Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Browser Tracking Protections - SuperWeek 2020

4,992 views

Published on

My presentation titled "Browsers eat data quality for breakfast" from SuperWeek 2020.

The presentation introduces the "tracking protection / prevention / blocking" mechanisms implemented in the major browsers.

The information comes from the www.cookiestatus.com service.

Published in: Internet

Browser Tracking Protections - SuperWeek 2020

  1. 1. Browsers Eat Data Quality For BREAKFAST @SimoAhava from @8_bit_sheep at #SPWK
  2. 2. Browser Tracking Prevention
  3. 3. www.CookieStatus.com
  4. 4. Quick quiz
  5. 5. https://blog.superweek.hu/welcome.html SOURCE TARGET https://shop.superweek.hu/image.jpg HTTP request includes cookies written on which domain: SOURCE or TARGET? HTTP GET
  6. 6. https://blog.superweek.hu/welcome.html SOURCE TARGET https://shop.superweek.hu/image.jpg Is this an example of 3RD PARTY REQUEST or 1ST PARTY REQUEST? HTTP GET
  7. 7. Cross-site tracking
  8. 8. Graphic adapted from https://web.dev/samesite-cookies-explained/ https://www.simoahava.com/
  9. 9. Graphic adapted from https://web.dev/samesite-cookies-explained/ Same-site === First-party context https://www.simoahava.com/
  10. 10. Graphic adapted from https://web.dev/samesite-cookies-explained/ https://image.cdn.com/image.gif https://www.simoahava.com/
  11. 11. Graphic adapted from https://web.dev/samesite-cookies-explained/ Cross-site === Third-party context https://image.cdn.com/image.gif https://www.simoahava.com/
  12. 12. Graphic adapted from https://web.dev/samesite-cookies-explained/ https://page.somedomain.com/ https://page.otherdomain.com/ https://page.thirddomain.com/ https://image.cdn.com/image.gif All pages include a request to the third-party resource, thus including all cookies written on the third-party domain, enabling cross-site tracking.
  13. 13. Some popular exploits
  14. 14. Leverage other script-writable storage.
  15. 15. Decorate outbound links with identifiers.
  16. 16. Decorate referring URL with identifiers.
  17. 17. Stateless tracking with fingerprints.
  18. 18. Third-party-to-first-party collusion, e.g. with CNAME.
  19. 19. Browsers take the initiative
  20. 20. 2003 Defaultcookie policy blocks 3P cookies w ithoutprior"seeding"
  21. 21. 2003 Defaultcookie policy blocks 3P cookies w ithoutprior"seeding" 2013 Partitioned and ephem eral3P H TM L5 storage
  22. 22. 2003 Defaultcookie policy blocks 3P cookies w ithoutprior"seeding" ITP 1-Algorithm ic classification,3P cookies partitioned 2013 Partitioned and ephem eral3P H TM L5 storage 9/2017
  23. 23. 2003 Defaultcookie policy blocks 3P cookies w ithoutprior"seeding" ITP 1-Algorithm ic classification,3P cookies partitioned 2/2018 Storage Access APIto allow access to partitioned storage 2013 Partitioned and ephem eral3P H TM L5 storage 9/2017
  24. 24. 2003 Defaultcookie policy blocks 3P cookies w ithoutprior"seeding" ITP 1-Algorithm ic classification,3P cookies partitioned 2/2018 Storage Access APIto allow access to partitioned storage ITP 2 -Rem ovalof24-hourgrace period forunrestricted 3P cookie access, 1P bounce trackerand trackercollusion protection 2013 Partitioned and ephem eral3P H TM L5 storage 9/2017 9/2018
  25. 25. 2003 Defaultcookie policy blocks 3P cookies w ithoutprior"seeding" ITP 1-Algorithm ic classification,3P cookies partitioned 2/2018 Storage Access APIto allow access to partitioned storage ITP 2 -Rem ovalof24-hourgrace period forunrestricted 3P cookie access, 1P bounce trackerand trackercollusion protection 2013 Partitioned and ephem eral3P H TM L5 storage ITP 2.1-3P cookies no longerpartitioned,restrictions on 1P JavaScriptcookies 9/2017 9/2018 3/2019
