Blog

  • You know how whenever you visit a website it asks you: “Do you want a cookie? We really want to give you a cookie! Please take our cookie.” Sadly they are not the cookie fairies bringing joy to the world. Cookies, on the web, are completely unique numbers given to your browser for the sole purpose of uniquely identifying your browser, and thus you.

    This is an important feature of the web. If we couldn’t differentiate you from someone else, you couldn’t log in to an app. Right now, you can enter your username and password, and it will say “welcome back.” But there was a time when the next click of a link or button would make it ask “who are you?” again, because you would look exactly like everybody else. That’s why cookies were invented. They were an internal mechanism of web browsers that no user should ever have heard of. It was an inside joke.

    But then cookies were used for evil. Well… evil is a strong word. They were used for other purposes. They were used to track you so they could sell you stuff much, much more efficiently. They were used so that whenever you visited site A and then site B, site B could show you ads for site A. What’s the harm in that? Well, by the time you have visited 100 sites, advertisers have a profile of who you are that is creepily accurate and allows for some ridiculously effective manipulation.

    Legislators, starting in Europe, decided to put an end to it. They said: 

    “People should be asked for consent before they get a cookie and if you force feed someone a cookie, you’ll get fined!” 

    It sounded good in theory. In practice we ended up with a web plastered in “Oh, you want to see my website? Accept my cookie first” and everybody is blindly accepting the cookies, and blindly being tracked in return. We are just wasting a bit of time going through the motions of pretending we know what we are doing when we consent to these non-crumbling cookies.

    Advertisers also reacted by searching for alternatives to cookies. They now look at everything else about you: your browser, your device, the resolution of your monitor, your operating system, the version of various things, the plug-ins you installed, the amount of battery left on the device and many other seemingly innocuous facts. And with that they construct a fingerprint that is also eerily unique. If you want to see how specific your digital fingerprint is, go to https://www.amiunique.org/fp. It will look something like this:

    One of the attempts at solving the tracking problem was the Do Not Track signal. The idea was that you would configure your browser in either tracking or not-tracking mode and companies would respect it. Yeah… Nobody respected it. Why would they? Nobody was enforcing it in any way.

    In 2020 we saw an important development in this area. Several companies proposed a new signal called Global Privacy Control that works exactly the same as Do Not Track, but this time it has the backing of the law. Both the CCPA (California Consumer Privacy Act) and the GDPR (General Data Protection Regulation) consider it a valid declaration of “You are not allowed to sell or give my data away”. Remember, identifying you individually is necessary so you can log in; the problem is when that data is given to third parties and it starts following you around, growing an itty-bitty database on how to use you.

    So, what now? If you go to https://globalprivacycontrol.org/ at the very top you can see whether your browser is sending the GPC signal and in your browser you should be able to configure whether you want to be tracked or not. When you are sending the signal it looks like this:

    And when you are not it looks like this:

    Firefox already supports it and it’s very easy to turn on, although I didn’t have to turn it on: it was sending the signal not to track me by default.

    You know which browser doesn’t support it yet? Chrome. There are Chrome clones that do, like Brave Privacy Browser and DuckDuckGo Privacy Browser. The problem with Chrome is that Google is conflicted: advertising is their main source of revenue and this hurts their bottom line. If you want to keep using Chrome, thankfully, you can just add an extension that adds the GPC signal; it’s called OptMeowt. After you add it, when you go back to https://globalprivacycontrol.org/ you should see the signal being transmitted. It’s possible that Google will implement it; after all, they did implement Do Not Track. We’ll see.
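    An added example, not code from the original post, of what honouring the GPC signal looks like on both ends of the connection. It assumes the standard request header `Sec-GPC: 1` and the DOM property `navigator.globalPrivacyControl`, neither of which the post names, and uses constructed sample requests rather than real traffic:

```javascript
// Added example: honouring the Global Privacy Control signal.
// Assumption: GPC-enabled browsers and extensions send the header "Sec-GPC: 1"
// and expose navigator.globalPrivacyControl === true to page scripts.

// HTTP header names are case-insensitive, so normalise before looking them up.
function normaliseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Read both opt-out signals from a request. GPC is the one the post describes as
// legally backed; DNT is reported separately so it can be logged but not relied on.
function privacySignals(headers) {
  const h = normaliseHeaders(headers);
  return { gpc: h["sec-gpc"] === "1", dnt: h["dnt"] === "1" };
}

// Turn the signals into a per-request policy. With GPC present, no third-party
// tracking cookies are set and nothing is shared with ad partners. The
// first-party session cookie is unaffected: it is what lets the user log in.
function trackingPolicy(headers) {
  const { gpc, dnt } = privacySignals(headers);
  return {
    allowThirdPartyTracking: !gpc,
    shareWithAdPartners: !gpc,
    allowSessionCookie: true,
    dntSeen: dnt,
  };
}

// Client-side check, the same thing globalprivacycontrol.org shows at the top of
// its page. `nav` defaults to the real navigator in a browser; pass a stub in Node.
function browserSendsGpc(nav = typeof navigator !== "undefined" ? navigator : {}) {
  return nav.globalPrivacyControl === true;
}

// Constructed sample requests (not captured traffic).
const requestWithGpc = { Host: "shop.example", "Sec-GPC": "1", Cookie: "session=abc" };
const requestWithout = { Host: "shop.example", DNT: "1", Cookie: "session=abc" };

// Evaluate both samples; returns the two policies side by side.
function demo() {
  return { withGpc: trackingPolicy(requestWithGpc), without: trackingPolicy(requestWithout) };
}
```

    In the sample without GPC the DNT header is still recorded (`dntSeen: true`) but changes nothing, which is exactly the situation the post describes before GPC existed.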

    Going back to the insufferable cookie popup dialogs. Why would all of this make a difference? Because the laws can (and likely will) forbid asking for consent more than once, so once your browser withdraws consent from tracking, a popup can’t ask for it again. We don’t need the whole world to pass these kinds of laws, only a few important enough locations, for applications to start behaving differently for everybody. In retrospect, the cookie-popup solution was lawmaking without tech, and Do Not Track was tech without law. Now we have a solution that has both the law and the tech aspect; hopefully this time it will work.

    Comic: Ice Cream Sandwich Comics


  • haveibeenpwned.com is a wonderful service created and managed by Troy Hunt. I’ve been using it personally to monitor my own email accounts, and at every company where security was my responsibility I set up haveibeenpwned.com to monitor at the domain level. The reason is very simple: in the course of performing their tasks, employees create accounts on many websites and applications, sometimes uploading customer data, leaving a trail of potentially reused passwords. Every time there’s a breach of one account, that could grow into the breach of many others or the leak of sensitive information.

    haveibeenpwned.com sends you a report of the breaches, but I found that getting things unbreached to the level I was happy with required quite a lot of manual work on my part; that’s why I created Unbreach. Unbreach directly notifies each employee at your company when their email is found in a data breach and shows them a list of all their breaches, where they can track which passwords they have already changed. That screen looks like this:

    For you, it shows a dashboard of all employees and all breaches, including who was affected by what, and which ones remain open and which ones are unbreached. It looks like this… if your team is the Avengers, that is:

    This extra functionality, which I can summarize as a to-do list of passwords to change and a dashboard of open and closed breaches, is what Unbreach provides, and why I created it.

    We currently pay haveibeenpwned.com for an API key. If Unbreach takes off commercially we hope to find a way to pay more for that API access because it would be too cheap. One can only dream of one day collaborating closely with Troy Hunt.