Re: how does host B know that its visitor is the one that visited host A? from Jonathan Rees on 2011-08-14 (www-tag@w3.org from August 2011)

From: Jonathan Rees <jar@creativecommons.org>
Date: Sun, 14 Aug 2011 07:03:38 -0400
To: Alan Ruttenberg <alanruttenberg@gmail.com>
Cc: www-tag@w3.org
Message-ID: <CACHXnaoGNiR_KJE22ksgDUSF0OpDiCJsPDB66SgQnHpgZdC8WQ@mail.gmail.com>

Thanks Alan, this explains it what I've observed.
Jonathan

On Fri, Aug 12, 2011 at 2:40 PM, Alan Ruttenberg
<alanruttenberg@gmail.com> wrote:
> A and B are in cohoots.
> A creates an id in their cookie. (aid)
> They embed a link to B that includes their id in the name. B's server
> responds to the link no matter what the id is
> B sets their cookie. on the server end, they associated their id
> (bid), with aid, and using the referrer information, record where
> you were when.
>
> C and B are in cohoots.
> C creates an id in their cookie. (cid)
> They embed a link to B that includes their id in the name. B's server
> responds to the link no matter what the id is
> B sets their cookie. on the server end, they associated their id, with
> cid and using the referrer information, record where you were when.
>
> C asks B where the person known by cid has been. B can respond that
> the person has been at A and when because it can compose the relations
> cid->bid o bid->aid and then look up the events.
>
> Tools such as Ghostery attempt to block this by blocking connections
> to organizations like B.
> See also http://blogs.wsj.com/wtk/
>
> -Alan
>
> On Fri, Aug 12, 2011 at 11:11 AM, Jonathan Rees <jar@creativecommons.org> wrote:
>> Probably everyone knows this but me...
>>
>> I shop at expedia.com (or somewhere) for a London hotel room. Later I
>> visit guardian.co.uk and see an Expedia ad for London hotel rooms.
>>
>> I visit guardian.co.uk in a different browser (same computer & IP
>> address but Safari instead of Chrome) and instead get an ad for
>> magazine subscriptions. Apparently the Guardian can tell my two
>> browsers apart somehow - it's using more than just my IP address to
>> decide what ads to show me.
>>
>> How does this work? I.e. what are browser instances doing that leaks
>> their identity to servers? Is it just a lucky guess based on
>> User-agent or something?
>>
>> (a propos our privacy & tracking discussions)
>>
>> Thanks
>> Jonathan
>>
>>
>

Received on Sunday, 14 August 2011 11:04:06 UTC