  26. 26. 2003 Defaultcookie policy blocks 3P cookies w ithoutprior"seeding" ITP 1-Algorithm ic classification,3P cookies partitioned 2/2018 Storage Access APIto allow access to partitioned storage ITP 2 -Rem ovalof24-hourgrace period forunrestricted 3P cookie access, 1P bounce trackerand trackercollusion protection 2013 Partitioned and ephem eral3P H TM L5 storage ITP 2.1-3P cookies no longerpartitioned,restrictions on 1P JavaScriptcookies 4/2019 ITP 2.2 -1P JavaScriptcookies lim ited to 24-hourexpiration in som e cases 9/2017 9/2018 3/2019
  27. 27. 9/2019 ITP 2.3 -Allscript-w ritable storage gets lim ited lifetim e, docum ent.referrerfrom classified dom ain stripped to eTLD+1 2003 Defaultcookie policy blocks 3P cookies w ithoutprior"seeding" ITP 1-Algorithm ic classification,3P cookies partitioned 2/2018 Storage Access APIto allow access to partitioned storage ITP 2 -Rem ovalof24-hourgrace period forunrestricted 3P cookie access, 1P bounce trackerand trackercollusion protection 2013 Partitioned and ephem eral3P H TM L5 storage ITP 2.1-3P cookies no longerpartitioned,restrictions on 1P JavaScriptcookies 4/2019 ITP 2.2 -1P JavaScriptcookies lim ited to 24-hourexpiration in som e cases 9/2017 9/2018 3/2019
  28. 28. 9/2019 ITP 2.3 -Allscript-w ritable storage gets lim ited lifetim e, docum ent.referrerfrom classified dom ain stripped to eTLD+1 All3P requests (non-navigational)getreferrer stripped to origin,all3P cookies blocked if site notinteracted w ith in 1P context 2003 Defaultcookie policy blocks 3P cookies w ithoutprior"seeding" 9/2017 ITP 1-Algorithm ic classification,3P cookies partitioned 3/2018 Storage Access APIto allow access to partitioned storage 9/2018 ITP 2 -Rem ovalof24-hourgrace period forunrestricted 3P cookie access, 1P bounce trackerand trackercollusion protection 2013 Partitioned and ephem eral3P H TM L5 storage 3/2019 ITP 2.1-3P cookies no longerpartitioned,restrictions on 1P JavaScriptcookies 4/2019 ITP 2.2 -1P JavaScriptcookies lim ited to 24-hourexpiration in som e cases 12/2019
  29. 29. ETP introduced -3P tracking cookies blocked ifactivated 10/2018 9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019
  30. 30. ETP introduced -3P tracking cookies blocked ifactivated ETP m odes introduced -Standard is the default 10/2018 1/2019 9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019
  31. 31. ETP introduced -3P tracking cookies blocked ifactivated ETP m odes introduced -Standard is the default ETP released -Standard seton fornew installs 10/2018 1/2019 6/2019 9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019
  32. 32. ETP introduced -3P tracking cookies blocked ifactivated ETP m odes introduced -Standard is the default ETP released -Standard seton fornew installs 10/2018 1/2019 6/2019 ETP setto Standard forallusers 9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019
  33. 33. 10/2018 1/2019 6/2019 Brave Shields released 9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019
  34. 34. 10/2018 1/2019 6/2019 Brave Shields released Restrictions to fingerprinting 9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019
  35. 35. 10/2018 1/2019 6/2019 Brave Shields released Restrictions to fingerprinting Im proved ad blockeralgorithm 9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019
  36. 36. 10/2018 1/2019 6/2019 Brave Shields released Restrictions to fingerprinting Rem ove know n tracking param eters from U RLs Im proved ad blockeralgorithm 9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019
  37. 37. 10/2018 1/2019 6/2019 Tracking prevention (Edge beta)blocks cookies from know n trackers 9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019
  38. 38. 10/2018 1/2019 6/2019 Tracking prevention (Edge beta)blocks cookies from know n trackers (Edge beta)adds additionalm itigations 9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019
  39. 39. 10/2018 1/2019 6/2019 Tracking prevention (Edge beta)blocks cookies from know n trackers (Edge beta)adds additionalm itigations 1/2020 N ew Edge released 9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019
