Download as PDF, PPTX
Uploaded bySimo Ahava
Browser Tracking Protections - SuperWeek 2020
The document discusses browser tracking prevention mechanisms and cookies management, detailing the evolution of policies and technologies that have been implemented over the years to block third-party cookies and enhance privacy. It mentions various algorithms and features introduced by different browsers to classify and restrict tracking, as well as notable data breaches correlating with these practices. Additionally, topics like ad frequency management, audience profiling, and cookie synchronization are explored in the context of advertising and user data protection.
More Related Content
Similar to Browser Tracking Protections - SuperWeek 2020
![Computer Networks 01[1 using all terms].pptx](https://cdn.slidesharecdn.com/ss_thumbnails/computernetworks011-251214040533-327dd9f8-thumbnail.jpg?width=640&height=640&fit=bounds)
Browser Tracking Protections - SuperWeek 2020
- 1. Browsers Eat DataQuality For BREAKFAST @SimoAhava from @8_bit_sheep at #SPWK
- 2.
- 4.
- 5.
- 6. https://blog.superweek.hu/welcome.html SOURCE TARGET https://shop.superweek.hu/image.jpg HTTP requestincludes cookies written on which domain: SOURCE or TARGET? HTTP GET
- 7. https://blog.superweek.hu/welcome.html SOURCE TARGET https://shop.superweek.hu/image.jpg Is thisan example of 3RD PARTY REQUEST or 1ST PARTY REQUEST? HTTP GET
- 8.
- 9. Graphic adapted fromhttps://web.dev/samesite-cookies-explained/ https://www.simoahava.com/
- 10. Graphic adapted fromhttps://web.dev/samesite-cookies-explained/ Same-site === First-party context https://www.simoahava.com/
- 11. Graphic adapted fromhttps://web.dev/samesite-cookies-explained/ https://image.cdn.com/image.gif https://www.simoahava.com/
- 12. Graphic adapted fromhttps://web.dev/samesite-cookies-explained/ Cross-site === Third-party context https://image.cdn.com/image.gif https://www.simoahava.com/
- 13. Graphic adapted fromhttps://web.dev/samesite-cookies-explained/ https://page.somedomain.com/ https://page.otherdomain.com/ https://page.thirddomain.com/ https://image.cdn.com/image.gif All pages include a request to the third-party resource, thus including all cookies written on the third-party domain, enabling cross-site tracking.
- 14.
- 15. Leverage other script-writablestorage.
- 16. Decorate outbound linkswith identifiers.
- 17. Decorate referring URLwith identifiers.
- 18. Stateless tracking withfingerprints.
- 19. Third-party-to-first-party collusion, e.g.with CNAME.
- 20. Browsers take theinitiative
- 21.
- 22.
- 23.
- 24.
- 25.
- 26.
- 27.
- 28.
- 29.
- 30. ETP introduced -3P tracking cookies blocked ifactivated 10/2018 9/20192003 9/2017 3/20189/20182013 3/2019 4/2019 12/2019
- 31.
- 32.
- 33.
- 34. 10/2018 1/2019 6/2019 Brave Shields released 9/20192003 9/2017 3/20189/20182013 3/2019 4/2019 12/2019
- 35. 10/2018 1/2019 6/2019 Brave Shields released Restrictions to fingerprinting 9/20192003 9/2017 3/20189/20182013 3/2019 4/2019 12/2019
- 36.
- 37.
- 38. 10/2018 1/2019 6/2019 Tracking prevention (Edge beta)blocks cookies from know n trackers 9/20192003 9/2017 3/20189/20182013 3/2019 4/2019 12/2019
- 39.
- 40.
- 41. 10/2018 1/2019 6/2019 1/2020 Cliqz introduces its ow n ad blocking tech 11/2019 9/20192003 9/2017 3/20189/20182013 3/2019 4/2019 12/2019
- 42. 11/201910/2018 1/2019 6/2019 1/2020 Sam eSite enforcem ent* * not atracking protection mechanism 2/20209/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019
- 43. 11/201910/2018 1/2019 6/2019 1/2020 2/2020 Sam eSite enforcem ent 2022 N o m ore 3P cks 9/20192003 9/20173/2018 9/20182013 3/2019 4/2019 12/2019
- 44. 11/201910/2018 1/2019 6/2019 1/2020 2/2020 2022 GDPRenforceable Collection #1 breach 773M unique emails verifications.io breach 763M unique emails People Data Labs breach 622M unique emails Zynga breach 172M unique emails Onliner Spambot breach 711M emails Exploit.ln breach 593M emails Finland wins hockey world championship 9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019
- 45. GDPR enforceable Collection #1breach 773M unique emails verifications.io breach 763M unique emails People Data Labs breach 622M unique emails Zynga breach 172M unique emails Onliner Spambot breach 711M emails Exploit.ln breach 593M emails Finland wins hockey world championship 11/201910/2018 1/2019 6/2019 1/2020 2/2020 2022 Increasing amount of supply chain attacks (e.g. Magecart) and script hijacking 9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019
- 46.
