Recognizing your computer via cookies? IP? Flash Objects? - New proposed EBAY policy

[ebayaintstupid]

your MAC address, computer serial number, host name, IP Address, etc.

OK, we know how they get IP Address right?

And if they could get your MAC Address and Computer Serial Number, what in the heck would they need cookies for? They would have you identified already. Cookies would be totally unnecessary.

Now folks, show me one site on the internet, the entire internet, that displays your mac address and/or your host name and/or your computer serial number during a check of your system.

If anyone could do it, they would have.

EBAY wants to keep your cookies around because it is all they can truly depend upon to identify you. Even IP address is transient, in case you didn't understand dial-up, proxies, etc.

Geesh.

[tuanom]

Is there a way to get around the tracking from ebay Aus when selling after june? Hopefully they can't find out that I have a suspended account in the past and dump me!

Should I reboot my hard drive and get rid of all the old ebay junk?

Any help is help!

[ebayaintstupid]

but the subtle things are. First, a company that installs software on your computer, like an active X control, can find out much more about you. Don't ever allow active X controls to be installed unless you are certain you know the company, because when they are run, they have access to your computer information. Spyware is often disguised as an Active X Control.

Similarly, any executable that they want to run or download. Don't do it.

But EBAY doesn't do this. They use other means. Addressing Modee's question earlier, I think the reason that even though you deleted cookies and tried again, there was so much coincidental about your computer they allowed you to continue. Or, I have noticed, in some instances, that exiting the browser and going back in and suddenly it doesn't work anymore. Like the browser caches them.

The other thing they can use to a degree, although imperfect, are your computer settings. This is a vast amount of data available to any web site. OS you are running for example. Resolution of your screen. Among other stuff.

What would be interesting, Modee, is this.

1. Repeat what you did in your original test.
2. Now change IP Address and close your browser.
3. Log back in. Did they recognize your computer?

If not, it is likely a combination of IP Address and coincidental configuration information.

Obviously they are getting sneakier.

[imjustme]

I work in the IT industry for many years. Believe me, there is no way they can track you other than by your IP address and cookies. The user-agent wouldn't be a reliable method. Too many people use the same browser these days.

If they will make you verify your phone line every time you clear your cookies, that will:

1. Cost eBay millions in phone fees. Not a good business idea.
2. Cause hundreds of thousands of sellers, who clear their cookies every time they close their browser or restart their computer, to have to verify their phone line.

In short, HUGE problems for eBay. It's not going to happen, forget it.

[NowWhat]

Quote:

Originally Posted by ebayaintstupid

your MAC address, computer serial number, host name, IP Address, etc.

OK, we know how they get IP Address right?

And if they could get your MAC Address and Computer Serial Number, what in the heck would they need cookies for? They would have you identified already. Cookies would be totally unnecessary.

Now folks, show me one site on the internet, the entire internet, that displays your mac address and/or your host name and/or your computer serial number during a check of your system.

If anyone could do it, they would have.

EBAY wants to keep your cookies around because it is all they can truly depend upon to identify you. Even IP address is transient, in case you didn't understand dial-up, proxies, etc.

Geesh.

Would you be more secure - make eBay/PP less suspicious you opened a user account in XP only for that one ⊗⊗⊗⊗ account, set up an AOL account just for that user account, and didn't clear cookies. EBay/PP would have cookies reporting, but there would be nothing negative to report since you only used this XP user account for the ⊗⊗⊗⊗ EB/PP business?

[ebayaintstupid]

I already made that statement about two weeks ago. You are right, to a degree, having an independent user dedicated to use on EBAY makes it seem safer to leave your cookies hanging out.

There is an issue there though, there is cross pollenization of cookies that allow sites to share information. So, you might want a separate account for Paypal as well. But that won't do any good, because EBAY and Paypal are linked now. So, Paypal and EBAY can share info via their cookies.

What I was saying in my last note, though, is that a web site cannot remotely get your computer serial number unless they install software on your computer to retrieve it. And they can't get your computer MAC address either.

But on the other hand, they don't need to. They can obviously nail you and spy on you quite effectively without it.

[NowWhat]

There is an issue there though, there is cross pollenization of cookies that allow sites to share information. So, you might want a separate account for Paypal as well.

Why two XP accounts, ebayaintstupid, if in an XP user account you are using EB and PP accounts that are set up to work together?

[ebayaintstupid]

poke around with google, it isn't hard to figure out how they do it.

[divine422]

wow, wth is ebay doing...I think they are trying to make people paranoid...its like paypal saying, your account information must match your bank account even though it doesnt really too...they just dont want people to do it. I cant imagine them tracking ppl more than they are now, thats like borderline invasive and labour intensive for them to keep calling to verify...since i always log on at different cafes. Ebay is getting a bit power crazy these days.

