Data Collection Techniques
|About this Data Collection Techniques Page|
- 1 Data Collection Techniques
- 1.1 Cookies
- 1.2 Active Web Contents
- 1.4 Browser Fingerprinting
- 1.5 Browser History and Cache
- 1.6 Web (Email) Beacons and Banner Ads
- 1.7 TCP Timestamps
- 1.8 IP Address
- 1.9 MAC Address
- 1.10 HTML5 Canvas Image Data
- 2 License
- 3 Footnotes
Data Collection Techniques
Some of the techniques employed by data miners on the Internet are briefly introduced below.
Cookies have been in existence since 1994, when they were conceived by a programmer working for Netscape Communications as a reliable method for e-commerce applications. According to Wikipedia: 
An HTTP cookie (also called web cookie, Internet cookie, browser cookie, or simply cookie) is a small piece of data sent from a website and stored on the user's computer by the user's web browser while the user is browsing. Cookies were designed to be a reliable mechanism for websites to remember stateful information (such as items added in the shopping cart in an online store) or to record the user's browsing activity (including clicking particular buttons, logging in, or recording which pages were visited in the past). They can also be used to remember arbitrary pieces of information that the user previously entered into form fields such as names, addresses, passwords, and credit card numbers.
Whonix users are probably most familiar with third-party cookies since they can be used to track browsing history via web page content sourced from external websites, such as banner advertisements. However, cookies have a range of both useful and potentially harmful applications: 
- Authentication cookies: Used by web servers to know whether a user is logged in, and the account being used.
- Session cookies: Exist temporarily in memory while a website is navigated and are normally deleted when the browser is closed.
- Persistent cookies: Expire after a specific period of time, or on a set date. They transmit information to servers every time a user browses websites that are associated with the cookie. Persistent cookies can track a user's browsing habits over an extended period, possibly years. 
- Secure cookies: Transmitted over encrypted (HTTPS) connections, making them less vulnerable to cookie theft.
- Third-party cookies: Belong to domains that are different from the URL shown in the web browser address bar. Tracking is enabled via the following process:
- Website A contains an advertisement served by
- A cookie belonging to is downloaded and stored on the user's computer.
- Website B is visited and also contains advertising content from , setting another cookie belonging to that domain.
- Both cookies are eventually sent to , and an extensive profile of browsing history is gradually acquired over time.
- Supercookies: Have an origin of a top-level domain like or a public suffix such as . If not blocked by the browser, adversaries in control of malicious websites can set supercookies and then impersonate or disrupt user requests to another website sharing the same top-level domain or public suffix.
With 80% of users disapproving of tracking while browsing the Internet, they have progressively started to delete cookies with relevant browser settings and extensions. Advertisement and tracking networks have responded in kind, using more sophisticated methods - evercookies - to distinguish users.
Evercookies come in various forms:
- Entity tag (ETag) cookies: HTTP supports simple cache control mechanisms, including ETags which store either a version number or a user identifier (ETag cookie). The purpose is to save bandwidth and have browsers use caches for web content when it has not changed, instead of reloading the complete web server content again.  Unfortunately this provides a tracking mechanism which can be persistently stored, and has been used by various websites including . ETag cookies can be, and often are respawned. 
- Zombie cookies: Automatically recreated after being deleted. Cookie content is stored in multiple locations such as HTML5 web storage, Flash Local shared object, client-side and server-side locations. When the cookie is deleted on a user's computer, this is detected and restored from one of the other cookie storage locations.
- Flash cookies (LSOs): Flash cookies are also known as local shared objects (LSOs) and store data from websites that use Adobe Flash. User permission is not sought when cookies are stored, and they are stored outside of normal browser local storage system.  Previously, it was difficult to delete Flash cookies, as they could not be located easily with browsers.  However, modern browsers, extensions and software have relevant settings to easily remove them.  LSOs can be used to: 
- Store and retrieve information from local storage when a user access webpages with a Flash application.
