[HN Gopher] TikTok tracks you across the web, even if you don't ...
___________________________________________________________________
TikTok tracks you across the web, even if you don't use the app
Author : bubblehack3r
Score  : 107 points
Date   : 2022-10-01 20:26 UTC (2 hours ago)
web link (www.consumerreports.org)
| DerekBickerton wrote:
| https://archive.ph/RTsuG
| justtosaythanks wrote:
| Thanks for posting this! OK, as a web dev who actively cares about
| user privacy: can these things accidentally sneak onto my page
| through npm deps? Or would I need to install them deliberately?
| If so, how are they on gov websites??
  | t-writescode wrote:
  | Wild guess: they're part of a default "share buttons"
  | repository that includes the "Share on Twitter, Facebook,
  | Google+" buttons for the page, or something very similar to
  | that.
| DerekBickerton wrote:
| > You can't stop data collection from the tech industry
| altogether, but with a few simple steps you can make a dent in
| the amount of information that's being collected.
|
| > Use privacy-protecting browser extensions. You can add
| extensions to your browser that will do a lot to protect your
| privacy. One is Disconnect, made by the company that performed
| our TikTok investigation. The Disconnect extension shows you how
| websites are trying to track you and blocks a lot of that data
| collection. Privacy experts often recommend uBlock Origin, as
| well.
|
| > Change your browser's privacy settings. A lot of browsers have
| built-in controls you can use to block trackers, including
| cookies, pixels, and other technologies. Open your browser's
| preferences or settings, and you'll usually find the controls in
| the privacy section.
|
| > Try a more private browser. Google Chrome collects a lot of
| data on behalf of Google. The Consumer Reports Security Planner
| recommends Firefox and Brave as more privacy-focused options.
|
| Case closed when you use uBlock Origin, preferably with Brave or
| Firefox. As an extra measure I disable JS unless it's _really_
| needed, and surf in a private/incognito session to stop cookies
| building up.
  | jszymborski wrote:
  | Shame uMatrix is dead, but I use it to allow JavaScript for the
  | local domain, and disable for third-party domains by default.
  | It allows me to use at least some websites without too much
  | fiddling with the uMatrix settings.
    | chaxor wrote:
    | What do you mean uMatrix is dead?
    |
    | I'm using it now, and it's IMO hands down *the absolute best
    | extension I have ever used*.
    |
    | uMatrix >> (uBO | noScript | privacy badger | cookie ninja |
    | cookie autodelete | etc)
    |
    | I use all of them along with vimium-ff and midnightlizard,
    | but uMatrix is by far the best idea for managing what is run
    | for better privacy and performance of browsing.
      | jszymborski wrote:
      | I use it daily too and it's on my list of essential
      | plugins, but gorhill archived the repo and development has
      | halted as best as I can tell [0], which leads to
      | complications [1].
      |
      | [0] https://www.ghacks.net/2020/09/20/umatrix-development-has-en...
      |
      | [1] https://www.ghacks.net/2021/07/15/umatrix-has-an-unfixed-vul...
      | kuratkull wrote:
      | AFAIK the uMatrix creator made uBlock Origin. He hasn't worked
      | on uMatrix for a while now. That's just something for you
      | to look into.
      | d110af5ccf wrote:
      | I am also still using it and haven't run into any issues so
      | far. But it has been unmaintained for quite some time now, last I
      | checked, so I assume that eventually it will just stop
      | working.
      |
      | It's quite nice though. I have it set to disable any and
      | all third-party resources by default, and from there it's
      | generally fairly easy to permit the necessary things the
      | first time I visit a site. And if it proves to be difficult
      | I generally just decline to use that website at all.
        | stjohnswarts wrote:
        | As long as Firefox maintains the API it should work just
        | fine.
        | But the day they don't, a lot of people will be
        | unhappy. I always figured some bored JavaScript wizard
        | would eventually pick it up since gorhill archived it,
        | but I don't think anyone has.
    | rascul wrote:
    | uBlock Origin advanced mode with some other setting I can't
    | remember can get you filtering similar to (but not quite as
    | advanced as) uMatrix.
    |
    | Edit: After setting advanced mode, hit Ctrl twice in the
    | popup to get the green/gray/red filtering.
    | https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-qu...
  | andrepd wrote:
  | > surf in a private/incognito session to stop cookies building
  | up.
  |
  | Rather than do this, you should install Cookie AutoDelete. It
  | simply clears all cookies when a site is closed, while
  | incognito only clears when all incognito windows are closed.
| MengerSponge wrote:
| Tech-savvy folks, is it enough to run Privacy Badger and uBlock
| Origin (on Firefox)? I also let Firefox use its enhanced tracking
| protections.
  | kuratkull wrote:
  | + uMatrix or NoScript and you have a top-notch setup.
  |
  | Edit: and maybe something for cookies / cookie banners
| Ozzie_osman wrote:
| No surprise. Every company with an ad platform uses a pixel.
| Meta, Google, Reddit, Microsoft. Advertisers add it to their site
| to get access to things like tracking of performance of their
| ads, and custom audiences for retargeting or look-alike
| audiences. In exchange, that ad platform gets your browsing data.
|
| It's not great, but everyone is doing it, so I wouldn't consider
| the fact that TikTok, one of the biggest social media platforms,
| does it too as news.
| nashashmi wrote:
| What is the source of the tracker? It can't be tiktok.com.
|
| They must be using a different domain name.
  | thakoppno wrote:
  | Somewhat related, one time someone mentioned that Reddit's
  | analytics runs off the main domain such that one wouldn't be
  | able to block analytics without blocking the site and its
  | content itself.
  |
  | Does anyone remember the comment or article that mentioned it?
  | It seems like this tactic will be increasingly useful for
  | companies whose revenue is entirely ad-dependent. Somewhat
  | related, do any ad blocker extensions block POST/PUT but not
  | GET?
| ramesh31 wrote:
| So does everyone else. The question is what are they doing with
| it.
  | localy wrote:
  | Do you think their ties to China make their doing it any more
  | nefarious, or no?
    | rawcal wrote:
    | As a European I don't assume either the US or China has my
    | interests in mind when regulating privacy-invading activity.
      | stjohnswarts wrote:
      | I make the same assumption about Europe and China as well.
      | You can't be too careful.
| mrj wrote:
| Yeah, I had to implement this once because we ran a handful of ads
| on TikTok, so they wanted access to all of our traffic. I
| protested, saying they didn't need all traffic to do analytics
| for people who click through... just tell me how to identify the
| traffic you need. This is fair: if somebody clicks on an ad then
| analytics would be expected.
|
| Yeah, no, they didn't allow their advertisers to do that. I ended
| up getting permission to remove it from the site when their pixel
| was found to be causing a performance impact for users. But
| without good monitoring for that they would have still been
| running, possibly forever. I'm sure this is basically how
| they get to be everywhere.
  | nickphx wrote:
  | Why not use the "server to server" API for conversion events?
| lapcat wrote:
| Block the domain analytics.tiktok.com
  | giuliomagnifico wrote:
  | Exactly, with a Pi-hole.
    | vdfs wrote:
    | Regex blacklist:
    |
    |     (\.|^)tiktokcdn\.com$
    |     -tiktokcdn-com.akamaized.net$
    |     (\.|^)tiktokv\.com$
    |     (\.|^)musical\.ly$
    |     (\.|^)tiktok\.com$
| MikeYasnev007 wrote:
| ForOldHack wrote:
| I just wrote the most scathing review I could, and ads pop up for
| the product. Gee. Thanks. So every time, I click through and
| minimize. I know it's junk.
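The regex blocklist posted by vdfs and lapcat's suggestion to block analytics.tiktok.com are easy to get subtly wrong (an entry without `^` matches anywhere in the name; a trailing dot or mixed case on the query must not defeat the match). The following is an added example, not code from the thread or from Pi-hole: it applies vdfs's five regexes exactly as written to hostnames the way an unanchored resolver-side regex filter does, and then runs them over a few constructed dnsmasq-style query log lines to report which clients' queries would have been blocked. The log lines, client addresses and the akamaized hostname are constructed for the example.

```python
import re
from collections import Counter

# The five Pi-hole regex blocklist entries exactly as posted by vdfs above.
BLOCKLIST_REGEXES = [
    r"(\.|^)tiktokcdn\.com$",
    r"-tiktokcdn-com.akamaized.net$",   # no '^': matches any name ending this way
    r"(\.|^)tiktokv\.com$",
    r"(\.|^)musical\.ly$",
    r"(\.|^)tiktok\.com$",
]

# Compile once. re.search() is unanchored, so a pattern only constrains the
# parts of the name it explicitly anchors with '^' or '$'.
_COMPILED = [(pattern, re.compile(pattern)) for pattern in BLOCKLIST_REGEXES]


def normalise(hostname: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot (FQDN form);
    canonicalise so 'Www.Musical.ly.' is judged like 'www.musical.ly'."""
    return hostname.strip().rstrip(".").lower()


def matching_rule(hostname: str):
    """Return the first blocklist regex that matches the name, or None if allowed."""
    name = normalise(hostname)
    for pattern, compiled in _COMPILED:
        if compiled.search(name):
            return pattern
    return None


def is_blocked(hostname: str) -> bool:
    return matching_rule(hostname) is not None


# Constructed sample of dnsmasq-format query lines (the format Pi-hole's
# resolver logs). Hostnames other than the ones named in the thread, and all
# client addresses, are made up for this example.
SAMPLE_LOG = """\
Oct  1 20:26:01 dnsmasq[1234]: query[A] analytics.tiktok.com from 192.168.1.10
Oct  1 20:26:02 dnsmasq[1234]: query[AAAA] www.consumerreports.org from 192.168.1.10
Oct  1 20:26:03 dnsmasq[1234]: query[A] v16-webapp-tiktokcdn-com.akamaized.net from 192.168.1.11
Oct  1 20:26:04 dnsmasq[1234]: query[A] nottiktok.com from 192.168.1.12
Oct  1 20:26:05 dnsmasq[1234]: query[A] Www.Musical.ly. from 192.168.1.11
Oct  1 20:26:06 dnsmasq[1234]: query[A] tiktok.com from 192.168.1.12
"""

LOG_LINE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)")


def blocked_queries(log_text: str):
    """Return (client, queried name, matching rule) for each query the list would catch."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue                      # not a query line (e.g. 'reply', 'cached')
        rule = matching_rule(m["name"])
        if rule:
            hits.append((m["client"], m["name"], rule))
    return hits


def blocked_per_client(log_text: str) -> dict:
    """Count blocked queries per client, a quick way to see which devices talk to the tracker."""
    return dict(Counter(client for client, _, _ in blocked_queries(log_text)))


if __name__ == "__main__":
    for client, name, rule in blocked_queries(SAMPLE_LOG):
        print(f"{client:<14} {name:<42} blocked by {rule}")
    print(blocked_per_client(SAMPLE_LOG))
```

Note that `nottiktok.com` is allowed: the `(\.|^)` alternation requires the match to start either at the beginning of the name or right after a label separator, which is what keeps the rule from catching unrelated domains that merely contain the string.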
| mcast wrote:
| When you share a video link on TikTok, it'll append a bunch of
| tracking data to know who opened it and notify you. That's not
| really a surprise, but what's more sneaky is they shorten the
| "shared" video links into a few unique characters without visible
| tracking data and parameters in the URL (AFAIK they used to
| visibly expose tracking data on the URL a few years ago but
| recently started using a URL shortener).
|
| i.e. https://www.tiktok.com/t/ZTRmqkW4N
|
| What seems like an inconspicuous and universal URL for a video
| actually sends a lot of advertising and tracing data back to
| TikTok's servers about your friend/you.
  | bilsbie wrote:
  | Wow, that's scary. Is there a way to share a video without that?
    | cwillu wrote:
    | Download the video and send it the old-fashioned way is
    | really the only option.
    | nthitz wrote:
    | You can disable the link tracking thing in settings, a bit
    | buried, but settings > privacy > suggest your account to
    | others > people who open or send links to you
      | ronsor wrote:
      | The fact that they let you disable it is a miracle.
      | d110af5ccf wrote:
      | Even then, you can never be certain that a service isn't
      | providing you with a URL for something that is unique to
      | you. For example, if HN wanted to go evil there's no
      | reason it couldn't hand out a unique URL to every single
      | visitor for every single page visited and invisibly map
      | them to the appropriate resource on the backend. And they
      | could even perform a redirect to a different unique URL
      | each time one was loaded to reduce overlap between
      | different parties (since most people wouldn't bother to
      | counteract the redirect when resharing something).
      |
      | And it's not even resource intensive to do something like
      | this. It can all be done in a purely stateless manner by
      | concatenating an internal ID with a counter and
      | encrypting it to derive the URL that gets served to the
      | user.
      |
      | The moral of the story is, you should really download and
      | share things yourself.
  | nantes wrote:
  | It appears to just be an HTTP 301 redirect, so you could use
  | something like curl to unroll it:
  |
  |     curl -I https://www.tiktok.com/t/ZTRmqkW4N
  |
  | produces:
  |
  |     HTTP/2 301
  |     server: nginx
  |     content-type: text/html; charset=utf-8
  |     location: https://www.tiktok.com/@spencer.sebastian.yang/video/7149578560230034734?_t=8W9Y6CPjvbf&_r=1
  |
  | Trim off the GET params (the bit after the ? in the URL) and
  | you get <https://www.tiktok.com/@spencer.sebastian.yang/video/7149578...>.
  | That appears to load in a browser for me.
  |
  | I did check to see if that resulting URL after the first
  | redirect is also a redirect. It is not, but it also returned an
  | HTTP 403 response ('Forbidden') when submitted without the
  | cookies that had been added.
| amelius wrote:
| Except in the EU, I suppose?
  | b800h wrote:
  | My guess would be you just get an annoying banner and click
  | "agree to all" on it by habit, then it does the same thing.
| superkuh wrote:
| The TikTok pixel is not actually a pixel like in the old days. It
| is not a 1x1 transparent image loaded from their servers. It is
| executable JavaScript code. All you have to do to stop 99% of the
| corporate spying is disable unsafe remote code execution.
|
| It's hard to believe I have to say that after the many decades of
| people getting it drilled into their heads "Do not open random
| email attachments", but here we are in a dark future where
| everyone is going to say not automatically running untrusted code
| is stupid and not a real option. It is. And it works.
  | dijit wrote:
  | I really _really_ wish that I could convince web developers
  | that not every website needs to be a web app.
  |
  | I keep bringing up that I don't want JS to execute random code,
  | even if it's sandboxed; it's mostly unnecessary, and I always
  | get the same sort of replies.
  |
  | Everyone calls me out of touch, I'm downvoted to oblivion,
  | everyone suggests that _I'm_ a unique case and everyone wants
  | JS; they say that they don't want fragmentation and want life
  | to be easier for them.
  |
  | I get it, their paycheck literally depends on them using JS;
  | it adds a lot of flexibility.
  |
  | I'm going to make the additional, controversial, guess that
  | most web developers don't really know what they're doing
  | either; I would surmise that they lean on frameworks and if
  | those frameworks are ever under threat (from people like me
  | requesting progressive enhancement) then they need to defend
  | the frameworks to defend themselves.
  | wackget wrote:
  | It's a shame uMatrix is no longer actively supported because it
  | was the silver bullet for this kind of shit.
    | L0in wrote:
    | I think uBlock Origin can do the same things as uMatrix.
| badrabbit wrote:
| Make shadow profiles illegal.
| olliej wrote:
| As opposed to Google and Facebook, two companies known for their
| zealous defense of privacy?
  | stjohnswarts wrote:
  | That's not the point. No one said other companies didn't do
  | similar things. I assume they all want to get as much info as
  | possible without breaking the law. I think the elephant in the
  | room, however, is that they also send a copy to the Chinese
  | Communist Party databases as well.
___________________________________________________________________
(page generated 2022-10-01 23:00 UTC)
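nantes's comment earlier in the thread unrolls the shortened share link by hand with `curl -I` and then trims the query string, which is where the per-share tokens (`_t`, `_r`) live. The following is an added example, not code from the thread: it does the same thing programmatically, following each redirect hop itself (so every intermediate URL can be inspected), stopping on a loop or after a hop limit, and returning the final URL with its query stripped. The redirect chain for the short link is replayed offline from the headers nantes pasted; the `example.invalid` loop entries and the 403 body for the long URL are constructed, and `live_head` (which uses `http.client`, since that module does not follow redirects on its own) is an assumption about how one would plug in real requests.

```python
import http.client
from urllib.parse import urljoin, urlsplit, urlunsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def parse_head_response(raw: str):
    """Turn the text of a HEAD response (status line plus header lines) into
    (status, headers). Header names are lower-cased so lookups do not depend
    on the server's casing."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])            # "HTTP/2 301" -> 301
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def strip_query(url: str) -> str:
    """Drop the query string and fragment; the '?_t=...&_r=1' part is the
    per-share tracking payload nantes trimmed off."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def unroll(url: str, head, max_hops: int = 5):
    """Follow redirects by hand using head(url) -> (status, headers).
    Returns the final URL with its query removed, or None if the chain
    loops, exceeds max_hops, or a redirect carries no Location header.
    A non-redirect status (200, 403, ...) ends the chain."""
    seen = set()
    current = url
    for _ in range(max_hops):
        if current in seen:
            return None                           # redirect loop
        seen.add(current)
        status, headers = head(current)
        if status not in REDIRECT_STATUSES:
            return strip_query(current)
        location = headers.get("location")
        if not location:
            return None
        current = urljoin(current, location)      # Location may be relative
    return None                                   # too many hops


# Replay of the exchange nantes posted: the short link 301s to the long URL,
# and the long URL answers 403 without cookies (so it is not a redirect).
SHORT_URL = "https://www.tiktok.com/t/ZTRmqkW4N"
LONG_URL = ("https://www.tiktok.com/@spencer.sebastian.yang/video/"
            "7149578560230034734?_t=8W9Y6CPjvbf&_r=1")

SIMULATED_RESPONSES = {
    SHORT_URL: (
        "HTTP/2 301\n"
        "server: nginx\n"
        "content-type: text/html; charset=utf-8\n"
        f"location: {LONG_URL}\n"
    ),
    LONG_URL: "HTTP/2 403\nserver: nginx\ncontent-type: text/html\n",
    # Constructed two-node redirect loop to exercise the loop guard.
    "https://example.invalid/loop-a": "HTTP/1.1 302 Found\nlocation: /loop-b\n",
    "https://example.invalid/loop-b": "HTTP/1.1 302 Found\nlocation: /loop-a\n",
}


def simulated_head(url: str):
    """Offline stand-in for a HEAD request, backed by the table above."""
    return parse_head_response(SIMULATED_RESPONSES[url])


def live_head(url: str, timeout: float = 10.0):
    """Real HEAD request. http.client does not auto-follow redirects (unlike
    urllib.request), so each hop is returned for inspection. Assumed usage;
    not exercised offline."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn.request("HEAD", path)
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return resp.status, headers


if __name__ == "__main__":
    print(unroll(SHORT_URL, simulated_head))
    # To resolve a real link instead: unroll(SHORT_URL, live_head)
```

Stripping the query only removes what is visible in the URL; as d110af5ccf notes above, a per-visitor identifier can just as well be encoded in the path, and no client-side trimming detects that.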