Identity Providers are basically recording your login and sharing this information with other pages. Here GMX sends your login ID "tpid" to Adition which shares its own cookie with several ad tech companies using a classic cookie matching. In this case only with your consent.
Other Publishers like Spiegel Online, BILD and SPORT1 track households based on the IP address (also with consent).
The ID in the first screenshot is stable against deleting cookies, changing browsers and devices. It probably gets long-term persistence by logins from other household members.
Not all pages are asking for consent. In the second screenshot you can see Gutefrage.net working together with Berlin-based startup Zeotap to send the hashed e-mail from a login to Google, Xandr, Mediamath, Adition and The Trade Desk.
Regarding privacy, everything is lost now.
In this video Zeotap founder Daniel Herr explains an interesting part of his business model: Selling behavioural data from marketplaces like Autoscout24 to automotive brands like BMW. Publishers using Zeotap are getting paid for these insights.
https://www.youtube.com/watch?v=mrZ0HLd0LsI&t=81s
Indeed: The hashed e-mail from an autoscout login is transferred to Zeotap without consent.
This data is probably part of the automotive interest data that Zeotap is trying to sell on audience marketplaces.
Now it's getting criminal:
Watch the biggest identity provider Liveramp stealing an e-mail address from a hidden login field without consent and without login.
It was prefilled by the default Firefox password manager.
Read more about this interconnected login matrix in my in-depth article at @kuketzblog:
https://www.kuketz-blog.de/tracking-durch-identitaetsprovider/
Or in an easily understandable version in the newspaper Süddeutsche Zeitung (both German).
https://www.sueddeutsche.de/wirtschaft/cookies-internet-datenschutz-identitaet-1.5479567
And the whole thread on my website for convenience: https://rufposten.de/blog/2021/12/05/how-you-are-tracked-without-cookies-using-identity-providers/
@rufposten@social.tchncs.de would things like noscript even protect against this? i saw in one of the screenshots, image tags were used so maybe users should block media from such domains? (e.g. by setting these domains to "untrusted" in noscript)
@Johann150
Practically yes, most systems work just with JavaScript because of easy implementation, also the pixel iframe in the screenshot.
But remember that large companies also use identity providers to feed their customer data into marketing channels. So unique emails (e.g. with "catch-all") are the best solution.
@mupan @rufposten @Johann150 I'm using KeePassXC with Firefox plugin.
This setup does not autofill credentials, but hovers a KeePassXC icon: when clicked, credentials are then filled.
Is this setup not of a similar/greater security than copy/pasting?
@mupan @rufposten @Johann150 Fair enough.
I just remember looking into copy-paste with KeePassXC vs the browser plugin, and it seemed the plugin has overall better security, since then the only place your password is unencrypted is the credential box.
@douginamug @rufposten @Johann150 I really don't know. I generally distrust automatic processes in security, but, on the other hand, KeePassXC never disappointed me before. And, not to forget, the real thing currently is MFA. If the web application supports that, I'm fine with some more convenience.