Everyone is watching what you do online. How user tracking with cookies works (opens in new tab)

That's CRAZY. Couldn't reproduce in Edge though.

The problem with simply blocking cookies is that you'll break session handling at web hosts. That's probably why Reddit fails to work. And you don't need all that to avoid cookie tracking.

EDIT: Yep, looks like it's not compatible with the latest versions.

It has been broken for a long time and was eventually removed: https://bugzilla.mozilla.org/show_bug.cgi?id=606655

1) Get rid of the misfeatures that allow the problem to exist. Change the browser to never send headers that leak information by design (Referer, Cookie, Etag, User-Agent, etc).

1.1) (Optional) Fix stateful sessions that previously depended on cookies with a new HTTP session+authentication feature (that doesn't have the problems that made the Authorization header mostly useless).

2) Strip most of the other HTTP headers that leak bits of entropy so the browser fingerprint is too small (~16 bits max?) to be a unique id.

2.1) (Optional) Add some of the removed functionality back as a single header that reports a single "browser class" out of a handful (<32, 4-5 bits max. ~8 would be better) of predefined classes (e.g. "Standard Desktop with screen size between H1xW1 and H2xW2 with >=2 channel audio output. Supported codecs: audio=[MP3, AAC], video codec [...]", "mobile with multitouch screen with size ...etc...").

3) Disable Javascript. Running Turing complete code from potentially malicious remote hosts will always be dangerous, because it isn't possible to answer any question about the behavior of a program without running it (halting problem in general; Turing machines with >=7918 states cannot[1] be proven with ZF set theory). A safe web of documents is possible. Software needs to be handled separately.

Of course, none of this will happen because the people with the power to make most of these changes derive a lot of their income from surveillance.

[1] https://www.scottaaronson.com/blog/?p=2725

Set you browser to clear all cookies on close, use a separate browser for anything that requires authentication (ex: gmail), and never mix the two types of browsing. If they create a profile on you the cookies it's tied to disappear when you close your browser.

It's feels like a minor pain when you first start out but you used to it quick. Plus since you're not logged into anything by default there's a slightly higher barrier to ordering needless crap online.

It's not foolproof as you can be tracked by a combination of other factors (see: https://panopticlick.eff.org/) but it's much better than the alternatives.

Which is why I'm left wondering why nobody has mentioned Firefox Incognito mode (chrome too I think).

At least on firefox, incognito mode does not store cookies on disk. They persist for the duration of the tab/window you logged into.

this would circumvent cookie tracking, I think. I mean I guess not if you opened one icognito window and did all of your browsing inside of it, and never closed it?

am I missing something?

I set my browser (firefox) to clear all cookies on exit but I let my browser save passwords whenever possible. That way you have to log in every time you use a service but at least you don't need to type in the login info every time. It's quick. Of course, this does not work nicely for two factor stuff but you can use another browser for those.

The industry is moving to cross-device tracking to track you over multiple devices, without using cookies. This is probabilistic, not deterministic: There is 88% chance this is user A. But with huge amounts of data still useful.

I always find it very creepy when I looked something up on someone else's laptop and use it again half a year later, only to find that it remembers my last visit and (for example) centers the map where I last left it. I'm so used to having things be cleaned up against tracking, I don't even really experience what the web is like these days.

Cookies are sent to the website by your browser automatically when you visit pages. This is usually limited to the cookies belonging to the domain that set them, but the rules allow some flexibility for cross origin sharing. When you hear about tracking cookies, these are most commonly set by an embedded iframe; these can use a different domain from the page that embeds them, and in the case of ad networks this domain is often shared among many sites. These cookies present the largest potential danger to privacy, as they allow a third-party domain to track some browsing behaviors on the host sites in a way that isn't obvious to the user, and this can be used to build up a profile about the sites that user visits most frequently.

If you clear your history in your browser, the website will see no cookies from your browser on the next request. Most sites will simply set a new set of cookies immediately, treating you as a new visitor. You can instruct most browsers to automatically clear your cookies when you exit. Browsers which use a "private browsing" mode also typically use a separate cookie store, so they won't send any cookies from your regular session. From a tracker's point of view, this creates sort of a second user, and in theory should separate that activity from your main accounts. (In practice this can be easily circumvented with browser fingerprinting if a tracker is particularly determined.)

Not all cookies are bad, mind. They're one of the earliest widely adopted implementations of "local storage" for websites, and for a time they were the only reliable way a site could remember a visitor between requests. The most visible effect of clearing your cookies is usually logging you out of everything, since most sites still store your session this way.

If I were to start following you whenever you are going anywhere, sit next to you whereever I can, and write down as much about your life as I can, without asking you for permission first, would you also agree that that would be acceptable if I claimed that I need that information to operate or develop my business?

Also, obviously, noone "needs" that information, that's just bullshit. It may sometimes be helpful, but that doesn't mean you need it--just as any other business might be able to learn something from surveilling my non-online life, but that doesn't make it a need for them to spy on me, especially without my consent.

Whether you like targeted advertising is completely irrelevant, as noone is telling you that you may not agree to being spied on. That's like saying that there is nothing wrong with forcing everyone to walk around naked because some people enjoy appearing in porn.

Aren't there libraries/frameworks/products for exactly this? E.g., when I google "website tracking framework" amplitude.com is top ad result, and it seems to cover the business uses. And http://google.github.io/tracing-framework/ is the first non-ad result, which seems to cover the legitimate technical uses.

> I believe most of the site-owners need these information to operate/develop their sites

Can you give an example of a piece of user-relevant functionality that cannot be implemented without Google Analytics?

IME especially Google Analytics is mostly useful for business reasons, not technical reasons.

It's certainly fair to say that it's difficult to operate a profitable web business without Google Analytics. But that's a very different claim. And the difference is important because...

> So, if anyone could simply explain why this is SO bad or send me to correct discussion

Legitimate customer-business relationships should always involve informed consent. Cookie blockers and Firefox containers provide the technical tools that enable me to make an informed decision about whether to use your site. Without those technical mechanisms, it's very difficult for me to constantly monitor whether you are tracking me.

You/Google are free to deny me access to your products/content if I choose not to be tracked. But I should be allowed to make an informed decision about whether to use your site. The tools you're complaining about enable that informed decision.

You said could instead of do. Have they ever actually? Do you really click on ads? I don't think I've ever encountered somebody who admits to willingly clicking on ads. The only ad clickers I've seen are people who do it by accident or people who don't realize they're clicking on an ad (usually older folk with poor computer skills.)

Not really. Instead, each time you return to a site that has set a cookie on your computer, that cookie is included in the request header.

That same site will also know about your last visited page, even if it's outside of their domain, because of the "referer" frpm the request header.

> So if I copy paste the website in the address bar, they dont learn anything about my last browsing habit?

If you do that, then the referer will be empty and whatever site you visit will not know what you did last.

Cookies are just one thing. Web beacons i.e. tracking pixels, and the fact that companies utilizing those to suck up data about web users sell it feely to others for the sake of targeted marketing, is the reason you see peronalized ads all over the internet whenever you've finalized an online purchase.

There are lots of shady tracking systems in the world and cookies aren't one of them: they are clear, user-visible, and in the user's direct control both in theory and in practice.

Tor isn't relevant to this. If you're using Tor to block cookies you're Doing It Wrong.