Bounce Tracking

From MgmtWiki
Revision as of 14:08, 14 March 2022 by Tom (talk | contribs) (Context)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Full Title or Meme

A technique for putting Third Party Cookies into the URL.

Context

Some of this material is from this article on Ars Technica.

Advertisers pay well for tracking users. Even when the visitors' choice is to block third-party cookies—the identifiers that track browsing activity as a user moves from site to site—they find sneaky ways to bypass those settings. Now, makers of the Brave browser are taking action.

Earlier this week, Brave Nightly—the testing and development version of the browser—rolled out a feature that's designed to prevent what's known as bounce tracking. The new feature, known as unlinkable bouncing, will roll out for general release in Brave version 1.37 slated for March 29.

Overriding privacy Bounce tracking is one of the key ways websites circumvent third-party cookie blocking. When a browser prevents a website such as site.example from loading a third-party tracking cookie from a domain such as tracker.example, site.example pulls a fast one. When site.example detects that the tracker.example cookie can't be set, it instead redirects the browser to the tracker.example site, sets a cookie from that domain, and then redirects back to the original page or a new destination.

With that, the tracker.example cookie gets passed through a URL parameter and then gets stashed as a first-party cookie on the landing page. Once tracker.example places itself between enough of the sites a visitor browses, the tracker eventually builds a detailed profile of that activity, including the user's interests and demographics.

The image below shows how third-party cookie blocking is supposed to work. When the user moves from site-one.example to cats.example and later from site-two.example to cars.example, there's no way to track those movements as coming from the same person.

Bounce tracking circumvents this arrangement by inserting a third-party tracking site such as tracker.example in between the originating site and the cats.example or cars.example sites the user later browses to. Tracker.example then records that it was the user who visited both cats.example and cars

While browsers that support third-party cookie blocking have existing mechanisms designed to thwart bounce tracking, this sneaky form of surveillance remains hard to defend against, since the browser doesn't know beforehand that it will be directed to tracker.example. That's where unlinkable bouncing comes in.

Ephemeral storage to the rescue

In a post, the Brave privacy team on Wednesday outlined the process that unlinkable bouncing uses. In a nutshell, unlinkable bouncing checks the site a user is about to visit against a list of URLs known to perform bounce tracking. When a destination site appears on the list and Brave has no cookies, localStorage, or other data related to it, the browser automatically creates a new one-time browser storage area for the site.

Once a user leaves the tracking site, Brave deletes the temporary storage. Because the data is no longer stored, the tracking site will be unable to re-identify the user the next time they are bounced through it.

Brave has several other ways to prevent site tracking. They include query-parameter stripping, debouncing, and (when blocking is set to aggressive mode) a warning to give concerned users a chance to back out.

References