➡ Google, along with other tech giants, uses your browser to track your online activities without your consent. This is done by embedding their code into websites you visit, turning your browser into a data source for them. This process, similar to a botnet, is facilitated by a unique ID assigned to you by Google. The article also explains how to use browser isolation to block this tracking.

Imagine waking up to discover your browser has been secretly enlisted in a cyber army tracking your every click scroll and search all without your knowledge that’s the chilling reality of a botnet a massive network of hijacked devices turned into remote-controlled zombies by hackers but what if I told you a similar setup exists right under our noses powered not by malware but by tech giants like Google using your browser as the unwitting tool they track your every move across sites with a persistent ID you never agreed to and you shouldn’t wonder why Google knows your every preference idea opinion and connection people you are also vulnerable I call this the Google botnet and this isn’t a traditional botnet of malware infected computers but a vast army of web servers willingly embedding Google’s code turning visitors like you into data sources for a third-party empire I’ve tried explaining this for years but today we deep dive into the tech straight from Google’s code to show you exactly how your behavior is harvested no theory just proof and I’ll reveal why my go-to solution browser isolation blocks it flawlessly this is privacy warfare 101 stay right there our approach today I will not bore you with a lot of theoretical talk what I will do instead is demonstrate to you exactly how things work to accomplish this I had to write some code to show you the detail well those who are very techy can repeat the demo itself and examine the data more closely if you’re not super techy just graph the main concept which I will state at the end of each section I’m just trying to show you that there’s proof to this not fud the basic tools for this demonstration as a website I built just for this demo which I will leave with the original credentials for a short while after I release this video but after that I will delete the Google credentials so if you’re watching this video later on it may not function completely as shown this website is Brax dot live next I will demonstrate this using two browsers the first browser will be Chrome and the other browser will be brave let’s get started let’s start with the Google ID I’ll state it directly now the problem is the Google ID when you log into Google on a browser your Google ID is translated to a bunch of identifiers that are obfuscated by Google to be anonymous the idea is that third parties cannot directly translate these identifiers to your original Google ID which is typically some Gmail email address however let’s make it clear that Google made these anonymous identifiers so they’re able to use it to identify the original account let’s look at a Chrome browser that’s been logged into Google we’ll actually start from google.com to make this clear what we’re going to do is look at the cookies on this computer to do that I right-click on the browser and click on inspect this will launch DevTools and we’re going to use it a lot today we’ll click on the application tab and then you’ll see a cookie section where we select www.google.com there are several Google domains here and it doesn’t matter which one you pick the Google identifiers will be the same look at these cookie values secure 1psid, SID, HSID these are Google’s master keys to your account they’re anonymized so they don’t look like your email address but Google can reverse them to your original Google ID let’s switch to Brave now and again using google.com as the website here I did not log into Google and using the same procedure I look at the cookies and look at the list for www.google.com you will see that the value secure 1psid, SID, HSID are missing so clearly when you do not log into Google on a browser the browser has no trace of the Google identifiers if you’re trying to duplicate this make sure that before you start you clear cookies on Brave this is in case you’ve logged into Google on it in the past let’s summarize for the non techies if you don’t log into Google Google ID identifiers are not on your browser Google IDs on one browser doesn’t transfer to another browser the botnet demo to demonstrate a website that behaves like it’s part of a botnet I made a web page on Brax dot live and here it is just to summarize what I’ll be showing you here basically this is the web page that includes the standard features installed by most websites which is Google Analytics Google Tag Manager and Google Adsense I’m not going to demonstrate or install Google Adsense since there are no ads here but the concept is the same you can look at the source code of the demo anytime you want as I will leave it up even if you’re not a techie I will just scroll through the source code using the view source option and I will highlight each particular module we’re discussing the embedded Google website this is the secret that allows a lot of the surveillance that we’re talking about and this is specific to only a few companies notably Google and Facebook but I’ll focus only on Google here if I look at the dev tools for Brax dot live you will see that not only can I see the cookies for Brax dot live there are also