  40. 40. 10/2018 1/2019 6/2019 1/2020 Cliqz introduces its ow n ad blocking tech 11/2019 9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019
  41. 41. 11/201910/2018 1/2019 6/2019 1/2020 Sam eSite enforcem ent* * not a tracking protection mechanism 2/20209/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019
  42. 42. 11/201910/2018 1/2019 6/2019 1/2020 2/2020 Sam eSite enforcem ent 2022 N o m ore 3P cks 9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019
  43. 43. 11/201910/2018 1/2019 6/2019 1/2020 2/2020 2022 GDPR enforceable Collection #1 breach 773M unique emails verifications.io breach 763M unique emails People Data Labs breach 622M unique emails Zynga breach 172M unique emails Onliner Spambot breach 711M emails Exploit.ln breach 593M emails Finland wins hockey world championship 9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019
  44. 44. GDPR enforceable Collection #1 breach 773M unique emails verifications.io breach 763M unique emails People Data Labs breach 622M unique emails Zynga breach 172M unique emails Onliner Spambot breach 711M emails Exploit.ln breach 593M emails Finland wins hockey world championship 11/201910/2018 1/2019 6/2019 1/2020 2/2020 2022 Increasing amount of supply chain attacks (e.g. Magecart) and script hijacking 9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019
  45. 45. Impact
  46. 46. Build graphs and comprehensive audience profiles
  47. 47. Build graphs and comprehensive audience profiles Target ads
  48. 48. Target ads Manage ad frequency Build graphs and comprehensive audience profiles
  49. 49. View-through attribution Manage ad frequency Build graphs and comprehensive audience profiles Target ads
  50. 50. Manage ad frequency Build graphs and comprehensive audience profiles Cookie matching/syncing View-through attribution Target ads
  51. 51. Manage ad frequency Build graphs and comprehensive audience profiles Cross-site tracking Cookie matching/syncing View-through attribution Target ads
  52. 52. Manage ad frequency Build graphs and comprehensive audience profiles Cross-site tracking Cookie matching/syncing View-through attribution Target ads Analytics integrations
  53. 53. Manage ad frequency Build graphs and comprehensive audience profiles Cross-site tracking Cookie matching/syncing View-through attribution Target ads Analytics integrations SSO / login flows
  54. 54. Manage ad frequency Build graphs and comprehensive audience profiles Cross-site tracking Cookie matching/syncing View-through attribution Target ads Analytics integrations SSO / login flows State in embedded services
  55. 55. Manage ad frequency Build graphs and comprehensive audience profiles Cross-site tracking Cookie matching/syncing View-through attribution Target ads Analytics integrations SSO / login flows State in embedded services Multi-purpose scripts
  56. 56. Manage ad frequency Build graphs and comprehensive audience profiles Cross-site tracking Cookie matching/syncing View-through attribution Target ads Analytics integrations SSO / login flows State in embedded services Multi-purpose scripts 1st party data collection
  57. 57. Manage ad frequency Build graphs and comprehensive audience profiles Cross-site tracking Cookie matching/syncing View-through attribution Target ads Analytics integrations SSO / login flows State in embedded services Multi-purpose scripts 1st party data collection Tag management
  58. 58. Manage ad frequency Build graphs and comprehensive audience profiles Cross-site tracking Cookie matching/syncing View-through attribution Target ads Analytics integrations SSO / login flows State in embedded services Multi-purpose scripts 1st party data collection Tag management Client-side state
