Safari and Firefox both block many third-party cookies by default (which is why I had to change Firefox’s privacy settings to get this experiment to work), and as of today Chrome doesn’t (presumably because Chrome is owned by an ad company).
In the article, the author included a picture with his login cookies digitally blacked out. Just an FYI if you ever do this, certain image formats like bitmap can trivially remove the black mark while keeping the data it’s obfuscating intact. Look up bitmap watermarking if you want to know more!
Specifically, bitmaps aren’t compressed, and typically colors are stored in an 8 bit pixel. You can mask the least significant bit, or bits, and easily hide an image inside of another image with no visible detection.
Yeah most people use compressed formats, but it’s something to be wary of if you are posting credentials online. And with PDFs many programs let you draw over the pdf if you want to hide specific info, but when you open that pdf somewhere else, the drawing is gone. This isn’t something to do with bitmaps, but something worth noting.
Sites send cookies with the tracking pixel so that they can tell that the person who visited oldnavy.com is the same as the person who’s using Facebook on the same computer.
How do they give you the correct tracking pixel as a third party? Can Facebook’s cookie from Old Navy’s site interact with it’s cookie from it’s own site? Or is it a combination of ip address and browser fingerprinting that identifies you?
The answer to this is pretty complicated, so it’s not a surprise that this particular article doesn’t get into it. There’s a technology called cookie match or cookie sync. There are a lot of different flows it can use, but the basic trick is like this:
The user navigates to a site they want to read, which we’ll call interestingnews.com.
An advertising tag on the page causes the browser to load a pixel from, say, doubleclick.net. A previously-existing cookie A is sent with this request. The cookie value contains several fields, but the most important one is a simple integer which uniquely identifies this cookie jar. We’ll call the integer value A.id.
The server hosting the first pixel, instead of an image file, replies with an http redirect to one of its advertising partners, say retailer.com. The URL of the redirect is a pixel owned by this second site. Crucially, the URL of the retailer.com pixel includes a query parameter with the value of A.id.
The browser follows the redirect and sends retailer.com a previously existing cookie B, set on that domain. While the technology stack behind it may be different, this cookie too has a simple integer at the heart of it, which we’ll call B.id.
The retailer.com server now knows the value of B.id, because it was in the cookie, as well as the value of A.id, because it was in the URL. They can now store the mapping between these cookies server-side, and use it to join whatever other server-side information they may have about this cookie jar. They may even sell the use of the linkage graph to third parties.
I usually have to explain this with diagrams, but I did my best. I’m happy to answer questions.
So I guess at that point it’s just all graph processing? Get enough sites, get enough people, take the mappings and build correlations between the parts.
Edit: Thank you for taking the time to leave a detailed reply.
This article suggests installing ublock, but it probably meant to recommend ublock origin, which is a completely different, and much better product.
I enjoyed this.
In the article, the author included a picture with his login cookies digitally blacked out. Just an FYI if you ever do this, certain image formats like bitmap can trivially remove the black mark while keeping the data it’s obfuscating intact. Look up bitmap watermarking if you want to know more!
Minor suggested edit: “s/his/her”
Oops, thanks, but too late unfortunately
Ok, I looked up “bitmap watermarking”, and found nothing but articles on how to add watermarks to bitmap images. What exactly are you referring to?
Specifically, bitmaps aren’t compressed, and typically colors are stored in an 8 bit pixel. You can mask the least significant bit, or bits, and easily hide an image inside of another image with no visible detection.
Surely no one does it this way though? You just open the image in a photo editor, paintbrush over the top, export the result.
Yeah most people use compressed formats, but it’s something to be wary of if you are posting credentials online. And with PDFs many programs let you draw over the pdf if you want to hide specific info, but when you open that pdf somewhere else, the drawing is gone. This isn’t something to do with bitmaps, but something worth noting.
How do they give you the correct tracking pixel as a third party? Can Facebook’s cookie from Old Navy’s site interact with it’s cookie from it’s own site? Or is it a combination of ip address and browser fingerprinting that identifies you?
The answer to this is pretty complicated, so it’s not a surprise that this particular article doesn’t get into it. There’s a technology called cookie match or cookie sync. There are a lot of different flows it can use, but the basic trick is like this:
The user navigates to a site they want to read, which we’ll call interestingnews.com.
An advertising tag on the page causes the browser to load a pixel from, say, doubleclick.net. A previously-existing cookie A is sent with this request. The cookie value contains several fields, but the most important one is a simple integer which uniquely identifies this cookie jar. We’ll call the integer value A.id.
The server hosting the first pixel, instead of an image file, replies with an http redirect to one of its advertising partners, say retailer.com. The URL of the redirect is a pixel owned by this second site. Crucially, the URL of the retailer.com pixel includes a query parameter with the value of A.id.
The browser follows the redirect and sends retailer.com a previously existing cookie B, set on that domain. While the technology stack behind it may be different, this cookie too has a simple integer at the heart of it, which we’ll call B.id.
The retailer.com server now knows the value of B.id, because it was in the cookie, as well as the value of A.id, because it was in the URL. They can now store the mapping between these cookies server-side, and use it to join whatever other server-side information they may have about this cookie jar. They may even sell the use of the linkage graph to third parties.
I usually have to explain this with diagrams, but I did my best. I’m happy to answer questions.
So I guess at that point it’s just all graph processing? Get enough sites, get enough people, take the mappings and build correlations between the parts.
Edit: Thank you for taking the time to leave a detailed reply.
Yes, basically, it’s graph processing with a lot of money changing hands over different pieces of the task.