cookies for google.com you may not know this rule but for security only the owner of the domain can see cookies for that domain given this rule you may ask how is it possible that google.com is showing this is Brax ad live the reason is that Brax ad live has an embedded google.com site inside it a website within a website and the website creator willingly puts this in there the technical term for a website that is in another website is called an iframe and I will show you the iframe in the source code and here it is but what’s interesting in this iframe is that it is sized to be one pixel by one pixel large in other words it is an invisible Google website it won’t interfere with the appearance of the main site when there is an embedded website within a website the cookies from both websites become accessible this allows the google.com identifiers to be within the scope of Brax ad live normally a website can only access cookies from its own domains to summarize for non techies because third-party websites embed a hidden google.com website inside their website then these websites can read the Google identifiers that are found in cookies the CID now I will show you the final identifier that is used by the website to pass your identity to Google aside from the iframe Google JavaScript is embedded into the website JavaScript is the programming language used for websites by browsers and I will just show you several areas where various scripts are purposely embedded on the website per Google’s instructions so again this is Google’s JavaScript one of the first things that the Google code does is take the original Google identifiers from www.google.com and translates that into something the third-party website can use to identify you this is all anonymized so that third-party websites can’t track the internet only Google can the identifier is called the client ID or CID and you will see it as a cookie on Brax ad live so basically Google knows what that is and it is an anonymized version of your Google ID this is what the cookie looks like and the last two parts become the CID that can be translated by Google to your real Google account if you’re logged into multiple computers or multiple browsers or multiple tabs and these have a Google ID for example an Android phone an office computer and a home computer and possibly with multiple tabs then these devices will have different CIDs but at the Google end Google can link it back to your original Google ID I want to also bring up another point on androids even if you don’t log into Google on a browser the Android is logged into Google and the alternate identifier is called the Google advertising ID or GA ID this is a device level identifier and is typically used on androids these are also passed to the browser and basically provide the same functionality as the CID for the non techies the summary here is that websites obtain an anonymous client ID that will identify you on their website to Google the bombshell the botnet calls home now let’s proceed to the bombshell of this video when I say Google can track every click on the website I mean that literally so to demonstrate this I have a button here that can function as any click on some website again understand that Google JavaScript code is embedded in this website let me resize this and open up the dev tools here what I’ll do is show you the network traffic when a button is clicked we’ll leave the network tab open because we’re going to capture network traffic from this website now we’re going to click on my click me button and there you go you will see the response but look here on the network traffic that says collect let’s look closely at this it’s a pretty tiny text but I’ll highlight the relevant portions look for the CID and there it is that identifies you specifically there’s the TID and GTM and those are the website identifiers for the Google Analytics and Google Tag Manager the rest showed the particular details of the click itself and you can see it is very detailed and includes the main text of the window and even the specific label of the button now let’s repeat this same exact test on brave and you can see that on brave which has no Google ID the collect event fails and cannot send anything to Google for non techies whatever you click on on a non Google website is seen by Google and collected by Google servers but only if there’s a Google ID before I continue if you find that I’ve given you special information please subscribe to this channel and check out our other privacy solutions at the end of the video the fingerprinting back door for this demonstration it becomes clear that a direct match of a Google ID is only possible when using a logged in browser but depending on the browser two separate browser sessions or tabs can be correlated via browser fingerprinting the clue that this is happening is if you examine the CID on the click me and two operations reveal the same CID then it means the two sessions have been connected by browser fingerprint this is the reason why I don’t accept using privacy windows or isolated tabs or any such thing it’s just not guaranteed to be safe the best solution is still using separate browsers the browser isolation strategy explained now that you’ve seen the technical mechanics let’s explain how we put this to use you can contain the Google tracking if you understand what’s going on the strategy is based on the expectation that we can’t