- Store user preferencs.
- Save data from Flash games.
- Track users' Internet activity, even across different browsers. For example:
- Firefox is used to visit a site showing a relevant product.
- Firefox is closed, but that information was stored in a LSO.
- The same person on the same machine uses Chrome to access a website viewed in Firefox.
- The website is able to read the LSO value(s) in Chrome, and display relevant content or targeted information.
- HTML5 DOM cookies: Allow web application software to store data persistently in a manner similar to cookies. Local storage and session-only storage are both possible. The storage size is far greater than that available to cookies, but it is not automatically transmitted on every HTTP request. Instead, client-side scripts allow the desired interaction with the server. It is possible to remove DOM cookies without about:config changes in Firefox , by using relevant extensions (like Click&Clean or BetterPrivacy), or by waiting for Firefox 58 which will disable them by default. Tor Browser defends against this by default. 
- Samy Kamkar has shown that there are other possible methods to track Internet users using evercookies.
In a study by the University of California, Berkeley the methods of Space Pencil Inc. (aka KISSmetrics) were exposed. In addition to cookies and flash cookies, KISSmetrics used cache cookies via ETags, DOMStorage and IE-userData to distinguish each user. KISSmetrics was sued as a result and dispensed with using ETags. It also allegedly now respects the Do Not Track HTTP header. 
Tor Browser, which comes with Whonix, resists evercookies.
It is evident that cookies are useful for website personalization, logins, monitoring purchases and other functions, but they also present a dire tracking threat. The average website places 34 cookies on a device on the first visit, and 70 percent of these are third-party cookies. Expiry dates are often set to the year "9999", indicating there is no intention to ever stop recording user behavior. 
A 2011 study by the University of California, Berkeley found that the top 100 websites at that time stored a total of 5,675 cookies. Of these, 4,914 cookies were set by third party domains and not the first-party domain being purposefully visited by the user. When browsing these 100 websites, data was transmitted to 600 servers.
Cookie security is dependent on whether cookie data is encrypted, since adversaries may otherwise use this information to gain access to user data or to access websites with the user's credentials. Examples of this attack include cross-site scripting and cross-site request forgery.
As well as gathering the IP address and/or the HTTP referrer field of the computer requesting the web page, cookies can also store the requested URL and the date/time of the request. Web hosts are therefore capable of recording a large proportion of browsing behavior over many years, and correlating the accumulated profile data with individuals. The typical Internet user has collected hundreds of cookies from various websites on their PC without their knowledge. For instance, the following figure exhibits a small number of the cookies that are stored when a request is made to.
Figure: Cookies set by the New York Times
Most modern browsers integrate an optional function to block cookies, but the option has to be first set by the user. Tor Browser, which comes bundled with Whonix, has activated cookie blocking by default. Firefox has also adopted Tor Browser's first party isolation feature since version 55, meaning cookies are separated on a per-domain basis. Advertisement trackers are unable to see all the cookies stored on a user's computer (only the cookie for the currently viewed domain), meaning they cannot aggregate persistent cookie data for profiling. In the future, it is expected that more functions will become available to administrate preferences and acquired cookie collections.
Active Web Contents
Web content that is accessible by browser plugins such as Flash, Java, ActiveX and Silverlight renders the Web more dynamic and colorful. However, permissions are also granted to websites to execute code locally on a machine, increasing the security risks. If executed, these plugins can read a host of details about the user's computer and network configuration and send it to a remote server. Certain techniques even permit files to be read and edited on the user's machine, and in extreme cases this allows complete control over it.
|Signed Java applets are particularly hazardous. By accepting its signature and by extension the applet, the visited webserver automatically receives all user rights on the computer. The applet may then read the IP address, MAC address, and even HDD/SSD contents.|
Limiting browsing to trusted websites does not mitigate the risk from applets. In the recent past, numerous popular websites have been hacked and infected with malicious code. Greater security requires these plugins to be blocked, deactivated or removed.
