In the never-ending battle between online trackers and blockers, the companies producing the trackers tend to stay a bit ahead, constantly tweaking their techniques in order to keep tabs on people as they move around the web. This forces the ad blockers to adjust in turn, and recently the EFF made a significant change to its Privacy Badger browser extension that detects and blocks a technique known as cookie sharing that Google Analytics and other trackers use to get around the way many blockers detect and prevent cookie-based tracking.
The change means that Privacy Badger now provides users with more comprehensive protection from the tracking performed by Google Analytics, which is deployed on a significant fraction of the web. Millions of sites use Google Analytics to track visitors and their activity on the sites and many other extensions and ad blockers already block Google Analytics through various techniques. Privacy Badger uses a handful of different rules for detecting and blocking trackers, specifically looking for the types of behaviors that indicate tracking activity. The extension looks for a site trying to set a third-party cookie, which is the most common type of tracking activity; sites that set so-called supercookies, which are more persistent; and browser fingerprinting.
Google Analytics, along with some other trackers, doesn’t use any of those techniques, so Privacy Badger wasn’t having much success in blocking it. And because Google Analytics is present on such a large portion of the web, that was a problem. So the EFF has modified Privacy Badger to detect and block the use of cookie sharing, a technique that allows sites to make use of cookies set by other sites.
“It works like this: When you visit a website, the page loads a piece of JavaScript from a third-party server. That JavaScript runs in a first-party context and sets a cookie associated with the first-party domain, like “example.com.” Your browser allows the third-party JavaScript (running as part of the first-party page) to read and update the cookie. Then, the JavaScript sends off a request to the third-party tracker. Normally, cookies are automatically sent alongside requests, and the browser controls who sees what cookies—it wouldn’t allow a first-party cookie to be sent to a third party like Google,” Bennett Cyphers, a staff technologist at the EFF, wrote in a post explaining the reasons for the change.
“However, since Google’s script is able to access the cookie, it can stick the cookie value right into the request itself (specifically, into the “query string” portion of the request). Google receives the identifier from the first-party cookie and uses it to link the request back to a user profile.”
In order to detect cookie sharing, Privacy Badger checks each new third-party request for several different conditions. It looks to see whether the request is an image request first, as most cookie sharing employs tiny tracking pixels, which are essentially images. Next, it determines whether the request URL contains query arguments, which are used to send extra data with image requests. Lastly, Privacy Badger looks for any query arguments with big pieces of data that have information in common with first-party cookies set by a site. If those three conditions are true, then Privacy Badger sees it as a tracking request.
EFF tested the new capability against the top 10,000 sites and identified five new domains that were tracking on the largest number of those sites, including Google Analytics, Chartbeat, and Nexac.
“The techniques used by trackers are always evolving, so Privacy Badger’s countermeasures have to evolve, too. In the process of developing the new cookie-sharing heuristic, we learned more about how to evaluate and iterate on our detection metrics. As a result, Privacy Badger is stronger than ever,” Cyphers said.