How does Amazon track my browsed items?
I have taken all the possible privacy measures I can possibly take with Abrowser. I have NoScript on 24/7, RequestPolicy on 24/7, no permanent whitelist on either, all cookies disabled except for a few websites, DOM storage turned off, and I have network.http.sendRefererHeader set to 0.
Yet, despite all of these measures, I click on a few items on Amazon and it still manages to keep track of my recent history and show me related items on the home page. The first thing I thought the website could still know about me was my IP address, so naturally I tried to use a proxy while on the same browser. Guess what? It still manages to know my recent item history. I'm really getting concerned for my privacy here.
What annoys me even more is that there is an option to disable this browsing history (which I can bet is only user-side), but that option uses cookies. It surprises me how they are able to track all my item history with all these security measures, yet they need cookies just to have me disable it. I can see why Amazon is globally despised by freedom supporters.
So I guess my question here is how I can really prevent myself from these tracking devices, given all the measures I have already taken aren't enough? Is there really any way to stop this?
Have you tried with FireGloves? Maybe it's tracking your browser's fingerprints?
I haven't tried FireGloves. Does it just mask your browser's user_agent? I'm not sure they could track my browser by its fingerprints considering many other browsers probably have the same fingerprints.
Browser's fingerprints can be very telling... from your installed addons to their order, browser version, installed fonts, etc. That Panopticlick website by EFF has a good explanation, I think.
Here are my results.
It's just using URLs.
All hyperlinks on Amazon are fixed with a "ref" variable (or whatever it is those things are called in URLs) that is some sort of unique identifier. So Amazon stores your browsing history by associating it with that unique identifier, and links are presented to you with that identifier in them. Just go to https://www.amazon.com/gp/history/ instead of the links you see, and you'll see no history. Similarly, erase all the junk after the product number in the URL for something (so it's just something like http://www.amazon.com/dp/1441436855/) and Amazon's server probably isn't identifying it with you in any way (I say "probably" because it might be keeping a list based on your IP address, but I doubt this is the case; IP addresses aren't very unique anyway).
That makes more sense. Although I have read that Google is researching a way to track your browser's fingerprints, so FireGloves may still be a useful addon for those who want more anonymity.
So your browser is quite unique. Try again after installing FireGloves.
Mine comes out to about 1 in 1000 w/ FireGloves.
I guess it makes sense that making the fingerprint more generic is less prone to tracking. Thanks for the info. Although I believe onpon4 is right about the URL, which I think is very sneaky. Is there any add-on that will disable refids or other sorts of tracking suffixes on URLs?
Yes, I think onpon4 is right. I don't know of any add-ons to disable them.
That sounds like a very good idea for an add-on to make, especially for the privacy-aware users. You can tell that the browsing lists are actually stored server-side because you can delete items from the history and the link will remain the same. This can be temporarily linked to your IP, and if you were browsing or logging in to other sites with the same IP, that private data could be transferred to those websites and possibly linked to your accounts.
This definitely sounds like an easy add-on to make so I hope someone comes up with one. I know lots of other websites use refids or other suffixes to keep history, including YouTube, so I think this add-on would prove to be very viable. I wish I knew how to make add-ons just because of this potential security risk.
I wouldn't call it sneaky, and it's not new either. Websites have been doing that for a long time. Usually, it's smaller, like a mention in the URL that you got there from a search or by clicking on a certain thing, but still, it's not uncommon.
The fact that the list from Amazon history is server-side is a sneaky idea to me. Usually all the information is shoved into a long suffix on the URL, but in this case it is actually stored on their servers; that is what's new to me. If the information is stored on their servers rather than your own computer, there is a likelier chance they will be able to use it for malicious purposes without you knowing. They already claim to give personalized ads based on your history, whether you are logged in or not, and on other websites with Amazon content[1]. They even go as far as to tell other websites to send personal information about you to Amazon[2], whether it be an online or offline source.
[1] http://www.amazon.com/gp/dra/info
[2] http://www.amazon.com/b/?&node=5160028011
Amazon utilizes several tracking methods.
* Third-Parties (including devices with Amazon Cloud, music apps, ebook readers, etc.)
* Session Cookies
* Ever-Cookies/DOM (Most important)
* Referrer Tracking
* Click-Handling
I don't think they are tracking browser fingerprints, or if they do it doesn't really affect the site. But it doesn't hurt to use FireGloves just the same.
To stop what oralfloss was saying, you will need to have DOM AND session cookies disabled. This can be achieved with Cookie-Controller addon for aBrowser. Set it to "Force "off" state at start" and "[Off] DOM Storage". Then try browsing Amazon and you'll find their history doesn't work.
Additionally they make heavy use of click-handlers. These are URLs which track you when they can't get you from anything else. Luckily we have another addon for that known as "Clean Links". However by default it won't help you. You'll need to make some adjustments that I just whipped up tonight to make it work properly.
1) Under the Clean Link Addon Preferences "Remove From Links" Field where it says (?:ref|aff)\w*, add these unique identifiers (|place|pr|pf_rd_m|pf_rd_s|pf_rd_t|pf_rd_p|pf_rd_i|ld|pf_rd_r).
When you're done it should look like this:
(?:ref|aff|place|pr|pf_rd_m|pf_rd_s|pf_rd_t|pf_rd_p|pf_rd_i|ld|pf_rd_r)\w*|utm_\w+|(?:merchant|programme|media)ID
(You can copy+paste the above into the Remove From Links field if in doubt)
*Note: I cannot guarantee all those extra rules won't break other sites, but as of right now it seems OK for me and works nicely on Amazon.com
2) Uncheck Event Delegation Mode
3) Check Use Redirect Watcher
4) Wipe out Skip Domains; the guy probably got paid off by Google, Facebook, LinkedIn, et al., which are in that whitelist.
5) Highlight Cleaned Links.
6) Go to Amazon (get your sunglasses ready for all those yellow cleaned links!)
Lastly, they track purchase habits. So as soon as you login and buy they're going to have that data and give you targeted suggestions. Some of these are configurable in your account settings but keep getting reset on each login. So have fun with continually setting those privacy settings. Oh and they completely ignore Mozilla's Do-Not-Track Header. ;)
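Added example (not part of any post in this thread and not Clean Links' own code): a small link cleaner that applies the "Remove From Links" pattern quoted above to query parameter names, plus the short /dp/ form onpon4 describes. Assumptions: the pattern is matched against the whole parameter name, "ref=" can also appear as a path segment, product numbers are 10 characters, and every sample URL below is constructed. The last sample shows the "might break other sites" caveat in practice.

```javascript
// The "Remove From Links" pattern from the post, anchored to whole parameter
// names (the anchoring is an assumption of this example).
const REMOVE_FROM_LINKS =
  /^(?:(?:ref|aff|place|pr|pf_rd_m|pf_rd_s|pf_rd_t|pf_rd_p|pf_rd_i|ld|pf_rd_r)\w*|utm_\w+|(?:merchant|programme|media)ID)$/;

// Returns the cleaned URL and the names of the parameters that were dropped.
function cleanLink(href) {
  const u = new URL(href);
  const removed = [];
  // Snapshot the names first: deleting while iterating searchParams skips entries.
  for (const name of [...new Set(u.searchParams.keys())]) {
    if (REMOVE_FROM_LINKS.test(name)) {
      u.searchParams.delete(name);
      removed.push(name);
    }
  }
  // Assumption: the identifier may also ride in the path as ".../ref=<value>".
  u.pathname = u.pathname
    .split("/")
    .filter((segment) => !segment.startsWith("ref="))
    .join("/");
  return { url: u.toString(), removed };
}

// Reduce a product link to the bare /dp/<product number>/ form from the thread.
// Returns null when the path carries no /dp/<10 characters> segment.
function canonicalProductUrl(href) {
  const u = new URL(href);
  const m = u.pathname.match(/\/dp\/([A-Z0-9]{10})(?:\/|$)/);
  return m ? `${u.origin}/dp/${m[1]}/` : null;
}

// Constructed sample links (values are made up for illustration).
const SAMPLES = [
  "http://www.amazon.com/Some-Title/dp/1441436855/ref=sr_1_1?ie=UTF8&pf_rd_m=AAA&pf_rd_r=BBB&utm_source=mail",
  // Overbreadth: "pr\w*" also matches ordinary names such as product and price.
  "https://shop.example/list?product=42&price=10&page=2",
];

for (const href of SAMPLES) {
  const { url, removed } = cleanLink(href);
  console.log(url, "removed:", removed.join(", "), "short:", canonicalProductUrl(href));
}
```

On the second sample the functional parameters product and price are stripped along with the trackers, so a rule set like this is best scoped per domain or tested against the sites you rely on.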
I already have cookies, DOM storage, and referrer tracking disabled as I stated in my initial post. Clean Links is the exact add-on I was describing/looking for. Thanks for the suggestion.