Bad news: 'Unblockable' web trackers emerge. Good news: Firefox with uBlock Origin can stop it. Chrome, not so much

Developers working on open-source ad-blocker uBlock Origin have uncovered a mechanism for tracking web browsers around the internet that defies today's blocking techniques. A method to block this so-called unblockable tracker has been developed by the team, though it only works in Firefox, leaving Chrome and possibly other …

  1. IGotOut

    Come the revolution...

    We're going to need a big wall.....

    Social media exec's, advertising exec's, lawyers, patent trolls.....

    1. John Brown (no body) Silver badge
      Coat

      Re: Come the revolution...

      BUILD THE WALL!!!!!

      1. Oengus Silver badge

        Re: Come the revolution...

        I think Carrot Top is building a suitably large wall...

        1. Mephistro Silver badge
          Devil

          Re: Come the revolution...

          ... in Colorado!

      2. NoneSuch Silver badge
        Paris Hilton

        Re: Come the revolution...

        "If it bleeds, we can kill it." - Predator

        If it has an IP, we can block it.

    2. katrinab Silver badge
      Pirate

      Re: Come the revolution...

      No need. We can use lamp posts.

    3. imanidiot Silver badge

      Re: Come the revolution...

      Nah, we'll just build them a big B ark, it would be a waste of ammo.

      1. Rob Daglish

        Re: Come the revolution...

        B Ark, huh?

        Just remember what eventually happened to those left behind...

        1. imanidiot Silver badge

          Re: Come the revolution...

          Which is why we don't send the telephone sanitizers

          1. el_oscuro
            Pint

            Re: Come the revolution...

            Telephone sanitizers are especially important these days as the ones everyone is carrying around aren't particularly clean.

      2. Dog11

        Re: Come the revolution...

        SpaceX has been designated as prime contractor for the B ark.

    4. eldakka Silver badge
      Coat

      Re: Come the revolution...

      Well, there's this pretty long wall in China.

    5. Kane Silver badge
      Alien

      Re: Come the revolution...

      "Social media exec's, advertising exec's, lawyers, patent trolls....."

      Marketing Departments...

    6. N2 Silver badge
      Mushroom

      Re: Come the revolution...

      Blindfolds? nah, bullets? lots of.

  2. Anonymous Coward

    An easier solution...

    Kill anyone that uses ad tracking. Want to serve ads fine but don't track us to do it. The moment you try to track we get to fling you into space so you stop wasting our oxygen.

    1. bombastic bob Silver badge
      Devil

      Re: An easier solution...

      it's always going to be difficult to keep up with careful (read: tricky and malicious) use of DNS

      A 301 "moved permanently" response could be cached. It could return a small graphic, like a logo, but re-direct to a unique URL that identifies you, like "http://tracker.example.com/" re-directing to "http://tracker.example.com/alphabet-soup-identifier". Making that URL consistent every time might simply involve your IP address, the web browser's cache, and a few other minor details. And if the DNS records for each of those web sites point to the SAME set of IP addresses, and the web server supports virtual hosting, there's now a way to have a "single point of tracking" for a LOT of web sites... and nothing can really stop that UNLESS you have a black list of tracker sites.

      Legislation might help fix it, as long as PROSECUTIONS HAPPEN and they happen PROMINENTLY, with VERY STIFF FINES against the violators. And, it MUST be OPT-IN ONLY to be tracked.

      1. Anonymous Coward

        Re: An easier solution...

        Legislation might help fix it, as long as PROSECUTIONS HAPPEN and they happen PROMINENTLY, with VERY STIFF FINES against the violators.

        I don't often find myself in agreement, but I'm 100% with this one, with one extra: fines must start to include board member jail time. It's their responsibility, and making sure it stays there will (a) encourage a bit more attention/budget and (b) prevent the usual scapegoating which ultimately means that nothing changes.

  3. J. Cook Silver badge

    ... that Pi-hole keeps looking better and better. I'm pretty certain that there's a way for it to un-SNAFU this exploit...

    1. Shadow Systems Silver badge

      At J. Cook, re: Pi Hole.

      I wish the R'Pi was accessible so I could create a Pi Hole of my own. There's the ViPi project which supposedly gets the Pi to be accessible, but I've been unable to get it to work.

      I'd love to be able to blackhole all the ads, tracking, & social media bullshit, if only I could see to get an R'Pi working & easily configurable to do my bidding.

      Of course, if I could get computers to do my bidding I'd probably raise an army of Roombas outfitted with laser pointers on their foreheads so I could start the Kitty Armageddon...

      *Cackle*

      1. Anonymous Coward

        Re: At J. Cook, re: Pi Hole.

        I'm also blind and I've been using the pi since it launched eight years ago. Speakup and orca are both completely supported if you need speech from it, BRLTTY if braille is your thing. But you don't need either to run a DNS blocker on one. Write an image to the card, "touch /boot/ssh", and then use an SSH client and web browser from your local machine. You've already got all you need.

      2. katrinab Silver badge
        Linux

        Re: At J. Cook, re: Pi Hole.

        You don't need a Raspberry Pi to run Pi Hole. You can use anything that runs Debian or Ubuntu. I run it as a Hyper-V virtual machine.

      3. Kane Silver badge

        Re: At J. Cook, re: Pi Hole.

        "Of course, if I could get computers to do my bidding I'd probably raise an army of Roombas outfitted with laser pointers on their foreheads so I could start the Kitty Armageddon..."

        Foiled again!

      4. Kiwi Silver badge

        Re: At J. Cook, re: Pi Hole.

        I wish the R'Pi was accessible so I could create a Pi Hole of my own. There's the ViPi project which supposedly gets the Pi to be accessible, but I've been unable to get it to work.

        Late to the party, sorry. I have PiHole running with OpenVPN on Devuan on an old laptop (Dell D630) sitting in an unused closet (no signs yet about leopards (not even the death kind)). Works wonders, and protects me (largely) when out from home.

        Cannot recall the details off hand but used a basic script likely from PiHole's website.

  4. Lost In Clouds of Data
    Big Brother

    Fuck the fucking fuckers...

    Another marketing analytics biz, Wizaly, also advocates this technique to bypass Apple's ITP 2.2 privacy protections.

    As if we needed another reason to hate bastards like Wizaly. Those tossers really piss me off - they really don't give a flying fuck about user privacy and will do anything and everything in their power to subvert it.

    uBlockOrigin for the win. And screw Google for deliberately helping advertisers trace everything we do, even when where we go has fuck all to do with them.

    1. Mage Silver badge
      Devil

      Re: screw Google for deliberately helping advertisers

      This technique is depressing. No doubt Google will shortly (if not already) use it.

      In reality, there is no reliable way to block it.

      1) Use random subdomains of 1st party site.

      2) Even with cname lookup in the blocker/browser you need a list of <evil domains>, but Google, Facebook, other advertisers etc can use any domain.

      3) The alias on a 1st party page/site could exist for a valid reason such as DDNS protection, load balancing, rentacloud etc, not just tracking.

      4) It's not just cookies. Can be any sort of thing that gets loaded.

      1. John Robson Silver badge

        Re: screw Google for deliberately helping advertisers

        Subdomains aren't an issue - cnames aren't an issue - unless they point offsite.

        There is a slight issue with CDNs, which tend to use cnames for the main domain, but that shouldn't be insurmountable.

        1. Ben Tasker Silver badge

          Re: screw Google for deliberately helping advertisers

          Ah, but taking this to its logical conclusion, what do you do when I delegate a zone out rather than use a CNAME?

          So you visit www.example.com and I serve you tracking code from content.example.com, but if you look closer at my DNS the following records are there:

          content. IN NS adfling.google.com

          content. IN NS adfling2.google.com

          Then, beyond that we can go even further if we don't mind being really, really evil.

          You visit www.example.com and I serve the tracking content from www.example.com/imgs. But, on my server the location /imgs is a reverse proxy back to adfling.google.com.

          In neither case will cookies be too much of a concern (repeat visits aside) because if you then go to othersite.com, your cookies from content.example.com won't get presented. What *is* an issue though is browser fingerprinting (as well as things like your IP allowing the 2 profiles to be tied together) etc

          You start getting into having to check more and more stuff, which gets quite expensive and slows page loads (although, inevitably, still less than the ads do)
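
[Added example, not part of any comment in this thread and not uBlock Origin's code.] A defender-side sketch in JavaScript of the checks discussed in this sub-thread: follow a first-party subdomain's CNAME chain, compare the targets against a tracker list, and look for a subdomain whose zone is delegated by NS to a listed party. The record table, the blocklist, every `.example` name and the `site`, `cnameChain` and `classify` helpers are constructed for illustration.

```javascript
// Constructed data standing in for resolver answers; every name is hypothetical.
const RECORDS = {
  'www.shop.example': { A: ['192.0.2.30'] },
  // First-party alias that points offsite to a listed tracker (CNAME cloaking).
  'metrics.shop.example': { CNAME: 'shop.tracker-vendor.example' },
  'shop.tracker-vendor.example': { A: ['192.0.2.10'] },
  // First-party alias that points offsite for a legitimate reason (a CDN).
  'static.shop.example': { CNAME: 'shop.cdn-host.example' },
  'shop.cdn-host.example': { A: ['192.0.2.20'] },
  // Alias that never leaves the first-party site.
  'img.shop.example': { CNAME: 'origin.shop.example' },
  'origin.shop.example': { A: ['192.0.2.30'] },
  // Subdomain delegated to someone else's name servers: no CNAME to inspect.
  'content.shop.example': {
    NS: ['ns1.tracker-vendor.example', 'ns2.tracker-vendor.example'],
    A: ['192.0.2.11'],
  },
};

// Constructed blocklist keyed by registrable domain.
const BLOCKLIST = new Set(['tracker-vendor.example']);

// Simplification (assumption): the last two labels are the registrable domain.
// Production code needs the Public Suffix List to handle suffixes like co.uk.
function site(host) {
  return host.toLowerCase().replace(/\.$/, '').split('.').slice(-2).join('.');
}

// Follow CNAMEs from host, stopping on loops or after maxHops targets.
function cnameChain(host, records, maxHops = 8) {
  const chain = [];
  const seen = new Set([host]);
  let name = host;
  while (chain.length < maxHops) {
    const target = (records[name] || {}).CNAME;
    if (!target || seen.has(target)) break;
    chain.push(target);
    seen.add(target);
    name = target;
  }
  return chain;
}

// Classify a subresource host requested by a page on pageHost.
function classify(host, pageHost, records = RECORDS, blocklist = BLOCKLIST) {
  const firstParty = site(pageHost);

  // Ordinary third-party name: plain list matching, no uncloaking needed.
  if (site(host) !== firstParty) {
    const verdict = blocklist.has(site(host)) ? 'block' : 'allow';
    return { verdict, reason: 'third-party-name', chain: [] };
  }

  const chain = cnameChain(host, records);

  // Any hop in the chain landing on a listed domain is a cloaked tracker.
  if (chain.some((t) => blocklist.has(site(t)))) {
    return { verdict: 'block', reason: 'cname-to-listed-tracker', chain };
  }

  // NS delegation of the subdomain to a listed party (no CNAME involved).
  const ns = (records[host] || {}).NS || [];
  if (ns.some((n) => blocklist.has(site(n)))) {
    return { verdict: 'block', reason: 'zone-delegated-to-listed-tracker', chain };
  }

  // Offsite but unlisted: may be a CDN or hosted service, so do not block blindly.
  if (chain.some((t) => site(t) !== firstParty)) {
    return { verdict: 'review', reason: 'offsite-cname-not-listed', chain };
  }

  // Same-site alias, or nothing in DNS to go on.
  return { verdict: 'allow', reason: 'no-dns-signal', chain };
}

// Run every constructed host through the classifier for a page on www.shop.example.
function report() {
  const hosts = ['metrics', 'static', 'img', 'content', 'www'];
  return hosts.map((h) => {
    const host = `${h}.shop.example`;
    return { host, ...classify(host, 'www.shop.example') };
  });
}

console.log(report());
```

The `www.shop.example` row is the reverse-proxy case: the tracker sits behind a path on the first-party server, DNS shows nothing unusual, and the result is `allow` with `no-dns-signal`.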

      2. holmegm Bronze badge

        Re: screw Google for deliberately helping advertisers

        #3 is the key there ... it's not as though subdomains pointing outward are new. They are used for all sorts of things. E.g. events.whatever.com points to some cloudy event registration service.

        This is going to end with some star chamber deciding "what is an ad"?

  5. This post has been deleted by its author

  6. kartstar

    Chrome or Chromium?

    I'm assuming this problem with Chrome is also the case for other variants of Chromium such as Brave and (soon to be) Microsoft Edge?

    1. DavidRa

      Re: Chrome or Chromium?

      Seems likely, since the extra JS methods/functions would need to be added to the DOM in source.

    2. Roland6 Silver badge

      Re: Chrome or Chromium?

      I suspect Firefox only has the DNS API because it implements DNS over HTTP. Currently neither Chrome nor Edge support DoH.

  7. Notas Badoff

    Drip, drip, drip, ...

    Why is it *always* a mystery to the individual miscreants when the 'revolution' comes? It's not how bad this one is, or how nasty that one is, it is that the increasing number of insults accumulate to the point *no one* can tolerate *any* of them any more.

  8. Blackjack

    I quit using Chrome and Chromium months ago...

    Icecat is my favorite blend of Firefox, I only keep using Opera on mobile because it handles downloads better than Firefox does. Unfortunately there is no Uget equivalent for Android.

    1. nematoad Silver badge

      Re: I quit using Chrome and Chromium months ago...

      "Unfortunately there is no Uget equivalent for Android".

      Now I wonder why that is!

    2. Gob Smacked
      Coat

      Re: I quit using Chrome and Chromium months ago...

      uGet for Android ==> Play Store... Did not test it, but seems legit

  9. DavidRa

    What always amazes me is that the advertising companies must have technical folk working for them. Why then do those technical people assist the marketroids? I couldn't in good conscience do that kind of deep analysis work to assist an ad-slinger - and I find it near incomprehensible that others sell their souls that way.

    1. Richard 12 Silver badge
      Flame

      Some people don't care

      In every field, there are a small number of people who just want to watch the world burn.

      And some who will do anything for money.

      These people become politicians or advertisers

    2. NATTtrash
      WTF?

      You know what keeps really surprising me? What part of "user opt in" is so difficult to understand?

      It's not only these geezers, but also take for example what I read today on the changes LinkedIn will do in 2020. They also seem to have no problems marrying "we respect GDPR" with "you can opt out ads and tracking".

      I mean, if governments are cash strapped, suing the shit out of these companies would complement the increased taxation they want to do nicely, right?

      1. Mike 137 Bronze badge

        RE: What part of "user opt in" is so difficult to understand?

        It's not difficult to understand, it's just of no interest, and that's primarily because enforcement is so lax.

        I've just been informed officially by the UK supervisory authority that "examples" of processing on the basis of Legitimate Interest are "sufficient" in an Article 13 or 14 disclosure. As legitimate Interest confers a statutory right to object, it seems to me that not declaring all processing on that basis denies a data subject that statutory right. But despite this it's apparently OK to conceal some Legitimate Interest processing from the data subject.

        Compared with this, opt in for cookies is a minor matter.

        1. osakajin

          Re: RE: What part of "user opt in" is so difficult to understand?

          Legitimate interest emasculates GDPR.

      2. DropBear Silver badge

        We need not go any further than the explicit stipulation of the GDPR that websites are motherfucking forbidden to refuse service simply due to a visitor not consenting to tracking. Because 98% of all websites very much actively prevent any service unless you click "accept", and any other button (if any is present) only goes to "how to contact XYZ in the hopes of not getting tracked" or "how to disable cookies in your browser, at which point our site won't even load anymore" for the more brazenly unashamed ones. If I was a millionaire I would make a point out of suing hundreds of them to bankruptcy, and Disqus would be the first...

        1. Charles 9 Silver badge

          Not enough dosh. Need to be at least a BILLIONAIRE, as those companies tend to have good teams of lawyers AND a few connections to the lawMAKERS as well. And since laws are made by man, they can be UNmade by man.

    3. LDS Silver badge

      "Why then do those technical people assist the marketroids?"

      Because the pay is good, maybe even better than yours and mine?

    4. Charlie Clark Silver badge

      Why then do those technical people assist the marketroids?

      Why do you assume that techies are any more moral than marketers? They're being paid to do a job and might well enjoy the challenge of finding new ways to track people.

    5. Anonymous Coward

      I couldn't in good conscience do that kind of deep analysis work to assist an ad-slinger

      you're an extremely small minority then. Millions of people work happily in jobs that stink, more or less. They take their monthly paycheck and 99.99% of them declare - strongly - there's nothing wrong with doing what they're doing.

      p.s. no, I'm not one of those millions any longer, but I once was and I remember those endless excuses I could produce on the spot, when my conscience tried to gently tap me on the shoulder. Thanks God for hypocrisy, our daily saviour!

      1. doublelayer Silver badge

        Re: I couldn't in good conscience do that kind of deep analysis work to assist an ad-slinger

        That's one aspect, but there are also plenty of technical people who don't care about people, honesty, or really anything. Just look at all the people writing malware. If you find those people and offer them enough money, they'll do whatever you ask. The world is a very big place. It doesn't matter if fifty thousand of us decide we'll never work on advertiser tracking; the companies just have to increase the salary a little bit and they'll find people ready, willing, and able.

      2. DropBear Silver badge

        Re: I couldn't in good conscience do that kind of deep analysis work to assist an ad-slinger

        Perhaps not so small. I'm currently working for a pittance in an absolute shit job because I actively refused to work for a company doing something I could not accept being part of when I had to leave my previous job. I'd love something better, but not at that price.

        1. Charles 9 Silver badge

          Re: I couldn't in good conscience do that kind of deep analysis work to assist an ad-slinger

          You're lucky. For others, that pittance falls "below the Cost of Living in the cheapest town within moving distance". In which case, it's either take the crap job...or starve on crap.

    6. Doctor Syntax Silver badge

      What really amazes me is that the actual advertisers - those people who buy from the advertising industry - don't realise that they're not just wasting money spending on advertising to people who don't want to be advertised at; they're actually spending that money to drive away potential customers.

      If I get their unwanted advertising shoved in my face any time I want the sort of thing I'm selling I'll research the market and, if at all possible, buy from their competition.

      1. Headley_Grange Silver badge

        Ad Spend

        @Doc - In my experience Ad spend isn't wasted. It's carefully tracked and if it didn't give value for money the advertisers would go out of business. I've worked in consumer goods companies with combinations of brick and web presences. Their marketing and advertising budgets were a significant proportion of their costs and as such were planned, managed and analysed very carefully. They all got significant (and expected) increases in sales and reach after their campaigns. If they don't then a year's worth of product could be binned and heads roll. Sometimes it goes wrong, but the companies I worked for wouldn't piss money away if they didn't get a return on it.

        Of course, their campaigns were more extensive than just hijacking a sidebar and filling it with flashing pics of their product - but a chunk of their spend was on this type of ad because they work.

        Incomprehensible to the likes of us (I have a no-buy blacklist) but we're probably not representative of the wider product-buying public.

        1. Richard 12 Silver badge

          Re: Ad Spend

          Because they *think* they work, and have been sold it as working so have very high priors forcing belief in whatever they paid for.

          Where's the actual evidence?

          You can't run the universe again with a different campaign, but you can do research afterwards to attempt to measure the impact.

          I've taken part in several pieces of market research that tried to answer the question as to whether a campaign actually worked, and it was abysmal. The research was very obviously designed to prove that it had worked, regardless of actual effect - leading questions, careful phrasing, limited range of answers. All the usual tricks.

          I presume this was because heads would roll if the campaign hadn't worked - whether the product sold "well" seemed to be irrelevant.

          1. holmegm Bronze badge

            Re: Ad Spend

            "Where's the actual evidence?"

            For web based ads? It's abundant. You can run A/B tests (or A/B/C/D/whatever tests) in highly sophisticated ways and see what works.

            1. Doctor Syntax Silver badge

              Re: Ad Spend

              What you won't see from that is that A, B, C & D all pissed off some prospects and maybe current customers. You only see the relevant upsides. The downsides are invisible to that sort of comparison. Yes you can see that some customers didn't return but you've no idea that that was because of whatever crap you shoved in their face with your "campaigns" and not for some other reason. As Richard says nobody is going to do that particular bit of research, not if it costs them their jobs.

              1. holmegm Bronze badge

                Re: Ad Spend

                Not if "A" *is* your current content and functionality. Then you are literally testing new stuff against current stuff.

        2. Doctor Syntax Silver badge

          Re: Ad Spend

          "It's carefully tracked and if it didn't give value for money the advertisers would go out of business."

          What is very unlikely to be tracked - and it's actually quite difficult to see how unless you actually listen to people like me telling you how they behave - is the people who walk because of it.

          For example, yesterday I had to ring up my car insurer to give them an updated card number. The agent then promptly tried to upsell on other insurance products. That annoys me. When renewal time comes around I'll go elsewhere. It won't be the first time I've done that and I don't suppose it will be the last. Their marketing won't have the faintest idea that that's why they've lost this customer. They'll be able to show the positive results of their upselling but they won't know how many customers like me that they've lost. Their figures will be slanted to the optimistic side.

          1. Headley_Grange Silver badge

            Re: Ad Spend

            @Doc - for the companies I worked with it's much simpler. Product not shifting - run ad campaign - product shifts. Sales increase, bottom line increases. They didn't rely on surveys to tell them if their advertising worked, they looked at their actual sales and over time (tens of years of actuals) their sales correlated highly with advertising campaigns. Surveys just provide evidence of causation.

            Your example about the insurance is interesting, but if you're not the target market for the technique then don't be surprised when it fails. For every person like you (and me) who is annoyed by this there are 2,3, 4.... people who buy the products. The spiel takes time, time they could be dealing with another customer, and they wouldn't waste it if it didn't make them money. The fact that they lose your custom will be hidden in the extra money they make from the people who buy the add-ons. They don't care about you, they only care about money - and everybody's money looks the same to them.

            Advertisers' targets are carefully chosen, characterized, grouped and, ahem, targeted by different selling techniques. When you see an ad that annoys you it's probably because it's not targeted at you. It's interesting to think about products/services one's bought over the past couple of years and identify why one chose that particular product and whether or not it was due to one's clever research and selection or if some neat "advertising" was partly responsible. Placement (magazine/newspaper articles, forum posts and 'independent' reviews) is a good technique for tecchies

            1. Headley_Grange Silver badge

              Coincidence

              As a coincidental example..

              At Christmas I ignore all those charity ads on the telly cos I feel I'm being manipulated. I've just read a great article in the Grauniad about a bus driver and it led me to the charity mentioned in the article and I've made a donation. It wasn't an "ad" as such, but I bet it wasn't an article that the Grauniad came up with all on its own. It'll be part of a campaign in the run up to Christmas to cash in on people feeling the spirit of the season. In reality I've been targeted and manipulated just as much as the puppy-dog-eyes ads at Christmas manipulate their targets, but it doesn't feel the same and they've got my money. Job done.

              And, the campaign will also have an assumed element of people like me sharing the article online and generating more donations. I'm not going to give any more details cos if people find it themselves.........

            2. Doctor Syntax Silver badge

              Re: Ad Spend

              "Product not shifting"

              The nothing to lose case.

          2. holmegm Bronze badge

            Re: Ad Spend

            It's strange that you think those things aren't measured.

            So say that 33% get no upsells at all, 33% get upsell set 'A', and 34% get upsell set 'B'.

            For a large enough audience, yes, they do very well know whether the upsells pissed off enough people to make it not worth it.

            1. Doctor Syntax Silver badge

              Re: Ad Spend

              It'll take a year for the consequences to become apparent. Still, with bonuses only running on a monthly or quarterly basis nobody in sales is going to care.

      2. Anonymous Coward

        If I get their unwanted advertising shoved in my face any time I want the sort of thing I'm selling I'll research the market and, if at all possible, buy from their competition.

        Unless, of course, the ad was actually supplied by the competition. Somewhere out there must already someone be working on that.

        The older I get, the more I start appreciating the guillotine..

        1. Charles 9 Silver badge

          Can't without going black. See, this is why trademark protection exists: to prevent your name getting smeared by the competition.

    7. Mike Moyle Silver badge

      "I'm sorry, sir --They burst through by putting money in me hands!" -- Willium "Mate" Cobblers

  10. Neil Barnes Silver badge
    Paris Hilton

    I'm forced to wonder

    when firefox and other browsers (not anything google based, for obvious reasons!) will default - or even provide a setting - to forbid setting any cookies at all without permission. Possibly make those cookies you choose to allow the option to be permanent, and ban everything else.

    Alternatively, and probably less of a user pain, change the 'erase cookies on exit' to 'erase cookies when tab is closed'. Or as well as 'new tab', allow opening to a safe mode separate window with a separate instance for each tab, so that closing the tab/window nukes the cookies.

    Am I missing something blindingly obvious here, or (whisper it) could it be that browser makers really really want me to have lots of sticky cookies?

    1. Richard 12 Silver badge

      Re: I'm forced to wonder

      A lot of useful functionality requires first-party cookies.

      Eg logging in, shopping cart etc

      1. Headley_Grange Silver badge

        Re: I'm forced to wonder

        "A lot of useful functionality requires first-party cookies."

        Agreed, but not much. And it would be easy and clear to get consent for these useful cookies. Login - get a dialogue "will you accept a cookie to keep you logged in for x days', etc.

        If they had to ask consent for every cookie, with an explanation of why it's needed then I believe that much of the "useful" functionality would be rejected by users when they found out exactly who finds it useful.

        1. Charles 9 Silver badge

          Re: I'm forced to wonder

          Or they'll just suffer Click Fatigue and whine, "JUST SHUT UP AND LET ME GET ON WITH IT ALREADY!"

          1. Doctor Syntax Silver badge

            Re: I'm forced to wonder

            Or it would provide users with a good idea of what sites they wish to avoid.

          2. Mark Solaris

            Re: I'm forced to wonder

            I get that sometimes when doing the allow-reload-allow-reload-allow cycle of the uMatrix incremental permission process to play media on some cross domain whored up affiliate TV station site. Usually the DRM stuff wants you to give a wide-on into your cabbage patch before you can watch a thirty second segment which was on youtube the whole time.

            But usually I'm belligerent. Or I'll fire up Qubes and have a fresh browser VM each time which gets discarded after the media has played.

      2. Joe W Silver badge

        Re: I'm forced to wonder

        Yes, but you should be able to allow these explicitly. That functionality is unfortunately now missing (or buried deep in some options in a sub-menu saying 'beware of the leopard'), and when I still used it (... a decade ago) the sheer number of cookies per website was overwhelming. So: good idea, but not (currently) feasible.

        1. Peter2 Silver badge

          Re: I'm forced to wonder

          Set cookies. "allow for session only". Persistent tracking cookies then don't work, unless set by somebody who the browser makers have been bribed by.

          1. Graham 32

            Re: I'm forced to wonder

            I think this is tied to the browser session. My session lasts for days, weeks sometimes. It only gets interrupted by browser updates and OS updates demanding a reboot.

            As mentioned further down, use the Cookie AutoDelete addon in Firefox. With this addon the session ends, and cookies deleted, a few seconds after you close the last tab on that site or navigate away.

            I wouldn't be too surprised if Firefox add something like this as a native feature soon.

            1. Tessier-Ashpool

              Re: I'm forced to wonder

              That would be a very rare case. Most websites time out sessions on the server after a relatively short period of user inactivity. And, for those that don't, it's a couple of clicks to close down the browser completely.

              1. Graham 32

                Re: I'm forced to wonder

                If you're logged into a site like a bank, then yes they will keep your session short. It is far from rare. Cookies for tracking will be much longer lived.

                For example, going to The Register's homepage sets a cookie called __cfduid with an expiry one month in the future. So without taking some other action to remove the cookie you'd need to avoid the site for a month to break the tracking.

            2. Doctor Syntax Silver badge

              Re: I'm forced to wonder

              "My session lasts for days, weeks sometimes. It only gets interrupted by browser updates and OS updates demanding a reboot."

              Yup. For some people convenience beats security any time. Some of us close down sessions we're not using. We even log off when we're not using the computer. We go further still - we switch the computer off.

              1. Charles 9 Silver badge

                Re: I'm forced to wonder

                You meant MOST. And be careful about shutting that computer off. There's a chance it won't turn on again. You can tell that from the inevitable casualties after a blackout (sometimes long enough to beat an UPS).

                1. Kiwi Silver badge

                  Re: I'm forced to wonder

                  And be careful about shutting that computer off. There's a chance it won't turn on again.

                  A very very slim chance, and not something I've known to be a problem for many years (unless one uses WD HDDs and pulls the plug rather than does a graceful shut down).

                  My oldest drive gives a SMART powercycle count over 4,600. In the years I've had it (a 640gb Samsung, thus also my oldest and smallest in-service drive) it's had hundreds if not thousands of shutdowns, and spends a lot of its time turned off.

                  Even after our electrical storms last night, the machine boots happily.

    2. Mage Silver badge

      Re: I'm forced to wonder

      It's not just cookies.

      I could today block all cookies, not just 3rd party (why are they on by default?) except for sites I log into, which is not that many and per month virtually no extra ones.

      The 1st party and the advertisers should have an AUTOMATIC 4% of turnover fine when any GDPR violation is detected.

      ALL "targeted" advertising should be illegal. Not just tracking etc without permission. Default "opted in" is without permission. Blocking user and/or ONLY offering accept is surely illegal?

    3. Charlie Clark Silver badge

      Re: I'm forced to wonder

      Cookies were introduced because http is stateless, such as whether you're logged in or not. If you try and get rid of them, you'll have to propose something else that provides state and can, thus, also be abused.

      1. Charles 9 Silver badge

        Re: I'm forced to wonder

        Then use an active protocol like VNC instead of shoehorning state into what was mostly a passive protocol.

        Frankly, what's needed is to reduce web functionality drastically so that we go back to a mostly-passive environment. Anyone who complains gets their Internet access cut off by their ISP (on pain of fines and possible criminal culpability) until they re-earn their Internet License.

      2. holmegm Bronze badge

        Re: I'm forced to wonder

        We need a "your idea will not work because" checklist for this, like we used to have for anti spam solutions.

      3. Anonymous Coward

        Re: I'm forced to wonder

        I guess it's back to poorly written CGI scripts.

    4. chroot

      Re: I'm forced to wonder

      "change the 'erase cookies on exit' to 'erase cookies when tab is closed'."

      That is what the Firefox extension Cookie Autodelete does. I mostly accept anything and it's gone the moment I close the tab.

    5. mihares
      Linux

      Re: I'm forced to wonder

      You can get a feeling of how that would work by using Lynx and pointing it at a website. Lynx will ask what to do with every single cookie, unless you already told it that cookies from such and such domain are OK.

      It gets annoying very quickly. Because sites use a buttload of cookies --which is to say: there are loads of widgets and trinkets that, for some obscure reason, want you to persist.

      A very pleasant exception is El Reg, which is actually usable from Lynx. Comments included. After you loaded the home page and allowed the cookie for logging in, that is about it. This impression is without Javascript support, though, as Lynx does not support it (and that's a reason to love it).

    6. Anonymous Coward

      'erase cookies when tab is closed'

      There are in fact, a number of addons that will do this for you, i.e. Self Destructing cookies or Vanilla Cookie Manager (the one I've been using for years now).

      Can be set to erase all or select cookies on elapsed time or on tab exit.

      Works a treat.

    7. PaulVD
      Happy

      Re: I'm forced to wonder

      Firefox has had this for years. Options > Privacy & Security > Cookies and Site Data. Check "Delete Cookies and Site Data when Firefox is closed" then click "Manage Permissions" and note any sites that you want to "Allow" to retain cookies after you close Firefox.

      You will no doubt need to clear all existing cookies to start fresh.

      Voila! All functionality (logins, shopping baskets, whatever) works during a session. But when you close Firefox everything is gone unless you agreed to retain it. No distinction between first-party and third-party.

      It does not solve every problem - you probably need NoScript to block fingerprinting, for example - but it consistently wipes out persistent cookies that you did not ask for.

  11. werdsmith Silver badge

    Dear advertisers:

    If we are trying to block you it is because we are not interested in you. If you try and force yourself on us when we don’t want you, then you are going to lose any goodwill and cause us to actively boycott whatever you are going to sell. Several of you are already on my blacklist. Stop wasting your money.

    1. Headley_Grange Silver badge

      Sir Geoffrey

      @werdsmith - I've sometimes thought of a boycott campaign. Every week users vote for the most annoying ad and the following week everyone boycotts that particular company, service or product.

      Hmmmmm.....if I set up a website and got enough members I could probably make a decent whack out of advertising as well.

      1. Spanners Silver badge
        Pint

        Re: Sir Geoffrey

        I like the idea of such a campaign but I can see a couple of problems.

        1. Different ads and types of ads annoy different people.

        2. Lawyers will get involved if we link to the offending adverts.

        3. We will not know which advert we are talking about if we don't and lawyers might still see a way of making money by messing it up.

    2. Anonymous Coward

      re. Stop wasting your money

      oh, but they are (trying to stop wasting their money). Only IN NO WAY related to your advice, more like, if you can't pick a lock, try another pick, and if this fails, borrow a pick from your pal, if this fails, tapping with a hammer might do it, and if a gentle tap won't, then, well, tap harder, or try a bigger hammer...

      1. Doctor Syntax Silver badge

        Re: re. Stop wasting your money

        Unfortunately the "they" who are using the lock picks aren't the "they" who stand to lose money. The lock pickers are the advertising industry whose sole objective is to take money from the advertisers. It's the latter who stand to lose money. Ultimately the advertising industry has no interest at all in whether the advertisers lose money so long as they keep buying and don't actually go down the drain and can no longer buy at all. And it's entirely against the industry's interests in letting their mugs know how much of their money is being spent counter-productively.

  12. Robert Grant

    which can unmask CNAME shenanigans

    How does this tell the difference between shenanigans and legitimate uses of CNAME?

    Also, can't this also be done with an A record to a designated subdomain?

    1. jemmyww

      Re: which can unmask CNAME shenanigans

      Presumably it looks at the DNS entry the CNAME points to, to see if that should be blocked.

    2. sbt Silver badge
      Boffin

      Re: which can unmask CNAME shenanigans

      A CNAME record identifies the destination, which an adblocker can either block because it's linked to a different root domain, or if that's too blunt, apply the usual blacklisting to the destination and block the first party sub-domain accordingly.

      A records produce an IP, but I assume it's less practical for tracking if the third party server needs to be set up to respond to a bunch of other domains. Probably creates an issue with HTTPS, as well; the third party won't have a legit cert for the sub-domain.

      1. Ben Tasker Silver badge

        Re: which can unmask CNAME shenanigans

        >A records produce an IP, but I assume it's less practical for tracking if the third party server needs to be set up to respond to a bunch of other domains.

        It'd need to be setup that way anyway.

        A CNAME changes the destination for the DNS lookup *only* so the HTTP host header (and SNI if using HTTPS) will still be for the original name.

        1. sbt Silver badge
          Facepalm

          It'd need to be setup that way anyway.

          True, I must have been thinking of redirects. I still think certificates would be an issue and given browsers are cracking down on mixed content, so those beacons or scripts would need to be via HTTPS as well.

    3. Major Page Fault

      Re: which can unmask CNAME shenanigans

      As the name implies, an A record points to an IP address, not another domain. It's possible, but less practical, the tracker slingers would have to get the other party to update the record any time the IP address of their tracker server changes, which can be quite often when using cloud services.
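The check jemmyww and sbt describe above, as an added example that is not part of the thread and is not uBlock Origin's code: follow a first-party hostname's CNAME chain and apply the filter list to every target, with an optional strict mode that blocks any target under a different root domain. The DNS table, hostnames, blocklist and function names are constructed for illustration, and the root-domain helper uses a last-two-labels shortcut where a real implementation would use the Public Suffix List.

```javascript
// Constructed DNS answers standing in for a real resolver (all names are made up).
const DNS = {
  'metrics.news.example':      { cname: 'news.tracker-co.example' },
  'news.tracker-co.example':   { cname: 'edge7.tracker-cdn.example' },
  'edge7.tracker-cdn.example': { a: ['192.0.2.10'] },
  'static.news.example':       { cname: 'news.cdn-host.example' },  // ordinary CDN use
  'news.cdn-host.example':     { a: ['192.0.2.20'] },
  'img.news.example':          { cname: 'assets.news.example' },    // stays first-party
  'assets.news.example':       { a: ['192.0.2.30'] },
  'stats.news.example':        { a: ['192.0.2.10'] },               // A record, no CNAME
  'loop-a.news.example':       { cname: 'loop-b.news.example' },
  'loop-b.news.example':       { cname: 'loop-a.news.example' },
};

// Constructed filter list of tracker domains.
const BLOCKLIST = new Set(['tracker-co.example']);

const normalise = (host) => host.toLowerCase().replace(/\.$/, '');

// Assumption: the root domain is the last two labels. Real code needs the
// Public Suffix List to get names like example.co.uk right.
function registrableDomain(host) {
  return normalise(host).split('.').slice(-2).join('.');
}

// True if the host or any parent domain (excluding the bare TLD) is listed.
function isListed(host, blocklist) {
  const labels = normalise(host).split('.');
  for (let i = 0; i < labels.length - 1; i++) {
    if (blocklist.has(labels.slice(i).join('.'))) return true;
  }
  return false;
}

// Follow CNAME records from host. Stops on a loop, after maxHops, or when a
// name has no record; complete is true only if the chain ends in an address.
function cnameChain(host, dns, maxHops = 8) {
  const chain = [];
  const seen = new Set([host]);
  let current = host;
  while (dns[current] && dns[current].cname) {
    const next = normalise(dns[current].cname);
    if (seen.has(next) || chain.length >= maxHops) return { chain, complete: false };
    chain.push(next);
    seen.add(next);
    current = next;
  }
  return { chain, complete: Boolean(dns[current]) };
}

// Decide what to do with a request to host.
// Default mode: block only when a CNAME target matches the filter list.
// Strict mode: also block any CNAME target under a different root domain.
function classify(host, dns, blocklist, strict = false) {
  host = normalise(host);
  if (isListed(host, blocklist)) return { verdict: 'block', reason: 'listed', via: host };

  const { chain, complete } = cnameChain(host, dns);
  // Check every hop, not just the last: the listed name may sit mid-chain.
  for (const target of chain) {
    if (isListed(target, blocklist)) {
      return { verdict: 'block', reason: 'cname-listed', via: target };
    }
  }
  if (strict) {
    const firstParty = registrableDomain(host);
    const foreign = chain.find((t) => registrableDomain(t) !== firstParty);
    if (foreign) return { verdict: 'block', reason: 'cname-third-party', via: foreign };
  }
  if (!complete) return { verdict: 'allow', reason: 'unresolved', via: null };
  return { verdict: 'allow', reason: chain.length ? 'cname-clean' : 'no-cname', via: null };
}

// Print a verdict for each sample hostname in both modes.
for (const host of ['metrics', 'static', 'img', 'stats', 'loop-a']) {
  const name = `${host}.news.example`;
  const normal = classify(name, DNS, BLOCKLIST);
  const strict = classify(name, DNS, BLOCKLIST, true);
  console.log(name, '| default:', normal.verdict, normal.reason,
              '| strict:', strict.verdict, strict.reason);
}
```

The `stats.news.example` case is the A-record setup raised in the thread: there is no CNAME to inspect, so this check has nothing to say about it and only an address-based rule could catch it.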

  13. Evil Harry
    Pint

    Here's to Raymond Hill, the uBlock Origin developer! (see icon).

  14. revenant Silver badge

    Who to block?

    I prefer a simple approach: given that the sites themselves are providing subdomains expressly for this nefarious purpose (and are therefore complicit in any GDPR breach that results), all it needs is a list of such sites. I would rather just block them and take my interest elsewhere.

    1. big_D Silver badge

      Re: Who to block?

      A better bet would be a groundswell of people complaining to their local GDPR controlling body, the ICO in the UK, for example.

      If they start getting thousands of notifications, they will have to pull their finger out and actually do something.

      1. Doctor Syntax Silver badge

        Re: Who to block?

        Perhaps uBlock should just fire off an email to report each detection direct to ICO or equivalent. That should grab their attention. In fact discussing a proposal to do that might be sufficient.

        1. jtaylor

          Re: Who to block?

          just fire off an email to report each detection direct to ICO

          The Internet has a limitless supply of fools and self-entitled people who would lower the signal/noise ratio beyond anything useful.

          1. Doctor Syntax Silver badge

            Re: Who to block?

            Yes, they're called advertisers.

      2. Charles 9 Silver badge

        Re: Who to block?

        And if the site in question IS the local GDPR body? Or another government website?

        1. big_D Silver badge

          Re: Who to block?

          You are looking for the advertising agency "hijacking" the CNAME of the subdomain.

          1. Charles 9 Silver badge

            Re: Who to block?

            And like I said, what if the subdomain BELONGS to the government? As they say, truth is stranger than fiction...

    2. katrinab Silver badge
      Megaphone

      Re: Who to block?

      Put a couple of them in jail, then the rest will stop.

      1. Charles 9 Silver badge

        Re: Who to block?

        Nah, they'll just bribe them or put out to get it changed.

    3. Peter2 Silver badge

      Re: Who to block?

      I prefer a simple approach: given that the sites themselves are providing subdomains expressly for this nefarious purpose (and are therefore complicit in any GDPR breach that results), all it needs is a list of such sites. I would rather just block them and take my interest elsewhere.

      Hmm. This brings to mind the "web phishing" filter blocklist.

      Doing another for "This site has been reported to be using web tracking without user consent" would probably quite strongly discourage this sort of thing.

      1. Charles 9 Silver badge

        Re: Who to block?

        It would probably also break too many sites to the point you hear, "SHUT UP AND TAKE MY PRIVACY! JUST LET ME GET ON WITH IT ALREADY!"

        1. Doctor Syntax Silver badge

          Re: Who to block?

          What you won't hear will be the silent good-byes as users go elsewhere.

          1. Charles 9 Silver badge

            Re: Who to block?

            The day people willingly leave Facebook and the like en masse will probably come some time after the heat death of the universe. You overestimate the intelligence of the average Internet-goer, thus my derisive line, "SHUT UP AND TAKE MY PRIVACY!"

  15. Kevin Johnston

    Build a List?

    I think we need someone to start making a public list of the companies using this process so we can all make GDPR complaints against them. It will only take a few '4% of global turnover' fines for them to go bust and maybe encourage the others to stop the practice. At worst the fines could be used for socially acceptable projects across Europe.

    1. Charles 9 Silver badge

      Re: Build a List?

      And if they instead finagle, bribe, or simply get the government changed?

      1. Rich 11 Silver badge

        Re: Build a List?

        There's always the lampposts.

        1. Anonymous Coward

          Re: Build a List?

          In THIS weather? HAH! Plus aren't the governments putting cameras on those lampposts?

          1. Anonymous Coward

            Re: Build a List?

            Great, televise the executions, pour encourager les autres

            1. Charles 9 Silver badge

              Re: Build a List?

              Oh, THOSE lampposts. No, these kinds of people know how to turn the hangmen to their side. Everyone has their price.

  16. Warm Braw Silver badge

    French newspaper website liberation.fr uses a tracker

    When Libération was first founded (by, inter alia, Jean-Paul Sartre), its principles/principals didn't permit any paid advertising at all.

    Although the advertising industry deserves some of our condemnation, the moral flexibility of those that host the advertisements in the first place should not go unremarked.

    1. Mage Silver badge
      Black Helicopters

      Re: French newspaper website liberation.fr uses a tracker

      Adverts should ONLY be a static image (same URL for every request) and a URL for those that really want to click on it. But what percentage of clicks are bots run by agency selling the adverts or the dodgy website operator wanting click revenue from eventual seller?

      The ultimate seller of what ever is advertised is often ALSO being exploited by Google, Facebook and the other web advert agencies.

      Also "targeted adverts" may break discrimination laws (gender, age, ethnicity, location etc).

      1. Doctor Syntax Silver badge

        Re: French newspaper website liberation.fr uses a tracker

        The advertisers are the only targets for the advertising industry which only exists to separate them from their money. The rest of us are just collateral damage.

      2. jmch Silver badge

        Re: French newspaper website liberation.fr uses a tracker

        "The ultimate seller of what ever is advertised is often ALSO being exploited by Google, Facebook and the other web advert agencies."

        Very much this. FB, G etc market themselves as the place to be... as if your business is dead if you don't use their adverts. But they themselves know that they are vastly overestimating the amounts of clicks / page impressions etc that they are selling to their clients.

    2. BlueTemplar

      Re: French newspaper website liberation.fr uses a tracker

      The ironic/funny part that El Reg missed is how this discovery seems to have initially originated from Liberation.fr boasting about being the first news website that doesn't track its readers, which obviously pissed off the technical-inclined news websites that did it years ago, and so pushed them to dig around to try to find some mistake with those claims :

      https://reflets.info/articles/liberation-a-traqueur-vaillant-rien-d-impossible

      (in French, paywalled, but the partial text from that article and the previous ones should give you the idea !)

    3. Mark Solaris

      Re: French newspaper website liberation.fr uses a tracker

      D'you think they know what it symbolizes when she holds her hands like that?

      https://www.liberation.fr/checknews/2019/11/26/est-il-vrai-que-philippine-hubin-tete-de-liste-de-benjamin-griveaux-a-pris-des-positions-tres-a-droi_1765617

  17. Mage Silver badge
    Childcatcher

    Cookies

    It's really awkward to block all cookies except the one you want. You need a browser/plugin powered block/allow list generator. The built in Firefox/Waterfox interface is too awkward.

    Is there such a plug-in, that works also on Waterfox and also Firefox on android etc too?

    1. Charles 9 Silver badge

      Re: Cookies

      I'm waiting for the day the ad and the content are part and parcel, either due to Product Placement like in TV shows, or by ad companies BECOMING the content providers. Either way, ads become articles, articles become ads, and your only recourse is to go, "Stop the Internet! I wanna get off!"...and go back to your junk mails, billboards, product placements, etc.

      1. Doctor Syntax Silver badge

        Re: Cookies

        Actually that's a good deal more sensible. The page can carry advertising appropriate to the content. No tracking but then no tracking services to be sold to advertisers. If I search for advice on something and find a useful page which has a link to a page of relevant vendors I'm very much likely to follow that up if I'm looking to buy than I am to follow up tracked ads about something I bought weeks ago. I'm also, BTW, more likely to read that page, and hence follow through to the ads than I am to read a page with the same content hidden in a mass of display ads. The latter is likely to have me mousing over to the Back button PDQ.

      2. Kiwi Silver badge

        Re: Cookies

        I'm waiting for the day the ad and the content are part and parcel, either due to Product Placement like in TV shows, or by ad companies BECOMING the content providers.

        That is actually the most successful way to advertise (short of word-of-mouth). The adverts must be relevant to the text, the text must be of good quality as anyone with only marginally better quality can steal your potential revenue.

        As Doc Syntax says, relevant links in a decent article are quite likely to be followed. I've done it myself, both as an advertiser and as a buyer.

        Make people want your content, sell stuff related to your content, and watch people flock to the ads on your page rather than go out of their way to avoid them.

  18. Luke McCarthy

    The Web Platform is the problem

    This is inevitable if you allow arbitrary code to execute automatically which can open new connections to another server, either by async requests, web sockets or modifying the page DOM to refer to another resource (which will be auto-loaded by the browser). You could do all the tracking aggregation first-party, with scripts fetched from the primary domain and data exfiltrated to the primary domain, and then send to third parties from the server. There would be no way to stop it without disabling JavaScript, which breaks most websites. Even with JavaScript disabled, you could fingerprint the client with various techniques, like using IP addresses, HTTP headers, and first-party cookies and other side-channels, and send the data out to trackers from the server.

  19. Chris G Silver badge

    Unblockable email

    Yesterday I received an email purportedly from CVS, some kind of cheap drugs platform I think.

    It arrived in my Outlook spam box, I usually rollover the sender to see the address, this one had no address so I just clicked on the outlook block function but it too could not read an address so it couldn't block it.

    That is the first time I have seen an addressless email.

    Just deleted permanently but nothing on the block list.

    1. It's just me

      Re: Unblockable email

      Most spam I see comes from random or fictional addresses so a block list doesn't help in many cases, I recently found gmail bounces incoming email that doesn't provide a From: heading.

    2. stiine Silver badge

      Re: Unblockable email

      What I've found works is to click Forward and see what source address info is included in the text being forwarded. Of course, I then have to open a new window and look up abuse@hacked-or-fuckers.tld to get the right address to send a complaint.

  20. Anonymous Coward

    It's not enough to block - you need to salt (or fuck depending on your style :) )

    Don't just block the fuckers - send them back with mountains of shit data. Maybe I will get off my arse and write a plugin that does just that.

    If you devalue the process, it'll stop soon enough. When FatCatCorps marketing budget is returning just one sold packet of Everton mints, you'll have done your job.

    1. Doctor Syntax Silver badge

      Re: It's not enough to block - you need to salt (or fuck depending on your style :) )

      I like this. Turn their cookies into a DDoD.

      1. Charles 9 Silver badge

        Re: It's not enough to block - you need to salt (or fuck depending on your style :) )

        Don't know if that will work. We end up paying for extra data capacity, and they probably whitelist as a precaution.

  21. mark l 2 Silver badge

    While Google is the main contributor to Chromium they are never going to be willing to implement anything that could ultimately undermine the ability to fling ads and collect data from its users.

    So for the moment if you want to avoid these tracking techniques you need to ditch Chrome and its variants and move to a Firefox based browser.

  22. anoco

    Enterprising Developer

    How about some enterprising developer design an add-on that deletes all cookies, cache and offline storage at predetermined intervals.

    As it is I manually delete all the offline storage every time the browser gets started. Cookie and cache gets deleted at close. But I also have to close and restart and close my browser every time I logon to facebook, google, microsoft and any website that knows my real name. It gets to be a pain but it works to a certain level. If that add-on existed I could be a little more care-free and set it to delete all every 5 minutes or so. Or even pause it if what I'm doing takes longer. I know the offline storage may be tricky to implement, but if there is a way to create them files, there's gotta be a way to kill them.

    But the golden add-on will be the one that does the above tasks and also scramble the browser fingerprinting. Periodically change my screen size, my fonts, my plugins and all the other evil ways the browser developers have provided to the advertisers to track you. Mozilla may look good on this instance, but I'm sure someone in the company is looking at it more like a bug and is determined to fix it.

    1. Anonymous Coward

      Re: Enterprising Developer

      Firefox addon "Temporary Containers" is awesome - set it to open links to any new domain in a new sandboxed tab.

      Whenever the last tab for a given domain is closed, all storage for it is wiped - localStorage as well as cookies.

      Not only does it stop tracking between each session - it also stops tracking between any 2 sites.

      1. anoco

        Re: Enterprising Developer

        "quote" This add-on requires a newer version of Firefox (at least version 60.0). You are using Firefox 57.0.

        Thanks, I'll keep this in mind. I'm using Waterfox now and it's not compatible.

    2. Tim99 Silver badge
      Big Brother

      Re: Enterprising Developer

      Probably not what you want, but I posted the following here a couple of years ago - Caveat: I am no longer involved with using Chrome on Windows, so I have not run this for a year or so:-

      A tip for Windows users of Chrome - Delete the local Google Appdata folder to get rid of crap, and don't log in to your Google Acc.

      ' --------------------
      ' A simple vbs script that you can run at logon
      ' Empties each folder listed in delFolderPath (the folders themselves are kept)
      Dim delFolderPath(1)
      delFolderPath(0)="C:\SomeOtherFolderThatYouWantGone"
      delFolderPath(1)="C:\Users\Your_Account\AppData\Local\Google\Chrome"

      Dim fso
      Dim objFolder
      Dim objFile
      Dim objSubfolder

      For Each x In delFolderPath
        'Set objects & error catching
        On Error Resume Next
        Set fso = CreateObject("Scripting.FileSystemObject")

        'Skip paths that do not exist so objFolder never keeps a stale value
        If fso.FolderExists(x) Then
          Set objFolder = fso.GetFolder(x)

          'DELETE files in path unless they are ReadOnly, or set to True for All
          For Each objFile In objFolder.files
            objFile.Delete False
          Next

          'DELETE all subfolders in delFolder Path even if they are ReadOnly
          For Each objSubfolder In objFolder.Subfolders
            objSubfolder.Delete True
          Next
        End If
      Next

      'Release object references
      Set objSubfolder = Nothing
      Set objFile = Nothing
      Set objFolder = Nothing
      Set fso = Nothing

      ' The usual warnings apply if you run some VBS file you copied from the Internet!

  23. STOP_FORTH
    Big Brother

    Two things

    I'd like to nominate "This is yet another example of the 'badtech industrial complex' protecting its river of gold." as sentence of the year on el Reg. (If there is no such thing, there should be. You used to have "Flame of the Week." Or was it month?)

    Use a live LINUX CD for browsing. This allows you to have statefulness whilst browsing so your shopping carts etc will work. All of the locally stored cookies/supercookies etc disappear when you switch off machine. Of course, you have to then type in your address and credit card details every single time, but that's the price you have to pay for wearing a tinfoil hat.

    I believe the kewl kids use live LINUX USB sticks but these will happily store cookies (probably).

    1. Doctor Syntax Silver badge

      Re: Two things

      Simpler: just have a browser set up to delete all history on exit. Fire it up and kill it again as necessary. If you really want to be paranoid delete its profile directory on logout.

      1. STOP_FORTH

        Re: Two things

        I can't remember the details of supercookies, but didn't they drop "crumbs" in hidden system (i.e non-browser) directories?

        Virtual machines and/or sandboxes would presumably also work.

    2. Charles 9 Silver badge

      Re: Two things

      "Of course, you have to then type in your address and credit card details every single time, but that's the price you have to pay for wearing a tinfoil hat."

      So what do you tell people with bad memories who can't recall stuff like that to save their lives, to say nothing of stuff like passwords (Now was it correcthorsebatterystaple or donkeyenginepaperclipwrong)?

      1. STOP_FORTH

        Re: Two things

        You tell those people to write that stuff down in a small notebook OR you tell them they are going to be tracked all over the web.

        Solutions don't have to work for everybody. More than one solution may be possible.

        Whataboutism can be a useful rhetorical device to further a discussion. It can also reveal a passive, defeatist approach to life's problems. Just because greedy, corporatists are seizing control of an engineering toy, doesn't mean we have to give up and go home.

        1. Charles 9 Silver badge

          Re: Two things

          "Whataboutism can be a useful rhetorical device to further a discussion. It can also reveal a passive, defeatist approach to life's problems. Just because greedy, corporatists are seizing control of an engineering toy, doesn't mean we have to give up and go home."

          The thing about edge cases is that they don't STAY edge cases. And there are people out there who encounter Murphy more often than most. Not to mention people who have to live with people with terrible memories (as in sometimes they can't recall their name yet are too proud to ask for help).

          As for solutions, I always recall my favorite whine: "I want it all, and I want it yesterday! Now JFDIE!" Thus ICU to me isn't Intensive Care Unit but Instructed to Chase Unicorns.

          1. STOP_FORTH

            Re: Two things

            I am not ignoring the plight of those with terrible memories.

            Now that I have been off statins for a few years I can now remember lots of things. PIN numbers (no more credit card refusal), the name of the guy I sat next to at work, many proper nouns etc.

            Wholesale prescription of water-soluble statins is going to produce a large number of people with severe memory problems. These will all probably be misdiagnosed as Alzheimer's.

            Having recently sat in on a "memory test" of a relative administered by a specialist, I am not convinced that the current assessment techniques are effective.

            All the best to you and yours.

            1. STOP_FORTH
              Headmaster

              Statins erratum

              I was on a fat-soluble statin. These are supposedly the ones that are associated with memory problems.

              Never take medical advice from an engineer.

        2. Doctor Syntax Silver badge

          Re: Two things

          "You tell those people to write that stuff down in a small notebook"

          Or use a password manager. And in any case I'd prefer sites that don't keep credit card numbers.

          1. Charles 9 Silver badge

            Re: Two things

            Bad memories mean people forget mnemonics: meaning little black books get lost and master passwords get forgotten. That's how bad we're talking (as in bad enough to forget their birthday or even their name sometimes). Yet they're too proud to ask for help.

            1. Kiwi Silver badge

              Re: Two things

              Charles, those of us who work in these industries know what goes on, and what steps to take to deal with their issues.

              We don't live in your funny little world where solutions that work for most people cannot be used because of a few edge cases. We live in a place where we use solutions that work for most people most of the time, and specially tailored solutions for those few times we need something specifically tailored to a person's situation.

              Why not join us in the real world instead of that weird loser-land you keep yourself locked into?

      2. Doctor Syntax Silver badge

        Re: Two things

        Of course, you have to then type in your address and credit card details every single time, but that's the price you have to pay for wearing a tinfoil hat keeping control of your bank account

        FTFY

        1. STOP_FORTH
          Headmaster

          Re: Two things

          You don't like my tinfoil hat? You, sir, are a millineryist of the first order.

          Icon - top titfer.

  24. Craig 2 Silver badge

    Grrr....

    Software methods that circumvent browser security measures should be considered hacking. ie. Unauthorized computer access and prosecuted as such.

    1. Warm Braw Silver badge

      Re: Grrr....

      This is already illegal and the companies doing it presumably know that and are happy to continue until such time as there's an effective prosecution, hoping they'll have found another loophole by then. The only effective response to that would be to make the individuals liable rather than the companies.

      1. Charles 9 Silver badge

        Re: Grrr....

        But that's why corporations exist in the first place. They were made to shield liability.

        1. Craig 2 Silver badge

          Re: Grrr....

          "The lowest-level of penalty is applied if you are found guilty of gaining access to a computer without permission (or officially known as “unauthorised access to a computer”). This crime holds a penalty of up to two years in prison and a £5,000 fine"

          Applying £5k PER infringement should force even the largest corporation to take note. Of course, sending the CEO down for a couple of years wouldn't hurt too :)

  25. Mephistro Silver badge
    Mushroom

    I guess that...

    ... the Tor Browser would be useful here. No permanent cookies, no user's IP address, circuit and identity changes whenever the user wants...

    It will break many sites or turn using them into a PITA, but those sites usually are the ones trying harder to buttfuck the users, so... to hell with them!

    1. Charles 9 Silver badge

      Re: I guess that...

      Including GOVERNMENT websites, meaning no benefits and so on?

      1. Paul Shirley

        Re: I guess that...

        In my experience those gov sites tend to not work even if you disable every layer of browser protection.

        1. Anonymous Coward

          Re: gov sites tend to not work even if you disable every layer of browser protection.

          Working on a government adjacent website atm. One requirement driving all the youngsters up the wall is "must work perfectly with no client js". So simple ad blocking should work if you disable js.

          I'm talking about uk gov, your country may vary....

          1. Doctor Syntax Silver badge

            Re: gov sites tend to not work even if you disable every layer of browser protection.

            I suppose the requirements "insert more white space" and "spread the functionality over as many pages as possible" provide them with some compensation.

      2. Mephistro Silver badge

        Re: I guess that...

        "Including GOVERNMENT websites...?"

        For those sites you can use a 'normal' browser. If your government uses the technique described in the article in its own webpages, the right thing to do is a revolution, not some silly change of browser!

        ;^)

  26. dajames Silver badge

    What I find ironic is that when I set my preferences on a website to tell it not to store cookies, it stores this preference ... in a cookie! A cookie that will be deleted automatically as soon as I close the browser.

    Wouldn't it be nice if browsers provided a separate form of storage just for the storage of a very limited set of preferences, so that they could survive the inevitable end-of-session purge. It would be hard to persuade website owners to use such a mechanism, though.

    1. Major Page Fault

      I think the Browser could just send a header specifying the types of Cookies it accepts, configurable by the user. One might come up with a few categories of cookies, and there is already the Do-Not-Track header. The site then doesn't have to store the preferences in a Cookie. The problem here is that some Browser manufacturers might just set default consent (it really should be asked of the user once a new profile is created and changed later, with a per-site override).

      1. Charles 9 Silver badge

        "(it really should be asked of the user once a new profile is created and changed later, with a per-site override)"

        NO, because of Joe Stupid. And YES, you have to protect Joe Stupid from himself or he'll take the rest of us with him.

  27. FrogsAndChips Silver badge

    Two days ago, [...] Raymond Hill deployed a fix for Firefox users in uBlock Origin v1.24.1b0

    Unfortunately, the latest version available on addons.mozilla.org is still 1.24.0 at the moment.

    Oh well, haven't read Liberation for a while, that can wait a few more days.

    1. Belperite

      Re: Two days ago, [...] Raymond Hill deployed a fix for Firefox users in uBlock Origin v1.24.1b0

      Still in beta to ensure he's not broken anything I imagine.

      1. FrogsAndChips Silver badge
        Facepalm

        Re: Two days ago, [...] Raymond Hill deployed a fix for Firefox users in uBlock Origin v1.24.1b0

        Thanks, should've guessed what the b in 1b0 stands for...

    2. Gob Smacked

      Re: Two days ago, [...] Raymond Hill deployed a fix for Firefox users in uBlock Origin v1.24.1b0

      Remove, then install the beta version. FTFY.

  28. Venerable and Fragrant Wind of Change

    DNS delegation

    Should surprise no one.

    Like so many things abused by advertisers and marketers (not least the WWW itself), DNS delegation has been widely used by techies for many years for entirely legitimate purposes. In fact DNS delegation is older than the WWW - though back then aliases were (by convention, at least) CNAME records, rather than very-slightly-naughty duplicated A records that proliferated from the mid-1990s with the rise of Virtual Domains.

    A similar story can be found in email headers, if you look up the quaint distinction between "From" and "Sender" headers, when we trusted that they wouldn't be abused, and forging them was a student prank.

  29. This post has been deleted by its author

    1. Venerable and Fragrant Wind of Change

      will make absolutely no difference to the scheme described in the article.

      1. el_oscuro
        Big Brother

        Actually, pi-hole could prevent this easily:

        1. Resolve DNS alias to real A-record

        2. Check if on block list

        3. Optionally add new record to blocklist

        So if x-d.example.com really points to tracking.doubleclick.net, x-d.example.com would be added to the pi-hole block list and eventually all of these faked subdomain aliases would just become additional blocked entries.
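
The three steps listed in the comment above, as an added example that is not part of the original thread and is not Pi-hole's own code. It assumes a small constructed CNAME table in place of live DNS lookups; apart from the x-d.example.com and tracking.doubleclick.net pairing taken from the comment, every hostname and function name here is made up for illustration.

```python
# Constructed DNS data standing in for live lookups, so this runs offline.
# x-d.example.com -> tracking.doubleclick.net is the pairing from the comment;
# the intermediate hop and all other names are invented for the example.
CNAME_RECORDS = {
    "x-d.example.com": "edge.cdn.example.net",
    "edge.cdn.example.net": "tracking.doubleclick.net",
    "www.example.com": "origin.example.com",
    "loop-a.example.com": "loop-b.example.com",
    "loop-b.example.com": "loop-a.example.com",
}

MAX_CHAIN = 8  # assumed cap on names per chain, to bound work per lookup


def normalize(name):
    """Lower-case and drop the trailing root dot so comparisons are stable."""
    return name.strip().lower().rstrip(".")


def resolve_chain(name, records=CNAME_RECORDS):
    """Step 1: follow CNAMEs from `name` towards the canonical name.

    Returns every name visited; stops on a CNAME loop or at MAX_CHAIN."""
    chain = [normalize(name)]
    while chain[-1] in records and len(chain) < MAX_CHAIN:
        target = normalize(records[chain[-1]])
        if target in chain:  # loop: stop rather than spin forever
            break
        chain.append(target)
    return chain


def is_blocked(name, blocklist):
    """Step 2: a name is blocked if it or any parent domain is listed."""
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def check_and_learn(name, blocklist, learn=True):
    """Steps 1-3: return the first listed hop in the chain (or None) and,
    if `learn` is set, add the first-party alias to the block list."""
    chain = resolve_chain(name)
    hit = next((hop for hop in chain if is_blocked(hop, blocklist)), None)
    if hit is not None and learn:
        blocklist.add(chain[0])
    return hit
```

Checking every hop, not only the final name, catches aliases that pass through an intermediate CDN name before reaching the listed tracker.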

  30. Andy1

    I just went to the Firefox addon site and installed UBlock. Well, wouldn't you know it, I returned straight away to this page and UBlock reported the blocking of 5 requests attributed to El Reg. I now know the meaning of "Biting The Hand That Feeds IT(self)"

    A.

  31. Gob Smacked
    Thumb Up

    Next to UBO, this...

    Nice addition to UBO: Cookie AutoDelete plugin.

    YW

  32. elaar

    Perhaps a silly question, but if I select "Do not track" in my browser, and yet companies do track me regardless of the method used, doesn't that break GDPR?

    1. Doctor Syntax Silver badge

      Yes, if you're in the EU.

  33. elaar

    Their website is written by the typical bunch of marketing morons.

    Talking about adblockers - "In response to this climate of mistrust but also to the growing importance of user data protection and the pressure of the European institutions (GDPR)"

    Their response to this mistrust is - "using subdomains....increase in the amount of data collected and, therefore, a much more real and accurate view of what is happening"

    That will sort out the mistrust!

  34. Paul 195
    Mushroom

    GDPR

    Since this is in breach of GDPR when can we expect to see some large fines being handed out? And since it requires the active co-operation of sites hosting the adverts, those organizations are presumably in breach and therefore also liable to fines?

    1. SImon Hobson Silver badge

      Re: GDPR

      when can we expect to see some large fines being handed out?

      When ? When the regulators run out of excuses for doing nothing !

  35. Soapy

    If I was to go into a Tesco store, and whilst in they attached a GPS tracker to me so they could see where I go after I left the store, this would be probably deemed illegal and it would be stamped out in the courts very quickly. So why is it allowed to happen online? If I go to the Tesco website, no doubt trackers will be attached to me to follow me about the web. What's the difference between that and the real world? We just need our government to grow a set and simply make it illegal to track us online.

    1. Charles 9 Silver badge

      No, because it'll probably be the government that puts the Tescos up to it. In which case, if the courts say one thing, they can always change it to fit.

  36. brucedenney

    If we block cookies that are not on the same subdomain rather than under the same parent domain we are good to go.


Biting the hand that feeds IT © 1998–2019