Online anonymity is pretty much gone. You can uniquely identify most visitors without cookies using a bunch of other exposed attributes.<p>This site shows you how unique your system appears:
<a href="http://panopticlick.eff.org/" rel="nofollow">http://panopticlick.eff.org/</a><p>When you combine things like screen-resolution, installed fonts, etc. you get a pretty-unique profile of each person.<p>Bruce Schneier addresses the topic here:
<a href="http://www.schneier.com/blog/archives/2010/01/tracking_your_b.html" rel="nofollow">http://www.schneier.com/blog/archives/2010/01/tracking_your_...</a><p>How UberVu mapped this back to an actual email address is a separate matter - but I'm guessing they used the profile of his machine and connected it to a matching profile they had access to from some site he does authenticate with.<p>Now extend that concept to Google. They've got their digital hooks on millions of sites using Google Analytics. They can map those hits back to an IP address that correlates to a GMail login and get a pretty good idea about where else their users browse.
Looking at the <a href="http://ubervu.com/" rel="nofollow">http://ubervu.com/</a> website, it seems they are using a tracking service hosted on <a href="http://trackalyzer.com/" rel="nofollow">http://trackalyzer.com/</a>. This is a privately registered domain (there is no index page either), but from <a href="http://trackalyzer.com/w3c/policy1.xml" rel="nofollow">http://trackalyzer.com/w3c/policy1.xml</a> we can derive that this service is operated by LeadLander.com.<p>The LeadLander product seems to identify users by company name (most likely by checking the IP address/netblock) and then "integrates" with LinkedIn and Jigsaw in order to contact (spam?) the users by email (see: <a href="http://www.leadlander.com/web_analytics.asp" rel="nofollow">http://www.leadlander.com/web_analytics.asp</a>).<p>Definitely interesting, but legal? Not very likely...
UberVU Response:<p>For the life of me, I can't figure out how to link directly to a specific reply in Google+, but here's the reply from UberVU:<p>"Elisabeth Michaud
Hi Sumit - Elisabeth from uberVU here (I also run the uberVU twitter account where we were chatting earlier). Niek is right that we have been using a tool called LeadLander (based in San Francisco) to help us connect with companies who visit our site. We take privacy very seriously and definitely don't want visitors to our site to feel we are overstepping our boundaries. As such, we've decided as a team to discontinue our use of LeadLander and focus our efforts on other ways to engage website visitors. You won't see any further emails from us, and these changes will be implemented globally.<p>If you have any further concerns, don't hesitate to reach out to me at <redacted>"
I run analytics for a major enterprise and have had this technology pitched to me for years. It is a very common practice for B2B lead gen.<p>That said, don't believe the sales copy on their websites. They will tell you that they can reliably identify the individual, but that is horseshit.<p>They usually maintain and/or purchase access to lists of people who work at companies and have relevant job titles. The lists are captured from multiple sources ranging from stuff publicly posted on company websites to business cards collected (and sold) at trade shows/conferences. There are lots of other sources and I'm sure this audience can think of many on their own.<p>Company/ip/id can be gleaned from either an ip block or someone who registered to download a free report or other content from a partner site at some prior time.<p>Sure you'll sometimes get the contact for the exact person that browsed the site, but you'll often get it wrong. That said, it could still be valuable to contact someone at the company about your services, because if one person is looking into it, then someone else might be interested too.<p>The tech/idea certainly isn't new - I've been getting pitched it for 5+ years.
Does anyone know for sure that cookies or browser uniqueness were exploited to identify the visitor? I've used LeadLander, and as far as I can tell LeadLander and Relead both use reverse DNS to find what company the visitor is from. They track what pages the visitor goes to, and time spent (Google Analytics style). Plus "helpful" information like the company's location, and publicly available info about who works there.<p>That sort of information doesn't feel creepy to me, it's basically what you could do manually with info from the server logs and lots of searching (DNS, Google, LinkedIn).<p><i>If</i> they are using information from another website where the user is logged-in to get the contact information it might be illegal, as it is likely that the first website's privacy policy doesn't say they are giving away that information. If company X uses LeadLander, and LeadLander gathers a user's email address from them, then gives that address to company Y when the same person visits, company X might be breaking the law because they are giving away personal information without stating it in their privacy policy. And privacy policies are required by California law.
I've no idea if their service actually works but if it does, it's illegal in the EU and it would also be illegal for their clients to use such information to e-mail those visitors.<p>EDIT: talking about relead.com mentioned in a g+ reply.
Reposting the paper referenced in the G+ thread:<p><a href="https://panopticlick.eff.org/browser-uniqueness.pdf" rel="nofollow">https://panopticlick.eff.org/browser-uniqueness.pdf</a><p>From the paper:<p>"By observing returning visitors, we estimate how rapidly browser fingerprints might change over time. In our sample, fingerprints changed quite rapidly, but even a simple heuristic was usually able to guess when a fingerprint was an 'upgraded' version of a previously observed browser's fingerprint, with 99.1% of guesses correct and a false positive rate of only 0.86%"
> <i>I did not ... connect with any of their social media properties</i><p>What do you mean by "connect"? Do you mean you didn't <i>visit</i> any of UberVu's social media pages, or that you didn't <i>load</i> any of the tracking-related assets that their website includes? Right now, Ghostery is reporting 5 tracking-related assets on their home page, including something called LeadLander. Click around a bit, and you might even come across assets that are loaded directly from a social media service that you use. Or maybe your browser willingly supplied personally identifiable information to them without telling you about it. Like auto-completing some fields in a hidden form, or automatically connecting to an identity provider that the website happens to support.<p>Every time I try Panopticlick [1], it tells me that my browser is unique among millions. I guess it means I'm leaving greasy fingerprints everywhere I go, even with AdBlock and Ghostery enabled, and even without logging in anywhere.<p>[1] <a href="https://panopticlick.eff.org/" rel="nofollow">https://panopticlick.eff.org/</a>
There was a time, in the not-too-distant past, when the Internet was mostly about sharing educational information.<p>Sadly, the Internet is now full of companies who want to use it as a vehicle for advertising and who are obsessed with building up a dossier on as many people as possible, to exploit for financial gain. Your privacy means nothing to these companies; they will collect as much information about you as possible, with no regard for your wishes.<p>I take active countermeasures against these hostiles. I browse with JavaScript disabled. I don't have Flash installed. I don't accept cookies blindly. I adjust my user agent. I run my own DNS server and cache and have hundreds of sites blackholed, including Facebook, Google Analytics, and all the major ad servers.<p>It's some trouble to set all this up, and inconvenient at times. But unfortunately it's a jungle out there, and the default setup of browsers leaves you like a naked person in a mosquito-infested swamp.
Reducing the uniqueness of a browser's fingerprint seems like a more valuable privacy investment than a DNT header that may or may not be adhered to by the websites you visit. Are any of the major web browsers actively working on this?
It could be that they're taking advantage of a third-party service that he's signed up for. For example, Google Docs used to show a user's email when they clicked a link to a document that you created (it's anonymised now).
Quick privacy scan of their homepage only shows scripts being launched from 6 different companies and tracking cookies from Optimizely and themselves (along with Google Analytics).<p>This actually has fewer than the average for tracking cookies placed on a homepage yet they are able to uniquely identify you. Privacy isn't gone on the web, but it is getting harder by the day. Some data can be passed outside of cookies and just through loading the scripts, but in general this site seems to be much ahead of average. (~10 unique domained scripts and ~7 unique domained cookies).
Can we share tips for "feeding" a browser with fake data and keeping some level of anonymity? For example, I noticed that one of the factors for Panopticlick is time zone. This is easily faked by changing the time zone on your computer and then starting a browser. You can fake your IP address with anonymous proxies and change the user agent in browser settings. Is there a way to change/fake the plugin and font lists, as these are the worst offenders regarding fingerprinting?
I don't think it's hard right now to get information on a visitor's company if they work somewhere large enough to have their own public IP block.<p>What I would love to know is how they take that and get an email address out of it. Which 3rd party are they working with that 1) had the IP -> email address link, or this guy logged in and 2) is willing to share that data with a 3rd party?
As an operator of a large web site, I was once pitched a product like this. Basically it used various sources to gather as much personally identifying information as possible from your visitors, right down to name, email address, address and phone number (where possible).<p>Super creepy, chewed the sales person out and told them to go away. But this is a thing.
Does anyone know where they are buying these data sets that link browser characteristics to personally identifiable information? Obviously, companies like LinkedIn and Facebook have these data sets but I can't imagine them selling that information.
I don't think they are using browser uniqueness. I mean where would they get the fingerprint/email pairs from?<p>Everyone should use Firefox and install/do these:<p>- BetterPrivacy (removes supercookies)<p>- RefControl (to stop sending HTTP referrers)<p>- User Agent Switcher (just in case)<p>- HTTPS-Everywhere<p>- Disable third party cookies in Preferences > Privacy<p>- Use a VPN<p>- Change Google for StartPage<p>- Use fake accounts (eg: YouTube) and emails (dispostable.com) whenever possible. This is very easy if you have a password manager like LastPass, you don't have to remember many passwords.<p>With all this, you can surf the web quite safely, unless someone with your ID is creating a shared database of fingerprint/ID pairs. In that case you will also have to remove all your other plugins or use NoScript.
Is there a VM offering preconfigured browsers being identical for everybody? Same JavaScript settings, same (VM) screen resolution, same browser size... Make it fixed and use that VM <i>only</i> for browsing...<p>That would not prevent all types of tracking but it would give people using panopticlick-like tracking techniques a few headaches...
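Added example, not part of the thread: a small measurement of the two ideas discussed above, namely that combining attributes such as screen resolution, time zone and fonts makes most visitors unique, and that giving everyone the same values (the uniform-VM suggestion) grows the anonymity set. The eight-visitor population, the attribute labels and all function names are constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample: (user agent, screen, UTC offset in minutes, font-list label).
# These eight visitors are made up for illustration; they are not measurements.
POPULATION = [
    ("Firefox", "1920x1080", 0, "fonts-a"),
    ("Firefox", "1920x1080", 0, "fonts-b"),
    ("Firefox", "1366x768", -300, "fonts-a"),
    ("Chrome", "1920x1080", -300, "fonts-c"),
    ("Chrome", "1366x768", 0, "fonts-a"),
    ("Chrome", "1366x768", 0, "fonts-a"),
    ("Safari", "1440x900", -480, "fonts-d"),
    ("Firefox", "1366x768", 60, "fonts-e"),
]

def surprisal_bits(values, observed):
    """Bits of identifying information revealed by one observed value."""
    return -math.log2(Counter(values)[observed] / len(values))

def entropy_bits(values):
    """Shannon entropy of one attribute across the population."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def anonymity_set(population, fingerprint):
    """How many visitors share this exact combination of attributes."""
    return Counter(population)[fingerprint]

def unique_fraction(population):
    """Share of visitors whose combined fingerprint nobody else has."""
    counts = Counter(population)
    return sum(1 for p in population if counts[p] == 1) / len(population)

def standardize(population, fixed):
    """Model a uniform browser image: `fixed` maps attribute index -> shared value."""
    return [tuple(fixed.get(i, v) for i, v in enumerate(p)) for p in population]

if __name__ == "__main__":
    for i, name in enumerate(("user agent", "screen", "time zone", "fonts")):
        print(f"{name:10s} entropy: {entropy_bits([p[i] for p in POPULATION]):.2f} bits")
    print("unique as-is:", unique_fraction(POPULATION))
    vm = standardize(POPULATION, {1: "1024x768", 3: "vm-fonts"})
    print("unique with shared screen and fonts:", unique_fraction(vm))
```

No single attribute here carries more than a few bits, yet six of the eight constructed visitors are unique once the attributes are combined; sharing only screen and fonts still leaves half of them unique through user agent and time zone.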