[HN Gopher] TikTok tracks you across the web, even if you don't ...
___________________________________________________________________
TikTok tracks you across the web, even if you don't use the app
Author : bubblehack3r
Score : 107 points
Date : 2022-10-01 20:26 UTC (2 hours ago)
(HTM) web link (www.consumerreports.org)
| DerekBickerton wrote:
| https://archive.ph/RTsuG
| justtosaythanks wrote:
| Thanks for posting this! Ok, as a web dev who actively cares about
| user privacy: can these things accidentally sneak onto my page
| through npm deps? Or would I need to install them deliberately?
| If so, how are they on gov websites??
| t-writescode wrote:
| Wild guess: they're part of a default "share buttons"
| repository that includes the "Share on Twitter, Facebook,
| Google+" buttons for the page, or something very similar to
| that.
| DerekBickerton wrote:
| > You can't stop data collection from the tech industry
| altogether, but with a few simple steps you can make a dent in
| the amount of information that's being collected.
|
| > Use privacy-protecting browser extensions. You can add
| extensions to your browser that will do a lot to protect your
| privacy. One is Disconnect, made by the company that performed
| our TikTok investigation. The Disconnect extension shows you how
| websites are trying to track you and blocks a lot of that data
| collection. Privacy experts often recommend uBlock Origin, as
| well.
|
| > Change your browser's privacy settings. A lot of browsers have
| built-in controls you can use to block trackers, including
| cookies, pixels, and other technologies. Open your browser's
| preferences or settings, and you'll usually find the controls in
| the privacy section.
|
| > Try a more private browser. Google Chrome collects a lot of
| data on behalf of Google. The Consumer Reports Security Planner
| recommends Firefox and Brave as more privacy-focused options.
|
| Case closed when you use uBlock Origin, preferably with Brave or
| Firefox. As an extra measure I disable JS unless it's _really_
| needed, and surf in a private/incognito session to stop cookies
| building up.
| jszymborski wrote:
| Shame uMatrix is dead, but I use it to allow javascript for the
| local domain, and disable for third-party domains by default.
| It allows me to use at least some websites without too much
| fiddling with the uMatrix settings.
| chaxor wrote:
| What do you mean umatrix is dead?
|
| I'm using it now, and it's IMO hands down *the absolute best
| extension I have ever used*.
|
| uMatrix >> (uBO | noScript | privacy badger | cookie ninja |
| cookie autodelete | etc)
|
| I use all of them along with vimium-ff and midnightlizard,
| but uMatrix is by far the best idea for managing what is run
| for better privacy and performance of browsing.
| jszymborski wrote:
| I use it daily too and it's on my list of essential
| plugins, but gorhill archived the repo and development has
| halted as best as I can tell [0] which leads to
| complications [1].
|
| [0] https://www.ghacks.net/2020/09/20/umatrix-development-
| has-en...
|
| [1] https://www.ghacks.net/2021/07/15/umatrix-has-an-
| unfixed-vul...
| kuratkull wrote:
| AFAIK the uMatrix creator made uBlock Origin. He hasn't worked
| on uMatrix for a while now. That's just something for you
| to look into.
| d110af5ccf wrote:
| I am also still using it and haven't run into any issues so
| far. But it has been unmaintained for quite some time now, last I
| checked, so I assume that eventually it will just stop
| working.
|
| It's quite nice though. I have it set to disable any and
| all third party resources by default and from there it's
| generally fairly easy to permit the necessary things the
| first time I visit a site. And if it proves to be difficult
| I generally just decline to use that website at all.
| stjohnswarts wrote:
| As long as Firefox maintains the API it should work just
| fine. But the day they don't, a lot of people will be
| unhappy. I always figured some bored JavaScript wizard
| would eventually pick it up since gorhill archived it,
| but I don't think anyone has.
| rascul wrote:
| uBlock Origin advanced mode with some other setting I can't
| remember can get you filtering similar to (but not quite as
| advanced as) uMatrix.
|
| Edit: After setting advanced mode, hit ctrl twice in the
| popup to get the green/gray/red filtering.
| https://github.com/gorhill/uBlock/wiki/Dynamic-
| filtering:-qu...
| andrepd wrote:
| > surf in a private/incognito session to stop cookies building
| up.
|
| Rather than do this, you should install Cookie Autodelete. It
| simply clears all cookies when a site is closed, while
| incognito only clears when all incognito windows are closed.
| MengerSponge wrote:
| Tech savvy folks, is it enough to run Privacy badger and uBlock
| origin (on Firefox)? I also let Firefox use its enhanced tracking
| protections.
| kuratkull wrote:
| + uMatrix or NoScript and you have a top notch setup
|
| Edit: and maybe something for cookies / cookie banners
| Ozzie_osman wrote:
| No surprise. Every company with an ad platform uses a pixel.
| Meta, Google, Reddit, Microsoft. Advertisers add it to their site
| to get access to things like performance tracking of their
| ads, and custom audiences for retargeting or look-alike
| audiences. In exchange, that ad platform gets your browsing data.
|
| It's not great, but everyone is doing it so I wouldn't consider
| the fact that TikTok, one of the biggest social media platforms,
| does it too as news.
| nashashmi wrote:
| What is the source of the tracker? It can't be tiktok.com.
|
| They must be using a different name domain.
| thakoppno wrote:
| somewhat related, one time someone mentioned that reddit's
| analytics runs off the main domain such that one wouldn't be
| able to block analytics without blocking the site and its
| content itself.
|
| does anyone remember the comment or article that mentioned it?
| it seems like this tactic will be increasingly useful for
| companies whose revenue is entirely ad dependent. somewhat
| related, do any ad blocker extensions block POST/PUT but not
| GET?
| ramesh31 wrote:
| So does everyone else. The question is what are they doing with
| it.
| localy wrote:
| Do you think their ties to China make them doing it any more
| nefarious or no?
| rawcal wrote:
| As a European I don't assume either the US or China has my
| interests in mind when regulating privacy-invading activity.
| stjohnswarts wrote:
| I make the same assumption about Europe and China as well.
| You can't be too careful.
| mrj wrote:
| Yeah I had to implement this once because we ran a handful of ads
| on TikTok, so they wanted access to all of our traffic. I
| protested, saying they didn't need all traffic to do analytics
| for people who click through.. just tell me how to identify the
| traffic you need. This is fair, if somebody clicks on an ad then
| analytics would be expected.
|
| Yeah no, they didn't allow their advertisers to do that. I ended
| up getting permission to remove it from the site when their pixel
| was found to be causing a performance impact for users. But
| without good monitoring for that it would have still been
| running, possibly forever. I'm sure this is basically how
| they get to be everywhere.
| nickphx wrote:
| Why not use the "server to server" api for conversion events?
| lapcat wrote:
| Block the domain analytics.tiktok.com
| giuliomagnifico wrote:
| Exactly, with a Pi-Hole.
| vdfs wrote:
| Regex blacklist:
| (\.|^)tiktokcdn\.com$
| -tiktokcdn-com.akamaized.net$
| (\.|^)tiktokv\.com$
| (\.|^)musical\.ly$
| (\.|^)tiktok\.com$
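The regex blacklist above only does its job if the patterns match every subdomain of the listed zones without overmatching unrelated names. This added example (not from the thread or from Pi-hole) evaluates the quoted patterns against constructed hostnames, using Python's `re` as a stand-in for Pi-hole's POSIX ERE engine, to show what the `(\.|^)` prefix and the `$` suffix buy you.

```python
import re

# Patterns as quoted in the thread. Python `re` is used here as an
# approximation of Pi-hole's POSIX ERE matcher (assumption: the
# constructs used, alternation/anchors/escaped dots, behave the same).
BLOCK_PATTERNS = [
    r"(\.|^)tiktokcdn\.com$",
    r"-tiktokcdn-com.akamaized.net$",   # note: dots here are unescaped wildcards
    r"(\.|^)tiktokv\.com$",
    r"(\.|^)musical\.ly$",
    r"(\.|^)tiktok\.com$",
]

_COMPILED = [re.compile(p, re.IGNORECASE) for p in BLOCK_PATTERNS]


def normalize(hostname: str) -> str:
    """Lower-case and drop a trailing root dot, as a resolver sees the name."""
    return hostname.strip().rstrip(".").lower()


def is_blocked(hostname: str) -> bool:
    """True if any blacklist regex matches the queried hostname.

    `(\\.|^)` requires the zone to be the whole label boundary, so
    `nottiktok.com` is NOT blocked; `$` requires it to be the suffix,
    so `tiktok.com.example.net` is NOT blocked either.
    """
    name = normalize(hostname)
    return any(rx.search(name) for rx in _COMPILED)


def classify(hostnames):
    """Map each constructed query name to its block decision (for a quick audit)."""
    return {h: is_blocked(h) for h in hostnames}


if __name__ == "__main__":
    # Constructed sample queries; only the first group should be blocked.
    for host, blocked in classify([
        "analytics.tiktok.com", "tiktok.com", "v16-tiktokcdn-com.akamaized.net",
        "nottiktok.com", "tiktok.com.example.net", "www.consumerreports.org",
    ]).items():
        print(f"{'BLOCK' if blocked else 'allow':5} {host}")
```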
| MikeYasnev007 wrote:
| ForOldHack wrote:
| I just wrote the most scathing review I could, and ads pop up for
| the product. Gee. Thanks. So every time, I click through and
| minimize. I know it's junk.
| mcast wrote:
| When you share a video link on TikTok, it'll append a bunch of
| tracking data to know who opened it and notify you. That's not
| really a surprise, but what's more sneaky is they shorten the
| "shared" video links into a few unique characters without visible
| tracking data and parameters in the URL (AFAIK they used to
| visibly expose tracking data on the URL a few years ago but
| recently started using a URL shortener).
|
| i.e. https://www.tiktok.com/t/ZTRmqkW4N
|
| What seems like an inconspicuous and universal URL for a video
| actually sends a lot of advertising and tracking data back to
| TikTok's servers about your friend/you.
| bilsbie wrote:
| Wow that's scary. Is there a way to share a video without that?
| cwillu wrote:
| Download the video and send it the old-fashioned way, is
| really the only option.
| nthitz wrote:
| You can disable the link tracking thing in settings, a bit
| buried but settings > privacy > suggest your account to
| others > people who open or send links to you
| ronsor wrote:
| The fact that they let you disable it is a miracle
| d110af5ccf wrote:
| Even then, you can never be certain that a service isn't
| providing you with a URL for something that is unique to
| you. For example, if HN wanted to go evil there's no
| reason it couldn't hand out a unique URL to every single
| visitor for every single page visited and invisibly map
| them to the appropriate resource on the backend. And they
| could even perform a redirect to a different unique URL
| each time one was loaded to reduce overlap between
| different parties (since most people wouldn't bother to
| counteract the redirect when resharing something).
|
| And it's not even resource intensive to do something like
| this. It can all be done in a purely stateless manner by
| concatenating an internal ID with a counter and
| encrypting it to derive the URL that gets served to the
| user.
|
| The moral of the story is, you should really download and
| share things yourself.
| nantes wrote:
| It appears to just be an HTTP 301 redirect, so you could use
| something like curl to unroll it:
|
| curl -I https://www.tiktok.com/t/ZTRmqkW4N
|
| produces:
|
| HTTP/2 301
| server: nginx
| content-type: text/html; charset=utf-8
| location: https://www.tiktok.com/@spencer.sebastian.yang/video/7149578560230034734?_t=8W9Y6CPjvbf&_r=1
|
| Trim off the GET params (the bit after the ? in the URL) and
| you get <https://www.tiktok.com/@spencer.sebastian.yang/video
| /7149578...>. That appears to load in a browser for me.
|
| I did check to see if that resulting URL after the first
| redirect is also a redirect. It is not, but also returned an
| HTTP 403 response ('Forbidden'), when submitted without
| cookies that had been added.
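The manual unrolling described above (read the 301, take the `location` header, drop everything after the `?`) can be scripted so the tracking parameters never reach the person you share with. This added example is not from the thread; it works offline on a constructed copy of the header block quoted above rather than making a live request, and handles the non-redirect case the comment also mentions.

```python
from urllib.parse import parse_qsl, urljoin, urlsplit, urlunsplit

# Constructed response head, modelled on the `curl -I` output quoted
# in the thread (the video id is the one shown there). No network I/O.
SAMPLE_RESPONSE = (
    "HTTP/2 301\r\n"
    "server: nginx\r\n"
    "content-type: text/html; charset=utf-8\r\n"
    "location: https://www.tiktok.com/@spencer.sebastian.yang/video/"
    "7149578560230034734?_t=8W9Y6CPjvbf&_r=1\r\n"
    "\r\n"
)

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_redirect(raw_head: str):
    """Return (status_code, location_or_None) from a raw HTTP response head.

    Accepts both "HTTP/2 301" and "HTTP/1.1 301 Moved Permanently" status lines.
    """
    lines = raw_head.split("\r\n")
    status = int(lines[0].split()[1])
    location = None
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return status, location


def strip_query(url: str):
    """Return (clean_url, dropped_params): the URL without query/fragment, plus what was removed."""
    parts = urlsplit(url)
    dropped = dict(parse_qsl(parts.query, keep_blank_values=True))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", "")), dropped


def unroll_share_link(short_url: str, raw_head: str):
    """Resolve one redirect hop from captured headers and return the de-tracked target.

    Returns None when the response is not a redirect (e.g. a 200 or a 403
    served to a cookie-less client), so callers never forward the raw URL blindly.
    """
    status, location = parse_redirect(raw_head)
    if status not in REDIRECT_CODES or not location:
        return None
    target = urljoin(short_url, location)   # Location is allowed to be relative
    clean, _dropped = strip_query(target)
    return clean
```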
| amelius wrote:
| Except in the EU, I suppose?
| b800h wrote:
| My guess would be you just get an annoying banner and click
| "agree to all" on it by habit, then it does the same thing.
| superkuh wrote:
| The TikTok pixel is not actually a pixel like in the old days. It
| is not a 1x1 transparent image loaded from their servers. It is
| executable javascript code. All you have to do to stop 99% of the
| corporate spying is disable unsafe remote code execution.
|
| It's hard to believe I have to say that after the many decades of
| people getting it drilled into their heads "Do not open random
| email attachments" but here we are in a dark future where
| everyone is going to say not automatically running untrusted code
| is stupid and not a real option. It is. And it works.
| dijit wrote:
| I really _really_ wish that I could convince Web Developers
| that not every website needs to be a web app.
|
| I keep bringing up that I don't want JS to execute random code,
| even if it's sandboxed, it's mostly unnecessary, and I always
| get the same sort of replies.
|
| Everyone calls me out of touch, I'm downvoted to oblivion,
| everyone suggests that _I'm_ a unique case and everyone wants
| JS, they say that they don't want fragmentation and want life
| to be easier for them.
|
| I get it, their paycheck literally depends on them using JS,
| it adds a lot of flexibility.
|
| I'm going to make the additional, controversial, guess that
| most web-developers don't really know what they're doing
| either; I would surmise that they lean on frameworks and if
| those frameworks are ever under threat (from people like me
| requesting progressive enhancement) then they need to defend
| the frameworks to defend themselves.
| wackget wrote:
| It's a shame uMatrix is no longer actively supported because it
| was the silver bullet for this kind of shit.
| L0in wrote:
| I think uBlock Origin can do the same things as uMatrix.
| badrabbit wrote:
| Make shadow profiles illegal.
| olliej wrote:
| As opposed to Google and Facebook, two companies known for their
| zealous defense of privacy?
| stjohnswarts wrote:
| That's not the point. No one said other companies didn't do
| similar things. I assume they all want to get as much info as
| possible without breaking the law. I think the elephant in the
| room however is that they also send a copy to the Chinese
| Communist Party databases as well.
___________________________________________________________________
(page generated 2022-10-01 23:00 UTC)