1. Browsers Eat Data Quality
For BREAKFAST
@SimoAhava from @8_bit_sheep at #SPWK

2. Browser
Tracking
Prevention

4. www.CookieStatus.com

5. Quick quiz

6. https://blog.superweek.hu/welcome.html
SOURCE TARGET
https://shop.superweek.hu/image.jpg
HTTP request includes cookies written on which domain: SOURCE or TARGET?
HTTP GET

7. https://blog.superweek.hu/welcome.html
SOURCE TARGET
https://shop.superweek.hu/image.jpg
Is this an example of 3RD PARTY REQUEST or 1ST PARTY REQUEST?
HTTP GET

8. Cross-site tracking

9. Graphic adapted from https://web.dev/samesite-cookies-explained/
https://www.simoahava.com/

10. Graphic adapted from https://web.dev/samesite-cookies-explained/
Same-site === First-party context
https://www.simoahava.com/

11. Graphic adapted from https://web.dev/samesite-cookies-explained/
https://image.cdn.com/image.gif
https://www.simoahava.com/

12. Graphic adapted from https://web.dev/samesite-cookies-explained/
Cross-site === Third-party context
https://image.cdn.com/image.gif
https://www.simoahava.com/

13. Graphic adapted from https://web.dev/samesite-cookies-explained/
https://page.somedomain.com/
https://page.otherdomain.com/
https://page.thirddomain.com/
https://image.cdn.com/image.gif
All pages include a request to the third-party resource, thus including
all cookies written on the third-party domain, enabling cross-site tracking.

14. Some popular exploits

15. Leverage other script-writable storage.

16. Decorate outbound links with identifiers.

17. Decorate referring URL with identifiers.

18. Stateless tracking with fingerprints.

19. Third-party-to-first-party collusion, e.g. with CNAME.

20. Browsers take the initiative

21. 2003
Defaultcookie
policy
blocks
3P
cookies
w
ithoutprior"seeding"

22. 2003
Defaultcookie
policy
blocks
3P
cookies
w
ithoutprior"seeding"
2013
Partitioned
and
ephem
eral3P
H
TM
L5
storage

23. 2003
Defaultcookie
policy
blocks
3P
cookies
w
ithoutprior"seeding"
ITP
1-Algorithm
ic
classification,3P
cookies
partitioned
2013
Partitioned
and
ephem
eral3P
H
TM
L5
storage
9/2017

24. 2003
Defaultcookie
policy
blocks
3P
cookies
w
ithoutprior"seeding"
ITP
1-Algorithm
ic
classification,3P
cookies
partitioned
2/2018
Storage
Access
APIto
allow
access
to
partitioned
storage
2013
Partitioned
and
ephem
eral3P
H
TM
L5
storage
9/2017

25. 2003
Defaultcookie
policy
blocks
3P
cookies
w
ithoutprior"seeding"
ITP
1-Algorithm
ic
classification,3P
cookies
partitioned
2/2018
Storage
Access
APIto
allow
access
to
partitioned
storage
ITP
2
-Rem
ovalof24-hourgrace
period
forunrestricted
3P
cookie
access,
1P
bounce
trackerand
trackercollusion
protection
2013
Partitioned
and
ephem
eral3P
H
TM
L5
storage
9/2017 9/2018

26. 2003
Defaultcookie
policy
blocks
3P
cookies
w
ithoutprior"seeding"
ITP
1-Algorithm
ic
classification,3P
cookies
partitioned
2/2018
Storage
Access
APIto
allow
access
to
partitioned
storage
ITP
2
-Rem
ovalof24-hourgrace
period
forunrestricted
3P
cookie
access,
1P
bounce
trackerand
trackercollusion
protection
2013
Partitioned
and
ephem
eral3P
H
TM
L5
storage
ITP
2.1-3P
cookies
no
longerpartitioned,restrictions
on
1P
JavaScriptcookies
9/2017 9/2018 3/2019

