
Cooper Quintin | Third Party Tracking: How it works and how to stop it for good

BSides Orlando, 46:22, published 2016-03
About this talk
http://bsidesorlando.org/2016/cooper-quintin-third-party-tracking-how-it-works-and-how-to-stop-it-for-good

Abstract

Almost everything you do on the web is being read and tracked. The web is no longer static HTML. Advanced browser features such as JavaScript, cookies, and HTML5 are fantastic for making rich, featureful sites, but they can also compromise your privacy. During the course of a typical web browsing session, information about what you read and who you are can be sent to hundreds of third-party trackers without your knowledge or consent. In this talk Cooper Quintin, Staff Technologist with the Electronic Frontier Foundation, will discuss the who, what, why and how of web tracking. He will demonstrate two tools: Panopticlick, EFF's website demonstrating browser fingerprinting, and Privacy Badger, a browser extension to stop online tracking. He will also discuss EFF's plan to stop non-consensual third-party tracking on the web once and for all.

Bio

Cooper is a security researcher and programmer at EFF. He has worked on projects such as Privacy Badger, Canary Watch, Ethersheet, and analysis of state-sponsored malware. He has also performed security trainings for activists, nonprofit workers and ordinary folks around the world.
Transcript (en)

Alright. Oh, should I wait for people to get back from the beer now? Alright. Yeah, screw it. Alright. How's it going, everybody? I'm going to finally get started here. Technical difficulties sorted out. My name is Cooper Quintin. I'm with the Electronic Frontier Foundation. And I'm going to talk to you today about third-party tracking and corporate surveillance on the web, how it works, and what we can do to stop it.

So show of hands, who in here has heard of the Electronic Frontier Foundation? All right, cool. That's maybe a little more than half of you. So for those of you who haven't heard of us, we are a nonprofit that is dedicated to defending your civil liberties in the digital world. And we do this through a combination of impact litigation (we try to get things to the Supreme Court, we try to make case law), activism, and technology. We work on projects like HTTPS Everywhere, Let's Encrypt, Panopticlick, Privacy Badger. We have lawsuits going against the NSA. We fight against patent trolls. And we do a lot of really cool things. I'm a staff technologist at EFF, which means that I'm a programmer; I cannot answer your legal questions because I'm not a lawyer. However, my colleague, Mitch Stoltz, is a lawyer and he'll be up after me and you can ask him all of your legal questions. And he might hate me for saying that just now.

So what are we going to talk about today? Browser tracking is what we're going to talk about, and it's a bigger problem than you might think. Although if you were here for the last talk, you might realize how big of a problem it is. We're going to talk about why online privacy matters, who's tracking us, how they're doing it, and what we can do to stop it. Oh man, I lost one of my slides. Oh well. Oh no, I didn't. I'm good. Sweet.

Okay, so what is a third-party tracker? So a third party is a resource that gets loaded from a domain other than the one you intended to visit. So when you visit New York Times, it might load a

resource from Twitter and from Facebook. These are third parties. And third parties are everywhere. Third parties load images and CSS. CDNs, content delivery networks, will cache images, CSS, static files for faster delivery. Fonts, maps, widgets, social media buttons, analytics engines, and of course, the most obvious one, ads. So there are a number of different third parties.

And what does this look like? So this is a tool called Lightbeam. And it's an add-on for Mozilla. And these domains right here, the four domains that I just happened to open up in my browser, Boing Boing, New York Times, CNN, and BuzzFeed, and all of these little triangles here are the third-party domains that loaded on each site. So, and actually I'll go back over here. Up here in the corner you can see that there are four sites that I visited, 61 third-party sites loaded on these four sites. Now, a lot of these are only seen, so CNN saw a lot of these just by itself, right? Boing Boing saw a lot of these by itself. But what's really interesting is these third-party sites that are seen on New York Times, CNN, and BuzzFeed, right? We've got Facebook here, we've got some other ones here that I don't recognize. And if I were to browse more, you would see a lot more third-party links between these different websites, right?

And why is this a problem? This is a problem because these third-party sites have ways of tracking you, and I'll demonstrate some of those ways later. And when they see you on CNN and then on New York Times and then on BuzzFeed and then on whatever else you visit, they can correlate that data and build a really rich profile of everything that you're looking at online, down to a pretty granular level.

So 61 sites here, but how many people are doing this? How big is this really? It's huge. It's big business. This is a multi-billion dollar industry, right? And who's in this industry? Well, there's a lot of obvious people, right? Google, DoubleClick, Facebook, right? Some things you maybe haven't heard of, right? AddThis, you've probably seen online. It's a little button that lets you share things on social media. Acxiom is a data broker that you've probably never even heard of. Scorecard Research is on a ton of websites, and they don't serve any ads. I think they do analytics and basically third-party tracking. So it's a big business. There's a lot of companies doing this. It's almost ubiquitous on the web.

And why am I focused on third-party trackers? Because obviously Amazon is tracking you when you're shopping on Amazon, and there's other things that are tracking you. Governments are tracking you. Malware is tracking you. The reason that I'm interested in third-party tracking on the web is because it's really non-consensual, right? That's one of the reasons. When I go to Amazon, I'm kind of consenting to let Amazon see what I'm looking at on Amazon, right? I can expect that Amazon might want to know what I'm looking at

on their website, right? And there's kind of a contract there. If I don't want them to know, then I don't go to Amazon. But third-party tracking doesn't have this contract. Third-party tracking just shows up on whatever website I go to. When I read an article in the New York Times, I've decided to look at the New York Times. I haven't decided to let Scorecard and Google and everybody else know what I'm looking at, but they get to do that anyway. It's also ubiquitous, like I said. Something like 90% of news websites have third-party trackers on them, right? Almost every website on the web has some third-party trackers on it. And because of that, it's hard to avoid, right? And it's hard to avoid if you can't see it or if you don't know it's there or if you don't understand how it's happening, right? And like I said, this is a multi-billion dollar industry, so there's huge financial incentive to keep doing this.

But maybe you like targeted advertisements, right? So this is the most common way that you would notice third-party tracking, right? You do a search on Google for vacuums, right, or for pet insurance, and then you go to a completely different website, and lo and behold, there's an advertisement for vacuums, there's an advertisement for pet insurance, right? And these ads follow you around the web. Maybe you're okay with that. Maybe you think, "Hey, I want to see ads for things that I'm interested in." It's boring, it's useless to see ads for things that I don't care about. But the thing is, you have no control over how your information is being stored and being used. Third parties don't have any obligation to anonymize or temporarily store data. They don't have any obligation to delete data ever, right? And the data that they're storing can be stolen, it can be sold, it can be subpoenaed by the government, it can be misused by criminals or governments or government criminals or other corporations, right? And this is a big problem.

It's also useful for spies, right? So there's a few different stories that came out of Edward Snowden's leaks about the NSA using Google cookies, using other cookies, using smartphone tracking super cookies, right, to assist in their global spying efforts, right? And there's actually a great slide from the NSA, this is from an NSA slide deck, about how cookies can be used to track people within an IP address.

So this is all really bad to me. But some people don't think so. There's still a big strain of privacy nihilism. People say, "But privacy is dead." Privacy's dead, get over it, it's gone. Really, that's interesting. I think when people say things loudly, we should look at who's saying that

and what incentives they might have to say such things. So who likes to say privacy is dead? Well, there's this guy. This guy likes to say privacy is dead. This is Mark Zuckerberg, the CEO of Facebook, for those who didn't recognize him. Might Mark Zuckerberg have a financial interest in privacy being dead? Seems pretty likely, right? But does Mark Zuckerberg actually think privacy is dead? Well, not according to this headline, where he spent more than $30 million buying the four neighboring houses around him for increased privacy. Furthermore, I'm pretty sure that if any of us asked Mark Zuckerberg for his Facebook password or his email password, he would probably not give it to us, because Mark Zuckerberg, like all of us, enjoys privacy.

Why should we care about privacy? Well, there's a lot of reasons that we should care about privacy. You may want to read things that are controversial. You may want to do controversial research. You may want to read things that are embarrassing or just for general interest, right? You may want to learn about things that are, you know, not okay or that may make you look like a criminal even though you're not. You just want to learn how hacking works, for example, right? And there's data which might be embarrassing when put together. Say, for example, if you look up a disease on WebMD, you look up symptoms of cancer on WebMD and then you go search for health insurance quotes. We have, as a third-party tracker, a pretty good idea that you are experiencing some medical problems and you're just now looking for health insurance. And I could do a number of things based on that. I could decide that I want to show you higher rates. I could decide that I don't want to give you insurance, right? I could use that information and possibly blackmail you, right? There's a number of things you could do.

And there's also just chilling effects, right? Privacy is really good for a functioning, healthy democracy. Privacy is really important for freedom of thought and freedom of speech. When people know that they're being surveilled or when people think that they're being surveilled, they tend to curb their speech and they tend to even curb their thoughts toward what is acceptable to the society at large. Privacy lets us make mistakes, play with ideas, and grow as individuals. It gives us the space to discover who we are. So that's why I think privacy is important. And that's the end of my philosophical rant. Thank you for bearing with me. Now we'll get into the fun technical stuff.

So how does online tracking work? Well, the most obvious form is the IP address. So there's about 4 billion (2^32) IP addresses. And IP addresses can be useful for tracking, but they're actually not super great. If you're behind a firewall, if you're behind a NAT, many of us will share the same IP address. Everybody at your house

shares an IP address. A lot of people at this university, if you were connected to a wireless access point, would share the same public IP address. So IP addresses aren't great. Although they can be useful, they're not excellent. But they have decent entropy.

And I'm going to talk about entropy a lot. So let me take a little tangent here. What do I mean when I say entropy? Entropy in information theory is the amount of information contained in a message. And in computer science, we usually refer to it in bits. So a two-bit message would have an entropy of, well, two bits, or one in four people, one in four messages. There are four possible messages. A cookie with low entropy, something like lang=ES, right? There's about eight bits of entropy. There's about 255 language codes. So I can identify you as about one in 255, like a group of one in 255, right? And then a high-entropy cookie. We have a 12-digit long hexadecimal number, right? This contains about 48 bits of entropy, or approximately one in 281.5 trillion, right? So this is a fairly uniquely identifying cookie, right?

And cookies, as you may know, are a very common form of web tracking. A cookie is a file, or a string really, that's stored in your browser and can contain just a unique string like the one I showed you, which can then be read by the site that set it and follow you around. So how this works in practice is you go to New York Times and New York Times loads some information from DoubleClick. DoubleClick gets to set a cookie, which uniquely identifies your browser. And then when you go to another website, say Boing Boing, DoubleClick gets loaded again. DoubleClick gets to read the information from the cookie that it set and gets to know that it's this same browser. Now it can say, okay, this is the browser that just visited New York Times and read an article about rising colon cancer rates. And now it's at Boing Boing and it's reading an article about furries. And suddenly we have a lot of information about this browser and what the person driving this browser is interested in. So that's how cookies work.

Most of us know about cookies. Most of us know how to clear cookies, right? There's a wealth of knowledge. And so trackers are moving away from using cookies and onto new and interesting technologies like super cookies. A super cookie is pretty much the same as a cookie. It's a string, a uniquely identifying string that's stored somewhere in your browser, right? The thing about super cookies, or evercookies as they're sometimes called, is that they can be stored in all sorts of interesting places. It turns out that there's a lot of places where your browser can store

information indefinitely. There's Flash cookies, there's the local storage object, you can cache an image that serializes into a uniquely identifying string. There's a bunch of different types of super cookies. And most browsers don't have good ways to clear these. How many of you know how to clear Flash cookies from your browser? I see like a half a hand. Yeah, so this is really bad, right? We have great ways to clear cookies, but no ways to clear super cookies. Well, okay, maybe you can clear super cookies by going into private browsing mode, right? Sometimes private browsing mode works to clear super cookies. It works to clear some super cookies. It doesn't work for all of them, but it can help, right?

So we can use browser fingerprinting. Browser fingerprinting is really neat if you like tracking people. Browser fingerprinting is where I take a measurement of the unique properties of your browser and make an identifier out of that. Now, this is great because you can't clear your cookies and get rid of the fingerprint, right? You can't go into incognito mode and get rid of the fingerprint, right? EFF did a bunch of research on browser fingerprinting and published it on this website, panopticlick.eff.org, which we recently revamped. So if you're already familiar with Panopticlick, you should check it out again. And if you go to Panopticlick, you can hit this big orange button that says test me and test your browser against fingerprinting. I tested my browser and my browser so far is unique among the 137 browsers that have been tested in the last two months since we relaunched Panopticlick. It conveys 17 bits of identifying information. That's 17 bits of entropy, right? And what sort of things did we check to make this fingerprint? We checked super cookies. We wrote some canvas data using the HTML5 Canvas API. We checked my screen size. We checked what plugins I have in my browser. This is like Flash, the Chrome PDF plugin. Not to be confused with browser extensions, which are things like Adblock Plus, Privacy Badger, Ghostery. Browser plugin details, the time zone I'm in, if I have DNT enabled or not, what fonts I have installed, what user agent I'm running, meaning also what version of the browser I have. So some of these things change frequently. Some of them don't. But when combined with super cookies, when combined with regular cookies, these turn into really effective, really hard to get rid of forms of tracking.

And there's more. In the last talk, we saw a bunch of these, right? This is one that I think is really, really insidious and really interesting. This company called Silverpush. And so what they do is they get onto TV advertisements and they have a high-frequency tone that's not audible to the human ear. But then they have a Silverpush SDK, which gets added to various applications on your phone, and it listens for this high-frequency tone.
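The entropy arithmetic and the cross-site cookie read from the cookie section above, as an added example that is not part of the talk and not EFF code: a minimal single-keyed cookie jar lets the same third party read its own 48-bit id on every site that embeds it, and the same jar switched to the double-keyed behaviour the speaker proposes later in the talk hands that third party a different id per first-party site, so the profiles can no longer be joined. The domains, page paths and identifiers are constructed for this example.

```python
"""Cookie entropy and cross-site correlation (added illustration, not EFF's code).

CookieJar(double_keyed=False) mirrors today's browsers: a cookie is keyed only
by the domain that set it. double_keyed=True keys it by (setter, first party),
the change proposed later in the talk. Domains below are constructed.
"""
import math
import secrets
import string
from collections import defaultdict


def identifying_bits(n_possible_values):
    """Bits of identifying information in a value drawn uniformly from n possibilities:
    4 messages -> 2 bits (1 in 4); ~255 language codes -> ~8 bits (1 in 255)."""
    return math.log2(n_possible_values)


def one_in(bits):
    """Turn a bit count back into odds: 48 bits -> 1 in 2**48 (~281.5 trillion)."""
    return 2 ** bits


def estimate_cookie_bits(value):
    """Upper bound on a cookie value's entropy from its length and character set.
    A 12-character hex id gives 12 * log2(16) = 48 bits. This over-estimates
    structured values such as lang=ES, whose real entropy comes from the ~255
    possible codes rather than from the two letters."""
    if not value:
        return 0.0
    if all(c in string.digits for c in value):
        alphabet = 10
    elif all(c in string.hexdigits for c in value):
        alphabet = 16
    elif all(c.isalnum() or c in "-_=+/" for c in value):
        alphabet = 64
    else:
        alphabet = 95  # printable ASCII
    return len(value) * math.log2(alphabet)


class CookieJar:
    """Browser-side cookie store, single-keyed (current behaviour) or double-keyed."""

    def __init__(self, double_keyed=False):
        self.double_keyed = double_keyed
        self._store = {}

    def _key(self, setter, first_party):
        return (setter, first_party) if self.double_keyed else (setter,)

    def get(self, setter, first_party, name):
        return self._store.get(self._key(setter, first_party), {}).get(name)

    def set(self, setter, first_party, name, value):
        self._store.setdefault(self._key(setter, first_party), {})[name] = value


class ThirdParty:
    """A resource loaded from another domain (an ad network, say). On every load it
    reads its id cookie, minting a 48-bit one if absent, and logs the page seen."""

    def __init__(self, domain):
        self.domain = domain
        self.profiles = defaultdict(list)  # id -> [(first_party, page), ...]

    def on_load(self, jar, first_party, page):
        uid = jar.get(self.domain, first_party, "id")
        if uid is None:
            uid = secrets.token_hex(6)  # 12 hex digits = 48 bits of entropy
            jar.set(self.domain, first_party, "id", uid)
        self.profiles[uid].append((first_party, page))
        return uid


# Constructed browsing session mirroring the talk's example.
VISITS = [
    ("nytimes.example", "/health/colon-cancer-rates"),
    ("boingboing.example", "/furries"),
    ("nytimes.example", "/politics"),
]


def simulate(double_keyed):
    """Replay VISITS with one embedded third party; return the profiles it could build."""
    jar = CookieJar(double_keyed=double_keyed)
    tracker = ThirdParty("doubleclick.example")
    for first_party, page in VISITS:
        tracker.on_load(jar, first_party, page)
    return dict(tracker.profiles)


if __name__ == "__main__":
    print("lang=ES:", round(identifying_bits(255), 2), "bits")
    print("12 hex digits:", estimate_cookie_bits("5f3a9c01b7e2"), "bits, 1 in", one_in(48))
    for mode in (False, True):
        print("double_keyed =", mode, "->", simulate(mode))
```

Run with `python3 cookies.py`: single-keyed, one id accumulates all three page views across both sites; double-keyed, the same session yields two unrelated ids, each confined to one first party.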

That's the tone your TV will be emitting when certain commercials come on. And when it sees those commercials come on your TV, when it hears that tone, the Silverpush SDK that's listening on your phone knows what program you're watching, what ad you're watching, right? And it's a way of connecting your TV viewing habits and your TV ad viewing habits with what's going on on your phone and the tracking that's happening on your phone. And it all comes together really nicely for the people that are trying to track you. This stuff is super interesting. I really encourage you to check it out more and think about the other possibilities of high-frequency communication between devices that humans can't hear, because it's creepy as hell.

So I've given you a lot of -- there's a lot of terrible things out there, right? But I'm not just gonna leave you with that. Of course, I think that this can be stopped. How can it be stopped though? Well, you could do incognito browsing. Like I said, incognito browsing, you're only untrackable between incognito -- you're not even untrackable between incognito sessions, right? You're still vulnerable to fingerprinting. You're still vulnerable to some super cookies, right? Incognito browsing isn't actually really that good at protecting you from tracking. And that wasn't the point. The point of incognito browsing is to protect you from somebody else who has access to your computer reading your browser history.

What about Tor Browser? Well, Tor Browser is actually really great at preventing tracking. They've done a lot of hardening against fingerprinting, and when you start a new Tor Browser session, it gets rid of all super cookies, it gets rid of all regular cookies, or if you refresh your identity, you're a totally new person in the eyes of the trackers. So Tor Browser is actually excellent for protecting against tracking. Unfortunately, Tor Browser is also not usable yet for a lot of people. Tor is slower than normal web browsing. You can't run Flash on it. You can't run peer-to-peer web streaming video applications on it. And so it's not necessarily for the layperson yet. Hopefully someday it can be.

What about ad blockers? Well, a lot of ad blockers by default only block advertisements, not necessarily trackers. There are a lot of trackers which are invisible, right? Not all of them show advertisements. Scorecard Research, for example, doesn't show any advertisements, right? Some ad blockers even just hide the ads. They don't necessarily block the network connection. They just hide you from seeing it, right? This is worse than useless. Blacklists: a lot of blockers are blacklist based, right? And this means that they're always behind, right? You have to always add new domains to your blacklist. You have to always be finding what new domains are used for tracking. And there's kind of an arms race problem. And they're not always trustworthy, right? Some third-party track-- some ad

blocking and tracker blocking companies sell information to advertisers, and this is part of their business model. They sell information about, for example, Ghostery's GhostRank program. If you opt into GhostRank, which is how they make their money, what they do with that GhostRank data is sell data about -- and they say it's anonymized. But they sell data about what ads people are looking at, what ads people are blocking, what third parties show up where. And they sell these to advertisers or just whoever else wants to buy this data, right? Other ad blockers get paid to unblock ads, right? Adblock Plus's business model is that they have this acceptable ads policy, right? And they will come and if you pay them money, they can audit you and get you into the acceptable ads program and then you won't be blocked by Adblock Plus, right? I will leave it to you to decide what you think about those business models. But I don't think they're great, right?

So we can do policy work, right? We can try to do this with the W3C, right? Well, we tried Do Not Track, right? It was an opt-in thing. It was send a browser header that says DNT: 1, do not track, true, right? And the idea was that if a website saw this header, they wouldn't track you, right? Unfortunately, advertisers got involved in the W3C process and DNT turned out to be much weaker than it could have been. It's totally optional, there's no enforcement, nobody even really listens to it, and it didn't end up being a real privacy-preserving option. The ad industry solution was of course the Digital Advertising Alliance. And you might have seen this logo on the top right corner of some of the ads that you've seen online. Advertisers proposed that they should just self-regulate. Yeah. So Digital Advertising Alliance offers an opt-out. Right? But what does this opt-out opt you out of? It turns out that what it opts you out of is seeing targeted ads, and yet you are still tracked. Again, this is actually worse than nothing. It's not legally binding, and even still, only certain advertisers have adopted this.

So, at EFF, we've been thinking about this problem, and we think that we have a solution that might be a bit better than these other ones. And the solution is Privacy Badger. Privacy Badger is a combination of technology (it's a browser extension) and also policy. And this is Privacy Badger in its natural habitat celebrating its first birthday. Yeah. So Privacy Badger is a browser extension for Chrome and for Firefox. It's open source. And we focus on completely blocking trackers, right? Our focus is not necessarily blocking advertising unless that advertising is tracking you. We use an algorithm instead of a blacklist. We try to determine what's tracking you specifically by looking at the cookies that are being set, the super cookies that are being set, and

if people still want to base their business models for their websites on advertising, we offer them a way to do that without tracking their users.

So how does Privacy Badger work? First, it sends the DNT header, right, which I discussed earlier. It looks for third parties that are following you around as you browse the web. And if the third party is seen on several different domains, and if it appears to be tracking you, say by setting high-entropy cookies or high-entropy super cookies, Privacy Badger blocks it. Pretty simple. Here's Privacy Badger running on Gawker.com. As you can see, we've blocked imrworldwide.com, krxd.net, nr-data.net, quantserve.com. You probably haven't even heard of any of these companies and I see them every day on most of the websites that I go to. And so these are all being blocked by Privacy Badger here. You can see that their indicator is set to red, and they've been blocked. One of them hasn't been blocked yet, kinja.com, and that's because we haven't decided yet that kinja.com is tracking.

Occasionally, a tracker can't be blocked without creating significant breakage for the user. Things like YouTube embeds, Google Maps, PayPal checkout. These things, if we block them entirely, the web will stop working in the way that people expect and people get angry. So for these, instead, we try to block them from tracking you without blocking them entirely. And so we do things like we block them from setting HTML5 super cookies. We block them from setting or reading regular cookies. And we block, right now, canvas fingerprinting and in the future, other forms of fingerprinting. Here's Privacy Badger running on boingboing.net, where you can see that we've tried to cookie block creativecommons.org and gstatic.com and we haven't decided yet to block licensebuttons.net or apis.google.com.

Excellent question. Yes. So if you don't like the decisions that Privacy Badger has made, you can manually block. You can see what Privacy Badger has blocked and you can adjust the settings. You can block something, you could cookie block something, you could allow something. You could disable Privacy Badger for a certain site entirely if you want, if it's breaking that site, or if you just really don't think that site is tracking you or if you don't mind and you want to not block whatever they're running. And you can, we have some things to, well, I'll get into that in a second. So yeah, you can see that if you move them manually, it puts that little undo arrow there if you did the wrong thing. And you can disable Privacy Badger. We also replace social widgets, so like the like button, the tweet button, right? We replace those with a self-hosted version that when you click on it, it will either go to the Twitter share page or it'll go to a non-tracking share page or it'll load the tracking content in there when you

click it so that you're not automatically tracked by these things and you opt into them. We also recently did the same thing for SoundCloud, so now, if you see a SoundCloud widget, Privacy Badger replaces it with a click-to-play button and SoundCloud doesn't get to automatically track you. But if you want to play a song from SoundCloud, you can do that and the artist still gets revenue and SoundCloud still gets revenue.

So what about third-party sites that legitimately don't wish to track their users, right? And for that, we have the policy side. And the policy side is a new Do Not Track agreement that EFF, along with a bunch of other companies, has been working on. The Do Not Track agreement is an actual document that we think is... I don't want to anger the lawyer. We think it's similar enough to a contract that if you put up the Do Not Track document and then you were to track people anyway, you could probably be sued. Maybe be sued. Okay. So it states that anybody sending the Do Not Track header will not be tracked. And it goes into some specific ways in which they won't be tracked. And we think that this is important. We think that blocking sites that do track people, we think blocking sites that don't respect the DNT header, creates an incentive to respect the Do Not Track header. Sort of the carrot and the stick approach. The carrot is do not track and you get to show your ads and you get to get revenue, and the stick is if you're tracking people, Privacy Badger is going to block it.

DNT specifically says that you'll identify for a user that has requested you not track them. You will throw away user identifiers. You won't keep logs longer than a necessary minimum amount of time, which is specified. I can't remember what it is, but it's a number of days. Data can be kept for debugging or security purposes, of course, until the debugging or security incident is over. Data can be anonymized and aggregated in large buckets for analytics. And third-party sites that adopt DNT get automatically unblocked by Privacy Badger. You don't have to come to EFF to adopt the DNT policy. We don't have to approve you. But if you post the Do Not Track policy and abide by it, you get unblocked by Privacy Badger. So this is the path for sites that legitimately do not wish to track their users, but would otherwise get blocked by Privacy Badger. So we have our policy up at eff.org/dnt-policy. And it's been adopted so far by a few different companies: DuckDuckGo, Adzerk, which is an ad network, Mixpanel, which is an analytics company, Medium, the blogging website, Disconnect, which is another tracker-blocking browser extension, and hopefully more soon. We're in talks with some bigger companies, some like Alexa top small numbers. So hopefully, DNT will get larger and larger.

What still needs

to happen? Well, Privacy Badger still needs some speed and usability improvements. I'm working on this, but I'm the only person at EFF who's paid full-time to work on Privacy Badger. We need to detect more types of super cookies and detect more types of fingerprinting, and we need more DNT adoption from third parties. So how can you help, you ask? Well, of course, you can use Privacy Badger and send me feedback, find bugs. You can submit bug reports, or if you like to write code, it's open source, and you can find the source code at github.com/EFForg/privacybadgerchrome or github.com/EFForg/privacybadgerfirefox. You can adopt the DNT header... sorry, not the DNT header. You can adopt our DNT policy and respect users who send the DNT header and not track them. And of course you can donate to EFF. We're a nonprofit, we're a member-driven organization. Most of our yearly operating budget comes from our individual members and it's how we stay alive. And the business model of Privacy Badger is being housed by EFF and getting donations from our members. So that's how you can help.

So what do we need though that's bigger than this? We need some things that are bigger than this, right? We need better tools in the browser. Privacy Badger is, I mean, I like it. I work on it a lot. But I can only do so much with a browser extension. And we actually need browsers to do more things to protect their users. We need things like built-in tracking protection. And we're actually getting this, right? Firefox is starting to ship with tracking protection lists that are turned on by default in private browsing mode. And there's a setting in your about:config menu where you can turn on tracking protection all the time. The Brave browser is a super interesting new project being led by Brendan Eich and former EFF staffer Yan Zhu. And they're shipping with some interesting tracker blocking and revenue sharing stuff. So we're kind of getting this, right? And it's pretty cool.

Another thing that would be really nice is double-keyed cookies, right? So this is where if you set a cookie, right now it's only keyed to the domain that set it, right? So if DoubleClick sets a cookie, DoubleClick can read that cookie, nobody else can. A double-keyed cookie would be if a third party sets a cookie, that cookie is keyed to the third party that set it and the first party that it was set on. So if DoubleClick sets a cookie on NewYorkTimes.com, DoubleClick can only read that cookie again on NewYorkTimes.com. This would be a good way to stop a lot of third-party tracking, and especially if you extend this to double keying all super cookies, right? Double keying anything that could be read by the browser or store a unique string, right?

We need browsers to be better hardened against fingerprinting, right? Right now Tor Browser is doing a great job of this. No other browser is. The folks at Mozilla are trying to bring a lot of the Tor Browser patches back into upstream Mozilla, back into upstream Firefox, and I commend them for that. But it needs to happen now. And we need better controls for blocking and clearing super cookies. Like I said, nobody in here knew how to get rid of Flash cookies. It turns out you have to go to a special website that Adobe created, and there's a button that you can click on that website that says clear my Flash cookies. You can Google for that.

It looks super sketchy. It's not great. And of course you have to have Flash installed. And if you don't have Flash installed, Flash super cookies won't be a problem for you. We also need new business models for the web. Right now, tracking is the primary business model of the web. And I think that has to change, right? I don't want to put my favorite websites out of business. I don't want to put anyone out of business. This isn't my goal here. But we need different business models, right? And I think we need to start experimenting with different business models. We can try memberships, right? We can try donation-based. We can try crowdfunding, right? If a potato salad can get crowdfunded, I'm sure that your

really awesome blog can also get crowdfunded. I think micropayments are really interesting. This is like if you load up a Bitcoin wallet and any website you visit, you give them a small amount of your Bitcoin just to say, "Hey, I really like your site. Instead of showing me ads, why don't I just give you some money?" Non-intrusive advertising would be fine. If you want to show your ads, that's great. Host your ads locally. Don't send me malware through your ads. Don't let people track me through your ads. If you're running, you know, ucf.edu and you have ads for some reason, okay, bad example. If you're running New York Times, just work with advertisers directly, cut out the middleman, load the ads

directly from New York Times, right? Is advertising the best way to fund the web? It's hard to say. It seems like it's the model that we've all agreed on. So, okay, we can stick with advertising. But if we're going to live with advertising, it must stop violating users' privacy without their consent. Thank you. Now go install Privacy Badger. I have time for questions. Cool. So I have some time for questions. Go ahead. So what do you think of, like, merchants' ghost stories? Good question. So the question was what do I think of NoScript and also if you have other tracker blockers or ad blockers installed, will those conflict with Privacy Badger? I'll start with the first one. I think NoScript is great. I think their business model is

donations. As far as I know, they're not doing anything sketchy with your data. It's kind of a power user tool. I feel like I wouldn't want to install NoScript on my dad's computer because he would end up breaking a lot of things, but it's really cool. I love it. If you can handle NoScript, I think it's a fantastic tool. Will privacy badger conflict with other tracker blockers or ad blockers? It shouldn't. If it does, you found a bug and you get a cookie and you should report that bug to me. You don't get a browser cookie. You get like a, hopefully a delicious sweet cookie. Yeah. Right. Good question. So the question was, how does... Browser fingerprinting gets sent back to the company doing the fingerprinting

The short answer is through JavaScript, right you use JavaScript to fingerprint the browser or you know with with flash and with any other things you can use and then you just make a Call back to your tracking server that says hey, here's this guy with this fingerprint. Yeah Yeah, exactly. Just a post request or get request, right? Yeah, exactly. Yep, exactly. I Yeah, it's real hard to detect. Oh, no, no, no, no. So it's stored locally. So Privacy Badger builds up a database of trackers uniquely for your browser. And that's not shared back with EFF. That's not shared with anybody else, right? That database is unique to your browser and what websites you visit and what is being seen to be tracking you specifically. Yeah?

Is there any hope for mobile? So, Disconnect has an Android application. They're a tracker blocking company. They're also donation-based, membership-based. I like their business model. They're cool. They have an Android app, which is pretty cool. You can check that out. We're working, we're sort of working on a privacy badger Android app, but it's It's fairly hard. I can't tell you when that's going to be out because I don't know when, if ever. On iOS, Safari has their new content blocking API. And so I think Mozilla and a few other people have released iOS add-ons to block tracking in Safari. So you can check those out. I saw a hand up right there and then also back there. Oh, great. Okay. So I want

to make sure the question was Fingerprinting could happen without your knowledge on any website you visit. Is that correct? Yeah, that's absolutely correct. So fortunately for us fingerprinting is usually also used to refresh cookies or refresh identifiers that can then be seen by Privacy Badger or it's used in conjunction with super cookies, it's used in conjunction with regular cookies. So if you block the domain that's fingerprinting you, if you just block it entirely from even sending any packets or receiving any packets, then of course it can't fingerprint you. But yeah, that's the way to stop fingerprinting. And I mean there are some signs, right? Depending on how deep into the browser you can get, you can look for certain behaviors,

right? Like if you can shim JavaScript, you can look for a script that's enumerating your list of browser plugins, right? And you can say, "Oh, that's absolutely fingerprinting." Right? We'll block that. Or you could look for a script that's enumerating your fonts on your system. would a reverse firewall be able to pick that up? I mean, it goes over 4432, right? It goes over HTTPS. So you'd have to be man in the middle of yourself and then doing deep packet inspection on yourself looking for... Yeah, no. So I don't know that a reverse firewall is the answer. I think really the answer lies within the browsers. You mentioned several browsers. What's your opinion on Opera? I mean, we don't endorse specific. Oh,

but they, yeah, so I mean, they just released some new ad blocking technology in their thing. I don't really know anything about it. I haven't researched it. And also, I mean, EFF doesn't endorse specific products. But yeah, I don't know. I haven't really looked at it at all, to be honest. Okay. Yeah. And I think that's all the questions anyway. Oh, wait, maybe there was one other. Do I have time for one more? All right. One more question back there. Oh, I thought somebody had their hand up. No? Okay. All right. It's false positive. All right. Thanks, everybody.