User experience test tools: A privacy accident waiting to happen

Researchers working on browser fingerprinting found themselves distracted by a much more serious privacy breach: analytical scripts siphoning off masses of user interactions. Steven Englehardt (a PhD student at Princeton), Arvind Narayanan (a Princeton assistant professor) and Gunes Acar (postdoctoral researcher at Princeton …

  1. Mark 85

    Diversion tactics needed?

    I'm thinking periodically and randomly, go visit, say, Pornhub and return, or Breitbart, the Democratic national party site, maybe some religious sites and return after each site visit. Mix up the random sites and just confuse the hell out of analytics.

    1. allthecoolshortnamesweretaken

      Re: Diversion tactics needed?

      No analyst, software-based or human, will be surprised or confused by data suggesting that Breitbart readers are wankers.

      1. Korev Silver badge
        Pint

        Re: Diversion tactics needed?

        "No analyst, software-based or human, will be surprised or confused by data suggesting that Breitbart readers are wankers."

        Sadly I can only upvote this once ->

    2. Anonymous Coward

      Re: Diversion tactics needed?

      I used to do this on start/favourite pages for a while.

      Like choosing a random, now archived Register story as their "Home page" when I load them up. Just for the giggles of knowing somewhere, an IT bod/Marketing assistant is looking at the Data going... "Thursday the evenenteenth of November, that article from seven years ago, keeps getting dug back up from our tape drives*. It's so popular... why?"

      Ok, I know it's not configured that way, but still, it would have some sort of listing of importance for access time on content, and me choosing a random or old page would surely confuse the plan.

      1. Anonymous Coward

        Home page?

        Why would I ever want my home page to be anything other than about:blank? ;-)

        I then start typing the address of the page I want to go to, and it autocompletes from my bookmarks or my browsing history (or, occasionally, I use the search box instead).

        1. JohnFen

          Re: Home page?

          "Why would I ever want my home page to be anything other than about:blank?"

          I don't know about you, but I find it awfully handy to make my bookmark server my home page. I don't use the browser to hold my bookmarks because I use multiple machines and multiple browsers.

    3. Anonymous Coward
      Devil

      Re: Diversion tactics needed?

      I'm quite sure analytics data are already full of individuals that visit both porn and religious/political sites....

      1. Korev Silver badge

        Re: Diversion tactics needed?

        "I'm quite sure analytics data are already full of individuals that visit both porn and religious/political sites...."

        "Only for research purposes"

    4. macjules

      Re: Diversion tactics needed?

      Yandex The Internet Research Agency would just report back to Putin, its sponsor, that you are a committed Trump supporter with typical violent pornographic requirements, plus a desire to monitor the DNC 'to see what lies HRC has been spreading today' which you then offset by visiting Breitbart.

    5. 7teven 4ect

      Re: Diversion tactics needed?

      It won't work, market research analysts will just ignore your weird data, and use what they know is right to find another person, near enough like you, and double that person's weighting until you get bored and stop diverting, then they come back like night hags.

      Yes this comment was designed to be found by certain searches.

  2. allthecoolshortnamesweretaken

    So, spending money to get past that paywall - which I do to avoid the data slurping and privacy invasions on ad-revenue based sites - will probably expose me to data slurping and privacy invasions at a scale that is worse? WTF?

    1. Anonymous Coward

      You seem surprised?

  3. Flocke Kroes Silver badge

    Designing software to create computer illiterates

    Firefox used to have an easily accessed off switch for JavaScript. The switch has been hidden because when illiterates view a broken website with JavaScript disabled they blame Firefox, not the site's owner.

    The checkbox could have been given a warning: "Disabling javascript will block irritating adverts and most spyware, but some badly/maliciously designed websites will become unusable." Dozens of people would have become slightly less computer illiterate. One or two broken websites would have been fixed for a few months.

    If you have the choice between deleting something useful and providing an opportunity for people to become a little less ignorant, please think of the consequences.

    1. shifty_powers

      Re: Designing software to create computer illiterates

      Well, could just use noscript then.

      Although will be grateful when noscript 10 is finally released for FF57.

    2. Dan 55 Silver badge

      Re: Designing software to create computer illiterates

      I've often wondered why the design geniuses at Mozilla never thought to put a toggle switch in the settings which changes between basic and advanced views, like VLC or Kodi.

