Nick Tanic and I did a group work on this assignment and came up with a tracking system solution. The source code is available here: https://github.com/mikahayk/veillance-craigslist.
Our idea was to gather information from people by placing our tracking URL in one of the popular platforms across the web. We decided to move on with Craigslist. I did a fake post about a bicycle, which I was giving away for FREE. It immediately caught the public attention, and during an hour I have received up to 30 email requests. I included the tracker URL in the post description, referring it as a link to the address on a map where people were supposed to take the bike from. But in fact, I am planting a cookie when user is visiting the website, following by immediate redirect to the actual Google Map after the “page” is loaded. It is enough time to get all user information logged into session.db. I do not really have any content on the page, except the JavaScript code for Cookie and Signature.

Note, live URL to the ad is not available, as I have already unpublished it, but the free give away post looked like this:

The description message looked like the following, asking to visit the URL in order to see the bike pickup location:

At first, I wanted to make the URL look less fraudulent, and so I encoded it with URL Shortener service. But it turns out that Craigslist blocks all the suspicious URLs which do not correspond their content policies.

The experiment took 40 minutes.  

I had 12 requests to URL, from 7 unique locations. I received 25 email requests willing to get the bike. People were leaving their contact information and from the email messages I could be able to gather the data about them.

More info about the results available not for public: https://itp.nyu.edu/classes/v-sp2019/2019/02/12/craigslist-tracking/

Final comments:

We haven’t used an image to plant a cookie, rather used a URL. I referenced it as a link to Google Map address. It is very worrying how easily you can create a fake online presence and get real information from real people. In fact, there is way more improvements could be done to make the “trap” more realistic. It is very interesting to think about how people believed that a URL, which does not contain at least a domain name http://142.93.252.105 can be a Google Map address. Unfortunately, Craigslist does not provide any analytics about the traffic. Which makes me unable to play with that data and come up with conclusions.

The bottom line – So, what percentage of users are technologically illiterate?

PS. I have added a function in the server to be able to get the user IP address. See line 89, 98.

function getCallerIP(request) {
var ip = request.headers['x-forwarded-for'] ||
request.connection.remoteAddress ||
request.socket.remoteAddress ||
request.connection.socket.remoteAddress;
ip = ip.split(',')[0];
ip = ip.split(':').slice(-1); //in case the ip returned in a format: "::ffff:146.xxx.xxx.xxx"
return ip[0];
}