[Cryptography] Digression: "Letterlocking" and URLs and avoiding the spread of surveillance

Thu Jul 18 18:58:38 EDT 2019

At 03:22 PM 7/18/2019, Jon Callas wrote:
>> On Jul 18, 2019, at 10:26 AM
>> Fascinating story about physical security of communication in the pre-industrial world.
>> 
>> https://www.atlasobscura.com/articles/what-did-people-do-before-envelopes-letterlocking?utm_source=Atlas+Obscura+Daily+Newsletter&utm_campaign=7f707c590c-EMAIL_CAMPAIGN_2019_07_18_Not_NYC&utm_medium=email&utm_term=0_f36db9c480-7f707c590c-63217145&ct=t(EMAIL_CAMPAIGN_07_18_2019_Not_NYC)&mc_cid=7f707c590c&mc_eid=8437a3c9e4
>
>List, I have a request for the future about pasting in URLs: please clean them up from tracking things.
>
>I apologize for taking a specific previous post as my example here, but it's the proximate case for us. I, too, am a sinner too on this front. I try to do what I'm going to describe below and am often successful at it. Perhaps even usually successful.
>
>Many URLs come with marketing tracking information in them. The base URL is everything up to the question mark, for example:
>
>https://www.atlasobscura.com/articles/what-did-people-do-before-envelopes-letterlocking
>
>And if you click that you get to the site and everything is copacetic. I ask that when you send a URL, you simply cut off the question mark and everything after it. Bonus points for verifying that it still works. QA is important. That's it. Please and thank you. Please do this all the time, but especially here on Cryptography.
>
>=======
>
>Yet let's look at what we trimmed. The rest of the URL is tracking information. Let me decompose the pieces:
>
>utm_source=Atlas+Obscura+Daily+Newsletter
>utm_campaign=7f707c590cEMAIL_CAMPAIGN_2019_07_18_Not_NYC
>utm_medium=email
>utm_term=0_f36db9c480-7f707c590c-63217145
>ct=t(EMAIL_CAMPAIGN_07_18_2019_Not_NYC)
>mc_cid=7f707c590c
>mc_eid=8437a3c9e4
>
>The first piece tells us the it came from the Atlas Obscure Daily Newsletter (duh), and I too get the daily newsletter. Great to see another lover of Atlas Obscura.
>
>In the second one, the hard work of Captain Obvious tells us that there's some hex stuff that's interesting in that it's 36 bits, not obviously ASCII or UTF-8, and wow, an email campaign for people not in NYC. I clicked on the link in my own email blast and this string was the same for me as it is here. So it's probably the lookup tag for this campaign.
>
>I'll leave the meaning of the third one as an exercise for all us readers.
>
>The fourth one has that previous string surrounded by two other strings. Interestingly, the prefix 0 has an underscore as a separator and the rest of it in dashes. I think this tells us something about the development practices of the organization that made it.
>
>That first string, f36db9c480, is the same in my URL, so I presume it is also something global at least across the campaign, too. The third digit string, 63217145, is interesting in that it's not obviously hexadecimal. The one in my URL is similar in that it starts with 629 rather than 632 and also appears to be decimal. I'm going to guess that it's an account number or something like that.
>
>The fifth, "ct" element is so redundant that even Captain Obvious moves on.
>
>The mc_cid element is our old pal here for a third time, and I'll guess that it's a Campaign ID.
>
>The last mc_eid, and probably the ID of something starting with the letter E.
>
>On my URL, my mc_eid was different from this one, but it was the same across another link in the same email, and also the same in an email from July 16 to me as well. I'm going to guess that it's an opaque token for my email address, on no other basis than the invariance in my case and that email starts with an "e".
>
>When I look at a URL from the July 16 email I received, the mc_cid is different, which I suspect, as it's a different campaign. The mc_eid is the same, as I mentioned before. The campaign string is "EMAIL_CAMPAIGN_07_16_2019_Not_Chicago" which is interesting and leads me to guess that they're doing some sort of A/B testing across metropolitan areas. The thing I guessed was an account number (starting with 629 for me) was also constant across the two emails.
>
>Thanks for reading this far. Again, please clean up URLs by deleting from the question mark forward. Please do it everywhere, but especially here.
>
>        Jon

One minor point:

On some URL's, there is some sort of hex token used *after* the "?", and this token is *required* in order to view the content.

How to tell: fire up a *different* browser (i.e., one with different cookies), and copy/paste the URL *withOUT the stuff after "?"*, and if the content comes up ok, then you're good to go with that truncated URL.  If not, you may have to figure out which of the parameters (the stuff between "?" and "&", or between "&" and "&") has the token, and which has the tracking stuff.

Of course, if the web site is clever, the token provides an index into the tracking info, so they don't need any of the other tracking stuff.