[HN Gopher] Vodafone and Deutsche Telekom to introduce persisten...
___________________________________________________________________
Vodafone and Deutsche Telekom to introduce persistent user tracking
Author : mmazzarolo
Score : 34 points
Date : 2022-07-23 21:07 UTC (1 hours ago)
(HTM) web link (blog.simpleanalytics.com)
(TXT) w3m dump (blog.simpleanalytics.com)
| account-5 wrote:
| Can someone ELI5 how these operators can track my websites if I'm
| using HTTPS and DoH? Sure they might see handshakes etc but what
| else can they see?
| aaaaaaaaaaab wrote:
| They can't.
| gruez wrote:
| Not really. Based on the picture on the site[1], I can think
| of multiple ways of how that would work:
|
| 1. The site that wants visitor information makes a CORS/third
| party request to
| https://vodafone.example/api/GetSubscriberInfo, which then
| fetches the associated account information and returns it to
| the site
|
| 2. The site notes the IP + port + timestamp that was used for
| the HTTP connection, and then asks vodafone for the
| information.
|
| [1] https://assets.simpleanalytics.com/blog/2022-Trustpid/vod
| afo...
| fulafel wrote:
| Traffic analysis + IP addresses would be one way.
|
| (But if the visited site is colluding with VF, your traffic is
| no longer protected from VF observation anyway)
| tsimionescu wrote:
| The site operator asks Vodafone "what is the unique account ID
| for the machine accessing my site right now from
| 17.56.2.43:3452?", and Vodafone gives them an account ID. They
| can then use that account ID to correlate to previous
| interactions you had with their site, even if they were coming
| from different IPs.
|
| Https and DoH don't protect you in any way from the site
| operator wanting to serve you ads, and Vodafone will always
| know what IP:port they assigned you personally (well, your
| phone).
|
| Tor, VPN and proxy services can protect from this, since they
| decouple your original request from what the server receives.
| Of course, the latter two can also sell your information
| instead of Vodafone.
| politician wrote:
| How is this compliant with the GDPR? Is the GDPR a complete joke?
| formerkrogemp wrote:
| These companies operate in multiple countries. So, at a guess,
| they can implement this in areas where GDPR isn't a concern.
| mildmotive wrote:
| I think once you sign a contract with one of these providers
| you're basically signing away the rights to your personal
| information. GDPR won't protect you from state actors trying to
| spy on the people, but it will allow you to ask a company to
| delete all personal information about you. The problem is that
| doing so will effectively end the service for you. If all
| mobile carriers start enforcing predatory contracts then I
| don't know if GDPR will be very effective here.
|
| Something additional will be required to stop this tracking. As
| it stands right now some European countries have started
| forcing ISPs to save logs, that's actually worse. We must make
| sure that it's well understood that the public does not want
| these policies. The public must also deny any party their vote
| if fixing this is not in their agenda. Politicians are getting
| away with slowly eroding our freedoms without many people
| noticing or speaking about it, that has to change. We need to
| let them know that they have zero support from us if they
| decide to continue in this trajectory.
| dane-pgp wrote:
| I wonder if Deutsche Telekom will integrate these persistent user
| IDs with the "global COVID vaccine verification app" they are
| building for the WHO:
|
| https://www.reuters.com/business/healthcare-pharmaceuticals/...
| Traubenfuchs wrote:
| Ah yes, the good old "antivaxer conspiracy theory confirmed as
| upcoming future" kind of twist.
|
| I wonder what they'll make up next after monkeypox.
| FredPret wrote:
| From the continent that brought you the last one million privacy
| cookie popups: ISP-level tracking
| gigatexal wrote:
| This 100% means I'm going to be running a persistent VPN on my
| phone at all times. Great.
| moehm wrote:
| The article mentions they are injecting a http header, so
| shouldn't https be enough to prevent tampering?
| turtleman1338 wrote:
| Yes, you cannot just inject a http header when using SSL
| without breaking it.
| tsimionescu wrote:
| That's only about how Verizon did it back in the day. They
| don't explain how Vodafone and DT are planning to technically
| achieve it, but it could simply be related to IP or similar
| lower level protocol addresses from 4/5G. As network operators,
| they have access to the Account:IP mapping, they don't
| necessarily need to inject anything special in the packets.
| gruez wrote:
| >The article mentions they are injecting a http header
|
| It does, but if you read carefully you'll see there's no source
| saying that's how that's being implemented. It's all
| speculation on the author's part. In fact, one of the sources
| linked (wired.com) says the opposite, claiming that it's "based
| on a user's IP address", which wouldn't require any HTTP header
| injection.
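
Added example (not part of the thread, and not the carriers' implementation): a toy model of the IP:port + timestamp lookup that gruez and tsimionescu describe, showing why the returned ID survives IP changes over HTTPS while a request seen from a VPN exit address resolves to nothing. The lease table, the key and the `lookup` / `pseudonym` names are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed carrier-side data: which subscriber held which public IP:port, and when.
@dataclass(frozen=True)
class NatLease:
    public_ip: str
    port: int
    start: int       # lease start, Unix seconds
    end: int         # lease end, Unix seconds (exclusive)
    subscriber: str  # carrier's internal account reference

CARRIER_KEY = b"constructed-demo-key"  # hypothetical secret known only to the carrier

LEASES = [
    NatLease("17.56.2.43", 3452, 1000, 1060, "acct-A"),
    NatLease("17.56.9.10", 5120, 5000, 5060, "acct-A"),  # same phone, new IP later
    NatLease("17.56.2.43", 3452, 1060, 1120, "acct-B"),  # IP:port reused by someone else
]

def pseudonym(subscriber: str) -> str:
    """Stable token for an account; it does not change when the IP does."""
    return hmac.new(CARRIER_KEY, subscriber.encode(), hashlib.sha256).hexdigest()[:16]

def lookup(ip: str, port: int, ts: int):
    """Answer a site's question: who was behind ip:port at time ts?"""
    for lease in LEASES:
        if (lease.public_ip, lease.port) == (ip, port) and lease.start <= ts < lease.end:
            return pseudonym(lease.subscriber)
    return None  # address was not assigned by this carrier at that time

def demo():
    first = lookup("17.56.2.43", 3452, 1010)      # visit 1, over HTTPS
    second = lookup("17.56.9.10", 5120, 5030)     # visit 2, different IP, over HTTPS
    other = lookup("17.56.2.43", 3452, 1070)      # same IP:port, later lease
    via_vpn = lookup("203.0.113.7", 44321, 5030)  # site only sees the VPN exit address
    return first, second, other, via_vpn

if __name__ == "__main__":
    print(demo())
```

Nothing in the lookup touches packet contents, which is why TLS and DoH do not affect it; only changing the address the site observes does.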
___________________________________________________________________
(page generated 2022-07-23 23:01 UTC)