[imjustme]

Surely many of you have read the new eBay rules coming in June, that they may verify the phone number if you're selling:

Quote:

Trusted Selling with Identity Confirmation
One of the ways criminals attempt to defraud people on eBay is by gaining access to member accounts with well-established reputations which they then use to set up listings in that person’s name. They gain this access often through a phishing email that convinces an unsuspecting member to click a link and enter their User ID and password.

To protect the Community against this type of fraud, beginning today, eBay will start noting which computers members typically use to conduct their buying and selling activity. After our data collection phase, sometime in June eBay will begin verifying our sellers when they list an item to ensure they are logging in from the same machines they have successfully used previously – usually a home or business computer.

If you are a seller, and you attempt to list an item from a different computer – for example, from a PC you are borrowing in a hotel or library – eBay will make an automated call to the phone number you have registered with us to confirm it is really you. We may also prompt you to verify your identity in other ways.

Initially, this identity confirmation process will only be applied to selling, although we may be extending this to other high-visibility activity in the future.

Note the part I have marked in bold. If they were using cookies to track you as a seller, that wouldn't work. Cookies expire after less than a day, unless eBay wants to create a huge security risk and let cookies expire 2 years down the road.

They HAVE to use IP's to track this. Otherwise they wouldn't call it a "data collection period" of about 2 months from now on. If they were using cookies, they would have no reason to create a collection period, they would just set the cookie and have you verify the next time you try to sell.

The data collection period means they are logging IPs more closely and say if you sell from the 123.456.X.X range and then suddenly from the 99.88.x.x range, they will make you receive that call to verify your account. If you stay within the same IP range always, you should be fine.

[imjustme]

By the way, another way to prove that eBay doesn't use cookies to track you if you're really the same seller, is their cookies themselves. According to eBay, they have already started this new tracking system. I logged into one of my eBay accounts and investigated all the cookies it placed.

All of them are set to expire "at end of session". Which means when you close your browser. If they would want to keep track of you after you close your browser, they wouldn't set it like that. Because when you close your browser, your cookie goes *POOF* even if you set your browser to keep cookies.

And I doubt that they want to call a few dozen million sellers every time they list an item just because they closed their browser. So it's all about the IPs, guys :D

[imjustme]

I just wrote a whole thread about this here:

http://www.aspkin.com/forums/ebay-di...kie-based.html

Read it and you will know how it works. Their new system is all about IPs, not about cookies.

[mantisinc]

That kind of makes sense. After all, I lot of people clear their cookies regularly.

[ebayaintstupid]

why? Dial-up? Changes every time. All AOL users would have to do phone verification on every dial-up? Hang up the phone and pick it up again to do the verification and you have another IP. Whoops, gotta do it again. Ad nauseum.

Many people do not have Static IP Addresses through their cable operators. They get a new IP every day or two. You think they are going to call millions and millions of people every day?

And tons more people come through a central IP Address. For example, where I work shows up as the same IP Address on every external machine. It is just "us" and that is thousands of "us".

IP Address, while a good way of verifying location to a degree, is not a firm way of identifying an individual. Good way of linking them, but even that is limited. Cookies combined with an IP Address, gotcha.

[imjustme]

On AOL, you are still on the AOL ip range. AOL has IP blocks assigned just to them. They can't do it with cookies, believe me.

For example, using 123.123.15.x and 123.123.66.x will not get you flagged, but using 123.123.15.x and 64.245.36.x will.

[imjustme]

Remember the key here is how they mention the "data collection period". If they would use cookies, there would be no need to collect any data for nearly 2 months. The data collection is them logging the IP address ranges you are using for the next 2 months. When they have a list like:

240.x.x.x
28.x.x.x
103.x.x.x

Those will be the ranges you would be able to login from. If you're suddenly using 89.x.x.x then you're flagged and you need to take the phone call.

[simplyjimbo]

I think there is more to the ebay tracking problem than meets the eye. Ok IPs will probably be taken in to account from a networking point of view as each ebay account holder would in effect always be connecting via their chosen ISP who will be using the same subnetted IP address range for their particular location. However this doesn’t help resolve the issue fully when it comes to multi user ips etc. However reading the trust and safety messages that I have come across, below is one for example, I believe we are missing something.

As ebay chatter states: http://www.ebaychatter.com/the_chatter/trust_safety_corner/index.html"]

Quote:

Quote:
Q: How will you track which computer I'm using?
A: We generate a unique ID that identifies the computer you've used to connect to eBay. This unique ID is stored on your computer using cookies and Flash objects so that the next time you visit eBay, we're able to confirm that you're using the same computer.
This unique ID doesn't include any personal information, such as your email address or eBay transactions, and won't be shared with anyone else.

Notice that they (ebay) are using more than just browser cookies to gather data they are also using flash objects which are can defined as local shared objects aka flash cookies. A local shared object is exactly like a browser cookie, except that it can also store data more complex than simple text as in the case of browser cookies.

