[-] coffeeClean@infosec.pub 1 points 7 months ago

I think the author said he was in Australia, but he felt like it’s an encroachment by the US in some way.

[-] coffeeClean@infosec.pub 4 points 7 months ago* (last edited 7 months ago)

What does referencing mean exactly?

Sometimes HTML email comes with the logos and objects needed to render it, sometimes not. When the objects are included it’s possible to render the message while offline. In the case at hand, the logo was not included and the HTML body defined a logo with that unique URL inside img tags.

At the very least, if we assume the tracking is appropriate and that it’s consistent with the privacy policy and ToS I agreed to, I would still find it objectionable that a government would conceal the fact that they are using a tracker pixel/image by withholding the content-length header. The gov should be transparent about what they are doing. They should even disclose in each such message “we have a tracker pixel in here”, for transparency, which should not be an issue if it’s legit. I personally need the content-length header because I’m on a shit internet connection and have a need to know how big something is before I fetch it. So I’m disturbed that all Cloudflare sites (which is like ½ the web now) withhold the content-length header. The agency at hand is sloppy with privacy and probably sloppy with everything. It’s not necessarily malicious, but nonetheless I’m not going to lower the standard to which they should be held.
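A defender-side check for the situation described in this comment (example code added here, not from the original post). It parses a constructed sample message, separates images shipped inside the mail (`cid:`) from remote references, flags remote URLs carrying a long opaque token or 1×1 dimensions as likely trackers, and reports whether a HEAD response header block discloses Content-Length; the hosts and the token are made up.

```python
import email, re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: one embedded (cid:) logo, one remote logo with an
# opaque per-message token in its URL, one ordinary remote image.
SAMPLE_EMAIL = """\
From: notices@agency.example
Subject: Your notice
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello</p>
<img src="cid:logo@agency.example" alt="logo">
<img src="https://mail.tracker.example/logo/a8F3kL9qZx2Wm7Bv1pR4tY6uN0sE5cD.png" alt="logo">
<img src="https://www.agency.example/static/seal.png" alt="seal">
</body></html>
"""

class ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.imgs = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.imgs.append(dict(attrs))
OPAQUE_TOKEN = re.compile(r"[A-Za-z0-9_-]{20,}")  # long id that looks per-recipient

def classify_images(raw_message):
    """List remote <img> references in an HTML mail and flag likely trackers."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    collector = ImgCollector()
    collector.feed(html_part.get_content() if html_part else "")
    out = []
    for attrs in collector.imgs:
        src = attrs.get("src") or ""
        if src.startswith(("cid:", "data:")):
            continue  # shipped inside the message: renders offline, no callback
        url = urlparse(src)
        tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
        opaque = bool(OPAQUE_TOKEN.search(url.path + url.query))
        out.append({"host": url.netloc, "src": src, "likely_tracker": tiny or opaque})
    return out

def content_length_disclosed(raw_head):
    """Report whether a HEAD response's header block (as curl -I prints it) announces the body size."""
    hdrs = dict(l.split(":", 1) for l in raw_head.splitlines()[1:] if ":" in l)
    return "content-length" in {k.strip().lower() for k in hdrs}
```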

[-] coffeeClean@infosec.pub 2 points 7 months ago* (last edited 7 months ago)

That’s cheating. I wish it were that easy but I really can’t create another account for this. I will ask around if anyone else has an account so we can compare notes. But I was just wondering if there is anything else I can do in a solo investigation to get more clues. It would generally be a useful skill to detect messages from other senders as well. ~~I did a search on the domain to see if it’s a known service that sells tracking capability but that came up dry.~~ nvm, it seems mailjet.com is behind this and they appear to be pitching analytics services.

[-] coffeeClean@infosec.pub 3 points 7 months ago

Emoji work, just not pics. But thankfully someone on a proper connection handled it.

[-] coffeeClean@infosec.pub 1 points 7 months ago

Probably. But if you want that anti-theft feature, I wonder if you could disable it and then install another app for that which serves you alone. Whatever you install probably wouldn’t be baked into the kernel but probably a good trade-off.

[-] coffeeClean@infosec.pub 4 points 7 months ago

I would ditch an app that can’t handle text. You want a screenshot of what, curl’s output? I’m on a shitty connection with images disabled so it’s a bit of a hassle and uses my allowance.

[-] coffeeClean@infosec.pub 1 points 7 months ago

bleepingcomputer·com ← cloudflare site. Should be prefixed with web.archive.org/web/ or cautioned.

[-] coffeeClean@infosec.pub 1 points 7 months ago

Okay, so it’s either:

  • incompetence (getting breached); or
  • malice (selling your data)

They might have been better off claiming incompetence. OTOH, we already know AT&T is malicious from project Fairview, so perhaps in the end it’s better for PR to just stay in the malicious lane and not be regarded as both malicious and incompetent.

[-] coffeeClean@infosec.pub 3 points 7 months ago* (last edited 7 months ago)

> As for PayPal, well, your cc / bank also shares lots of data.

Paypal is not a bank. Paypal is an additional MitM. Using Paypal adds another surveillance capitalist to the chain along with your bank and credit network. But indeed, the banks and credit cards are shit so I am fighting the war on cash quite hard. I’ve already been dragged into court for insisting on paying a creditor in cash. I won that case and will continue insisting on cash payments.

> If your threat modelling is that severe

My threat model simply includes mass surveillance, which is in the threat model of everyone who understands and embraces privacy. It’s worth noting that it’s not purely an infosec stance. I also object to feeding a supplier who is acting against me. The moment I detect that a supplier is working against me, I walk on ethical grounds. They have failed to earn my business. The snooping just happens to be the manner in which they are working against me.

> your best bet is Tor Craigslist,

I was doing that at one time but something pushed me off. I don’t recall what, whether it was SMS verify or CAPTCHAs or phone numbers or fussy email address verifiers... something drove me off.

[-] coffeeClean@infosec.pub 3 points 7 months ago* (last edited 7 months ago)

Ethical consumers patronize the lesser of evils, and go without if it’s feasible given only quite shitty options. Affluenza-driven OCD consumption is the unhealthy obsession that ethical consumers manage to avoid.

[-] coffeeClean@infosec.pub 3 points 7 months ago

I think someone mentioned this is in the Play Store services stuff that’s hardwired into the platform. Which means if a device is unrooted you can possibly do: `$ adb shell 'pm disable --user 13 com.google.android.gms'`.

[-] coffeeClean@infosec.pub 2 points 7 months ago

To be clear I linked to someone else’s post. I don’t have the Pixel phone.


coffeeClean

joined 1 year ago