Cross Site Tracking and Online Privacy

Cross site tracking and online privacy are two topics that are closely linked. Cookies are a key tool used by websites to track user behavior across multiple sites.

Cookies can be used to create a profile of a user's browsing habits and interests, which can be sold to third-party advertisers. This is a major concern for online privacy advocates.

Most websites use third-party cookies to track user behavior, and these cookies can be used to build a detailed picture of a user's online activities. This is often done without the user's knowledge or consent.

Online tracking can be done in various ways, including through the use of pixel tags, web beacons, and JavaScript code.

What It Is

Cross-site tracking is a digital phenomenon where your online activities are monitored and recorded by trackers embedded in the websites you visit.

These trackers are made up of small pieces of software like cookies, widgets, scripts, or tiny images that log every action you take.

You might have noticed social media buttons on websites, which are often included for analytics but also send your data back to those platforms.

Cross-site tracking creates user profiles by monitoring online activity across multiple websites, giving a clear picture of your interests and preferences.

Some of the most commonly used web tracking systems are widgets, scripts, or minuscule images embedded in the websites a user visits.

These trackers pursue you and keep a log of every activity while you browse the web, making it feel like a slight invasion of privacy.

Why It Exists

Cross-site tracking exists to make your online experience more personalized and convenient. Most sites collect data to remember things like language preferences or what's in your shopping cart. This helps browsing feel easier and publishers' services better. Cookies, small data files stored by your browser, are often used for this purpose.

You've probably noticed that some websites remember your preferences even when you revisit them. This is because of cookies, which can also be used to follow you around the web and serve up ads based on your browsing history.

Cross-site tracking provides useful analytics and improves your online experience by storing information such as your language preferences and login details. This data is also used to aid in product improvement and personalize your browsing experience through targeted advertising.

For example, if you're an avid runner who frequently searches for athletic gear, you'd likely prefer seeing ads for the latest running shoes and fitness equipment rather than for unrelated products. This tailored advertising, enabled by cross-site tracking, aligns advertisements with your specific interests based on your browsing patterns.

Cross-site tracking is used by multiple sites to monitor user activity, and it's not just limited to one website. Third-party apps can also gather and access this data, making it a widespread practice.

When It's Problematic

Cross-site tracking raises significant privacy and security concerns. Not knowing how much of your data is collected and for what purposes can be alarming.

Third parties, such as advertising networks and data brokers, often collect our data without clear consent using cookies and web beacons. This lack of transparency and complex terms presented on websites can make it difficult to understand where your data might end up.

Few websites offer explanations in simple terms about how they use the collected data. This lack of transparency is a major red flag.

The General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) were developed in response to these concerns. GDPR requires websites to provide users with opt-in consent forms before collecting personal user data.

Websites cannot use pre-ticked boxes in such consent forms, which ensures users take positive steps to provide permission. Users also have the option to withdraw their consent at any time.

The CCPA requires websites to state upfront how the collected user data will be used and which parties it will be made available to. This is a step in the right direction towards transparency.

Cross-site tracking without consent is a breach of privacy. It's also a serious concern when websites don't provide information in simple terms about how they use the collected user data.

Preventing Cross-Site Tracking

If you're in the European Union or California, strict regulations like the GDPR and CCPA ensure that your data cannot be tracked without explicit consent.

Adjusting your browser settings can also protect you from cross-site tracking. For example, you can use Firefox's Private Browsing with Tracking Protection to make it harder for third parties to track your search history across multiple sites.

Firefox's Private Window doesn't save the pages you visit, cookies, searches or temporary files, giving you some peace of mind for everyday web browsing.

To turn off cross-site tracking on Chrome, follow these steps: click the three dots at the top right, select "Settings", then click "Privacy and security" > "Third-party cookies", and turn on "Send a 'do not track' request with your browsing traffic."

Using a VPN can improve your online privacy, but it doesn't directly prevent cross-site tracking. A VPN hides your IP address and keeps your internet traffic private, making it harder for trackers to link your online activity directly to you.

Here are some ways to prevent cross-site tracking:

  • Use Firefox's Private Browsing with Tracking Protection
  • Turn off third-party cookies in Chrome
  • Use a VPN alongside privacy-focused browsers and tracker blockers
  • Adjust your device's privacy settings
  • Use a tracker blocker like NordVPN's Threat Protection Pro feature

Techniques for Blocking Cross-Site Tracking

To block cross-site tracking, you can change your browser settings. For example, in Chrome, you can tap the three horizontal buttons in the top-right corner of your screen, tap "Settings", and scroll to "Privacy and Security" to select the "Do not track" slider. This will help prevent websites from tracking your browsing history.

Safari offers a similar option, where you can choose "Preferences", tap "Privacy", and select "Prevent cross-site tracking." Firefox also has a built-in setting to block cross-site tracking, which you can find by tapping the menu button, selecting "Settings", and then "Privacy & security."

If you're using Firefox, you can also take additional steps to block trackers by installing browser extensions that specialize in blocking trackers. This can provide more comprehensive protection against cross-site tracking.

Full third-party cookie blocking is a feature that blocks all third-party cookies by default. There are no exceptions to this blocking, and third-party cookie access can only be granted through the Storage Access API and the temporary compatibility fix for popups.

ITP, or Intelligent Tracking Prevention, by default blocks all third-party cookies. This means that websites cannot set cookies on your device unless you explicitly grant permission. The only way to access third-party cookies is through the Storage Access API.

Third-party cookie blocking is not just a feature, but a security measure to protect your online privacy. By blocking third-party cookies, you are preventing advertisers and trackers from collecting your data and tracking your online behavior.

Here are some key facts about third-party cookie blocking:

  • All third-party cookies are blocked by default.
  • Third-party cookie access can only be granted through the Storage Access API and the temporary compatibility fix for popups.
  • ITP detects third-party CNAME cloaking and third-party IP address cloaking requests and caps the expiry of any cookies set in the HTTP response to 7 days.

By understanding how third-party cookie blocking works, you can take control of your online privacy and prevent advertisers and trackers from collecting your data.

Canvas Fingerprinting

Canvas fingerprinting is a browser fingerprinting technique that uses the HTML5 canvas element to track visitors. This element allows websites to instruct your browser to draw hidden graphics, which vary based on individual device settings like the graphics card and system hardware.

These graphics render differently on each user's device, creating a unique image for each user. This unique rendering acts as a digital fingerprint and enables precise tracking when combined with other site data.

The practice of websites deciphering how the user's browser responds to graphical instructions is known as canvas fingerprinting. Websites with this feature can direct your browser to draw a hidden image.

This particular image varies with the individual's device, graphics card, and hardware settings, resulting in the rendition of a unique image for every user. The distinctive image acts as a unique digital fingerprint for every user and can provide accurate information when coupled with other tracking data.

Anti Fingerprinting

To block cross-site tracking, it's essential to understand anti-fingerprinting techniques. Anti-fingerprinting involves measuring the uniqueness of static device configuration, dynamic device or browser configuration, and user browsing data.

Websites can't access the Device Orientation/Motion APIs on mobile devices without user permission, which prevents device fingerprinting. This change was implemented to protect user privacy.

Preventing fingerprinting of attached cameras and microphones through the Web Real-Time Communication API (WebRTC) is another crucial step. This ensures that user data remains secure.

Font availability is restricted to web fonts and fonts that come with the operating system, excluding locally user-installed fonts. This change reduces the risk of device fingerprinting.

The user agent string only changes with the marketing version of the platform and the browser, not with minor software updates. This helps to minimize fingerprinting opportunities.

By removing existing fingerprinting vectors, we can improve user privacy. The Do Not Track flag was removed, which ironically was used as a fingerprinting vector.

Removing support for plug-ins on macOS and other desktop ports has also reduced fingerprinting risks. This change has helped to protect user data.

Here are some features that we have decided not to implement due to fingerprinting concerns:

  • Web Bluetooth
  • Web MIDI API
  • Magnetometer API
  • Web NFC API
  • Device Memory API
  • Network Information API
  • Battery Status API
  • Web Bluetooth Scanning
  • Ambient Light Sensor
  • HDCP Policy Check extension for EME
  • Proximity Sensor
  • WebHID
  • Serial API
  • Web USB
  • Geolocation Sensor (background geolocation)
  • User Idle Detection

Some trackers add "click IDs" as URL parameters in links and pick them up through JavaScript on the link destination website.

This technique is called cross-site tracking via link decoration, and it allows trackers to establish a user identity across websites.

ITP detects such link decoration and caps the expiry of cookies created in JavaScript on the landing webpage to 24 hours.

This means that even if a tracker tries to use link decoration, it will only be able to store the cookie for a limited time.
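
One way to neutralize the link decoration described above is to strip click-ID parameters from a URL before it is followed, logged or shared. This is an added example, not code from the original page; the function names and the parameter names in CLICK_ID_PARAMS are assumptions chosen for illustration, since the page names no specific parameters.

```javascript
// ASSUMPTION: a short illustrative list of click-ID parameter names.
// Extend it from a maintained blocklist in real use.
const CLICK_ID_PARAMS = new Set(["gclid", "dclid", "fbclid", "msclkid"]);

// Drop click-ID keys from a query-style string.
// Returns [cleanedString, removedKeys]. Kept parameters are re-serialized,
// so their percent-encoding may be normalized.
function filterParams(raw) {
  const kept = new URLSearchParams();
  const removed = [];
  for (const [key, value] of new URLSearchParams(raw)) {
    if (CLICK_ID_PARAMS.has(key.toLowerCase())) removed.push(key);
    else kept.append(key, value);
  }
  return [kept.toString(), removed];
}

// Returns { url, removed }: the cleaned URL and the parameter names stripped.
// Decoration can ride in the query string or in a key=value fragment,
// so both places are checked.
function stripLinkDecoration(href) {
  const url = new URL(href);
  const [query, removedQuery] = filterParams(url.search);
  url.search = query;

  let removedHash = [];
  const fragment = url.hash.slice(1);
  if (fragment.includes("=")) {
    // Only rewrite fragments that look like key=value pairs, so plain
    // anchors such as #reviews are left untouched.
    const [hash, removed] = filterParams(fragment);
    removedHash = removed;
    if (removed.length > 0) url.hash = hash;
  }
  return { url: url.toString(), removed: [...removedQuery, ...removedHash] };
}

// Constructed sample URL: the click ID is removed, everything else survives.
console.log(stripLinkDecoration(
  "https://shop.example.com/shoes?color=red&gclid=CONSTRUCTED123&size=9#reviews"
));
```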

Regulations and Laws

The General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) take a strong stance on cross-site tracking by requiring websites to obtain user consent.

Websites must use opt-in forms to collect personal data, and these forms cannot include pre-ticked boxes to ensure users actively agree to data collection.

Users have the right to withdraw their consent at any time, even after initially agreeing to the use of their data.

The GDPR

The GDPR mandates that websites must obtain user consent through opt-in forms before collecting personal data.

Websites cannot include pre-ticked boxes to ensure that users actively agree to data collection.

Users have the right to withdraw their consent at any time, even after initially agreeing to the use of their data.

The GDPR is a strong regulation that addresses privacy concerns and gives users more control over their personal data.

Action Against Classified Domains

Action Against Classified Domains is a crucial aspect of online data management. All website data is deleted for classified domains that have not received user interaction in the last 30 days of browser use.

This deletion happens at regular intervals to prevent disk I/O issues.

Classified domains that receive user interaction, but engage in bounce tracking, may have their cookies rewritten to SameSite=strict.

Terminology

Let's start by defining some key terms related to cross-site tracking.

A registrable domain is a website's eTLD+1 or effective top-level domain plus one label. This is important to understand because it affects how cookies are stored and accessed.

For our purposes, a website or site is a registrable domain including all of its subdomains. This means that http and https are considered the same site.

Cross-site navigations and cross-site loads refer to situations where a user is taken to a different website or a website loads subresources from another website. This is a key concept in understanding cross-site tracking.

First-party and third-party are also important terms to grasp. A first-party website is one that is shown in the URL bar, while a third-party website is one that loads a subresource from another website. Note that different parties have to be different websites.

Third-party cookies are not a special kind of cookie, but rather a situation where content has access to its cookies when loaded from a third-party. This can happen when a browser allows a third-party request to include cookies and the subsequent response sets new cookies.

Here are some key terms summarized:

  • Registrable domain: a website's eTLD+1 or effective top-level domain plus one label.
  • Website or site: a registrable domain including all of its subdomains.
  • Cross-site: navigations or loads between different websites.
  • First-party: a website shown in the URL bar.
  • Third-party: a website that loads a subresource from another website.
  • Third-party cookies: a situation where content has access to its cookies when loaded from a third-party.
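
The terms above can be turned into a check that labels a subresource load as first-party or third-party by comparing registrable domains. This is an added example, not code from the original page; the function names and the hostnames are constructed, and SUFFIXES is a tiny stand-in for the full Public Suffix List that real code needs.

```javascript
// ASSUMPTION: a constructed subset of the Public Suffix List, enough to
// show single-label (com) and multi-label (co.uk, github.io) suffixes.
const SUFFIXES = new Set(["com", "org", "net", "uk", "co.uk", "github.io"]);

// Return the registrable domain (eTLD+1) of a hostname, or null when the
// host is an IP literal, is itself a public suffix, or has no known suffix.
function registrableDomain(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  if (/^[\d.]+$/.test(host) || host.includes(":")) return null; // IP literal
  const labels = host.split(".");
  // Scan from the longest candidate suffix to the shortest, so that
  // "co.uk" wins over "uk".
  for (let i = 0; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      // i === 0 means the whole host is a public suffix: no eTLD+1 exists.
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// Label a load relative to the page in the URL bar. The scheme is ignored,
// so http and https on the same registrable domain are the same site.
function classifyLoad(pageUrl, resourceUrl) {
  const page = registrableDomain(new URL(pageUrl).hostname);
  // Relative resource URLs resolve against the page and stay first-party.
  const resource = registrableDomain(new URL(resourceUrl, pageUrl).hostname);
  if (page === null || resource === null) return "unknown";
  return page === resource ? "first-party" : "third-party";
}

// Constructed sample loads.
const samples = [
  ["https://www.news.example.com/a", "http://cdn.example.com/x.js"],
  ["https://news.example.co.uk/", "https://tracker.other.co.uk/p.gif"],
  ["https://alice.github.io/", "https://bob.github.io/t.js"],
];
for (const [page, resource] of samples) {
  console.log(resource, "->", classifyLoad(page, resource));
}
```

The github.io case shows why the suffix list matters: comparing only the last two labels would treat two unrelated users' sites as the same site.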

Francis McKenzie

Writer

Francis McKenzie is a skilled writer with a passion for crafting informative and engaging content. With a focus on technology and software development, Francis has established herself as a knowledgeable and authoritative voice in the field of Next.js development.
