A technique is used to enable the third-party tracker by bypassing the tracking prevention function



The behavior on the web is monitored by various tracking tools, but in recent years it has become more important to protect user privacy, and browsers such as Firefox are also equipped with a default tracking prevention function etc. It was. However, it has been reported that a new 'tracking method that works out of existing tracking prevention functions' has been discovered.

Address 1st-party tracker blocking · Issue # 780 · uBlockOrigin / uBlock-issues · GitHub

Invasive scheme spotted that foxes tracker blockers | TechCrunch

A common method for tracking user behavior is to use

cookies . Cookies include first party cookies issued by websites actually visited by users and third party cookies issued by other domains. Third-party tracking is performed across multiple websites, and information such as user browsing history is used for targeted advertising.

In recent years, there has been an increasing trend that such third-party tracking is a violation of user privacy. Apple, for example, announced a new anti-tracking policy in 2019, which was pointed out to TNW , an overseas media, that it would treat online tracking as if it were a security vulnerability.

Apple will soon treat online tracking like security vulnerabilities-GIGAZINE

However, according to what GeriHub user aeris reported in November 2019, 'a tracking technique that cannot be avoided with existing tracking prevention tools has been discovered.' The tracker in question seems to have been discovered on the website of the French daily newspaper Liberation , which announced in October 2019 that it would 'eliminate all ad trackers for subscribers and protect personal privacy.'

A technique discovered on the Liberation website is to embed a first party tracker in the website using a subdomain that redirects to a third party. The subdomains used are almost random, and unless you block the Liberation website itself, it seems difficult to prevent tracking this way.

The Liberation website used this method to enable user tracking by a company called Eulerian, which performs data-driven analysis. Liberation insists on this issue: “We did n’t track subscribers for targeted advertising, just collect data for website analysis”.



At the time of writing the article, it seems that the tracking method discovered this time that is difficult to block is not widely used. Nonetheless, TechCrunch points out that this approach can be a valid alternative for websites seeking an alternative tracking method to existing third-party cookies.

Lukasz Olejnik , a privacy researcher at the University of Oxford, said, “This setting can effectively avoid tools that prevent third-party tracking if part of the domain name contains unpredictable strings. Pointed out. According to Olejnik, a method to circumvent similar anti-tracking tools had already been developed as of 2014 . Even so, it was not so popular because the motivation to introduce this method was weak so far, but in recent years the trend of protecting user privacy has strengthened, so it is highly possible that the number of websites to introduce will increase Mr. thinks.

About how to disable the tracking method similar to the one discovered this time, Olejnik suggested that the tracking prevention tool has a custom check mode that detects the specific tracking method used by the website.


in Web Service,   Security, Posted by log1h_ik