27. 2003
Defaultcookie
policy
blocks
3P
cookies
w
ithoutprior"seeding"
ITP
1-Algorithm
ic
classification,3P
cookies
partitioned
2/2018
Storage
Access
APIto
allow
access
to
partitioned
storage
ITP
2
-Rem
ovalof24-hourgrace
period
forunrestricted
3P
cookie
access,
1P
bounce
trackerand
trackercollusion
protection
2013
Partitioned
and
ephem
eral3P
H
TM
L5
storage
ITP
2.1-3P
cookies
no
longerpartitioned,restrictions
on
1P
JavaScriptcookies
4/2019
ITP
2.2
-1P
JavaScriptcookies
lim
ited
to
24-hourexpiration
in
som
e
cases
9/2017 9/2018 3/2019

28. 9/2019
ITP
2.3
-Allscript-w
ritable
storage
gets
lim
ited
lifetim
e,
docum
ent.referrerfrom
classified
dom
ain
stripped
to
eTLD+1
2003
Defaultcookie
policy
blocks
3P
cookies
w
ithoutprior"seeding"
ITP
1-Algorithm
ic
classification,3P
cookies
partitioned
2/2018
Storage
Access
APIto
allow
access
to
partitioned
storage
ITP
2
-Rem
ovalof24-hourgrace
period
forunrestricted
3P
cookie
access,
1P
bounce
trackerand
trackercollusion
protection
2013
Partitioned
and
ephem
eral3P
H
TM
L5
storage
ITP
2.1-3P
cookies
no
longerpartitioned,restrictions
on
1P
JavaScriptcookies
4/2019
ITP
2.2
-1P
JavaScriptcookies
lim
ited
to
24-hourexpiration
in
som
e
cases
9/2017 9/2018 3/2019

29. 9/2019
ITP
2.3
-Allscript-w
ritable
storage
gets
lim
ited
lifetim
e,
docum
ent.referrerfrom
classified
dom
ain
stripped
to
eTLD+1
All3P
requests
(non-navigational)getreferrer
stripped
to
origin,all3P
cookies
blocked
if
site
notinteracted
w
ith
in
1P
context
2003
Defaultcookie
policy
blocks
3P
cookies
w
ithoutprior"seeding"
9/2017
ITP
1-Algorithm
ic
classification,3P
cookies
partitioned
3/2018
Storage
Access
APIto
allow
access
to
partitioned
storage
9/2018
ITP
2
-Rem
ovalof24-hourgrace
period
forunrestricted
3P
cookie
access,
1P
bounce
trackerand
trackercollusion
protection
2013
Partitioned
and
ephem
eral3P
H
TM
L5
storage
3/2019
ITP
2.1-3P
cookies
no
longerpartitioned,restrictions
on
1P
JavaScriptcookies
4/2019
ITP
2.2
-1P
JavaScriptcookies
lim
ited
to
24-hourexpiration
in
som
e
cases
12/2019

30. ETP
introduced
-3P
tracking
cookies
blocked
ifactivated
10/2018
9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019

31. ETP
introduced
-3P
tracking
cookies
blocked
ifactivated
ETP
m
odes
introduced
-Standard
is
the
default
10/2018
1/2019
9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019

32. ETP
introduced
-3P
tracking
cookies
blocked
ifactivated
ETP
m
odes
introduced
-Standard
is
the
default
ETP
released
-Standard
seton
fornew
installs
10/2018
1/2019
6/2019
9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019

33. ETP
introduced
-3P
tracking
cookies
blocked
ifactivated
ETP
m
odes
introduced
-Standard
is
the
default
ETP
released
-Standard
seton
fornew
installs
10/2018
1/2019
6/2019
ETP
setto
Standard
forallusers
9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019

34. 10/2018
1/2019
6/2019
Brave
Shields
released
9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019

35. 10/2018
1/2019
6/2019
Brave
Shields
released
Restrictions
to
fingerprinting
9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019

36. 10/2018
1/2019
6/2019
Brave
Shields
released
Restrictions
to
fingerprinting
Im
proved
ad
blockeralgorithm
9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019

37. 10/2018
1/2019
6/2019
Brave
Shields
released
Restrictions
to
fingerprinting
Rem
ove
know
n
tracking
param
eters
from
U
RLs
Im
proved
ad
blockeralgorithm
9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019

