Are unblockable web trackers truly unblockable?

We saw the following article pass by on a reputable technology news website: “Bad news: ‘Unblockable’ web trackers emerge. Good news: Firefox with uBlock Origin can stop it. Chrome, not so much. Ad-tech arms race continues: DNS system exploited to silently follow folks around the web” (from The Register)

When we read about this, we immediately looked into whether or not these ‘unblockable’ trackers are indeed al they are cracked up to be: unblockable or not?

We performed a variety of tests and can confirm that IvyDNS blocks these so-called unblockables by default and has been blocking them for a while already. IvyDNS was able to do so automatically and independently (i.e. without any need for us to teach it about this scheme), was a pleasant surprise to us, but then again, IvyDNS’ Artificial Intelligence was designed and deployed to anticipate these types of bad actors. It did exactly what it was supposed to: learn, adapt, overcome! And thus, Betteridge’s Law applies to this post.

As an aside: the linked article provides a lot of information and is, mostly, factually correct, after all, The Register is known for quality journalism. However, we think that it is limited in its world-view: it pretends that browsers are the only thing that matter in the world of the Internet.

While it is true that this is how most individuals interact with the Internet, there’s more to the Internet than browsers. In the end, browsers still need to resolve domain names, and that’s where IvyDNS lives: on a deeper, more fundamental, networking level. (And we’ll talk about DoH – DNS-over-HTTP[S] in another blog post.)

Google has quietly dropped ban on personally identifiable web tracking

Google has reversed an earlier made promise on privacy and will now allow personally identifiable web tracking:

We may combine personal information from one service with information, including personal information, from other Google services — for example to make it easier to share things with people you know. […] Depending on your account settings, your activity on other sites and apps may be associated with your personal information in order to improve Google’s services and the ads delivered by Google. […]

Read more or more

IvyDNS blocks tracking that is done by these large players.

Tool in the spotlight: Pure URL

Tool in the Spotlight: Pure URL, a Firefox extension that removes tracking query string fields like “utm_source=*” from URLs (the homepage of its creator is here. NOTE: while, according to the add-on web page, the tools declares to be available under the GPL v3.0, we can’t find the location of its actual source code).

What makes us excited about this add-on is that it automatically modifies and strips all unnecessary query string content (e.g. “utm_source=*” but others as well) from URLs that it encounters while you are browsing. Many sites embed these query string elements in links that they provide in order to track you, their advertisement campaigns, conversion sources, etc.
But these fields are of no use to you and even work against your best interests.

What Pure URL does, is turn a hyperlink like this:
https://www.domain.com/?page=7741&utm_source=somesite.com&utm_medium=RSS&utm_campaign=mail
into the more reasonable:
https://www.domain.com/?page=7741

By default, Pure URL treats and removes the following unnecessary query string elements (lifted and modified from the extension’s web page as of writing of this article):

  • utm_source, utm_medium, utm_term, utm_content, utm_campaign: spyware fields used by Google Analytics
  • yclid: spyware fields used by Yandex
  • feature: a useless field used by youtube.com
  • fb_action_ids, fb_action_types, fb_ref, fb_source, action_object_map, action_type_map, action_ref_map: spyware fields used by Facebook
  • ref, fref, hc_location: tracking fields used by Facebook
  • ref_: tracking field used by imdb.com

Pure URL strips out these query string values from hyperlinks by default and lets you specify which others you want it to strip as well (and – but why would you do this – which ones of the above, you want to keep).

One word of caution: it is unclear whether or not it prevents these values from being submitted to servers when you make a request containing these values yourself. In other words: it is unclear whether or not this add-on only modifies your DOM or whether it also modifies your requests. This can be an issue when you click on links containing these values in another program (e.g. e-mail client) which then opens up the page in your browser.

While IvyDNS already protects against this type of tracking, it is useful to have a multi-layered approach to your online security and privacy. Pure URL is a nice addition to these layers which also prevent the server-side from tracking you through these query string values.

NOTE: we are entirely unaffiliated with whoever produces this tool, we receive no compensation whatsoever from them.

The fallacy of personalized advertising

When peddlers of on-line advertising talk about their product, they hail ‘personalized advertising’ as a good thing, something you should actively want because, so they claim, “it is relevant content”.
But if you think carefully about it, you soon realize that this framing of the situation starts from an incorrect premise, namely that it is OK to be abused by adverts and that personalization of these ads is a cherry on top of the cake.

