by icebraining 4601 days ago
A single website can only track you inside their own pages. The problem with third-party cookies is that they enable cross-site tracking, which is much more privacy invading. First-party cookies don't help with that, since a cookie dropped by siteA won't be sent to siteB.

Now, sure, there are other ways of doing cross-site tracking, like ETags, fingerprinting and such, but why shouldn't we try to plug those leaks too instead of giving up?

1 comments

No, we shouldn't bother trying to plug those leaks.

Current situation:

  * You request website A, which includes 3rd party code from C. C drops a cookie.
  * You request website B, which includes 3rd party code from C. C knows you previously visited A.

New situation:

  * You request website A, which includes 3rd party code from C. Website A sends details of your visit via a backchannel to C.
  * You request website B, which includes 3rd party code from C. Website B sends details of your visit via backchannels, and C knows you previously visited A.

Wouldn't you rather have such tracking be out in the open and easily blocked - stop accepting cookies - rather than them creating backchannels to track you instead?

Yes - you should give up if you think you will be able to continue sending websites HTTP requests directly, whilst not being tracked.

I'm not sure. Those backchannels would be enormously more expensive and technically challenging for the commercial entities to do right.

So, yeah, I see your point, but maybe I _would_ rather make it much more expensive to do that, and much harder for them to do it successfully rather than messing up a technical detail.

On the other hand, I guess eventually they'd get it right in commodity software that everyone can use. Eventually.

Really, I don't know why anyone that wants to do the kind of tracking we're talking about is using cookies anyway, instead of user-agent fingerprints that have been shown to be pretty much unique anyway. So the cookies are perhaps all a distraction. The browser makers don't need to invent a new cookie-less browser fingerprint tracking system, they've already got it with the over-specialized user-agents.

If you block third-party cookies, C no longer has a reliable way to know that you are the same visitor on both requests. (Unless you're suggesting that C is stuffing a UID in the cache or something?)

C can already infer that. Google probably does that on their free CDN stuff.

You have a unique combination of IP+UserAgent+extra headers. That is enough. A and B do not even have to send anything. And this will continue to work even without cookies.

Requiring an IP address already eliminates cross-network tracking. For example, lots of people browse both on their PC on a cable/fiber connection and on their phone/tablet on 3G, with different IPs. They also often browse from their work network (yet another IP).

Same with User Agent: not useful if you're using Chrome on your laptop and Safari on your phone.

This move is to prevent you from being tracked against website A and B will.

For example, Google provides a jQuery CDN. Websites A and B use that to save some cents on bandwidth. Google now knows which pages you visited on websites A and B. And if A was a backpack store and B was a pressure cooker review, expect the NSA :D