In Whonix, an adversary will not benefit from learning the IP address via this method: it is either a local IP address shared among all Whonix users or the IP address of a Tor exit relay, both of which do not reduce the user's anonymity set. Further, the MAC address is a virtual one which is also shared among all Whonix users, and is therefore worthless to attackers. Although active content will not reveal the real IP address, it is deactivated in Tor Browser by default. See Browser Plugins for a detailed discussion of browser plugins in Whonix and the potential effects on anonymity, security, and privacy.
- Drive-by download attacks: When users visit a compromised website running malicious code,  users are redirected to another site controlled by the attackers. Attackers then run code in the victim's web browser that loads an exploit kit which probes the user's OS, browser and software to find vulnerabilities. Payloads/malware are then downloaded that access personal data, encrypt the computer or other intended criminal activity.
- Execute remote code with root privileges.
- Forge login requests and view private information.
- Change personal information or fully compromise online accounts.
- Conduct illicit money transfers.
- Performance nearly all actions of a logged in user.
Session Replay Scripts
You may know that most websites have third-party analytics scripts that record which pages you visit and the searches you make. But lately, more and more sites use “session replay” scripts. These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers. Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder.
Although full or part redactions are attempted on passwords, credit card numbers, CVC numbers, and credit card expiry dates, sensitive information was found to leak in many instances, such as: 
- Passwords entered into registration forms.
- Leaking of credit card details on payment pages, even in real time.
- Leaking of specific medical conditions and prescriptions.
Safest Browser Against Exploitation
It is clearly unwise to browse the Internet without a well secured browser, otherwise there is a danger of a browser exploit leading to an infected system. Personally configuring a browser to be secure is an enormous effort requiring expertise and significant trial and error. The safer path is to use Tor Browser, preferably on a Whonix platform, since it is already hardened against data leakage. As noted in the Tor Browser chapter:
Tor Browser is a fork of the Mozilla Firefox web browser. It is developed by The Tor Project and optimized and designed for Tor, anonymity and security.
...In stark contrast to regular browsers, Tor Browser is optimized for anonymity and has a plethora of privacy-enhancing patches and add-ons. With Tor Browser, the user "blends in" and shares the Fingerprint of nearly three million other users, which is advantageous for privacy.
Features like proxy obedience, state separation, network isolation, anonymity set preservation and a host of others are simply unsupported by other browsers.
Tor Browser blocks most dangerous technologies by default, but most popular websites like Youtube will still resolve correctly. For media portals which rely on Flash or alternative plugins, the user can download the relevant files with special software and then view it with an open source media player like VLC. Websites should be avoided if they insist on the use of active plugins, see Browser Plugins.
Research from a pool of 500,000 Internet users has shown that the vast majority (84%) have unique browser configurations and version information which makes them trackable across the Internet. When Java or Flash is installed, this figures rises to 94%.  Considering this research relied only on a relatively small number of variables,  companies with advanced fingerprinting capabilities may be approaching 100%, particularly in combination with cookies.
Fingerprinting and Anonymity
|Academics suggest that around 33 bits of information is required to positively identify one person out of several billion! |
For anonymity, it is necessary to reduce the number of bits of information (entropy) the browser provides to an acceptable lower bound; for instance, 18.1 bits of entropy means that a browser chosen at random will share the fingerprint with one in 286,777 other browsers.  Browser uniqueness research has revealed the entropy associated with various pieces of browser information: 
- Fonts: System fonts are collected by Flash or Java applets, or by CSS introspection.
- User Agent string: When websites are visited, the browser sends precise information on the operating system and web browser being used. 
- HTTP Accept headers: With every webpage request, the browser sends URL variables within the HTTP protocol framework that can be analyzed. This includes personalized language, browser type and version, operating system and version, supported character / font sets, file codecs, and the last visited webpage.
