Browser settings alone are not enough

Browser settings alone are not enough

Browser settings alone are not enough

©2023, Baycloud Systems Ltd. All rights reserved.

More than a decade after efforts to standardise a Do-Not-Track signal were started, and more than 4 years after it was finally disbanded at the behest of Big Tech, attempts to drain the online tracking swamp via exclusively techniical means have continued to fail.

Tracking people online across the web via "link decoration", "navigation-tracking" or "bounce-tracking", was predicted in 2014,

Safari (and eventually other UAs) by default implement third-party cookie
blocking, but this does not stop cookies placed via a redirection to a
first-party link. 

To get round these default blocks, a tracker could supply a JavaScript
library, or an external link to it. On page load this would automatically
scan all the links on a page and edit the href Uris to point to the
tracker’s domain inserting an extra query parameter to enable a return to
the ostensibly visited site via a 30x redirect.

and in use by 2015.

There is also a danger that less scrupulous companies will develop similar script that circumvents third-party cookie blocking without explaining at all to users what they are doing. Regulators and privacy watchdogs should be on their guard for this. It is also worth noting that could be impossible for browser extensions like Ad Blockers to spot third-party cookie placement through redirection, because the interception is only visible for a very short time, and could be implemented completely using in-line script.

This is a highly successful, but difficult to detect, tracking technique designed to bypass restrictions on more traditional "third-party" cookies.

As this recent proposal for navigation tracking mitigations from some browser companies explains there will always be loopholes to browser based privacy enhancement techniques which determined bad actors will exploit.

The only way to rid the web of the cancer of unconsented online tracking is well-drafted, technically germane privacy law properly enforced by compentent regulators, imposing obligations on both browser companies and websites.

Of course browser based mitigations are important, but they must be standardised, ubiquitous and backed as widely as possible by robustly enforced law, with significant penalties for avoidance.

The EU's ePrivacy Regulation will eventually contain much of this, but, though initially proposd more than 7 years ago, has been unfortunately stuck in in limbo through the embarrassing incapability of EU institutions to agree.

See our blog posts about this and similar issues going back to 2011

The public mailing list of the W3C Tracking Protection Working Group aka Do-Not-Track