      Never mind, I think I've answered my own question.

    3. Doctor Syntax Silver badge

      Re: Designing software to create computer illiterates

      "providing an opportunity for people to become a little less ignorant"

      Those who need the opportunity most will be too ignorant to take it.

    4. Anonymous Coward

      Javascript Exception-List - Why none in Firefox?

      It's there for cookies but it'd help to have it for JavaScript + images too (as per Chrome). Mozilla's reasoning for obfuscating JavaScript & images toggling is strange. Plus asking users to remember shortcuts like 'pt.e' or 'lt.i', wtf? Yes, sure, add-ons... But they're not a runner if your work PC is locked down or you've responsibility for maintaining PCs for a wider circle of friends & family!

      1. Dan 55 Silver badge

        Re: Javascript Exception-List - Why none in Firefox?

        There is an image exception list in Tools > Page Info > Permissions.

        JavaScript's permissions have been completely hidden. We can't allow Web 2.0 to be broken, can we?

        SettingSanity works on Firefox ESR and brings the JavaScript and images settings back to the options screen.

      2. druck Silver badge

        Re: Javascript Exception-List - Why none in Firefox?

        NoScript allows you to whitelist and blacklist domains.

        If you haven't already, add all of these session replay sites to your blacklist.

        1. JohnFen
          Thumb Up

          Re: Javascript Exception-List - Why none in Firefox?

          Even better, block everything that isn't on the whitelist. Deny by default should be the, errr, default.

            1. Anonymous Coward

            Re: Javascript Exception-List - Why none in Firefox?

            Better still, block everything by default, and do not keep a whitelist.

            Issue temporary permissions as needed, and revoke before leaving a site, or periodically revoke all temporary permissions.

  4. TrumpSlurp the Troll
    WTF?

    Login and payment sessions?

    Have I missed something subtle, or are a load of sites key logging both your login session and your payment processing including all credit card details?

    Just to check how you navigate a site?

    Ummm....if so how do you detect and prevent? There are hints that script and ad blockers may help but no definitive "use these and you should be fine".

    1. Anonymous Coward

      Re: Login and payment sessions? “Use these and you should be fine”

      As ever, all you need are RequestPolicy (stops content from untrustworthy sites from even being requested or loaded), and NoScript (stops untrusted scripts from running).

      If the tracking spyware can’t even be loaded (which would leave a minimal shadow footprint of you in their server logs otherwise), and can’t run, then they can’t track you.

      But, unfortunately, many shopping sites use third-party servers and JavaScript for integral parts of the site (such as product images), so sometimes you lose essential content by trying to block tracking by those third-party services.

      With ever more sites being hosted on a large South American river, I’m sure it’s sadly only a matter of time before the river pilots start to tightly bind spyware and tracking code into their hosting environments, if they haven’t already. It then becomes virtually impossible to load a site without it being known about and analysed.

      1. Adam Inistrator

        Re: Login and payment sessions? “Use these and you should be fine”

        RequestPolicy and NoScript are all far better handled all in one add-on, "uBlock Origin". It isn't instantly obvious how to use it but once you get the hang of it, it is an almost perfect solution for the picky individual.

        1. Kiwi

          Re: Login and payment sessions? “Use these and you should be fine”

          "RequestPolicy and NoScript are all far better handled all in one add-on, "uBlock Origin". It isn't instantly obvious how to use it but once you get the hang of it, it is an almost perfect solution for the picky individual."

          Does it let you temporarily allow certain scripts on a page without allowing others? Eg El Reg wants to load google analytics, google tagservices (flagged as "untrusted" and thus not even in the "temporarily allow" options), dpmrv.com (no idea so not allowed), regmedia.co.uk (not needed so not allowed), and theregister.co.uk (makes the pages look better so allowed).

          All those I can change with a simple menu, 1 click to bring up the list and one for each item I wish to load/ban.

          I can't see that functionality quite so simply in uBlock, which means I might need several more clicks per option. As I only load scripts needed to display the page/get certain functionality IF I am desperate enough to use the page to load those things, I'd really not want to do 10 clicks to load 1 script, see I need more, another 10 clicks to load another script, see more still needed, another 10 clicks....