- Screen resolution: The exact resolution is revealed to websites, for example
- Supercookies: Reported entropy depends on whether the following are enabled: DOM localStorage, DOM sessionStorage, userData, Flash LSOs, Silverlight cookies, HTML5 databases, or DOM globalStorage.
- Clock skew/precision measurements: Differential parameters are used to measure the time difference (down to milliseconds) between a user's computer and that of the server. Clock precision measurements rely upon how long operations take on a partricular system.
- HTML5 canvas: A precise fingerprint is provided by the rendering of WebGL, font and color data to a canvas element. This is then extracted from the image buffer, and an identifying hash is computed. For more information, see here.
The EFF has found that while most browsers are uniquely fingerprintable, resistance is afforded via four methods:
- Use of Torbutton, which is bundled with Tor Browser and enabled by default. 
- Use of mobile devices like Android and iPhone.
- Corporate desktop machines which are clones of one another.
- The User Agent is uniform for all Torbutton users.
- Plugins are blocked.
- The screen resolution is rounded down to 50 pixel multiples.
- The timezone is set to GMT.
- DOM Storage is cleared and disabled.
|Users should not rely solely on different filtering applications and services that hide or change problematic headers, like Privoxy.  They cannot filter encrypted (HTTPS) connections and the setting of special values for variables actually worsens the user's fingerprint.|
Browser History and Cache
A user's browser history and cache enables the possibility of history sniffing attacks: 
- Inspection of style properties to infer browser history.
- Transfer of the browser's history to the network.
- Actual history hijacking.
Websites can tell which sites are saved in a user's browser history using specialized commands and design elements. Three example are outlined below.
- CSS Stylesheets: Commonly the visited wesite will embed special formatting commands (CSS Stylesheets) that contain external links "of interest" on the pages that are visited. If one of the external websites have been visited before, the browser will react by executing a command defined in the format, for example by downloading a small picture from the website. In this way the website can learn and/or make educated guesses about the contents of a user's browser history.
- ETags: The contents of the browser cache can reveal previously visited websites. Along with the website URL and numerous page elements, the browser caches also store an ETag sent by the server. If the website is visited again, the ETag is first sent to ask for changes. ETags can contain unique user IDs, which have been used by companies like KISSmetrics to identify persons visiting some of the top 100 websites.
- Website Page Load Time: The time required for a website page to load changes when it is partially stored in the browser cache. By subtle placement of the images on the website, the server can analyze the cache elements one by one. 
The obvious corporate business case for information collected via history sniffing is targeted advertising. However, the same technique can be used to deanonymize web surfers.
Consider the following attack vector, outlined in a publication by security researchers iSecLab.  Browser history was used to collect the groups visited in the social network "Xing." Logically, it is improbable that two or more people would share membership of the same set of groups within a social network. Therefore, when this information was revealed it was possible to associate users with their real names and e-mail addresses.
The only reliable protection against analysis of a user's browser history is to use Tor Browser:
- This "feature" is deactivated by default.
- Tor Browser bypasses the cache for third party content to protect users. 
- The cache is deleted automatically when the browser is closed.
Deactivating the browser cache is not recommended, since it can have a deleterious impact on browsing speed.
Web (Email) Beacons and Banner Ads
A web/email beacon ("webbug") is a technique for tracking persons who read a specific web page or email, including the time it occurred and the details of the connecting device.  Beacons can also capture whether an email was read or forwarded, or if web pages were copied to another site. 
This technique is possible because some emails and web pages are not wholly self-contained. Often content is not provided directly, but instead provided by other servers. When the browser or email client prepares the content for display, usually requests are made to the foreign servers for the additional content. These requests reveal: 
- The IP address of the requesting device.
- The time/date the content was requested.
- Details of the web browser/email client making the request.
- Whether cookies exist that were previously set by the server.
Logically a detailed profile can be built over time if this information is stored by servers and each request is associated with a unique tracking token.
