[HN Gopher] Vodafone and Deutsche Telekom to introduce persisten...
___________________________________________________________________

Vodafone and Deutsche Telekom to introduce persistent user tracking

Author : mmazzarolo
Score  : 34 points
Date   : 2022-07-23 21:07 UTC (1 hours ago)

(HTM) web link (blog.simpleanalytics.com)
(TXT) w3m dump (blog.simpleanalytics.com)

| account-5 wrote:
| Can someone ELI5 how these operators can track my websites if I'm using HTTPS and DoH? Sure they might see handshakes etc but what else can they see?
|
| aaaaaaaaaaab wrote:
| They can't.
|
| gruez wrote:
| Not really. Based on the picture on the site[1], I can think of multiple ways of how that would work:
|
| 1. The site that wants visitor information makes a CORS/third party request to https://vodafone.example/api/GetSubscriberInfo, which then fetches the associated account information and returns it to the site
|
| 2. The site notes the IP + port + timestamp that was used for the HTTP connection, and then asks Vodafone for the information.
|
| [1] https://assets.simpleanalytics.com/blog/2022-Trustpid/vodafo...
|
| fulafel wrote:
| Traffic analysis + IP addresses would be one way.
|
| (But if the visited site is colluding with VF, your traffic is no longer protected from VF observation anyway)
|
| tsimionescu wrote:
| The site operator asks Vodafone "what is the unique account ID for the machine accessing my site right now from 17.56.2.43:3452?", and Vodafone gives them an account ID. They can then use that account ID to correlate to previous interactions you had with their site, even if they were coming from different IPs.
|
| HTTPS and DoH don't protect you in any way from the site operator wanting to serve you ads, and Vodafone will always know what IP:port they assigned you personally (well, your phone).
|
| Tor, VPN and proxy services can protect from this, since they decouple your original request from what the server receives. Of course, the latter two can also sell your information instead of Vodafone.
|
| politician wrote:
| How is this compliant with the GDPR? Is the GDPR a complete joke?
|
| formerkrogemp wrote:
| These companies operate in multiple countries. So, at a guess, they can implement this in areas where GDPR isn't a concern.
|
| mildmotive wrote:
| I think once you sign a contract with one of these providers you're basically signing away the rights to your personal information. GDPR won't protect you from state actors trying to spy on the people, but it will allow you to ask a company to delete all personal information about you. The problem is that doing so will effectively end the service for you. If all mobile carriers start enforcing predatory contracts then I don't know if GDPR will be very effective here.
|
| Something additional will be required to stop this tracking. As it stands right now some European countries have started forcing ISPs to save logs; that's actually worse. We must make sure that it's well understood that the public does not want these policies. The public must also deny any party their vote if fixing this is not in their agenda. Politicians are getting away with slowly eroding our freedoms without many people noticing or speaking about it; that has to change. We need to let them know that they have zero support from us if they decide to continue on this trajectory.
|
| dane-pgp wrote:
| I wonder if Deutsche Telekom will integrate these persistent user IDs with the "global COVID vaccine verification app" they are building for the WHO:
|
| https://www.reuters.com/business/healthcare-pharmaceuticals/...
|
| Traubenfuchs wrote:
| Ah yes, the good old "antivaxer conspiracy theory confirmed as upcoming future" kind of twist.
|
| I wonder what they'll make up next after monkeypox.
|
| FredPret wrote:
| From the continent that brought you the last one million privacy cookie popups: ISP-level tracking
|
| unnecessaryuser wrote:
|
| gigatexal wrote:
| This 100% means I'm going to be running a persistent VPN on my phone at all times. Great.
|
| moehm wrote:
| The article mentions they are injecting a http header, so shouldn't https be enough to prevent tampering?
|
| turtleman1338 wrote:
| Yes, you cannot just inject a http header when using SSL without breaking it.
|
| tsimionescu wrote:
| That's only about how Verizon did it back in the day. They don't explain how Vodafone and DT are planning to technically achieve it, but it could simply be related to IP or similar lower level protocol addresses from 4/5G. As network operators, they have access to the Account:IP mapping; they don't necessarily need to inject anything special in the packets.
|
| gruez wrote:
| >The article mentions they are injecting a http header
|
| It does, but if you read carefully you'll see there's no source saying that's how that's being implemented. It's all speculation on the author's part. In fact, one of the sources linked (wired.com) says the opposite, claiming that it's "based on a user's IP address", which wouldn't require any HTTP header injection.
___________________________________________________________________
(page generated 2022-07-23 23:01 UTC)
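
The IP:port:timestamp lookup that gruez and tsimionescu describe in the thread above, modelled as an added example that is not part of any comment and is not Vodafone's, Deutsche Telekom's or Trustpid's code. The lease table, account names, key and the per-site HMAC pseudonym are constructed assumptions; only the address 17.56.2.43:3452 comes from the thread.

```python
import hashlib
import hmac
from typing import NamedTuple, Optional

class NatLease(NamedTuple):
    subscriber: str   # carrier account id (hypothetical)
    public_ip: str
    ports: range      # port block handed to this subscriber behind carrier NAT
    start: int        # lease validity, unix seconds
    end: int

# Constructed sample data, not real carrier records.
NAT_LOG = [
    NatLease("acct-1001", "17.56.2.43", range(3000, 4000), 1000, 2000),
    NatLease("acct-2002", "17.56.2.43", range(4000, 5000), 1000, 2000),  # same IP, other customer
    NatLease("acct-1001", "17.56.9.80", range(3000, 4000), 5000, 6000),  # same customer, new IP
]
CARRIER_KEY = b"constructed-demo-key"  # assumption: carrier-held secret

def lookup_subscriber(ip: str, port: int, ts: int) -> Optional[str]:
    """Resolve the ip:port:timestamp a site observed to the account that held it."""
    for lease in NAT_LOG:
        if lease.public_ip == ip and port in lease.ports and lease.start <= ts < lease.end:
            return lease.subscriber
    return None

def site_token(site: str, ip: str, port: int, ts: int) -> Optional[str]:
    """Stable per-site pseudonym for the subscriber, or None if the carrier has no match."""
    subscriber = lookup_subscriber(ip, port, ts)
    if subscriber is None:
        return None
    mac = hmac.new(CARRIER_KEY, f"{site}|{subscriber}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16]

if __name__ == "__main__":
    print(site_token("shop.example", "17.56.2.43", 3452, 1500))   # first visit
    print(site_token("shop.example", "17.56.9.80", 3100, 5500))   # new IP, same token
    print(site_token("shop.example", "203.0.113.7", 3452, 1500))  # VPN exit: None
```

Nothing in the lookup touches the encrypted payload, which is why HTTPS and DoH do not affect it, while an address the carrier never assigned (a VPN or Tor exit) resolves to nothing.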