Enforcing Disclosures - The Present Social Networking e-Identities' helplessness
Wednesday, May 26, 2010 6:53:38 AM
How often do you empty your Temporary Internet Files, Cookies, History, etc. right before hitting the Tor Button to "Enable", just to make your browser speed up and feel clean?
Sure, it speeds up the performance, but does it really keep you anonymous?
What we read, what we feed and what we click, everything is getting monitored, whether you like it or not.
A few years ago, it was just Facebook Connect vs OpenID in the single sign-on war.
Then MySpaceID joined hands with Google for Google Friend Connect in December 2008.
Just log in once and you can post comments on more than one website. These comments and clicks are run through intelligent scripts which help categorize the user type, check the user's likes, dislikes, views, etc., and ultimately draft a social behavior profile of the user.
But what if you do not want to express your views and are still being analyzed? What if all you did was read an article on the Internet without making a comment? Well, that was possible, but no more!
Online instant-messaging company Meebo has already launched an open source project called XAuth.
XAuth is yet another part of the ongoing fight between the open and interconnected web.
XAuth lets websites know which sites you are logged into. Although this aids in sharing links, with the XAuth protocol a publisher could know that you are logged into your Google account.
XAuth will help Meebo to track user likings and visit frequencies.
XAuth is an open platform for extending authenticated user services across the web, already supported by Google, Microsoft and Yahoo.
XAuth.org has a central server which serves the cookie that all services write to.
Facebook, on the other hand, has a web-wide "Like" button.
Publishers can put this "Like" button on their website to let Facebook users "like" a story or blog post.
This, along with a sharing toolbar, helps Facebook collect information on what its users are doing around the web.
This enables Facebook to create deep marketing profiles of users and to serve extremely targeted and expensive ads to users on their site and around the web. This definitely involves keeping track of user surfing behavior and frequency of visits.
On Wednesday, 28th April 2010 Facebook announced in its F8 developer conference the "Open Graph," and how Facebook plans to connect disparate corners of the Web that other social sites are building.
[Refer: http://news.cnet.com/8301-13577_3-20003053-36.html]
According to this "These social plug-ins, which are dropped into sites and allow the user to see which of your friends like content around the Web, will make Facebook applications a lot more social, without sharing any unnecessary data..."
Let us see a practical implementation and effect of this.
You log into your Facebook account, use it for a few minutes, open a new tab and casually browse your regular websites. Suddenly you notice at the end of a news article:
This means the website had access to your friends list or maybe even more. Let's find out the truth behind this.
1. USER visits a URL via Facebook:

    GET /2010/TECH/04/29/cashmore.google.facebook/index.html HTTP/1.1
    User-Agent: Opera/9.80 (Windows NT 5.2; U; en) Presto/2.2.15 Version/10.01
    Host: edition.cnn.com
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: en-US,en;q=0.9
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Referer: http://www.facebook.com/?ref=logo
    Cookie: CNNid=G3d0aab00-9593-1232007212-354; s_vi=[CS]v1|496EF02C00001F4D-A3A080A000049CD[CE]; __qca=1229491282-41234190-24533905; SelectedEdition=edition
    Cookie2: $Version=1
    Connection: Keep-Alive

Notice that the Cookie header doesn't contain any Facebook cookie.
2. USER gets response from www.cnn.com and gets the HTML content of the article back

    HTTP/1.1 200 OK
    Date: Fri, 30 Apr 2010 10:31:49 GMT
    Server: Apache
    Set-Cookie: CG=IN:09:Ahmadabad
    Accept-Ranges: bytes
    Cache-Control: max-age=60, private
    Expires: Fri, 30 Apr 2010 10:32:49 GMT
    Content-Type: text/html
    Vary: Accept-Encoding,User-Agent
    Content-Length: 37121
    Keep-Alive: timeout=2, max=10
    Connection: Keep-Alive

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html lang="en"><head><script type="text/javascript" src="http://i.cdn.turner.com/cnn/.element/js/2.0/ad_head0.js"></script>
    . . . .
    <script type="text/javascript" src="http://i.cdn.turner.com/cnn/.element/js/3.0/connect/connect-lite.js"></script>
    . . . . .

Note this line which includes the javascript named connect-lite.js
3. Contents of connect-lite.js connect to Facebook
This JavaScript checks whether the user browsing the news article is already logged on to Facebook.
It also retrieves the apiKey, which is used when the user "Likes" the page as well as to retrieve the names of the user's Facebook friends who liked the page.
4. Using apiKey to check the user's Facebook Login Status
The page now uses the apiKey along with the Facebook cookie (obtained by functions in connect-lite.js) and makes a GET request to www.facebook.com to check the user's Facebook Logon status:

    GET /extern/login_status.php?api_key=64b385429f05b2492d713f343d05ba02&channel_url=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%23%3F%3D%26cb%3Df4573999920462754%26origin%3Dhttp%253A%252F%252Fedition.cnn.com%252Ff5879320418811096%26relation%3Dparent.parent%26transport%3Dpostmessage&display=hidden&locale=en_US&method=auth.status&next=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%23%3F%3D%26cb%3Df5423554470228806%26origin%3Dhttp%253A%252F%252Fedition.cnn.com%252Ff5879320418811096%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df37874387740936637%26result%3D%2522xxRESULTTOKENxx%2522&no_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%23%3F%3D%26cb%3Df7084964685151585%26origin%3Dhttp%253A%252F%252Fedition.cnn.com%252Ff5879320418811096%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df37874387740936637%26result%3DxxRESULTTOKENxx&no_user=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%23%3F%3D%26cb%3Df10506331850759197%26origin%3Dhttp%253A%252F%252Fedition.cnn.com%252Ff5879320418811096%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df37874387740936637%26result%3DxxRESULTTOKENxx&ok_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%23%3F%3D%26cb%3Df6124310394581006%26origin%3Dhttp%253A%252F%252Fedition.cnn.com%252Ff5879320418811096%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df37874387740936637%26result%3DxxRESULTTOKENxx&sdk=joey&session_version=3 HTTP/1.1
    User-Agent: Opera/9.80 (Windows NT 5.2; U; en) Presto/2.2.15 Version/10.01
    Host: www.facebook.com
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: en-US,en;q=0.9
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    Referer: http://edition.cnn.com/2010/TECH/04/29/cashmore.google.facebook/index.html
    Cookie: __utma=87286159.1911458455.1243416641.1254913450.1254913563.7; lsd=ZqOXe; c_user=<cuserIDnumber>; datr=1242017486-5af1bd941dca57ea7dfd678eaa37911934dc1d594556ff4d977d0; lo=QPFeIgBfDok47UjttGHyGg; lxe=user%40inbox.com; lxs=1; sct=1272876443; cur_max_lag=2; locale=en_US; xs=717238f395c0573b549496e52aed37bf; x-referer=http%3A%2F%2Fwww.facebook.com%2F%3Fref%3Dlogo%23%2F%3Fref%3Dlogo; presence=DJ272625303G27H1_2c1_2c1_2c1_2c1L1097852140A7BF272625258218WMblcMsndPBbloMbvtMctMsbPBtA_7bQBfAnullBuctMsA0QBblADacA3V272625008Z400K272622444QQQ
    Cookie2: $Version=1
    Connection: Keep-Alive, TE
    TE: deflate, gzip, chunked, identity, trailers

    HTTP/1.1 302 Found
    Location: http://static.ak.fbcdn.net/connect/xd_proxy.php#?=&cb=f7084964685151585&origin=http%3A%2F%2Fedition.cnn.com%2Ff5879320418811096&relation=parent&transport=postmessage&frame=f37874387740936637&result=xxRESULTTOKENxx
    P3P: CP="DSP LAW"
    Set-Cookie: locale=en_US; expires=Fri, 07-May-2010 11:02:13 GMT; path=/; domain=.facebook.com
    Content-Type: text/html; charset=utf-8
    X-Cnection: close
    Date: Fri, 30 Apr 2010 11:02:13 GMT
    Content-Length: 0

5. Using apiKey to pull out the list of friends who "Like" the page
Right after checking the login status using /extern/login_status.php and receiving a confirmation of the login status, the page reuses the user's cookie and the apiKey to pull out the list of the user's friends who liked the page from Facebook's server:

    GET /plugins/like.php?action=recommend&api_key=64b385429f05b2492d713f343d05ba02&channel_url=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%23%3F%3D%26cb%3Df9219316299964743%26origin%3Dhttp%253A%252F%252Fedition.cnn.com%252Ff5879320418811096%26relation%3Dparent.parent%26transport%3Dpostmessage&href=http%3A%2F%2Fwww.cnn.com%2F2010%2FTECH%2F04%2F29%2Fcashmore.google.facebook%2Findex.html&layout=standard&locale=en_US&node_type=link&sdk=joey&show_faces=true&width=420 HTTP/1.1
    User-Agent: Opera/9.80 (Windows NT 5.2; U; en) Presto/2.2.15 Version/10.01
    Host: www.facebook.com
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: en-US,en;q=0.9
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Referer: http://edition.cnn.com/2010/TECH/04/29/cashmore.google.facebook/index.html
    Cookie: __utma=87286159.1911458455.1243416641.1254913450.1254913563.7; lsd=ZqOXe; c_user=<cuserIDnumber>; datr=1242017486-5af1bd941dca57ea7dfd678eaa37911934dc1d594556ff4d977d0; lo=QPFqInBuwok47UjtQkqBGg; lxe=user%40inbox.com; lxs=1; sct=1272876443; cur_max_lag=2; locale=en_US; xs=717238f395c0573b549496e52aed37bf; x-referer=http%3A%2F%2Fwww.facebook.com%2F%3Fref%3Dlogo%23%2F%3Fref%3Dlogo; presence=DJ272625303G27H1_2c1_2c1_2c1_2c1L1097852140A7BF272625258218WMblcMsndPBbloMbvtMctMsbPBtA_7bQBfAnullBuctMsA0QBblADacA3V272625008Z400K272622444QQQ
    Cookie2: $Version=1
    Connection: Keep-Alive, TE

And finally we see:
Conclusion:
Until now, searching while being logged into Gmail was an issue. Now using Facebook and surfing in the same browser is going to be a potential issue, because just like the "Like" plugin there can be many more which would register your browsing habits without you clicking 'Recommend'.
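
The difference between the first request and the like.php request can be checked mechanically in a proxy log. The following is an added example, not code from the original post or from Facebook: it parses raw requests and reports when a host on a different site receives both an identifying cookie and the address of the page being read. The two sample requests are constructed from the captures above with cookie values replaced by placeholders; treating `c_user` as the identifying cookie and comparing sites by their last two host labels are assumptions of the example.

```javascript
// Added example: requests below are constructed from the captures in this post,
// with headers trimmed and cookie values replaced by placeholders.
const ARTICLE_REQ = [
  'GET /2010/TECH/04/29/cashmore.google.facebook/index.html HTTP/1.1',
  'Host: edition.cnn.com',
  'Referer: http://www.facebook.com/?ref=logo',
  'Cookie: CNNid=PLACEHOLDER; SelectedEdition=edition',
].join('\r\n');
const LIKE_REQ = [
  'GET /plugins/like.php?action=recommend&api_key=64b385429f05b2492d713f343d05ba02' +
    '&href=http%3A%2F%2Fwww.cnn.com%2F2010%2FTECH%2F04%2F29%2Fcashmore.google.facebook%2Findex.html' +
    '&show_faces=true HTTP/1.1',
  'Host: www.facebook.com',
  'Referer: http://edition.cnn.com/2010/TECH/04/29/cashmore.google.facebook/index.html',
  'Cookie: c_user=PLACEHOLDER; xs=PLACEHOLDER',
].join('\r\n');

// Crude "site" = last two host labels (assumption; real tools use the Public Suffix List).
const site = (host) => host.toLowerCase().split(':')[0].split('.').slice(-2).join('.');

// Split a raw request into its target and a lower-cased header map.
function parseRequest(raw) {
  const [requestLine, ...rest] = raw.trim().split(/\r?\n/);
  const headers = {};
  for (const line of rest) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { target: requestLine.split(' ')[1], headers };
}

// idCookies: cookie names treated as identifying the user (c_user comes from the capture).
function analyze(raw, idCookies = ['c_user']) {
  const { target, headers } = parseRequest(raw);
  const host = headers.host || 'unknown.invalid';
  const referer = headers.referer || '';
  let refSite = null;
  try { refSite = site(new URL(referer).host); } catch (e) { /* no usable Referer */ }
  const cookieNames = (headers.cookie || '').split(';').map((c) => c.trim().split('=')[0]);
  const crossSite = refSite !== null && refSite !== site(host);
  const identified = cookieNames.some((n) => idCookies.includes(n));
  // Query parameters that repeat the embedding site's address to the receiving host.
  const leakingParams = [];
  for (const [k, v] of new URL(target, 'http://' + host).searchParams) {
    if (refSite && v.includes(refSite)) leakingParams.push(k);
  }
  // Leak: the receiving host learns who (cookie) is reading what (Referer, params).
  return { host, crossSite, identified, leak: crossSite && identified, page: referer, leakingParams };
}

console.log(analyze(ARTICLE_REQ), analyze(LIKE_REQ));
```

The article request is cross-site too, but it carries no Facebook cookie, so it is not reported; the like.php request is reported even though the user never clicked anything.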


Azim Poonawalaquakerdoomer # Monday, June 21, 2010 6:55:20 AM
I think that can be controlled.