The IAB loves tracking users. But it hates users tracking them

• uid2docs

  6 155 9.9 TypeScript

  Documentation Repository for Unified ID 2.0

  

"Personally, I recommend installing the uBlock advert blocker on all devices which support it."

NB. I am a casual use of uBlock. I have nothing against it. However like other alternatives it may have limitations that are worth considering.

At the very least we have to consider devices that do not support uBlock Matrix/Origin.

With respect to those that do support it, a company making large profits from advertising that controls a particular application, like a web browser, or that controls a particular operating system, like a graphicl mobile or desktop one that no user ever compiles themselves, can "remove support" for uBlock at any time.

Options for setting a default gateway and setting DNS servers are arguably even more prevalent on devices than support for uBlock. Presumably companies making large profits from advertising to remove support for DNS settings and default gateways from the operating systems they control, however this seems much less likely.^1

Where no user-configurable firewall is available on the device, we can sometimes use DNS settings, i.e. wildcards, to point DNS traffic to a DNS server we control. We can configure the DNS server to block/allow certain DNS traffic. We can also use the DNS server to point all HTTP traffic to the proxy.

The DNS server and the proxy can be running on the loopback of the device or they could be running on the gateway, where the gateway is another computer that we control.

What is needed to disrupt this UID API from IAB. Is DNS enough. Do we need to filter URLs for certain JS files. Do we need to filter cookies.

"All UID2 endpoints use the same base URL.

Environment Cloud_Region Code_Base_URL

Testing AWS US East (Ohio) us-east-2 https://operator-integ.uidapi.com

Production AWS US East (Ohio) us-east-2 https://prod.uidapi.com

Production AWS Asia Pacific (Sydney) ap-southeast-2 https://au.prod.uidapi.com

Production AWS Asia Pacific (Tokyo) ap-northeast-1 https://jp.prod.uidapi.com

Production AWS Asia Pacific (Singapore) ap-southeast-1 https://sg.prod.uidapi.com

For example, https://operator-integ.uidapi.com/v2/token/generate"

Source: https://github.com/IABTechLab/uid2docs/blob/main/api/v2/READ...

In authoritative DNS, a wildcard entry such as

   *.uidapi.com 1 IN A 127.0.0.1

• libphonenumber

  53 16,016 8.8 C++

  Google's common Java, C++ and JavaScript library for parsing, formatting, and validating international phone numbers.

  

https://github.com/google/libphonenumber/blob/master/FALSEHO...

> 1. Some people do not own phones, or do not wish to provide you with their telephone number when asked. Do not require a user to provide a phone number unless it is essential, and whenever possible try to provide a fallback to accommodate these users.

What a bunch of hypocrites.

• SurveyJS

  surveyjs.io featured

  Open-Source JSON Form Builder to Create Dynamic Forms Right in Your App. With SurveyJS form UI libraries, you can build and style forms in a fully-integrated drag & drop form builder, render them in your JS app, and store form submission data in any backend, inc. PHP, ASP.NET Core, and Node.js.

  

• trualias

  3 36 5.4 Python

  Mentally computable verification codes for email aliases implemented as a postfix tcp table or milter; uses asyncio.

They've settled on a set of features and non-features, similar to how we do it with threat indicators. If it's error prone for threat indicators it's error prone for user tracking and vice versa.

There are reasons not to care. For instance in the threat indicator space false negatives (a threat which is not caught) doesn't cause nearly the pucker as a false positive (something which is not a threat which is flagged as one). Their calculus and minimum may be driven by somewhat different objectives, because their audience is advertisers not security practitioners.

You can still 1:1 addresses to purposes and if you see crosstalk you can draw conclusions. Their normalization is lossy; that's the point.

The cynic in me notes that given the absolute lack of originality in password choice, similar lack of entropy could be seen in 1:1 mappings and perhaps they can infer that if you're hansolo@ and they're example.com, that the email address you'd use is han.solo+example@. The cynic also says: that's on you.

But damn, I'm looking better all the time: https://github.com/m3047/trualias

• fx-private-relay

  179 1,417 9.9 Python

  Keep your email safe from hackers and trackers. Make an email alias with 1 click, and keep your address to yourself.

  

That's why for Firefox Relay [1], we recommend using random email masks, and why I use it over my own catch-all domain for unimportant things.

We do support your own catch-all subdomain, but that is just to cover the use case of having to come up with an email mask on-the-spot. If you are filling in a web form, best to use an email address that looks exactly like the email addresses of other Relay users.

[1] https://relay.firefox.com/

Suggest a related project