Web Beacons (Webbugs)
If users examine the cookies stored in a standard browser, usually one or more exist that are attached to data miners like doubleclick.com, advertisement.com or Google, even if those websites have never been visited. This is possible because these enterprises embed "webbugs" on various websites, which plant cookies in the browser and track browsing habits: 
Web bugs are tiny (usually a single pixel) transparent image files on web pages that are used to monitor user's online habits. As cited in a CNET article at the height of the web bug storm, critics claimed the bugs could capture IP addresses or perhaps install "pernicious files" and were therefore more invasive than cookies. The argument revolved around the capability, used or unused, that the bugs could take information given by the user at a selected web site and transfer it to any number of other sites without the user's knowledge or consent. The arguments also included the possibility of the bug's information being aggregated with that of cookies and used to create profiles of specific users' habits, instead of being used as general demographic information.
Webbugs are usually tiny pictures around 1 x 1 pixels in size, making them invisible to the viewer. Webbugs can also be coded into banner ads embedded in a website. The website contains a picture (webbug) that is loaded from a third party server running a statistics service, such as Doubleclick or Google Analytics. The statistics service then sets or edits a cookie in the browser, without the user noticing.
Afterwards, the browser will send this cookie back to the statistics service if/when a new content request is made on a site where the service's webbug is embedded. This means if a service is used on many different or popular websites, it can now track a large proportion of a user's browsing session. If a statistics service were to collaborate with a user's preferred search engine, then this could reveal nearly the entirety of Internet activities. 
It is important to note that the privacy functions of most modern browsers provide an inadequate defense. Optimal protection against webbugs is not achieved by simply employing webbug filters and rejecting cookies and/or deleting them upon browser shutdown. As the IP address is sent to the statistics service with every request, the only effective protection is an anonymization service like Tor.
The same profiling technique via beacons can be utilized with email: 
- Web beacons (tiny images) are embedded in emails with unique identifiers contained in the URL.
- When the email is opened, the email client requests the image.
- The email senders learns when the message was read, and the IP address of the device (or proxy server) that the user went through.
- The same information is gathered each time the email is displayed (opened).
This technique is popular with email marketers, spammers, and phishers. It confirms the validity of email addresses, tests whether emails made it past the spam filters, and informs if/when the email is displayed. Detection of these emails by users and mail filters is difficult, and emails do not need to contain advertisements or any other commercial material.
The general advice is to use an email client (like Mozilla Thunderbird) rather than a browser, and to disable the downloading of remote images whose URLs are embedded in HTML emails. Alternatively, text-based mail readers are available (like Pine or Mutt) or graphical email clients with text-based HTML capabilities (such as Mulberry), which do not interpret HTML or display images. Plain text email messages close off this attack vector completely, because web beacons cannot be embedded; the contents are interpreted as display characters, rather than as embedded HTML code.  
The Transmission Control Protocol (TCP) is a session-layer protocol for transferring data between computers. It is necessary for using Internet protocols like http (www), smtp (email) and ftp. For example, when a computer sends a request for a website, this data is sent within many small TCP packets. In addition to the data request, a TCP packet also contains optional information fields in the header (metadata), such as the TCP timestamp. The timestamp's value is proportional to the current time of the computer and is incremented according to the computer's internal clock.
The timestamp can be used by the client and/or server machine for performance metrics and optimization. However, an Internet server may recognize and track a computer by observing those timestamps. By measuring the clock skew of the timestamps to millisecond precision, an adversary can remotely calculate the individual clock skew profile for a computer, and determine the system uptime and boot time. These techniques work even if the user has otherwise perfectly anonymized their Internet connections.
The Whonix documentation recommends that TCP timestamps be disabled on the host operating system due to the risk.   Non-Qubes-Whonix and Qubes-Whonix users are already protected from this threat. The clock in Whonix-Workstation (
anon-whonix) does not match the clock on the host and is also set securely by sdwdate over , which results in a slightly different result compared to the more accurate NTP.