38. 10/2018
1/2019
6/2019
Tracking
prevention
(Edge
beta)blocks
cookies
from
know
n
trackers
9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019

39. 10/2018
1/2019
6/2019
Tracking
prevention
(Edge
beta)blocks
cookies
from
know
n
trackers
(Edge
beta)adds
additionalm
itigations
9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019

40. 10/2018
1/2019
6/2019
Tracking
prevention
(Edge
beta)blocks
cookies
from
know
n
trackers
(Edge
beta)adds
additionalm
itigations
1/2020
N
ew
Edge
released
9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019

41. 10/2018
1/2019
6/2019
1/2020
Cliqz
introduces
its
ow
n
ad
blocking
tech
11/2019
9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019

42. 11/201910/2018
1/2019
6/2019
1/2020
Sam
eSite
enforcem
ent*
* not a tracking protection mechanism
2/20209/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019

43. 11/201910/2018
1/2019
6/2019
1/2020 2/2020
Sam
eSite
enforcem
ent
2022
N
o
m
ore
3P
cks
9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019

44. 11/201910/2018
1/2019
6/2019
1/2020 2/2020 2022
GDPR enforceable
Collection #1 breach
773M unique emails
verifications.io breach
763M unique emails
People Data Labs breach
622M unique emails
Zynga breach
172M unique emails
Onliner Spambot breach
711M emails
Exploit.ln breach
593M emails
Finland wins
hockey world
championship
9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019

45. GDPR enforceable
Collection #1 breach
773M unique emails
verifications.io breach
763M unique emails
People Data Labs breach
622M unique emails
Zynga breach
172M unique emails
Onliner Spambot breach
711M emails
Exploit.ln breach
593M emails
Finland wins
hockey world
championship
11/201910/2018
1/2019
6/2019
1/2020 2/2020 2022
Increasing amount of supply chain attacks (e.g. Magecart) and script hijacking
9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019

46. Impact

47. Build graphs and comprehensive audience profiles

48. Build graphs and comprehensive audience profiles
Target ads

49. Target ads
Manage ad frequency
Build graphs and comprehensive audience profiles

50. View-through attribution
Manage ad frequency
Build graphs and comprehensive audience profiles
Target ads

51. Manage ad frequency
Build graphs and comprehensive audience profiles
Cookie matching/syncing
View-through attribution
Target ads

52. Manage ad frequency
Build graphs and comprehensive audience profiles
Cross-site tracking
Cookie matching/syncing
View-through attribution
Target ads

53. Manage ad frequency
Build graphs and comprehensive audience profiles
Cross-site tracking
Cookie matching/syncing
View-through attribution
Target ads
Analytics integrations

54. Manage ad frequency
Build graphs and comprehensive audience profiles
Cross-site tracking
Cookie matching/syncing
View-through attribution
Target ads
Analytics integrations
SSO / login flows

55. Manage ad frequency
Build graphs and comprehensive audience profiles
Cross-site tracking
Cookie matching/syncing
View-through attribution
Target ads
Analytics integrations
SSO / login flows
State in embedded services

56. Manage ad frequency
Build graphs and comprehensive audience profiles
Cross-site tracking
Cookie matching/syncing
View-through attribution
Target ads
Analytics integrations
SSO / login flows
State in embedded services
Multi-purpose scripts

57. Manage ad frequency
Build graphs and comprehensive audience profiles
Cross-site tracking
Cookie matching/syncing
View-through attribution
Target ads
Analytics integrations
SSO / login flows
State in embedded services
Multi-purpose scripts
1st party data collection

58. Manage ad frequency
Build graphs and comprehensive audience profiles
Cross-site tracking
Cookie matching/syncing
View-through attribution
Target ads
Analytics integrations
SSO / login flows
State in embedded services
Multi-purpose scripts
1st party data collection
Tag management

59. Manage ad frequency
Build graphs and comprehensive audience profiles
Cross-site tracking
Cookie matching/syncing
View-through attribution
Target ads
Analytics integrations
SSO / login flows
State in embedded services
Multi-purpose scripts
1st party data collection
Tag management
Client-side state

