that wants to do the kind of tracking we're talking about is using cookies anyway, instead of user-agent fingerprints that have been shown to be pretty much unique anyway. So the cookies are perhaps all a distraction. The browser makers don't need to invent a new cookie-less browser fingerprint tracking system, they've already got it with the over-specialized user-agents.

If you block third-party cookies, C no longer has a reliable way to know that you are the same visitor on both requests. (Unless you're suggesting that C is stuffing a UID in the cache or something?)

C can already infer that. Google probably does that on their free CDN stuff.

You have a unique combination of IP+UserAgent+extra Headers. That is enough. A and B do not even have to send anything. And this will continue to work even without cookies.

Requiring an IP address already eliminates cross-network tracking. For example, lots of people browse both on their PC on a cable/fiber connection and on their phone/tablet on 3G, with different IPs. They also often browse from their work network (yet another IP).

Same with User Agent: not useful if you're using Chrome on your laptop and Safari on your phone.
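The two situations sketched above (third-party cookie vs. backchannel keyed on IP + User-Agent) and the cross-device objection, as an added runnable model that is not part of the thread. Sites A and B, third party C, the addresses and the User-Agent strings are all constructed.

```python
"""Constructed model: third party C is embedded in sites A and B and tries to
link the two visits (1) by a third-party cookie, (2) by a server-side
backchannel keyed on (IP, User-Agent). Added example; all names are assumed."""
from dataclasses import dataclass, field
from typing import Optional
import itertools

@dataclass
class Request:
    site: str                      # first-party site the user is on
    ip: str
    ua: str
    cookie: Optional[str] = None   # cookie the browser sends to C, if any

@dataclass
class Tracker:
    """C: one visit log per identifier it manages to link visits under."""
    by_cookie: dict = field(default_factory=dict)
    by_fingerprint: dict = field(default_factory=dict)
    _ids: itertools.count = field(default_factory=itertools.count, repr=False)

    def embed(self, req: Request) -> str:
        """Current situation: browser fetches C's script and sends C's cookie."""
        uid = req.cookie or f"uid{next(self._ids)}"   # mint an id if none sent
        self.by_cookie.setdefault(uid, []).append(req.site)
        return uid                                    # becomes Set-Cookie value

    def backchannel(self, req: Request) -> None:
        """New situation: site A/B forwards the visitor's details to C itself."""
        self.by_fingerprint.setdefault((req.ip, req.ua), []).append(req.site)

@dataclass
class Browser:
    ip: str
    ua: str
    block_third_party: bool
    jar: dict = field(default_factory=dict)           # cookies keyed by origin

    def visit(self, site: str, c: Tracker) -> None:
        req = Request(site, self.ip, self.ua, self.jar.get("C"))
        c.backchannel(req)                            # site always tells C
        if not self.block_third_party:                # C's cookie only if allowed
            self.jar["C"] = c.embed(req)

def cross_site_links(c: Tracker) -> dict:
    """Identifiers under which C saw more than one first-party site."""
    return {"cookie": [v for v in c.by_cookie.values() if len(v) > 1],
            "fingerprint": [v for v in c.by_fingerprint.values() if len(v) > 1]}

def scenario(block_third_party: bool, same_device: bool) -> dict:
    c = Tracker()
    laptop = Browser("203.0.113.5", "Chrome/Laptop", block_third_party)
    phone = Browser("198.51.100.9", "Safari/Phone", block_third_party)
    laptop.visit("A", c)
    (laptop if same_device else phone).visit("B", c)  # B from same or other device
    return cross_site_links(c)
```

Blocking third-party cookies removes the cookie link; the backchannel link survives only while IP and User-Agent stay the same, and disappears when site B is visited from the phone.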

This move is to prevent you from being tracked against website A and B will.

For example, google provides a jquery CDN. Websites A and B use that to save some cents on bandwidth. Google now knows which pages you visited on websites A and B. And if A was a backpack store and B was a pressure cooker review, expect the NSA :D

Even if server-side tracking is as effective as cookie tracking (and I would argue it will not be), there’s a difference between the site tracking me, and the site enlisting my browser to aid it in tracking me. If I am to be tracked, let the site do so by expending its own cycles and storage, not mine.