How Incognito is my Mode?
March 2, 2015 10:50 AM Subscribe
Are buzzfeed/playbuzz style quizzes able to correlate my answers to my identity when I use Incognito Mode in Chrome?
I'll admit it, I love a good stupid Internet quiz. I even love the bad ones. They are fun little 5 minute distractions and I know to never take the results seriously at all.
But, I also realize that they are a great data mining tool for advertisers, as they are sneaky ways to get you to admit that, say, you enjoy drinking alone and reading trashy romance novels when that isn't information that you would otherwise voluntarily give up.
Obviously, the most privacy-hygienic thing to do would be to not access the quizzes at all, but I am not a stone. So I have some questions:
1.) I usually see quizzes I'm interesting in on Facebook*, I will right-click, open in Incognito Mode. Is there, generally, something in the GET/POST of those requests that will link allow trackers to link my quiz results to my Facebook id?
2.) I know that browser fingerprinting is a thing, and so it is technically possible for any website that I access to uniquely identify me. But there is a difference between hiding from the NSA and hiding from Doubleclick. Are the trackers on the stupid internet quizzes really sophisticated enough to tie my browser fingerprint to my non-Incognito browsing?
3.) Is there a safer way to do this? I use AdBlockPlus (which I understand is not perfect), but not Ghostery - are there other prophylactic measures that I should be taking before figuring out which Hogwarts House I belong in?
Help me find the right balance between naivety and paranoia.
*the irony of asking about privacy concerns while having an active facebook account is not lost on me.
I'll admit it, I love a good stupid Internet quiz. I even love the bad ones. They are fun little 5 minute distractions and I know to never take the results seriously at all.
But, I also realize that they are a great data mining tool for advertisers, as they are sneaky ways to get you to admit that, say, you enjoy drinking alone and reading trashy romance novels when that isn't information that you would otherwise voluntarily give up.
Obviously, the most privacy-hygienic thing to do would be to not access the quizzes at all, but I am not a stone. So I have some questions:
1.) I usually see quizzes I'm interesting in on Facebook*, I will right-click, open in Incognito Mode. Is there, generally, something in the GET/POST of those requests that will link allow trackers to link my quiz results to my Facebook id?
2.) I know that browser fingerprinting is a thing, and so it is technically possible for any website that I access to uniquely identify me. But there is a difference between hiding from the NSA and hiding from Doubleclick. Are the trackers on the stupid internet quizzes really sophisticated enough to tie my browser fingerprint to my non-Incognito browsing?
3.) Is there a safer way to do this? I use AdBlockPlus (which I understand is not perfect), but not Ghostery - are there other prophylactic measures that I should be taking before figuring out which Hogwarts House I belong in?
Help me find the right balance between naivety and paranoia.
*the irony of asking about privacy concerns while having an active facebook account is not lost on me.
1. Doubtful, because this means they would have to post a different link for every user.
2. Yes, in fact I think most of the concern about browser fingerprinting is based on ad networks doing it because (a) the NSA doesn't need to bother with it and (b) the most ubiqituous ad networks can basically track you across every mainstream websites
3. There is, the question is how much effort you want to expend. You could thwart fingerprinting by using a different browser, or a hardened browser (like the Tor browser), or a browser in a VM, but you still might have the same IP address so the next step would be to use a VPN or proxy or TOR itself. But you would still have to be extremely vigilant in terms of opsec to not leak information between sessions. And without knowing exactly what techniques your adversaries are using, it's hard to know what countermeasures to take.
posted by unrulychild at 11:55 AM on March 2, 2015 [1 favorite]
2. Yes, in fact I think most of the concern about browser fingerprinting is based on ad networks doing it because (a) the NSA doesn't need to bother with it and (b) the most ubiqituous ad networks can basically track you across every mainstream websites
3. There is, the question is how much effort you want to expend. You could thwart fingerprinting by using a different browser, or a hardened browser (like the Tor browser), or a browser in a VM, but you still might have the same IP address so the next step would be to use a VPN or proxy or TOR itself. But you would still have to be extremely vigilant in terms of opsec to not leak information between sessions. And without knowing exactly what techniques your adversaries are using, it's hard to know what countermeasures to take.
posted by unrulychild at 11:55 AM on March 2, 2015 [1 favorite]
I'm pretty skeptical that a web site or ad network behaving as though it no longer recognizes you after you've blanked cookies etc. is any proof that it actually has; I'd kinda expect that at whatever rate visitors use "privacy" features in their browser, ignoring that behavior ends up being more trouble than serving tailored content is worth in that small number of cases.
The various tracking mechanisms connected to any given web page don't necessarily need to be trying to perform browser fingerprinting on you themselves, all they need to do is log information that would be correlated with other sources in the future after they share or sell or leak their data.
Also, note that some details like those you'd see in https://panopticlick.eff.org/ are going to be shared across different browsers on the same system.
posted by XMLicious at 2:39 PM on March 2, 2015
The various tracking mechanisms connected to any given web page don't necessarily need to be trying to perform browser fingerprinting on you themselves, all they need to do is log information that would be correlated with other sources in the future after they share or sell or leak their data.
Also, note that some details like those you'd see in https://panopticlick.eff.org/ are going to be shared across different browsers on the same system.
posted by XMLicious at 2:39 PM on March 2, 2015
I was going to suggest using a different browser, or even going so far as to save URLs to a neutral location and load them up under a different user account on your machine. But then I remembered that time my girlfriend brought her laptop over, shopped for internet service providers using my wifi (her own laptop, her own logins, her own browser, her own cookies) and the next week *I* got five postcards from different ISPs to my home address. Good luck.
posted by myrrh at 7:10 PM on March 2, 2015
posted by myrrh at 7:10 PM on March 2, 2015
This thread is closed to new comments.
You can test this.
In normal mode log out of Facebook. Still in normal mode, go online shopping for something. Google around a bunch, check out reviews, go to a site, add the item to your cart, get almost all the way there... and then just ditch the virtual shopping cart and walk out of the virtual store
Log in to Facebook.
Facebook's advertising should now be for the product you almost bought, or at least for that store. (Not all stores take part, but it does happen.)
In Incognito mode, go shop online for something. Do the same sort of thing.
Go back to Facebook in Normal mode and refresh.
The advertising hasn't switched to recommending whatever you were searching for in incognito mode.
As far as cookies are concerned, incognito mode is good enough.
Now, this isn't actually proof, and between the NSA and Doubleclick, there's your health insurance company, who would very much like to know that you drink alone and wouldn't tell you that they know via Facebook, but it's proof enough that Doubleclick is at least pretending they can't see through incognito mode.
To go one step further, you could use a different browser to take the quizzes, and then never use that browser for personal stuff. Ie only use Facebook via Firefox, and only use Chrome for fun quizzes, but incognito mode is good enough for now, as far as advertising preferences go.
posted by fragmede at 11:51 AM on March 2, 2015 [1 favorite]