  59. 59. Manage ad frequency Build graphs and comprehensive audience profiles Cross-site tracking Cookie matching/syncing View-through attribution Target ads Analytics integrations SSO / login flows State in embedded services Multi-purpose scripts 1st party data collection Tag management Client-side state Data quality
  60. 60. Manage ad frequency Build graphs and comprehensive audience profiles Cross-site tracking Cookie matching/syncing View-through attribution Target ads Analytics integrations SSO / login flows State in embedded services Multi-purpose scripts 1st party data collection Tag management Client-side state Data quality
  61. 61. Manage ad frequency Build graphs and comprehensive audience profiles Cross-site tracking Cookie matching/syncing View-through attribution Target ads Analytics integrations SSO / login flows State in embedded services Multi-purpose scripts 1st party data collection Tag management Client-side state Data quality
  62. 62. Classification of "known trackers" Algorithmic, on-device Heuristic, global
  63. 63. 3rd party context
  64. 64. Block Restrict Brave 3rd party context Strips all cookies from 3P requests. Blocks all requests to domains in filter lists. Strips cross-site referrers in navigational requests. Spoofs cross-site referrers in subresource HTTP requests. Strips fbclid, gclid, msclkid, mc_eid parameters from request URLs.
  65. 65. Block Restrict Brave 3rd party context Cookies, requests, referrers Referrers, request URLs Chrome - - Cliqz
  66. 66. Block Restrict Brave 3rd party context Cookies, requests, referrers Referrers Chrome - - Blocks cookies in 3P context if target domain is classified (on-device and/or globally), with mitigations (widget inter- actions, redirects, oAuth flows). Other cookies set to 1h expiration if no interaction with site in 1P context. Strips potential user identifiers from request URLs, unless in global safe set. Downgrades referrer to origin in cross-origin requests. Cliqz
  67. 67. Block Restrict Brave 3rd party context Cookies, requests, referrers Referrers, request URLs Chrome - - Cliqz Cookies Cookies, referrers, request URLs Edge
  68. 68. Block Restrict Brave 3rd party context Cookies, requests, referrers Referrers Chrome - - Cliqz Cookies Cookies, request URLs Edge Blocks cookies in 3P requests if target domain in Trust Protection Lists, with mitigations for engagement and same-org. Blocks all script-writable storage with same conditions as above. Blocks requests to Fingerprinting and Cryptomining domains.
  69. 69. Block Restrict Brave 3rd party context Cookies, requests, referrers Referrers, request URLs Chrome - - Cliqz Cookies Edge Firefox Cookies, storage, requests - Cookies, referrers, request URLs
  70. 70. Block Restrict Brave 3rd party context Cookies, requests, referrers Referrers Chrome - - Cliqz Cookies Cookies, request URLs Edge Cookies, storage, requests - Firefox Blocks cookies in 3P requests if target domain classified in Disconnect.me. Blocks requests to Cryptomining category. Blocks requests if domain in Fingerprinting and Tracking category. Blocks localStorage and IndexedDB for classified domains.
  71. 71. Block Restrict Brave 3rd party context Cookies, requests, referrers Referrers, request URLs Chrome - - Cliqz Cookies Edge Cookies, storage, requests - Firefox Cookies, storage, requests - Safari Cookies, referrers, request URLs
  72. 72. Block Restrict Brave 3rd party context Cookies, requests, referrers Referrers, request URLs Chrome - - Cliqz Cookies Cookies, request URLs Edge Cookies, storage, requests - Firefox Cookies, storage, requests - Safari Blocks cookies if no prior cookies set. Blocks cookies if no interaction with site in 1P. Blocks cookies if classified by ITP (except with Storage Access API). Blocks IndexedDB. Partitioned and ephemeral localStorage. Downgrade referrer to origin on subresource HTTP requests. Downgrade referrer to eTLD+1 if referring page classified with URL decoration.
