[tor-talk] google analytics says it can track across separate domains

Mike Perry mikeperry at torproject.org
Sat May 19 20:14:12 UTC 2012


Thus spake Joe Btfsplk (joebtfsplk at gmx.com):

> A few months ago, someone raised the question of TBB or any included
> addon not blocking web beacons / trackers and perhaps something like
> Ghostery should be included in TBB (I think).  I asked about beacons
> (web bugs) compromising anonymity (not to mention privacy).  Can't
> find the post, but I believe either Mike or Roger replied that it
> shouldn't be an issue because web beacons, like Google Analytics,
> can't track from site to site.  Hope I've got the essence of the
> reply correct.

Yes, that is correct. We consider the ability to link user activity
across different url bar domains a violation of our design requirements
(https://www.torproject.org/projects/torbrowser/design/#privacy), and
any ability to do so is a major bug.

Unfortunately, there are a couple such bugs we're already currently
aware of:
https://trac.torproject.org/projects/tor/query?keywords=~tbb-linkability

We'll fix them, eventually. Help is always appreciated, though.

> There are other independent articles I've read about ability of web
> beacons to track across sites.  Here from the horse's mouth, *seems*
> to be verifying in a matter-of-fact, ho-hum way, they can & do
> track across completely separate domains.  Unless I've completely
> misread it.
> 
> I don't know what this means to Tor users, but as a Firefox user, I
> don't want them - & always suspected they were capable of doing more
> than gathering data ONLY on the site where they were 1st loaded.
> BTW, have many read the new Google "unified" privacy policy?

Yes, you are absolutely right. Normal web browsers do not consider the
ability to link your accounts and activity across multiple url domains
to be a problem. Actually, most of the major browsers see it as a
totally awesome feature....

As a result, we have all sorts of stupid crazy conflict between policy
people arguing for bullshit like "Do Not Track"; crazy lawsuits against
Facebook and other companies who are simply using the tracking
technology provided to them by browser makers; and weird filter addons
like Request Policy and Ghostery to try to filter "bad actors" (who can
simply reappear under new domains on a moment's notice anyway).

Almost no one wants to solve the real technical problem, it seems.

Sick sad world.


-- 
Mike Perry