          There is the picker mode which I've used to block certain elements, but that requires the page loading fully first (something I am NOT willing to allow, EVER, if it has scripts I don't want - one load of google analytics is a COMPLETE FAIL of the blocker!), and the item has to be visible and obvious (analytics wouldn't be "obvious" as it's not displayed). I have used the picker to block things eg the "spotlight" which kept showing stuff from many months back or that I'd already read, and that other thing El Reg had creeping into the left side of the main article. But not allowing scripts to load UNLESS I individually allow them, and then only on a temporary basis unless I choose otherwise? I don't see that in there in an obvious fashion. In that regard I am like most users with these types of things: if tool1 and tool2 do the same job, 1 is intuitive and easy to use while 2 is a trillion times better but takes 2 seconds to learn and a microsecond longer each use, I'm going to use 1.

  5. LewisRage

    SessionCam

      SessionCam have posted a rebuttal of sorts here: https://blog.sessioncam.com/sessioncam-and-privacy-why-you-dont-need-to-worry-about-session-replay-ce9cabbe52e2

    1. joed

      Re: SessionCam

      I read their explanations and left unconvinced. I'm not sure if just blocking their domain (on the router) is sufficient but I figured this was the least I'd have done.

  6. Anonymous Coward

    F-ck Digital

    I know I'm maybe alone in this and pissing against the wind.... But weekly revelations like this one make me cancel even more subscriptions. It gets me questioning everything... Like can I go without digital 100%, and just stick to real world products. Thinking hard too about bringing kids into the world. This revelation is like Barcoding-at-Birth. F*ck social media, US tech giants & advertisers for creating this arena of universal - digital - dystopia...

    1. JimC

      Re: F-ck Digital

      I've always worked on the assumption that there is no privacy on the net, and no secrecy. As long as you operate on that basis there isn't really a problem. There's no privacy or secrecy in a busy restaurant or crowded pub either, and it doesn't stop us using them.

      1. Anonymous Coward

        'no privacy or secrecy in a busy restaurant or crowded pub either'

        That kind of comparison is flawed and only hurts the whole issue. In the digital sphere, it's all too easy to profile entire populations and manipulate their behavior in incredibly invasive ways. Cambridge Analytica / Russian ads on Facebook influencing the US election is one toxic example. Can't glean that from any pub!

        https://www.theguardian.com/politics/2017/feb/26/robert-mercer-breitbart-war-on-media-steve-bannon-donald-trump-nigel-farage#img-1

        https://www.theguardian.com/technology/2017/may/02/facebook-executive-advertising-data-comment

        https://www.lrb.co.uk/v39/n16/john-lanchester/you-are-the-product

      2. JohnFen

        Re: F-ck Digital

        "There's no privacy or secrecy in a busy restaurant or crowded pub either, and it doesn't stop us using them."

        I think there's a great deal more privacy and secrecy in a busy restaurant or crowded pub than online (unless you're putting a fair bit of effort into maintaining online privacy).

      3. Tim Seventh

        Re: F-ck Digital

        "I've always worked on the assumption that there is no privacy on the net, and no secrecy. As long as you operate on that basis there isn't really a problem. There's no privacy or secrecy in a busy restaurant or crowded pub either, and it doesn't stop us using them."

        I agree mostly with the main point, just not the whole point. I always work on the assumption that there is no privacy on the net, but I keep operating on the basis that it is a problem that I should know about. It keeps me on my toes that one day everyone/someone would know everything about it, including who said/did it, if I said/did it on the net (or in a restaurant where the waitress overhears it).

        This is why in the public, I usually say whatever public topic proudly to the point that people on the next table would all give weird looks at me.

  7. Sssss

    Sue

    It is pretty simple. It is stalking, it is cyber espionage, it is spying, it is coercion. It is time for courts to start applying existing laws on the actions and intent they were made to govern, irrespective of the technology used. To use contract law as well, to strike down unreasonable and illegal contracts (very illegal). The days of hiding behind a new technology, trying to confuse the issues by so, and trying to set up lasting invalid precedents to change the law and legal culture, have to end. All these subversions must be struck down as subversions, and things interpreted by the intent and actions of the old laws. Somebody doing a crime remotely across a border is exactly the same as somebody standing at a border and reaching across to do the crime. Or somebody sending a package by mail to another company. Or somebody following somebody else all day recording what they are doing for bad purposes. Or demanding compliance and leverage on unreasonable terms (unbeknown to you) to carry out some service (instead of making an honest living by charging a small fee). Etc, etc, and so forth.

