From the April 2020 issue of Practical Electronics.
Net Work
Alan Winstanley
This month, Net Work looks at the history of ‘cookies’ and the trail of digital data you leave in your
wake when you surf the Internet, plus some of the options you have to boost privacy and security.
The first ever web browser
was NCSA Mosaic, which was
a product of the University of
Illinois’ National Center for Supercomputing Applications. It was designed as
a simple graphical means of rendering
and sharing information over a network.
Mosaic was developed by a very bright
student (Marc Andreessen) and fellow
programmer Eric Bina, who reportedly
worked flat out on this university project
to earn some pocket money. Released
for free public download in 1993, the
early version of Mosaic gained 1,000
users in a few weeks, but as the Internet started to mushroom, there were a
million users of Mosaic worldwide by
the following year.
According to a 2006 biography by
Simone Payment (see Marc Andreessen and Jim Clark: The Founders of
Netscape from the Internet Career Biographies series), NCSA hogged the
limelight for their new ‘Mosaic web
browser’, while Andreessen earned no
recognition for its success. Andreessen
would eventually join forces with Jim
Clark, a wealthy and highly successful
businessman who had decided to cut
his ties with Silicon Graphics Inc (SGI),
the graphics workstation manufacturer that he had founded. The result was
an all-new, reworked version of NCSA
Mosaic initially produced by Mosaic
Communications Corporation, their
new company formed in 1994. Their
browser was initially named Mozilla
after their dinosaur-like mascot (a portmanteau of Mosaic and the mythical
monster Godzilla).
[Figure caption: Website cookie opt-ins control the type of cookies dropped onto your system.]
Mosaic changed their name to Netscape and Mozilla’s successor, Netscape
Navigator 1.0, was launched late in
1994 at a time when Internet users had
little to choose from in web browsers.
Over time, Netscape tried to monetise
Navigator, but it eventually folded into
today’s Firefox web browser, which is
downloadable for free from Mozilla.org.
The curse of cookies
Those early foundations have left us
with something that many users remain
deeply suspicious of: cookies. In a paper
published by France’s Inria (see later),
a young and highly talented Netscape
developer named Lou Montulli, one
of the first half dozen that formed the
new Netscape team with Andreessen,
is credited with an idea in 1994 that
would enable websites to ‘remember’
their visitors, something that was a
thorny problem for the emerging web
industry at the time.
As web surfers will doubtless agree,
cookies are both a blessing and a curse.
These encrypted, innocuous-looking
little text files are dropped onto a user’s
system to enable a website to recognise
and interact with that user. They can
be genuinely useful at times: a cookie
helps a website to remember the contents of your shopping cart so you don’t
have to re-enter your choices again, for
example. Cookies are also needed sometimes to make a website work properly,
but they are also used to follow your
journey across the web. By tracking
which websites you visit, cookies can
shape the adverts that appear when you
visit other websites such as Facebook,
eBay or media portals. Add-on browser
extensions such as Ghostery show the
true extent of trackers that larger websites might typically utilise. I discussed
Ghostery in a 2013 column, and the
problem of trackers has not gone away.
Advertising clicks are the corpuscles
of the online ad industry and, as you
would expect, the software and analytics
that monitor the delivery and performance of ads, their click-through rates,
cpm (cost per mille, or cost per thousand clicks) and cookie metrics have
all been refined to a granular degree
over the years. The use of cookie controls means that users are supposed
to consent to receiving them when
browsing. Website cookie opt-ins can
be distracting, annoying and intrusive,
and many everyday users simply click
‘accept’ and dismiss the opt-in without a second thought. If you ‘reject’
cookies, you may block personalised
ads but you may still see generic adverts instead.
The rise of Cookieless Monsters
Some disreputable sites may harness
cookies for more malicious purposes,
possibly leading to the installation of
spyware or malware scripts hosted by
infected websites. Cookies can be deleted from popular web browsers via the
usual settings menu, something that one
third of us do within a month, industry sources say. Using ‘Privacy’ mode
when surfing will block cookies and
hide one’s browsing history (but not
much else). Software that helps clean up
cookies includes CCleaner, now owned
by Avast, from www.ccleaner.com, or
consider PrivaZer from https://privazer.com/en
(not tested by the author). ‘Personalities’ or ‘containers’ can also be
used when surfing to ring-fence your
browsing session, which prevents a
website from sniffing out other cookies stored on your system. Extensions
or plugins designed for your browser
can also help with cookie management.
Each web user is seen as a marketing
opportunity, and every online marketer
somehow wants to identify our system
and by implication, profile the person
using it. Our IP address, our browsing history, our location, date of birth,
things we’ve bought, things we’ve seen
but haven’t bought yet, our interests –
this personal usage data enables vendors
to join the dots and target our profile
with relevant advertising.
Even though cookies don’t identify
users individually and contain no personal data as such, the fact that savvy
web users can defeat them so easily has
created a problem for online marketers:
how can a user’s web-browsing session
be linked to a device if it doesn’t contain any cookies? One way is through
the use of non-consensual browser fingerprinting, which has given rise to
the term ‘cookieless monsters’. When
visiting a web page, a wide range of
seemingly benign data is exchanged
between your browser and the website.
Much of it is already collected by web
server logs for use in statistics, such as
the visitor’s IP address and country of
origin, the web browser type (called
the ‘user agent’), screen settings and
the client’s operating system. It’s how
websites know to render the mobile
or desktop version of a page. Website
operators know that such data is not
always reliable as it can be spoofed.
However, this ordinary-looking data
(and more besides) that travels to and
fro during your web-surfing session
can be amalgamated to form a ‘browser fingerprint’ identifying your system
at that moment in time.
[Figure caption: Panopticlick by EFF will reveal any browser fingerprinting vulnerabilities in your system.]
How browsers leave fingerprints
Parameters that can be checked this way
include the user agent, the screen resolution and colour depth, any browser
extensions, add-ons or plugins installed,
any fonts installed (derived from the use
of Flash), the system language, WebGL
(Javascripted web graphics) and other
esoteric settings. Cybersecurity developer Seon (https://seon.io) claims that up
to 500 fingerprint parameters can be
extracted and ‘hashed’ this way. These
factors undoubtedly change over time
(weeks/months) but if the marketers
(or fraudsters) hit lucky, the fingerprint
will be unique to your device at that
moment in time.
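As an added illustration of the paragraph above (not code from the article, from Seon or from any tracker), this sketch hashes a handful of attributes into a fingerprint and measures how many bits each one contributes to singling a browser out. The eight-visitor population, the attribute values, the function names and the use of FNV-1a as the hash are all assumptions made for the example.

```javascript
// Added example. Constructed sample data: eight visitors, four attributes each.
const population = [
  ["Firefox/72", "1920x1080x24", "en-GB", "Arial,Calibri,Verdana"],
  ["Firefox/72", "1920x1080x24", "en-GB", "Arial,Verdana"],
  ["Firefox/72", "1366x768x24", "en-GB", "Arial,Verdana"],
  ["Firefox/72", "1366x768x24", "en-GB", "Arial,Verdana"],
  ["Chrome/80", "1366x768x24", "en-GB", "Arial,Verdana"],
  ["Chrome/80", "1366x768x24", "en-GB", "Arial,Verdana"],
  ["Chrome/80", "1440x900x24", "en-GB", "Arial,Verdana"],
  ["Chrome/80", "1440x900x24", "en-GB", "Arial,Verdana"],
].map(([userAgent, screen, language, fonts]) => ({ userAgent, screen, language, fonts }));

// Serialise the chosen attributes in sorted key order so equal inputs hash equally.
function canonical(attrs, keys = Object.keys(attrs)) {
  return [...keys].sort().map((k) => `${k}=${attrs[k]}`).join("\n");
}

// FNV-1a (32-bit): a compact stand-in for whichever hash a real tracker applies.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h = Math.imul(h ^ text.charCodeAt(i), 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

const fingerprint = (attrs, keys) => fnv1a(canonical(attrs, keys));

// Anonymity set: how many visitors share this fingerprint over the given keys.
function anonymitySet(pop, attrs, keys) {
  const fp = fingerprint(attrs, keys);
  return pop.filter((v) => fingerprint(v, keys) === fp).length;
}

// Identifying information in bits: log2(N / matches); 0 means "looks like everyone".
const identifyingBits = (pop, attrs, keys) =>
  Math.log2(pop.length / anonymitySet(pop, attrs, keys));

// Per-attribute breakdown shows which setting does most to single a browser out.
const bitsPerAttribute = (pop, attrs) =>
  Object.fromEntries(Object.keys(attrs).map((k) => [k, identifyingBits(pop, attrs, [k])]));

const me = population[0];
console.log(fingerprint(me), bitsPerAttribute(population, me));
console.log("all attributes:", identifyingBits(population, me), "bits");
console.log("ignoring fonts:", identifyingBits(population, me, ["userAgent", "screen", "language"]), "bits");
```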
In a paper published by Inria, the French Institute for Research in Computer Science and Automation, the techniques for browser fingerprinting were explored, and the authors analysed nearly 10,000 fingerprints collected from about 2,000 browser sessions. Even though the browser fingerprint was likely to change over time, they discovered that they could track browsers for over 54 days, and 26% could be tracked after 100 days, all without using cookies, says the Inria paper (see https://hal.inria.fr/hal-01652021/document).
‘Browser fingerprinting is both difficult to detect and extremely difficult to thwart,’ say the digital privacy activists at the Electronic Frontier Foundation (EFF). One way to test your browser for tracker vulnerabilities is at the Panopticlick website (https://panopticlick.eff.org/), a ten-year-old research project run by the EFF. It recognised that my own system was unique among the 215,000 users tested in the last six weeks.
To safeguard privacy, one way of helping defeat trackers is to enable the Do Not Track (DNT) option in your web browser privacy settings, but most websites fail to observe DNT anyway, says the EFF. The ultra-anonymous TOR browser from www.torproject.org/ could be used, but it will be far too slow for everyday users. Mainstream web browsers such as Google’s Chrome have lacked fingerprint protection, but the latest version (72.0) of the Firefox Quantum browser is a step in the right direction; it helps defeat fingerprinting by blocking third-party requests to companies that are known to participate in this form of system snooping. Mozilla has partnered with Disconnect.me, which offers free and paid-for anti-tracking tools for mobile and desktop browsers. An optional Disconnect add-on shows graphically any blocked trackers but I found it blocked some eBay functions as well. In addition, my browser has blocked more than 10,000 trackers a month thanks to Firefox’s Enhanced Tracking Protection.
Firefox has developed into a fast and powerful web browser that is worth a look and the new browser fingerprint countermeasures are likely to be welcomed. It’s perhaps ironic that the first mainstream browser to actively help defeat ‘cookieless monsters’ is derived indirectly from Netscape, which created cookies in the first place.
Other news
SpaceX launched its fourth crop of Starlink satellites at the end of January in its quest to offer low-cost Internet access around the globe. So far, so good, unless you’re an astronomer. What could be the real reason for pumping billions of dollars into launching a constellation of cheap satellites offering broadband access? The website Brilliant.org, which offers online courses supporting STEM and engineering topics, offered a compelling insight into the technology as well as a thought-provoking critique of the business model behind Starlink. They also explain the trade-off between latency and area of coverage, highlighting some major commercial benefits that satellites flying in low-earth orbit may offer. A matrix of 12,000 Starlink satellites will circle the globe and inter-communicate using lasers, they think; you can see more in Brilliant’s must-watch YouTube video at: https://youtu.be/giQ8xEWjnBs
[Figure caption: Brilliant.org offers a fascinating and thought-provoking analysis on YouTube of the Starlink network.]
In a move that has infuriated the US administration, Britain has opted to allow Huawei to play a very limited role in building the UK’s 5G network. The British government is confident that any supposed risks can be managed and mitigated by the country’s security services. The US embargo on Huawei and Britain’s involvement with the UK’s Huawei Cyber Security Evaluation Centre (HCSEC) was discussed in Net Work, August 2019.
Facebook will pay $550m to settle a class-action privacy lawsuit in the US covering its ‘tagging’ feature that used facial recognition to identify those appearing in photos, in breach of biometric privacy laws in the state of Illinois. Facebook’s tagging function is now an opt-in feature. Meantime, London’s Metropolitan Police is activating a network of overt live facial recognition (LFR) cameras in busy areas, linking to a database of wanted persons in an effort to apprehend villains or maybe locate missing persons. What could possibly go wrong?
That’s all from Net Work this month – see you next month!
The author can be reached at: alan<at>epemag.net