Klaus Zimmermann's Corner

Tracking the world in about 80 lines of Javascript

This morning my news feed had an article which was quite an eye-opener: following some boasting about having detailed data on some five billion users around the globe, Oracle Corporation has been served with a class-action lawsuit by an Irish-based civil rights group claiming it has severely violated the privacy rights of entire populations around the globe.

This announcement is interesting for several reasons:

This third point is especially important in Oracle's case and their "five billion" claim. A company that started out making RDBMSes does not have to specialize in tracking technology as long as it has a highly specialized arm that takes care of it - which brings us to BlueKai. Founded in 2008, this former startup specializes in tracking technology for marketing enhancements, and was acquired by Oracle in 2014 for 400 million dollars - a few crumbs compared to Oracle's 42 billion-a-year revenue. Since then, Oracle has quietly joined in on the surveillance business, managing to avoid the bad rep that Google et al have received.

However, one thing that the article does not mention is the method used, and years later, we can only wonder: how could they passively but surely have gathered so much data? Surely only some network-sniffing technology developed under top secret cover could've had such astounding reach, right? Well, turns out part of that technology is extremely trivial and, in fact, has been with us since the mid-90s or something: Javascript.

BlueKai works by sniffing user data through snippets of Javascript embedded into webpages. Driven by the desire of businesses worldwide to do "market research" to boost sales, and by the ubiquitous ignorance about what Javascript even is, this sort of tracking has become omnipresent in the same way as the Facebook Pixel or Google Adsense. And it's simple and trivial to implement thanks to browsers' naïveté in processing unchecked code from the web.

How trivial, you ask? Here's an example snippet from GitHub, where in about 80 lines of uncompressed Javascript you can prep, prime and send rich data from a webpage's visitor straight to BlueKai's servers, where it's added and processed by the gargantua. Paste that snippet into a webpage, and all it takes is one load to put your visitor in the bag.

Fortunately, though, the fix is likewise not complicated. Those of you who have been heeding the warning against the Javascript trap might be safe already: just block their script from ever running in your browsers. Use an extension like NoScript or uMatrix to prevent it from being executed by your browser, or go even deeper and prevent it from loading on your computer at all with an /etc/hosts-level blacklist.
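For the /etc/hosts route, here is a small Node.js sketch, added as an example and not part of the original post or the GitHub snippet it mentions. It lists the external script hosts a saved page pulls in and prints hosts-file lines for the ones on your blocklist; `tracker.example` and the sample page are constructed placeholders, and the function names are my own.

```javascript
// Assumption: placeholder blocklist; replace with the tracker domains you want blocked.
const BLOCKED_SUFFIXES = ["tracker.example"];

// Return the hostnames of every external <script src=...> found in the HTML.
function scriptHosts(html, pageUrl) {
  const hosts = new Set();
  // Handles double-quoted, single-quoted and unquoted src values.
  const tagRe = /<script\b[^>]*?\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  for (const m of html.matchAll(tagRe)) {
    const src = m[1] ?? m[2] ?? m[3];
    try {
      // Resolves relative and protocol-relative (//host/...) URLs against the page.
      const u = new URL(src, pageUrl);
      if (u.protocol === "http:" || u.protocol === "https:") hosts.add(u.hostname);
    } catch { /* unparsable src value: skip it */ }
  }
  return hosts;
}

// True when host is a blocked domain or a subdomain of one (match on a dot boundary).
function isBlocked(host, suffixes = BLOCKED_SUFFIXES) {
  return suffixes.some((s) => host === s || host.endsWith("." + s));
}

// /etc/hosts has no wildcards, so every observed hostname needs its own line.
function hostsEntries(html, pageUrl, suffixes = BLOCKED_SUFFIXES) {
  return [...scriptHosts(html, pageUrl)]
    .filter((h) => isBlocked(h, suffixes))
    .sort()
    .map((h) => `0.0.0.0 ${h}`);
}

// Constructed sample page, not real markup from any site.
const SAMPLE_HTML = `
<script src="/js/app.js"></script>
<script async src='//tags.tracker.example/site/1234.js'></script>
<script src=https://CDN.Tracker.Example/t.js></script>
<script src="https://nottracker.example/lib.js"></script>
<script>console.log("inline")</script>`;

console.log(hostsEntries(SAMPLE_HTML, "https://shop.example/index.html").join("\n"));
```

The output only covers hostnames that actually appear on the pages you feed it, so a tracker served from a new subdomain gets through until you add that line as well.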

Hence, privacy-conscious web browsing is still enough to ensure protection against this, as it has been against several other sorts of threats online. However, this is in no way a reason to put aside and forget Oracle and the real threat lurking out there: billions of unsuspecting people surfing the internet are still being precisely tracked in real time, and shame on those who enable such technology. Keep an eye out for other threats like this in the surveillance arms race.


Did you know about Oracle's tracking capacity before news of this lawsuit came forward? How do you prevent it from reaching you? Let me know on Mastodon!


This post is #35 of my #100DaysToOffload project. Follow my progress through Mastodon!


Last updated on 08/24/22