"William H. Geiger III" wrote:
> I am not sure how this defeats proxies & anonymizers? While this technique
> allows tracking within the website of a user's movements it does nothing to
> reveal who the user is. At best going through an anonymizer the web site
> knows that anonymous user xxyz1 took 10 mins looking at the following
> pages and then followed link x123 to 123.com.

from your surfing alone, it will not reveal who you are. however, if you
enter your name at just one of the sites using this mechanism, all the
others can use that information as well, since your unique ID stays with
you all the time.


> Have you done any testing to see if you change the tracking number in the
> Location: tag if you can still view the web pages?

yes. if you change the URL by hand, it still works as long as whatever
you enter is again a valid tracking number. for example, replacing a few
numbers by other numbers works. replacing all of it with a string (say,
"donttrackme") does not, it will bounce back with a new location
containing another valid tracking number.


> I am not sure how much of a privacy risk this really is. IIRC a similar
> technique was documented in some of my CGI books for tracking users in
> shopping cart applications without using cookies.

what really gets me nervous here is the inter-site tracking. a bit of
data here, a bit of data there, and soon you know all about me, from
what I buy and where I live to what books I'm interested in, what
movies I watch or whatever else is on the participating pages.


> It should be noted that in some situations tracking of a user while on the
> site is not a BadThing(tm). I think most people's concern is when this
> information is cross referenced with metaworld data (name, address,
> ...etc) and then sold off to the marketing droids. By going through an
> anonymizer service you should be able to prevent this
> cyberworld<-->metaworld correlation (except by the operators of the
> anonymizer service).

correct. I do think a website has all rights to track "clickstreams". I,
too, want to know what people are doing on my site, which pages they
view, and clickstreams are a very good way to check on your navigation
and website structure.
it's the uniqueness and persistence that ticks me off here. looking at
the length of the ID, I'm fairly sure that it is perfectly unique within
a long time-frame. add a cookie or other mechanism to retain information
between sessions and you can perfectly track not an anonymous
clickstream, but a well-identified person. and correlate the data he or
she entered at various sites. you always leave some kind of information.
just pooling what you're interested in is often worth something, e.g. for
"targeted advertising".