- 47. Build graphs andcomprehensive audience profiles
- 48. Build graphs andcomprehensive audience profiles Target ads
- 49. Target ads Manage adfrequency Build graphs and comprehensive audience profiles
- 50. View-through attribution Manage adfrequency Build graphs and comprehensive audience profiles Target ads
- 51. Manage ad frequency Buildgraphs and comprehensive audience profiles Cookie matching/syncing View-through attribution Target ads
- 52. Manage ad frequency Buildgraphs and comprehensive audience profiles Cross-site tracking Cookie matching/syncing View-through attribution Target ads
- 53. Manage ad frequency Buildgraphs and comprehensive audience profiles Cross-site tracking Cookie matching/syncing View-through attribution Target ads Analytics integrations
- 54. Manage ad frequency Buildgraphs and comprehensive audience profiles Cross-site tracking Cookie matching/syncing View-through attribution Target ads Analytics integrations SSO / login flows
- 55. Manage ad frequency Buildgraphs and comprehensive audience profiles Cross-site tracking Cookie matching/syncing View-through attribution Target ads Analytics integrations SSO / login flows State in embedded services
- 56. Manage ad frequency Buildgraphs and comprehensive audience profiles Cross-site tracking Cookie matching/syncing View-through attribution Target ads Analytics integrations SSO / login flows State in embedded services Multi-purpose scripts
- 57. Manage ad frequency Buildgraphs and comprehensive audience profiles Cross-site tracking Cookie matching/syncing View-through attribution Target ads Analytics integrations SSO / login flows State in embedded services Multi-purpose scripts 1st party data collection
- 58. Manage ad frequency Buildgraphs and comprehensive audience profiles Cross-site tracking Cookie matching/syncing View-through attribution Target ads Analytics integrations SSO / login flows State in embedded services Multi-purpose scripts 1st party data collection Tag management
- 59. Manage ad frequency Buildgraphs and comprehensive audience profiles Cross-site tracking Cookie matching/syncing View-through attribution Target ads Analytics integrations SSO / login flows State in embedded services Multi-purpose scripts 1st party data collection Tag management Client-side state
- 60. Manage ad frequency Buildgraphs and comprehensive audience profiles Cross-site tracking Cookie matching/syncing View-through attribution Target ads Analytics integrations SSO / login flows State in embedded services Multi-purpose scripts 1st party data collection Tag management Client-side state Data quality
- 61. Manage ad frequency Buildgraphs and comprehensive audience profiles Cross-site tracking Cookie matching/syncing View-through attribution Target ads Analytics integrations SSO / login flows State in embedded services Multi-purpose scripts 1st party data collection Tag management Client-side state Data quality
- 62. Manage ad frequency Buildgraphs and comprehensive audience profiles Cross-site tracking Cookie matching/syncing View-through attribution Target ads Analytics integrations SSO / login flows State in embedded services Multi-purpose scripts 1st party data collection Tag management Client-side state Data quality
- 63. Classification of "knowntrackers" Algorithmic, on-device Heuristic, global
- 64.
- 65. Block Restrict Brave 3rd partycontext Strips all cookies from 3P requests. Blocks all requests to domains in filter lists. Strips cross-site referrers in navigational requests. Spoofs cross-site referrers in subresource HTTP requests. Strips fbclid, gclid, msclkid, mc_eid parameters from request URLs.
- 66. Block Restrict Brave 3rd partycontext Cookies, requests, referrers Referrers, request URLs Chrome - - Cliqz
- 67. Block Restrict Brave 3rd partycontext Cookies, requests, referrers Referrers Chrome - - Blocks cookies in 3P context if target domain is classified (on-device and/or globally), with mitigations (widget inter- actions, redirects, oAuth flows). Other cookies set to 1h expiration if no interaction with site in 1P context. Strips potential user identifiers from request URLs, unless in global safe set. Downgrades referrer to origin in cross-origin requests. Cliqz
- 68. Block Restrict Brave 3rd partycontext Cookies, requests, referrers Referrers, request URLs Chrome - - Cliqz Cookies Cookies, referrers, request URLs Edge
- 69. Block Restrict Brave 3rd partycontext Cookies, requests, referrers Referrers Chrome - - Cliqz Cookies Cookies, request URLs Edge Blocks cookies in 3P requests if target domain in Trust Protection Lists, with mitigations for engagement and same-org. Blocks all script-writable storage with same conditions as above. Blocks requests to Fingerprinting and Cryptomining domains.