60. Manage ad frequency
Build graphs and comprehensive audience profiles
Cross-site tracking
Cookie matching/syncing
View-through attribution
Target ads
Analytics integrations
SSO / login flows
State in embedded services
Multi-purpose scripts
1st party data collection
Tag management
Client-side state
Data quality

61. Manage ad frequency
Build graphs and comprehensive audience profiles
Cross-site tracking
Cookie matching/syncing
View-through attribution
Target ads
Analytics integrations
SSO / login flows
State in embedded services
Multi-purpose scripts
1st party data collection
Tag management
Client-side state
Data quality

62. Manage ad frequency
Build graphs and comprehensive audience profiles
Cross-site tracking
Cookie matching/syncing
View-through attribution
Target ads
Analytics integrations
SSO / login flows
State in embedded services
Multi-purpose scripts
1st party data collection
Tag management
Client-side state
Data quality

63. Classification of "known trackers"
Algorithmic, on-device Heuristic, global

64. 3rd party context

65. Block Restrict
Brave
3rd party context
Strips all cookies from 3P
requests.
Blocks all requests to
domains in filter lists.
Strips cross-site referrers
in navigational requests.
Spoofs cross-site referrers
in subresource HTTP requests.
Strips fbclid, gclid, msclkid, mc_eid
parameters from request URLs.

66. Block Restrict
Brave
3rd party context
Cookies, requests, referrers Referrers, request URLs
Chrome - -
Cliqz

67. Block Restrict
Brave
3rd party context
Cookies, requests, referrers Referrers
Chrome - -
Blocks cookies in 3P
context if target domain
is classified (on-device
and/or globally), with
mitigations (widget inter-
actions, redirects, oAuth
flows).
Other cookies set to 1h
expiration if no interaction
with site in 1P context.
Strips potential user identifiers
from request URLs, unless in
global safe set.
Downgrades referrer to origin
in cross-origin requests.
Cliqz

68. Block Restrict
Brave
3rd party context
Cookies, requests, referrers Referrers, request URLs
Chrome - -
Cliqz Cookies Cookies, referrers, request URLs
Edge

69. Block Restrict
Brave
3rd party context
Cookies, requests, referrers Referrers
Chrome - -
Cliqz Cookies Cookies, request URLs
Edge
Blocks cookies in 3P
requests if target domain
in Trust Protection Lists,
with mitigations for
engagement and same-org.
Blocks all script-writable
storage with same
conditions as above.
Blocks requests to
Fingerprinting and
Cryptomining domains.

70. Block Restrict
Brave
3rd party context
Cookies, requests, referrers Referrers, request URLs
Chrome - -
Cliqz Cookies
Edge
Firefox
Cookies, storage, requests -
Cookies, referrers, request URLs

71. Block Restrict
Brave
3rd party context
Cookies, requests, referrers Referrers
Chrome - -
Cliqz Cookies Cookies, request URLs
Edge Cookies, storage, requests -
Firefox
Blocks cookies in 3P
requests if target domain
classified in Disconnect.me.
Blocks requests to
Cryptomining category.
Blocks requests if domain
in Fingerprinting and
Tracking category.
Blocks localStorage and
IndexedDB for classified
domains.

72. Block Restrict
Brave
3rd party context
Cookies, requests, referrers Referrers, request URLs
Chrome - -
Cliqz Cookies
Edge Cookies, storage, requests -
Firefox Cookies, storage, requests -
Safari
Cookies, referrers, request URLs

73. Block Restrict
Brave
3rd party context
Cookies, requests, referrers Referrers, request URLs
Chrome - -
Cliqz Cookies Cookies, request URLs
Edge Cookies, storage, requests -
Firefox Cookies, storage, requests -
Safari
Blocks cookies if no prior
cookies set.
Blocks cookies if no
interaction with site in 1P.
Blocks cookies if
classified by ITP (except
with Storage Access API).
Blocks IndexedDB.
Partitioned and ephemeral
localStorage.
Downgrade referrer to origin
on subresource HTTP requests.
Downgrade referrer to eTLD+1
if referring page classified with
URL decoration.