escape Google that some part of our internet traffic is going to involve Google when you log into Google on a browser or device that device will tie an identity to a cookie which will then be readable by all the websites that have Google code depending on the country this could be up to 80% of all websites so the strategy I’ve taught for a decade now is called browser isolation or really you can rephrase it to mean let’s isolate the Google ID if the Google ID is on a single browser and that browser never goes into any Google website then there is zero traffic that would identify any click to Google from a third-party site Google already knows what you’re doing on a Google platform like YouTube so there is no extra information so to apply this to a privacy strategy you should have two to three browsers always active I recommend using Chrome for Google it reminds you that it is Google because it is owned by Google then you can bookmark the common platforms you use on Google to remind you what it’s for so mine is bookmarked for example to YouTube and Google Earth then all the other websites I commonly visit are on my second browser which in this case is brave I will never never never ever log into Google on brave and you can easily verify that it is not logged into Google by going to google.com and looking at the cookies to see if you see the Google identifiers on there the third browser is made for the occasions where you would like to visit a Google site like YouTube Google Earth or Google Maps without logging in by keeping it separate from the brave browser which never goes to Google we keep all the cookies clean it will not necessarily kill browser isolation to go to brave and visit YouTube without logging in but this third browser is there to block potential browser fingerprinting so to summarize for the non techie three browsers Chrome brave Firefox Chrome for Google logged in brave for anything else Firefox for Google not logged in if you prefer to use three different browsers than what I stated here that’s fine except I wouldn’t use Chrome at all for any non Google function other than that use any three browser combo you want but this is the combo I personally use default browsers to prevent problems with browser fingerprinting and leaking the Google ID you should not make Chrome the default browser the device default browser in this example is brave or it could also be Firefox the reason for this is that many email messages may contain links to websites especially Google websites and then you click on it and it will launch the website if the link is to Google it is possible that some ID may be attached to the link that may tie it to you based on the email information so having a different default browser prevents accidental revelation of your identity mobile on mobile as I already mentioned the Google ID isn’t based just on your logins to Google apps or Google websites using the mobile browser on Android and iPhones the alternate identifier is the advertising ID which is then matched to your login to Google on those devices this means that by default an Android or iPhone will always identify it to Google and thus we’re back to every click being tracked when you’re using a production phone the solution is to use a privacy phone like a Brax 3 Brax 3 and pretty much all other the Google phones have no Google login they are running a variant of Android open source project a OSB which has no Google code in it called GSM so I just caution you that if you do browser isolation on a computer or mobile but you don’t pay attention to the kind of mobile device you have then you will not have solved the problem completely final thoughts the Google botnet is it sci-fi it’s live and depending on where you live it will be embedded in up to 80% of all websites and you can see how this works live on Brax that live there’s a similar Facebook botnet but I don’t choose to do isolation on Facebook unfortunately Facebook is more dangerous so the only option is to not be on it or on any meta platform the Google botnet is a nasty surveillance system but we can be safe from its prime fingers with this strategy three browsers Chrome brave Firefox Google only on Chrome brave as the default browser use a de-google phone folks I’d like to invite you to visit our community site Brax me which has a growing community of privacy enthusiasts there are people from various walks of life and beliefs converged together in the mutual support of privacy issues please join us we created products in our Brax me store for the purpose of defending our privacy do you want a pseudo anonymous phone number that can be used instead of your very public phone number that’s Brax virtual phone do you want an email address that removes IP addresses and allows you to create unlimited email identities with aliases that’s Brax mail do you want a VPN you can trust instead of the big Eastern European conglomerates that dominate the VPN business that’s bites VPN we have other products and services like various Google phones and OS flashing services the very successful Brax 3 phone is also available for pre-order on its second batch the first batch has been sold out information about that is on Brax tech net thanks also to those who donate to us on patreon locals and YouTube memberships you are all appreciated see you next time
[tr:trw].

See more of Rob Braxman Tech on their Public Channel and the MPN Rob Braxman Tech channel.