Tor users are also being protected from being profiled by TCP timestamps in another way: Tor relays automatically replace the potentially insecure TCP packets with their own.
The Privacy Commissioner of Canada provides a nice definition for an IP address: 
An Internet Protocol (IP) address is a numerical identification and logical address that is assigned to devices participating in a computer network utilizing the Internet Protocol. Although IP addresses are stored as binary numbers, they are usually displayed in a more human-readable notation, such as 220.127.116.11. The Internet Protocol also has the task of routing data packets between networks, and IP addresses specify the locations of the source and destination nodes in the topology of the routing system.
Internet Service Providers (ISPs) assign or lease IP addresses to individuals and these can be static or dynamic. Static IP addresses have a permanent address that is assigned to the network-connected device such as a firewall or router. Dynamic IP addresses are assigned to network-connected devices on a temporary basis (typically a few months), which is often the case for household customers.
In both cases, the IP address acts as a unique identifier and the ISP may save (meta)data for months or even years. This may include browsing records, time spent online, and any direct connection to Internet services. This is possible because the IP address tells the server where to send a response. So long as the IP address does not change, it is easy for ISPs to monitor when and where a user has connected.
Information Linked to IP Addresses
Knowledge of an IP address can reveal various information about devices, networks or services: 
- ISP provider: Personal data might be retrieved if the provider is known. For example, information might be sought on email addresses associated with an IP address, which in turn might relate to requests for subscriber information.
- Personal Information:
- Searching the WHOIS database might reveal other information about an individual, including organizational affiliations. 
- Internet searches using the IP address or computer names might show relevant peer-to-peer (P2P) activities (such as file sharing), fragments in web server log files, or evidence of other individual activities (like Wikipedia edits). Small pieces of online history can reveal a range of personal characteristics, preoccupations and individual interests.
- Physical location: It is possible to geo-locate an IP address to the country, city and regional level:
- Geo-location services are available to refine the search further to districts or office buildings. In the case of a company or computer center, it is sometimes possible to determine which terminal a user is on.
- Traceroutes can find the path to a computer, which provides information on its logical and physical location. 
- Some lookup tools reveal latitude/longitude, telephone area code and a map of the location.
- Access Technology:
- Databases can help reveal what hardware is being used to browse the Internet. For example, it is possible to distinguish whether a user is relying on DSL, a modem or a mobile device for connectivity.
- A reverse lookup can be performed to obtain a computer name, which can reveal the physical location or other details. 
Based on the preceding information, it is clear that without privacy or anonymity software, individuals are "browsing naked" on the Internet. While many of the threats in this chapter may be mitigated fully or partially without any special services, this is not the case for the IP address which is often uniquely linked to one person.
This is why projects like Tor were founded, to blur any connection between a user's IP address and the websites that are visited. Similarly, this is why the Whonix platform relies on the Tor network as the foundation for anonymous activities. How Tor works
The Media Access Control (MAC) address is the hardware address of each individual network device. It is sometimes referred to as the Ethernet-ID, Airport-ID, or physical / hardware / adapter address. Standard computer systems may have several physical or virtual network devices. These devices can be bound to a cable (LAN), wireless (WLAN), mobile (GPRS, UMTS) or virtual (VPS) environment, or another setup.
|"MAC addresses are typically 6 groups of two hexadecimal digits (0-9,A,B,C,D,E,F), separated either by colons (:) or hyphens (-)." |
The MAC address serves as a unique identifier for the respective device in a local area network. Unless the computer is infected with malware designed to disclose this identifier, it is neither used nor transmitted on the Internet. Also, an access provider can only see the MAC address if the computer is connected directly to the Internet (for example by a modem), rather than over a router.