74. Block Restrict
Brave
3rd party context
Cookies, requests, referrers Referrers, request URLs
Chrome - -
Cliqz Cookies
Edge Cookies, storage, requests -
Firefox Cookies, storage, requests -
Safari Cookies, storage Referrers, storage
Cookies, referrers, request URLs

75. 1st party context

76. Block Restrict
Brave
1st party context
Cookies set with JavaScript
expire in 7 days.
Cookies set with HTTP headers
expire in 6 months.

77. Block Restrict
Brave
1st party context
- Cookies
Chrome - -
Cliqz

78. Block Restrict
Brave
1st party context
Cookies, requests, referrers Referrers
Chrome - -
Non-HttpOnly cookies expire
in 7 days.
HttpOnly cookies expire in 30
days.
Cookies set on classified
domains that are visited
infrequently expire in 7 days.
Cookies set on classified
domains that are visited
frequently expire in 30 days.
Cliqz

79. Block Restrict
Brave
1st party context
- Cookies
Chrome - -
Cliqz - Cookies
Edge - -
Firefox - -
Safari

80. Block Restrict
Brave
1st party context
Cookies, requests, referrers Referrers, request URLs
Chrome - -
Cliqz Cookies Cookies, request URLs
Edge Cookies, storage, requests -
Firefox Cookies, storage, requests -
Safari
Cookies set with JavaScript
expire in 7 days.
Cookies set with JavaScript
when referring domain is
classified and URL has link
decoration expire in 24 hours.
Other browser storage is
expired in 7 days since last
interaction if referring domain
is classified and URL has
link decoration.

81. Block Restrict
Brave
1st party context
- Cookies
Chrome - -
Cliqz - Cookies
Edge - -
Firefox - -
Safari - Cookies, storage

82. Bubbling under

83. Brave Chrome Cliqz Edge Firefox Safari
Cookies set to SameSite=Lax by default.
Reject SameSite=None cookies that are not secure.
Chrome 80, Feb 4!

84. Brave Chrome Cliqz Edge Firefox Safari
Default referrer policy strict-origin-when-cross-origin.
Chrome 80, Feb 4!
! !!

85. Cap lifetime of all script-writable storage.
Brave Chrome Cliqz Edge Firefox Safari
Technology Preview 99

86. Brave Chrome Cliqz Edge Firefox Safari
Technology Preview 99
Block all cookies in 3P context - access only through Storage Access API.
!

87. Brave Chrome Cliqz Edge Firefox Safari
Technology Preview 99
The isLoggedIn API (experimental).

88. Brave Chrome Cliqz Edge Firefox Safari
Private Click Measurement / Ad Click Attribution.

89. DO’s and DON’Ts

90. DO
-Periodically audit the use of client-side state in your sites, services, and applications. Avoid
over-reliance; use HttpOnly where possible, then HTTP headers, then JS.
-Figure out how to incentivize logging in.
-Set cookies you need in third-party context to SameSite=None;Secure, with fallbacks
for unsupported browsers.
- Utilize Storage Access API for access to third-party storage.
-Consider the browser as a manifestation of the user’s desire and intent with regard to
tracking. Err on the side of as much privacy as possible.
-No evil.

91. DO NOT
-Look at "server-side analytics" as a silver bullet.
-Ignore small market share web browsers.
-Expect tracking prevention development to settle / slow down.
-Spread FUD about the impact of these measures without empirical data to back it up with.
-Expect that browsers will handle the ethical / legal side of data collection for you.
-Think that browsers have got tracking prevention "right"

92. Follow and participate

93. @BrendanEich
@EricLaw
@JohnWilander
@JustinSchuh
@Log3OverLog2
@pes10k
@RandomnessnCats
@SimoAhava
@TheZEdwards
bit.ly/privacy-sandbox
brave.com/blog
chromestatus.com/features
cookiestatus.com
cunderwood.dev
haveibeenpwned.com
panopticlick.eff.org
webkit.org/blog
webkit.org/tracking-prevention-policy
bit.ly/ad-click-attribution
bit.ly/privacycg
bit.ly/privacy-ig

94. log(`Thank you, ${yourName}`)