Of software downloads and unique identifiers

When you visit a website, there is a chance that you are tracked by the operators of the site or by third parties. Whether that is the case depends on the site in question and which third-party connections it makes.
Software vendors and download sites may track users who visit their websites. They may track the pages that users open or where they came from.
What most Internet users may not know is that vendors may also embed unique identifiers in software downloads.
A recent article on the Ctrl blog suggests that software vendors embed identifiers in software downloads for various reasons.
Companies use two different means to add unique data to downloads: the first adds data before or after code signature certificates on Windows or in extended file system attributes on Mac; the second adds data to downloaded file names.
The data is added on the fly after users start the download on the site.
Data that is added may include the IP address, web browser, marketing campaign data, or other data.
It is difficult to find out whether companies add unique identifiers if the first method is used, and most companies hide the fact that they do. To find out, you need to analyze certificates and use diff software.
The Ctrl blog analyzed downloads from popular companies and discovered that companies like Google or Yandex add unique identifiers to downloads, and that others, such as Avast, AVG, Avira, or WinZip, add marketing campaign data to the downloads.
The data is only useful if it is picked up again somehow. Companies may retrieve the data during installation and during upgrades.
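An added example, not code from the Ctrl blog or from this article: Authenticode leaves the PE checksum, the certificate table pointer and the certificate table itself out of the signed digest, so bytes placed there can vary per download while the signature still validates. The sketch compares two copies of an installer and reports whether they differ only in those ranges; all function names are assumptions of this example, and `make_sample` builds constructed stand-in files rather than real signed installers.

```python
import hashlib
import struct

def excluded_ranges(pe: bytes):
    """Byte ranges Authenticode leaves out of the signed digest."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = pe_off + 24                       # after signature + COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):         # PE32 / PE32+
        raise ValueError("unknown optional header")
    entry = opt + (96 if magic == 0x10B else 112) + 4 * 8   # data directory 4
    cert_off, cert_len = struct.unpack_from("<II", pe, entry)
    return [(opt + 64, opt + 68),           # CheckSum field
            (entry, entry + 8),             # certificate table pointer
            (cert_off, cert_off + cert_len)]  # certificate table itself

def signed_bytes(pe: bytes) -> bytes:
    """Everything outside the excluded ranges."""
    out, pos = bytearray(), 0
    for start, end in sorted(excluded_ranges(pe)):
        out += pe[pos:start]
        pos = max(pos, end)
    return bytes(out + pe[pos:])

def compare_downloads(a: bytes, b: bytes) -> str:
    """Classify two downloads of what should be the same installer."""
    if hashlib.sha256(a).digest() == hashlib.sha256(b).digest():
        return "identical"
    if signed_bytes(a) == signed_bytes(b):
        return "differs only outside the signed content"
    return "signed content differs"

def make_sample(tag: bytes, code: bytes = b"CODE" * 64) -> bytes:
    """Constructed stand-in for a signed installer (not a real signature)."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)             # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x98, 0x10B)            # PE32 magic
    cert = b"CONSTRUCTED-SIGNATURE-BLOB" + tag          # tag = per-download data
    struct.pack_into("<II", hdr, 0x118, len(hdr) + len(code), len(cert))
    return bytes(hdr) + code + cert

if __name__ == "__main__":
    first, second = make_sample(b"id=1111"), make_sample(b"id=2222")
    print(compare_downloads(first, second))
```

Two copies classified as differing only outside the signed content have different whole-file hashes even though the signed bytes are the same.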
In a follow-up blog post, Ctrl blog listed ways to limit the tracking in software downloads.
- Download from other sources or use legacy / offline installers. You may use reputable software sites to download many popular applications. Doing so ensures that tracking information is not added to software downloads.
- Change program names if the name contains unique information.
- Use an application firewall to block outgoing traffic. The method works only if the program does not require Internet access to function or if you configure the firewall to block outgoing connections to company servers.
- Use private browsing mode to limit tracking capabilities.
- Enable Do-Not-Track. Some companies, Mozilla for instance, honor Do-Not-Track.
I'd like to add that you could use portable software, as it is not installed and is often provided by third parties instead of the developing company.
Now You: how do you download software?


Thank you very much C, I appreciate it!
I always opt for portable. A lot of devs offer portable versions direct from the dev; foobar, mp3tag, vlc, textpad, sublime, curl, xplorer2, FSViewer, even many browsers, etc… Block ALL outgoing & incoming connections by default. Only allow your browser inet and your non-ms file manager network (137/9/445) access. I always use 2 port blockers; 1 for most apps and another to block the devious MS, whose corrupted apps unethically bypass Win 7’s firewall and the host file too. To browse, all you need is to allow 443 for https and 53 for dns; and if you use dnscrypt, 53 can be blocked too. I only allow 1 app, firefox, access to 443. All other apps are denied. Port 80 is a relic from the 1990s so I block it. If an archaic site insists on 80 I go elsewhere & never return (same with javascript). I also block MS IPs at the hardware firewall just for safety. You can find out MS IPs via wireshark installed on a stand alone, bridged 2 network card Unix box.
PS: To install a new app, I remove the cable because I have to disable my safety software which absolutely protects against changes to c:\, c:\winders, & c:\prog files and also via custom made rules, blocks execute from the temp & user’s dirs.
PSS: ALWAYS browse in a vm and ridiculously lock it down to the point it almost won’t boot. It takes a while but halt/disable/block everything not required to browse; i.e.: smb, server, workstation, printing, taskschd, GPclient, netbios-tcp, etc. Set dangerous files such as js, vbs, wmf, et al to open via notepad. Deny exec/remove access to powershell and other dangerous ms products. Install several non-ms security apps for further protection (ms security is an oxymoron). Once perfected, snapshot it and restore often or when something weird occurs. ALWAYS browse as non-admin; use dropmyrights or remove admin rights from your user. There are about 100 more things you have to do, but this is a start. ooops, sorry went off the reservation about devious app installers, but it’s all part of it.
@Steve – don’t apologize for being slightly off-topic. It all helps. Helped me !
You should have your own blog buddy.
Very useful information.
So they are signing each file digitally AFTER adding a unique identifier? Is this what they are doing?
Mozilla (Firefox) also has a different kind of tracking in their funnelcake system, basically running browser experiments via its download portal. Thus, even though they don’t embed unique identifiers, you can still get a different download if you’re (un)lucky.
On Windows use Simplewall in whitelist mode filtering, that will block all outgoing traffic.
On Linux use Gufw or OpenSnitch.
Get it all from Github.
I don’t see any way to block out-going traffic with the built-in firewall on Macs – It’s easy to block incoming traffic. I block out-going traffic with modem settings. There is an excellent program for Macs called “Find Any File” that’s available at the app store. I use it to track down every reference to an app or app developer’s name. Hidden files/cookies are easy to spot and trash.
I don’t recommend using a firewall on your computer for anything except a backup defense. You should be using a standalone firewall. Not only will that allow you complete configurability, but it will also make it immune to any shenanigans that might take place on your computers (malware, your OS deciding to bypass firewall rules, etc.)
Windows Firewall Control / Windows Firewall, etc offers much more granular control of your network and internet traffic from individual apps than a hardware firewall on your network. Ppl should be using both for sure. Each on its own isn’t the full answer but using both goes a long way.
@John Fenderson
Thanks, I’ll see what’s available.
I assume most software is doing something like this.
Some software won’t work or have critical features disabled unless you go online. Others give away free lifetime license “Pro” versions at the expense of more hidden trackers than their reduced feature set free versions.
Not sure the form (portable, installer, first thru 10th party source, offline installer) makes much difference. If a package clearly claims to not track or not ID customers, they may not; otherwise expect to be identified.
Periodically I look at my firewall and block anything I can that phones home but that doesn’t necessarily mean the OS or something else isn’t doing it instead; MS is a de facto ad company too, you’d have to trace every connection made.
I read an article earlier today on google’s latest quarterly report which contained the lines “…of the major online advertising companies…” and “…chrome, the most popular search based ad engine…” They’re not even trying to fake it any more. LOL!
VPNs are showing up in TV ads, just don’t get a fake one. Argh!
Even open source software can have a unique identifier, e.g. ebook management program Calibre:
“Every calibre installation has a unique ID, this ID remains unchanged by upgrades and even an uninstall/re-install. This ID is used to collect usage statistics. Only this ID is stored, no other identifying information is collected.”
(https://calibre-ebook.com/dynamic/calibre-usage)
I repeat: “this ID remains unchanged by upgrades and even an uninstall/re-install.”
Why many people don’t care about privacy is because they think the only way of being identified is by email address (and user name) or mobile phone number.
Instead, it’s actually people’s IP address that’s been made into an identifier or (potential) customer id.
Even without IP, the other breadcrumbs left while browsing can narrow down a pool of say a million users to a thousand, giving ad suppliers a higher likelihood of targeting the right users. Start with a thousand potential marks and it gets much easier; User X with a few possible IP’s is almost the same as if that user’s true name and IP are known.
If it is just a question of ads while, then the problem can easily be solved with an ad blocker or uBlock Origin.
@ Gerard,
> “Even open source software can have a unique identifier, e.g. ebook management program Calibre”
answers my above question (sorry for quoting myself),
“But how would I know if the application downloaded from its original source isn’t itself embedded with a unique identifier?”
Which means that a unique embedded identifier can happen to be included in an application downloaded from the very developer’s Website. That’s when Superman cries like a kid.
More and more I’m using offline installers and portable or enterprise editions (not PortableApps), most having their own unique id.
Also, I’m making sure I’m not “logged in” or “synchronizing” any operating system or software like Windows 10 Pro, Office 2016 and Chrome.
I’m using Chromium’s user profiles, and make sure the rest of my privacy settings are set.
I think what I’ve mostly learned is to actually start documenting the changes I’m making, or which settings are set. Which programs I’m downloading, and where they are from.
I refuse to use Stub installers, and always look for a portable version. However, I’ve had a very good amount of success, installing in my VM, and then porting the files over to my Non-VM OS, and then “restoring” the VM back to pre-install…
In other words, installing in the VM, purely to get a folder structure to copy and paste, then rolling back.
In almost all the times I’ve done this, the ‘resulting’ software has worked without any issues that I have found, which flies in the face of the usual situations you might expect to have found, re: missing registry entries.
I hate what some software might be doing to my registry, and I’ve almost completely addressed this by using this method. You’d think this would often not work….but it does. I’m guessing that Reg. entries are still made…..but on the fly, and likely far less far-reaching. Try it!
Nasty behaviour. It’s mostly present in online/stub installers – one of the many reasons I refuse to use this kind of installers. Or when 3rd party websites repack the program, such as C|rap|NET, using their own installer.
Either provide a clean installer, or a portable version, or else I start looking at alternatives.
How do you know if an installer is clean?
Trust the developer. On programs like AIMP, VLC, Paint.NET, PaleMoon, etc. If it’s not an option, test inside a VM. If it screws the virtualized OS then restore it and look elsewhere.
The screwing up of a (virtualised) OS does not mean that there is an identifier, and the not screwing up does not mean there is no identifier. In other words, an identifier is not related to the quality of a program.
True. My main reason for doing it is so I can see if a program uninstalls nicely, with no leftovers, and what the install process is like (any PUPs, file or protocol association questions, etc). All that being disconnected from the internet.
I already said stub installers are a no go for me. For the few programs I install I do make sure I get the version everyone else gets, not a special, uniquely identifiable one. Installer is run without internet, and if possible to avoid it (even by extracting it with 7-zip) I will gladly do so.
Currently I have 17 programs installed, minus drivers. However, my portable folders (I have two) have 155 main subfolders. That’s 155 portable programs and installers which I did not have to run. I also have no need or desire to install any of those programs which would potentially want to track the installation process in the first place – such as AV software, Chrome, or other programs which I do not understand why they need to exist in the first place, such as WinZip (7-zip is superior in every possible aspect).
They don’t miss one (tracking) bit, do they?
I always download applications/software from their developer’s Website, for security reasons. Now, with embedded unique identifiers, privacy becomes another argument.
But how would I know if the application downloaded from its original source isn’t itself embedded with a unique identifier?
I tend to disconnect from the Web when installing .msi files, maybe should I proceed the same with all installers?
I also rename those files which sound closer to a tracking url than to a plain file name, often encountered with Microsoft installers by the way.
Embedded unique identifiers maybe explains my surprise when comparing hashtags of two same version files, same name, same size… if so, this would explain that.
I’m wondering, not sure, who has the answer? : to what point are hashtags relevant?
CRC32, MD5, SHA-1, will they systematically be changed by whatever embedded identifier? In other terms can a unique identifier be included that would fool those hashtags?
They don’t miss one (tracking) bit, do they? (bis!)
No, the hash string (i.e. SHA256) should be unique. Flipping one single bit of data (not including metadata, like filename, attributes, modify date, etc) from a file should result in a completely different string, even though the file size would be 100% identical.
Correcting myself, “hash string” not “hashtag”.
OK, Yuliya. That’s what I thought until a friend of mine started sharing his doubts about the uniqueness of hash strings…
I used to use Glary utilities which also facilitates FilePuma. I stopped using them and now I only use the site of a particular software program I need.