The following info has been compiled from various reputable sources and /or developers:

Whilst normal browser cookies are only session based, flash cookies have a much longer life span.

By default, Flash is configured to permit small, otherwise invisible "tracking" files, known as Persistent Identification Elements (PIE) Local Shared Object files, to be stored on the hard drive of a user's computer. These are sent in the background over the internet from websites to which a user is connected, these files work much in the way "browser cookies" do with internet browsers.

When a user goes to a PIE-enabled website, the visitor's browser is tagged with a Flash object that contains a unique identification similar to the text found in a traditional cookie. When stored on a user's computer, PIE (.sol) files are capable of sending personally sensitive data back out over the internet without the user's knowledge to one or more third parties.

Whilst consumers are deleting normal browser cookies from their primary computer folders on a periodic basis PIE helps combat this behaviour by leveraging the properties in Flash local shared objects.

In addition, PIE, which can't be easily removed, through normal cookie deletion, can also act as a normal browser cookie backup, since it contains the same information and also acts as a deleted cookie restorer. In this way PIE can also restore the original deleted cookie when the consumer revisits the site.

While users have learned to delete browser cookies, most are unaware of shared objects, and don't know how to disable them.

One major disadvantage of flash cookies is that you can’t locate them in your browser. They are not shown in the list of cookies that you can see when you take a look at the cookies that are currently saved in your web browser.

Here is test to show how it is done and confirmed:
1. Go to Youtube,
2. increase or decrease the volume of the videos
3. delete all your browser cookies afterwards.
4. Now revisit the Youtube page again

You will notice that the volume level is still at the same set level as when you closed your browser and when you opened it again. This is done with so called Local Shared Objects, Flash cookies.

The main question is of course how a computer can be checked for Flash cookies and how it would be possible to delete those cookies again.

This is actually a very tricky thing. I was searching for a way to check them on my computer but could not find it just by normal searching. After reading some information on the Adobe Flash website I was able to realize that the only possibility to check them was to open a page on the Adobe site which would show them.

Now visit
Adobe - Flash Player : Settings Manager - Website Storage Settings panel
And delete the applicable or all your flash cookies on show in the 'settings manager box' and retry the youtube page you just visited, see the volume has been reset.

As ebay intend to use Flash objects surely this will probably confirm some of the intended ‘data gathering' processes, as confirmed by the blue squares seen by some users .

(from wikipedia)
In addition to cookies, many banks and other financial institutions also routinely install Persistent Identification Elements using Flash Player on users' hard drives when they establish and access their accounts, as do other interactive sites such as "YouTube" and the like.

[zymo]

This is quite interesting. I just looked at the Adobe link and found these "cookies" for 4 websites. Ebay and Paypal are not among them Sites shown were amazon ingdirect youtube and bankofamerica

[simplyjimbo]

Yes traditionally Flash records personalised settings for web pages etc however internet Marketers have used flash cookies for more.

As taken from the Adobe website

What kind of data can a Flash application store on my computer?
The kind of information stored depends on the application. Information can be anything from your user name to your current score in an interactive game to a list of stocks in your portfolio. The application should make it clear what kind of information it wants to store.

From ebay.com

Cookies we use for trust and safety (Flash cookies) - eBay uses Flash cookies, which are cookies written with Flash technology, to help ensure that your account security is not compromised and to spot irregularities in behaviour to prevent your account from being fraudulently taken over.

How does eBay use Flash cookies?
When you sign in to your eBay account, a unique ID is generated that identifies the computer you’ve used to connect to eBay. This unique ID is stored as a Flash cookie on your computer so that the next time you visit eBay from the same machine, we are able to confirm that it is a trusted source.

As you know from the previous post flash cookies are not normally in the same places as your browser cookies.

I am obviously speaking with colleagues on the Adobe developer forums for further info

[simplyjimbo]

which one did you choose modee.

I did spot this on ebay.com
What happens if I want to delete Flash cookies or prevent their use?

Although we don’t recommend it, you can delete or prevent the use of Flash cookies. If you delete or disable Flash cookies, we won’t be able to recognize the computers you frequently use, and we may need to request additional verification from you at certain times.

What do you reckon the verification is? their dreaded phonecalls

[imjustme]

Quote:

Originally Posted by simplyjimbo

What do you reckon the verification is? their dreaded phonecalls

Nope. It's the password verification when you delete a listing or when you update your contact information.

Flash cookies get deleted when you clear your temporary internet files. Many browsers, including Firefox, clear temporary internet files when you close the browser. Disk cleanup also does it. If eBay would have to call every user that closes their browser and cleans their temporary internet files or cookies or cleans up their disk, they would get millions of dollars in phone bills.

It's the IPs they log. That's why they state the 2 months "data collection period". They wouldn't need to collect anything if it was just the cookies.

[imjustme]

I'm wondering how they could track you anyways if you use Auctiva to list?