Invasive scheme spotted that foxes tracker blockers

Online privacy is facing a new challenge: A first-party tracker that appears to be unblockable with standard privacy tools such as adblockers.

The tracker in question was spotted being deployed by French national newspaper, Liberation, which in October promised subscribers an entirely tracker-free experience.

That promise garnered it a bunch of attention from privacy experts who dug around and found a first-party tracker embedded on its site which uses a subdomain (that’s mostly random) in order to redirect to a third party — thereby making it difficult to block (i.e. without also blocking Liberation’s own domain).

“To participate in this rather invasive scheme, a website operator needs to make a decision to delegate the domain name alias,” explains Dr Lukasz Olejnik, independent privacy researcher and advisor, and research associate at the Center for Technology and Global Affairs, Oxford University.

“It’s a setting where the website the user visits delegates a domain name alias to a third-party script provider. So when the user visits example.com, the alias for the content might be Y.example.com, which in reality points to a site third-party.example.org, a third-party server.

“This setting can effectively bypass third-party trackers and adblockers, especially if the domain name part contains unpredictable strings. This is because the user is visiting a website where a tracker could work in context of the first party, the visited website.”

On Liberation’s site the tracker points to the domain of a French “marketing optimization” provider called Eulerian, which sells data-driven analytics to websites. Liberation claims, though, that its subscribers aren’t being tracked via this method for ad targeting purposes, only so that it can gather site analytics. (Non-subscribers will be tracked for ad targeting, however.)

The newspaper’s own fact check team have reported at length on the controversy here — covering both privacy and security implications of its use of the first-party tracker scheme, and noting that privacy researchers are working on methods to defeat the technique. 

Zooming out, while the unblockable (or at least tricky to block) tracking scheme does not appear to be being used very widely as yet, there’s a chance such a technique could be taken up more widely if sites look to replace third party tracking cookies with alternatives.

This is because web browsers have been taking an increasingly proactive approach to squeezing the operation range of tracking technologies. Mozilla recently switched on third-party cookie tracker blocking by default, for example. While, this summer, WebKit announced a new tracking prevention policy that put privacy on a par with security. Google has also announced changes to how its Chrome browser handles cookies.

“Exact prevalence is unknown but it is fair to say thousands of sites subscribe to this particular scheme from the provider now under discussion, among them some very popular sites,” says Olejnik. “The technical possibility of such a scheme is not entirely new, in fact I did see it in use in 2014. There may have been less motivation to use it until now, though.”

“Focusing on forward-outlook is sometimes useful, isn’t it?” he adds.

Asked about practical ways such tracking might be defeated, Olejnik suggests tracker blockers would need to devise a “custom mode of checks to detect these specific schemes” — as they work on “slightly different principles than other ways of including third-party content”.
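One shape such a custom check could take, as an added example that is not code from the article, from Olejnik or from any blocker project: resolve the hostname a page requests to the end of its CNAME chain, then compare the site of the final name with the site of the page. The DNS records, the tracker list and all function names are constructed for illustration, and the two-label `siteOf` helper is a simplification of a Public Suffix List lookup.

```javascript
// Constructed CNAME records (hostname -> alias target); not real DNS data.
const SAMPLE_CNAMES = new Map([
  ["x7f3q.example.com", "third-party.example.org"], // delegated alias, as in the quote
  ["static.example.com", "cdn.example.com"],        // alias that stays on the same site
  ["img.example.com", "edge.example.net"],          // leaves the site, not a listed tracker
  ["loop-a.example.com", "loop-b.example.com"],     // misconfigured loop
  ["loop-b.example.com", "loop-a.example.com"],
]);

// Third-party sites the blocker already lists as trackers (constructed placeholder).
const TRACKER_SITES = new Set(["example.org"]);

// Normalise case and a trailing root dot.
function normalise(hostname) {
  return hostname.toLowerCase().replace(/\.$/, "");
}

// Simplification: treat the last two labels as the registrable domain.
// A real blocker would consult the Public Suffix List instead.
function siteOf(hostname) {
  return normalise(hostname).split(".").slice(-2).join(".");
}

// Follow the CNAME chain to its end, stopping on loops or overly long chains.
function canonicalName(hostname, cnames, maxHops = 8) {
  const seen = new Set();
  let current = normalise(hostname);
  while (cnames.has(current) && !seen.has(current) && seen.size < maxHops) {
    seen.add(current);
    current = normalise(cnames.get(current));
  }
  return current;
}

// Classify one request made by a page.
function classifyRequest(pageHost, requestHost, cnames, trackers) {
  const target = canonicalName(requestHost, cnames);
  if (siteOf(requestHost) !== siteOf(pageHost)) {
    return { verdict: "third-party", target }; // ordinary blocklist rules apply
  }
  if (siteOf(target) === siteOf(pageHost)) {
    return { verdict: "first-party", target };
  }
  // First-party name, third-party destination: the scheme described above.
  const listed = trackers.has(siteOf(target));
  return { verdict: listed ? "cloaked-tracker" : "cross-site-alias", target };
}
```

The `cross-site-alias` verdict matters because many sites alias subdomains to CDNs, so a blocker that acted on every cross-site CNAME would break ordinary content.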

Perhaps more effective at skewering such tricky schemes might be a recent ruling by Europe’s top court which clarified that user consent must be obtained prior to storing or accessing non-essential cookies, and cannot be implied or assumed.