- 70. Block Restrict Brave 3rd partycontext Cookies, requests, referrers Referrers, request URLs Chrome - - Cliqz Cookies Edge Firefox Cookies, storage, requests - Cookies, referrers, request URLs
- 71. Block Restrict Brave 3rd partycontext Cookies, requests, referrers Referrers Chrome - - Cliqz Cookies Cookies, request URLs Edge Cookies, storage, requests - Firefox Blocks cookies in 3P requests if target domain classified in Disconnect.me. Blocks requests to Cryptomining category. Blocks requests if domain in Fingerprinting and Tracking category. Blocks localStorage and IndexedDB for classified domains.
- 72. Block Restrict Brave 3rd partycontext Cookies, requests, referrers Referrers, request URLs Chrome - - Cliqz Cookies Edge Cookies, storage, requests - Firefox Cookies, storage, requests - Safari Cookies, referrers, request URLs
- 73. Block Restrict Brave 3rd partycontext Cookies, requests, referrers Referrers, request URLs Chrome - - Cliqz Cookies Cookies, request URLs Edge Cookies, storage, requests - Firefox Cookies, storage, requests - Safari Blocks cookies if no prior cookies set. Blocks cookies if no interaction with site in 1P. Blocks cookies if classified by ITP (except with Storage Access API). Blocks IndexedDB. Partitioned and ephemeral localStorage. Downgrade referrer to origin on subresource HTTP requests. Downgrade referrer to eTLD+1 if referring page classified with URL decoration.
- 74. Block Restrict Brave 3rd partycontext Cookies, requests, referrers Referrers, request URLs Chrome - - Cliqz Cookies Edge Cookies, storage, requests - Firefox Cookies, storage, requests - Safari Cookies, storage Referrers, storage Cookies, referrers, request URLs
- 75.
- 76. Block Restrict Brave 1st partycontext Cookies set with JavaScript expire in 7 days. Cookies set with HTTP headers expire in 6 months.
- 77. Block Restrict Brave 1st partycontext - Cookies Chrome - - Cliqz
- 78. Block Restrict Brave 1st partycontext Cookies, requests, referrers Referrers Chrome - - Non-HttpOnly cookies expire in 7 days. HttpOnly cookies expire in 30 days. Cookies set on classified domains that are visited infrequently expire in 7 days. Cookies set on classified domains that are visited frequently expire in 30 days. Cliqz
- 79. Block Restrict Brave 1st partycontext - Cookies Chrome - - Cliqz - Cookies Edge - - Firefox - - Safari
- 80. Block Restrict Brave 1st partycontext Cookies, requests, referrers Referrers, request URLs Chrome - - Cliqz Cookies Cookies, request URLs Edge Cookies, storage, requests - Firefox Cookies, storage, requests - Safari Cookies set with JavaScript expire in 7 days. Cookies set with JavaScript when referring domain is classified and URL has link decoration expire in 24 hours. Other browser storage is expired in 7 days since last interaction if referring domain is classified and URL has link decoration.
- 81. Block Restrict Brave 1st partycontext - Cookies Chrome - - Cliqz - Cookies Edge - - Firefox - - Safari - Cookies, storage
- 82.
- 83. Brave Chrome CliqzEdge Firefox Safari Cookies set to SameSite=Lax by default. Reject SameSite=None cookies that are not secure. Chrome 80, Feb 4!
- 84. Brave Chrome CliqzEdge Firefox Safari Default referrer policy strict-origin-when-cross-origin. Chrome 80, Feb 4! ! !!
- 85. Cap lifetime ofall script-writable storage. Brave Chrome Cliqz Edge Firefox Safari Technology Preview 99
- 86. Brave Chrome CliqzEdge Firefox Safari Technology Preview 99 Block all cookies in 3P context - access only through Storage Access API. !
- 87. Brave Chrome CliqzEdge Firefox Safari Technology Preview 99 The isLoggedIn API (experimental).
- 88. Brave Chrome CliqzEdge Firefox Safari Private Click Measurement / Ad Click Attribution.
- 89.
- 90. DO -Periodically audit theuse of client-side state in your sites, services, and applications. Avoid over-reliance; use HttpOnly where possible, then HTTP headers, then JS. -Figure out how to incentivize logging in. -Set cookies you need in third-party context to SameSite=None;Secure, with fallbacks for unsupported browsers. - Utilize Storage Access API for access to third-party storage. -Consider the browser as a manifestation of the user’s desire and intent with regard to tracking. Err on the side of as much privacy as possible. -No evil.
- 91. DO NOT -Look at "server-sideanalytics" as a silver bullet. -Ignore small market share web browsers. -Expect tracking prevention development to settle / slow down. -Spread FUD about the impact of these measures without empirical data to back it up with. -Expect that browsers will handle the ethical / legal side of data collection for you. -Think that browsers have got tracking prevention "right"
- 92.
- 93.
- 94.