We disagree with this for at least the following reasons:

  • By definition, advertising is manipulative. Its sole purpose is to change your behavior or opinion in favor of the advertised product or service.
  • Advertising interferes with what you are doing. Think about the last time you said to yourself “I’d love to watch some (on-line) ads now instead of doing what I set out to do”. Take your time…
    Almost no-one likes ads or is eagerly anticipating whatever they are trying to do or accomplish, to be interrupted by an ad.
  • Most people reluctantly accept advertising as a necessary evil, a way to fund things that would otherwise not get funded. This in itself is a huge indemnification of advertising and shows that, fundamentally, it is not something we desire, instead, we endure it… (even though there are ways to pay for these things; just search for the “(digital) subscription” link on, for instance, your favorite on-line news provider)
  • Personalized advertising, by definition, requires an invasion of your privacy: it only works if and when you tell third parties things about you that you would otherwise never reveal. This is so that the system can get to know you, can learn about you and figure out which impulses you are most vulnerable to.
  • Personalized advertising works against you: it finds your weaknesses by following you everywhere and then exploits what it finds in order to cajole you into performing actions you would otherwise not perform, namely spending your hard-earned money.
  • Personalized advertising is not acceptable and is really nothing more than an admission that “we realize everyone hates ads, we’re going to make the pill less bitter by trying to serve you ads that our system thinks you will object to the least“.

A pill less bitter, is still a bitter pill.

IvyDNS protects from abuse by advertisers and other miscreants, whether it is theft, exposing you to malware or an invasion of your privacy.

Advertisers know exactly who you are… the data is NOT anonymized

Advertisers know who you are, where you go, when you go there and how much time you spend where you are: Advertisers will be able to upload email lists to target customers and similar audiences with ads on search, Gmail and YouTube.

This shows, yet again, that the claims about the data being anonymized, are false. This capability enables advertisers and those buying advertising time/space from (in this case) Google, to say “here’s an individual I want to show my ads to”(*).

What was that about “we don’t know who you are, you’re just an anonymous number to us“, you say? When the number is you, uniquely you, then you’re not anonymized, instead, you’ve been given an (additional) alias which makes it easier to be identified, not harder.

IvyDNS prevents you from ever being recorded as one of these (non-) ‘anonymous numbers’ in the first place. And even if you were recorded in the past, it makes your future footprints melt away before anyone gets a chance to see them. IvyDNS’ Artificial Intelligence contains comprehensive information about the purpose of domains used in tracking you, serves malware, serves advertising, invades your privacy.

(*) Interestingly, this also opens up a mechanism for those using advertising networks as delivery mechanisms for malware, to target very specific individuals for infection with their malware.

Tool in the spotlight: Random Agent Spoofer

Tool in the Spotlight: Random Agent Spoofer, a Firefox extension that gives you control over how your browser identifies to sites you visit.

Many sites create a fingerprint of you when you visit them. Usually, this information contains the ‘User Agent’ string, which (oversimplified) is a combination of the name of your browser, its version together with the name of your operating system with its version (this is much oversimplified, check out the wikipedia page for more info). This is useful information for those operating the sites you visit because it enables them to send you content that is specific to your browser. Specifically, if the site detects that you are visiting them using a mobile browser/device, it will send the mobile version of the site; if it sees a desktop browser or device, it sends the desktop version of the site.

However, with HTML5 and CSS3 in specific, websites no longer need to have multiple versions for different browsers, they can use “media selectors” to have the site render correctly instead.

The remaining use of the user agent string is being reduced to just fingerprinting you so that you can be uniquely identified based on what your browser tells the site it is and is capable of using a technique called browser fingerprinting. So even though you aren’t logged into the site, it knows it is you before you told it that it is you. Obviously, we are not a fan of this kind of thing. No-one should be forced to identify or legitimize themselves unless out of their own volition.

Enter Random Agent Spoofer, a tool that is part of the solution by changing the way your browser identifies to sites. It makes it super easy to select a particular browser and version you want to impersonate or you can set it up to change how it identifies every so often by itself. Once configured, there’s nothing you need to do.

Obviously, and similarly to other tools we highlight, this tool is not the one, single tool to use which will solve all your problems, but it adds to making it harder for sites to identify you as you visit them.
On top of that, Random Agent Spoofer gives you control over script injection, cookie behavior, headers sent to the site when you request it, etc… all making it harder for the site to figure out who you are (and make their efforts to do so, more frustrating and less accurate).

Check out the tool here. This tool is an open source tool currently hosted on GitHub, which means that you can look at the source code and figure out what exactly it is that it does, and how it does it – if that’s your thing (it is for us).

NOTE: we are entirely unaffiliated with whoever produces this tool, we receive no compensation whatsoever from them.

Power in the age of the feudal internet

While this article is already a couple years old, someone recently reminded us about it. The Internet started out as a way to build resilient systems: systems that could deal with black-outs or the disappearing of a server. And if one went down, we’d just prop up another one.

When ‘Cloud’ was the newest buzz-word, we were told that it would give us flexibility: if we didn’t like our current provider, we could pick up and move to another – it’s all in the cloud anyway, whether it’s over here or over there, it doesn’t matter, right?

