Unsanctioned Web Tracking is Harmful
Written by Greg Norcie
Recently, the Technical Architecture Group (TAG) of the World Wide Web Consortium (W3C), a group within the W3C charged with stewardship of the Web’s architecture, released a statement that “unsanctioned tracking” is harmful to the web.
What is Unsanctioned Tracking and How Does it Work?
This is not an indictment of all web tracking, however, simply a narrow subset. The TAG has said, “Tracking user activity on the Web using methods other than those defined for the purpose by the Web platform (‘unsanctioned tracking’) is harmful to the Web,” since such abuses of standards cannot be combatted with existing privacy enhancing technologies.
Specifically, the TAG noted three types of unsanctioned tracking technologies that are especially harmful to users’ privacy:
- Browser Fingerprinting
- Header Enrichment
Technique 1: Browser Fingerprinting
Browser fingerprinting takes advantage of the fact that small pieces of information can differ from browser to browser. For example, while many people use Firefox, very few people might use a specific Firefox version, on a certain operating system, with certain extensions installed and a certain screen resolution. Each one of those small pieces of information could have been customized by the user, and the more of those customizations people make, the more likely it is that they could be used as a “fingerprint” to identify specific people as they visit a web page. Projects like the EFF’s Panopticlick have shown that these small pieces of information, which together are not identifiable, can be combined to uniquely identify users.
Technique 2: Supercookies
In the web context, “cookies” refer to HTTP cookies — small pieces of data stored on a user’s computer by a website. While originally intended to store data like login credentials (so users wouldn’t necessarily have to log in over and over), cookies can also be used to track users across the web. For example, a user might have a tracking cookie set on a social network. When that user visits other websites that contain code from that website (such as buttons to share a link on the social network), those buttons can see the tracking cookie, and know that you visited the web page the button is on. Think about it — almost every site you visit on the web has a share button nowadays.
While tracking cookies are problematic, they are easily blocked and/or removed. Supercookies, on the other hand, are cookies that persist even after a user clears a browser’s cookies. Supercookies can be set in a variety of ways, such as by abusing ETags or by reissuing tracking cookies based on browser fingerprints.
Technique 3: Header Enrichment
When a user’s browser starts a web connection (over the HTTP protocol), it sends a number of messages back and forth. These messages have “headers” — basically, routing information saying where the request is from, and where it’s going. Header enrichment is a technique which is currently mostly used in the mobile space. Header enrichment involves a service provider injecting a unique ID into the HTTP headers a user’s browser sends out. This ID uniquely identifies the user, and cannot be changed or removed in a user’s browser settings. It should be noted that if a website enables HTTPS, third parties cannot see, let alone modify, HTTP headers.
Why is Unsanctioned Tracking Harmful?
There are three main reasons why unsanctioned tracking is harmful.
First, there are serious consent issues — most online tracking currently relies on an “opt-out” model where the user must explicitly state that they do not wish to be tracked. This is referred to as “opting out.” However, tracking techniques such as browser fingerprinting cannot be reliably avoided, so no opt-in consent is possible.
Second, unsanctioned traffic is almost impossible to avoid via technical means. In the past, users have utilized privacy-enhancing extensions like Privacy Badger and NoScript to avoid tracking by blocking the cookies and scripts used to track users. However, these extensions cannot block unsanctioned tracking.
Third, at a high level, pervasive tracking violates users’ fundamental right to privacy (as described, for example, in the United Nations Declaration of Human Rights).
Unsanctioned tracking is unknown to the user, without consent, and unable to be blocked by purely technical means. This means we must establish standards, policies, and laws which ensure that trackers obtain consent.
Moving forward, new standards should not unnecessarily increase attackers’ ability to perform unsanctioned tracking. For example, new standards should not increase “fingerprintability” — that is, they should not add features which increase the uniqueness of users’ browser profiles. When features that help uniquely identify users are absolutely necessary to a standard, they should be documented as such.
Further, users must be able to control their data, with easy to use, intuitive opt-outs. Advertisers and service providers should not utilize tracking technologies which are designed to perform unsanctioned tracking without providing a usable method for users to opt out.
Finally, unsanctioned tracking cannot be solved by technical means alone. CDT agrees with the TAG that policymakers and regulators must be aware of the risks of unsanctioned tracking, and make sure to properly incentivize companies to not perform unsanctioned tracking if the industry fails to self-regulate.