Despite the limited risk of disclosure, MAC addresses can be used for tracking purposes by adversaries. For instance, other computers on the local network can potentially log it, which would then provide proof that the user's computer has been connected to a specific network. Moreover, advanced tracking techniques exist that are able to enumerate the MAC address of a Wi-Fi card in use, by examining its physical characteristics. For these reasons MAC spoofing should be considered for particular circumstances, like when an untrusted, public network will be used. See the MAC address entry for further information.
HTML5 Canvas Image Data
When combined with other exposed browser settings this can be enough to uniquely identify an individual, even without access to the specific IP address. 
The Tor Project provides a good explanation of this fingerprinting method: 
After plugins and plugin-provided information, we believe that the HTML5 Canvas is the single largest fingerprinting threat browsers face today. Studies show that the Canvas can provide an easy-access fingerprinting target: The adversary simply renders WebGL, font, and named color data to a Canvas element, extracts the image buffer, and computes a hash of that image data. Subtle differences in the video card, font packs, and even font and graphics library versions allow the adversary to produce a stable, simple, high-entropy fingerprint of a computer. In fact, the hash of the rendered image can be used almost identically to a tracking cookie by the web server.
Tor Browser has been patched to prompt before returning valid image data to the Canvas APIs. By default, if the site has not been given previous permission to extract canvas image data, then white image data is returned to the Javscript APIs. Third parties are not allowed to extract canvas image data at all.
When browsing, if a prompt appears with a message like that below, it is recommended to select.
This website (github.com) attempted to extract HTML5 canvas image data, which may be used to uniquely identify your computer. Should Tor browser allow this website to extract HTML5 canvas image data?
Gratitude is expressed to JonDos for permission to use material from their website. (w) (w)  The DataCollectionTechniques page contains content from the JonDonym documentation DataCollectionTechniques page.
- They also have legitimate functions such as keeping users logged into specific accounts.
- In Linux, LSOs are normally stored in:
- Users should never relay on DNT preferences, since they are rarely respected by industry.
- ip-check.info returns some false values and confuses TBB users (w)
- 82% of malicious sites are hacked legitimate ones.
- This includes the usual privacy offenders such as microsoft.com, skype.com and adobe.com, along with various sites providing banking, media, torrenting, educational, telecommunications, forums, shopping, and anti-virus services.
- Reinforcing the perception that the private sector really is a comfortable and principal ally in the surveillance-industrial complex.
- For instance, the EasyList and EasyPrivacy blocking lists that are available in popular extensions. However, they did not block all the major companies at the time of writing.
- Supercookie test, hash of canvas fingerprint, screen size and color depth, browser plugin details, time zone, DNT header enabled, HTTP_Accept headers, has of WebGL fingerprint, language, system fonts, platform, user agent, touch support, cookies enabled.
- Research suggests this is useful for profiling and tracking Internet users, as it reveals 10.5 bits of identifying information on average. This means only one person in 1,500 shares the same User Agent.
- In Tor Browser, Torbutton reduces the available entropy by quantising AvailWidth and AvailHeight, and setting the actual Width and Height to the values of AvailWidth and AvailHeight.
- Torbutton automatically disables many types of active content.
- Privoxy manipulates cookies and modifies web page data and HTTP headers before the page is rendered.
- Cache elements include graphic files (logos, icons, banners, buttons etc.), script files, photographs and HTML pages.
- Broken link.
- This means a website can only learn information about itself, and not other websites.
- The first beacons were small images.
- See here for further details on actual implementation.
- Users can also disconnect from the Internet before reading any downloaded messages, and then delete them before reconnecting.
- Even though TCP timestamps protect against wrapped sequence numbers.
- The disabling of ICMP timestamps is also recommended for the same reason.
- This might include organizational address, name and phone number.
- This technique displays the path of packets across an IP network.
- This technique links the resolution of an IP address to its domain name.
- Broken link: https://anonymous-proxy-servers.net/forum/viewtopic.php?p=31220#p31220
https | (forcing) onion
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.