  73. 73. Block Restrict Brave 3rd party context Cookies, requests, referrers Referrers, request URLs Chrome - - Cliqz Cookies Edge Cookies, storage, requests - Firefox Cookies, storage, requests - Safari Cookies, storage Referrers, storage Cookies, referrers, request URLs
  74. 74. 1st party context
  75. 75. Block Restrict Brave 1st party context Cookies set with JavaScript expire in 7 days. Cookies set with HTTP headers expire in 6 months.
  76. 76. Block Restrict Brave 1st party context - Cookies Chrome - - Cliqz
  77. 77. Block Restrict Brave 1st party context Cookies, requests, referrers Referrers Chrome - - Non-HttpOnly cookies expire in 7 days. HttpOnly cookies expire in 30 days. Cookies set on classified domains that are visited infrequently expire in 7 days. Cookies set on classified domains that are visited frequently expire in 30 days. Cliqz
  78. 78. Block Restrict Brave 1st party context - Cookies Chrome - - Cliqz - Cookies Edge - - Firefox - - Safari
  79. 79. Block Restrict Brave 1st party context Cookies, requests, referrers Referrers, request URLs Chrome - - Cliqz Cookies Cookies, request URLs Edge Cookies, storage, requests - Firefox Cookies, storage, requests - Safari Cookies set with JavaScript expire in 7 days. Cookies set with JavaScript when referring domain is classified and URL has link decoration expire in 24 hours. Other browser storage is expired in 7 days since last interaction if referring domain is classified and URL has link decoration.
  80. 80. Block Restrict Brave 1st party context - Cookies Chrome - - Cliqz - Cookies Edge - - Firefox - - Safari - Cookies, storage
  81. 81. Bubbling under
  82. 82. Brave Chrome Cliqz Edge Firefox Safari Cookies set to SameSite=Lax by default. Reject SameSite=None cookies that are not secure. Chrome 80, Feb 4!
  83. 83. Brave Chrome Cliqz Edge Firefox Safari Default referrer policy strict-origin-when-cross-origin. Chrome 80, Feb 4! ! !!
  84. 84. Cap lifetime of all script-writable storage. Brave Chrome Cliqz Edge Firefox Safari Technology Preview 99
  85. 85. Brave Chrome Cliqz Edge Firefox Safari Technology Preview 99 Block all cookies in 3P context - access only through Storage Access API. !
  86. 86. Brave Chrome Cliqz Edge Firefox Safari Technology Preview 99 The isLoggedIn API (experimental).
  87. 87. Brave Chrome Cliqz Edge Firefox Safari Private Click Measurement / Ad Click Attribution.
  88. 88. DO’s and DON’Ts
  89. 89. DO -Periodically audit the use of client-side state in your sites, services, and applications. Avoid over-reliance; use HttpOnly where possible, then HTTP headers, then JS. -Figure out how to incentivize logging in. -Set cookies you need in third-party context to SameSite=None;Secure, with fallbacks for unsupported browsers. - Utilize Storage Access API for access to third-party storage. -Consider the browser as a manifestation of the user’s desire and intent with regard to tracking. Err on the side of as much privacy as possible. -No evil.
  90. 90. DO NOT -Look at "server-side analytics" as a silver bullet. -Ignore small market share web browsers. -Expect tracking prevention development to settle / slow down. -Spread FUD about the impact of these measures without empirical data to back it up with. -Expect that browsers will handle the ethical / legal side of data collection for you. -Think that browsers have got tracking prevention "right"
  91. 91. Follow and participate
  92. 92. @BrendanEich @EricLaw @JohnWilander @JustinSchuh @Log3OverLog2 @pes10k @RandomnessnCats @SimoAhava @TheZEdwards bit.ly/privacy-sandbox brave.com/blog chromestatus.com/features cookiestatus.com cunderwood.dev haveibeenpwned.com panopticlick.eff.org webkit.org/blog webkit.org/tracking-prevention-policy bit.ly/ad-click-attribution bit.ly/privacycg bit.ly/privacy-ig
  93. 93. log(`Thank you, ${yourName}`)

×