You repeated this like 10+ times already in this thread, but never explained it why it's so evil. You just assume everybody is on the same page that tracking (logging actually) is bad, but it's far from obvious.
The fact that I can see access log in my web server is just a helpful tool for me as a developer to improve my services. I think the majority of sites use this in good faith and keep products healthy.
If your threat model involves secret services tracking your activity down based on downloading favicon.ico, then you might have more serious problems than architectural choices of the web platform.
Because 10+ times people keep not getting that while native apps can track you, all Web apps do track you and fed every single action into marketing engines, even if then don't public acknowledge doing so.
At my day job, we make a web application for health records that can be deployed inside an air-gapped intranet. Surely you don't think that's feeding a marketing engine?
That's a different question. All over this thread, you're repeatedly saying that 100% of web apps are feeding marketing machines. I have a counter-example.
It's a separate question of how a patient can be sure of that fact. There's actually not a really reliable way a patient could even become aware of the existence of this product, since they would never see it or be informed of it. Patients are not users of this product. Users could ask their IT department for a log of outgoing internet-bound requests from the servers. Or ask whether those servers even have the capability of contacting arbitrary third parties.
Sorry, but until you present conclusive proof that you don't, we better assume that you do. Unfair? Sure, possibly... But that's just the risk you took in choosing to use the same technology as all the personal info thieves.
I mean, one could also be running around in a supermarket in a balaclava without intending to rob the cashier -- but would you assume someone you saw doing that wasn't going to do exactly that?
You can look at the network tab of your browsers dev tools. You can see everything being exfiltrated that way.
In fact, that's pretty similar to the technique that you'd use to check on a local app too, except it's built into the browser.
I'm not particularly interested in convincing anyone that some app is or isn't leaking their data. If you don't want to use web stuff, don't use it. But I do take issue with assertions that 100% of all web apps must be doing that kind of stuff. It's obviously not true. You can develop your own web app from scratch that doesn't do it, which is sufficient to form a counter-example.
Sure I can. And you can. But to 99% of users, you're talking Greek -- ancient, not modern. And hey, BTW: Can we always? Where's the "Dev tools" menu on my phone browser?
And one counter-example does not a summer make. As long as 99% (typical Internet statistic, i.e. pulled from my mether regions) of web apps harvest your data for sale, that last percent won't get the benefit of the doubt: it's far too difficult and uncertain to find out which percent that would be.
The fact that I can see access log in my web server is just a helpful tool for me as a developer to improve my services. I think the majority of sites use this in good faith and keep products healthy.
If your threat model involves secret services tracking your activity down based on downloading favicon.ico, then you might have more serious problems than architectural choices of the web platform.