Sadly, the cloud has become a mist. A mist preventing us from seeing what could have been. It prevents us from venturing out because we can’t move from one provider to another.

Regardless of how you feel about it, “Power in the Age of the Feudal Internet” is an interesting read.

Advertising networks are delivery mechanisms for malware

The Register published an article on how advertising networks used by major and popular sites are (yet once more) being hijacked by malware peddlers. IvyDNS eliminates this attack vector.

It’s just another reason to no longer treat advertising as ‘harmless’ or ‘a minor nuisance’: allowing content from unknown third parties to be downloaded to and executed on your devices is a major security risk that can lead to compromised devices and can include identity theft.

A two-year long, highly sophisticated malvertising campaign infected visitors to some of the most popular news sites in the UK, Australia, and Canada including Channel 9, Sky News, and MSN.

Readers of those news sites, just a portion of all affected (since it also affected eBay’s UK portal), were infected with modular trojans capable of harvesting account and email credentials, stealing keystrokes, capturing web cam footage, and opening backdoors.

The news sites are not at direct fault as they displayed the advertising; the ad networks and the underlying structure of high-pace and low-profit margins is what lets malvertising get its huge impact.

Read the full article here.

Tool in the spotlight: uMatrix

Tool in the Spotlight: Firefox extension – uMatrix.

uMatrix is a tool we love because it puts you back in control of where your browser will connect to when you visit a web page instead of handing that control over to whoever created the web page. Without it, your browser will just connect to and download everything and anything the page tells it to connect to or download. uMatrix gives you back the control to specify what you want your browser to connect to (and thus spend your bandwidth on) and what you don’t want your browser to connect to. The benefits of uMatrix are that it significantly enhances your security, privacy and greatly reduces your network usage (i.e. your browsing becomes faster since requests that are not made, are requests you don’t have to wait for).

By default, uMatrix works in a ‘relax block-all/allow-exceptionally mode’. What this means is that only ‘first party’ assets, namely those directly related to what you’re visiting, are allowed to be downloaded. Anything else that is attempted to be downloaded will be blocked.
In this mode, you’re really telling your browser to “go get this specific thing and make sure you get just that thing, don’t bother with anything else”. These ‘anything else’ could be third party scripts, trackers (like cookies, tracking pixels or any other analytics code), images, etc.

Sometimes this will break a web page that really does rely on these third parties, but you is easily fixed by the ‘allow-exceptionally’-part of this mode: the matrix lets you specify which types of assets (scripts, images, cookies, etc.) you are allowing to be downloaded from other places for this specific site. There is an excellent write-up here about how to do this.

NOTE: we are entirely unaffiliated with whoever produces this tool, we receive no compensation whatsoever from them.

Web-of-Trust add-on caught selling out its users

The Web-of-Trust (WoT) add-on for Firefox and/or Chrome has been removed from the add-on repositories for Firefox and Chrome. Some excellent sleuthing(*) by the Norddeutscher Rundfunk revealed that the WoT add-on was selling data which can uniquely identify its users to other parties, without ever asking for consent for this, let alone in a clear and proper way.

On top of this, WoT made claims about anonymizing the data but, as is almost always the case, the data was either not anonymized at all or the anonymization is useless and individual users can be deduced from the data. If the article is correct, then it appears that the latter is the case, that these claims appear to be unsubstantiated and grossly misleading, and that WoT is no different from other privacy-invaders.

This is just another example of the kind of limitations that you face when you try to enhance your privacy through browser add-ons or extensions: they see everything you see and it only takes a single, rogue add-on to compromise you, your privacy and your security. And while most of these tools are valuable and useful, you need a more comprehensive tool to secure you, your on-line safety and your privacy.

This is where IvyDNS comes in: it prevents connections to undesirable domains and it does it on a deeper, more fundamental networking level than browser add-ons. IvyDNS’ Artificial Intelligence contains comprehensive information about the purpose of domains and blocks access to those that are undesirable, whether that is because the domain is used in tracking you, serves malware, serves advertising, invades your privacy, etc.

IvyDNS is also built so that it does not ever receive the kind information that WoT is reselling. This is because IvyDNS receives only DNS requests: ‘What is the IP address for domain X’. It never receives information about which page you are requesting, or even which protocol you will be using to talk to that server. You could be asking for the IP address of a domain because you want to check your e-mail, you want to visit a web page on it, or there’s an app that pulls data from there, etc… IvyDNS does not ever see or receive the purpose of requests (nor requests made to non-IvyDNS servers).

The reason for this is simple. It is none of our business, and it would be wrong to pull ‘stunts’ as described in the linked articles. We built IvyDNS with these considerations in mind. It offers deep protection from top to bottom and it keeps you secure, undisturbed and as private as it can, while you are on-line!

You can read the original article on NDR.de (in German) about WoT selling out its users, and read about it over at The Register.