    Time to start suing them in class action, left, right and centre, and to offer perpetual class actions for non compliance concerning old or new plaintiffs.

  8. Version 1.0 Silver badge
    Pint

    The Internet is dead

    Will the last person on-line please turn off the lights when they go down to the pub.

    1. Dave559 Silver badge

      Re: The Internet is dead

      Fittingly, it would be appropriate if this were to happen by somebody pressing a Big Red Switch at CERN…

      (No, no that Big Red Switch, the other one…)

      [ObPedant: Yes, I know that the net is not just the web.]

      But, yes, it is depressing to see how the web has turned from a utopian library of open information to a marketing-riddled spyware-infested (and sloppily-coded) swamp in such a short space of time.

  9. Sir Runcible Spoon

    Time...

    to bring back Gopher - all is forgiven?

    1. Alistair
      Coat

      Re: Time...

      @SirRS

      No! Kermit!! we need Kermit!

  10. jms222

    My first "web" experience _was_ Gopher on a serial terminal to a mainframe so yes bring back Gopher and serial terminal or emulation of your choosing. The more variety there the better.

  11. Richocet

    Use of these things

    While these services are designed for honourable purposes, there are still risks: that if cost wasn't a barrier they could be abused for spying and keylogging, that rogue individuals at the vendor or the customer organisation could abuse the data obtained, that the data they obtained could be accessed by hackers, or if a company providing these services was bought by a criminal organisation and systematically abused without the other parties being aware.

    What can go wrong can be seen in examples like the advertising syndicates that collect as much personal data as they can and sell it to anybody that they can; and Facebook whose platform was used for unintended malicious uses plus Facebook's greed in doing business with anyone who would pay.

    I gather this type of data for my work to improve websites. After years of working in the field I have settled on an approach: I invite users in for a session, ask them to sign a release, observe them in person, and record the screen and sound. I pay them for the effort, and provide a written guarantee that the information will only be used for improving the website.

    Using online interaction recording services is an attempt to get the data cheaply, and I don't think it is worthwhile overall. Because it costs more to run online observations, the privacy situation (e.g. consent) and the quality of the information is lower than in-person studies. Online tools are only useful for running analysis across large numbers of sessions, or meeting (unnecessary) requirements to include hundreds or thousands of people in a study.

  12. jMcPhee

    Never hard to find an idiot when you need one

    Just look for someone with JavaScript always toggled on - or the owners of web sites which require it.

  13. Paolo di Gugliemo

    Appalling ad practice

    It's difficult to take you seriously on this topic when the read is ruined by the ads you plaster over the text which can't be dismissed. Frankly, you are of the same ilk.

    1. Anonymous Coward

      Re: Appalling ad practice

      Let's sum up your argument. You don't like the ads, therefore we lack credibility on reporting on something that is not about ads.

      FWIW our ads are well behaved - we run fewer per page than our competitors. And we don't make you register to read our content.

      1. Kiwi
        Thumb Up

        Re: Appalling ad practice

        "FWIW our ads are well behaved - we run fewer per page than our competitors."

        That I can give you. If you want a horror story in tracking and annoying ads overload (both the quantity of ads is overloading and the ads are also an overload on annoying each in their own right) then visit the "stuff" news1 site (childish name, even more childish site).

        I'd be happy to turn ad blocking off on El Reg if I could be sure I wouldn't have those annoying moving ads back. My attention span is limited enough as it is! :)

        1 In much the same way that Faux is news and Brietbat(sp) gives useful unbiased information

    2. Kiwi
      Coat

      Re: Appalling ad practice

      "It's difficult to take you seriously on this topic when the read is ruined by the ads you plaster over the text which can't be dismissed. Frankly, you are of the same ilk."

      I use AdAwayTM. Gets rid of those 'headachy' pains you get on a regular basis.

      (Or you could use the more generic uBlock Origin or another adblocker if said ads really get too annoying (and video ads on El Reg are why I use ad blockers; had El Reg used static ads I'd never have discovered ad blockers and instead kept limiting my web use to sites that don't piss me off - El Reg had content worth trying to see more...))
