Brave takes on the creepy websites that override your privacy settings

Privacy antidote —

Even if you block 3rd-party cookies, bounce tracking can set them anyway. Until now.



Some websites just can’t take “no” for an answer. Instead of respecting visitors’ choice to block third-party cookies—the identifiers that track browsing activity as a user moves from site to site—they find sneaky ways to bypass those settings. Now, makers of the Brave browser are taking action.

Earlier this week, Brave Nightly—the testing and development version of the browser—rolled out a feature that’s designed to prevent what’s known as bounce tracking. The new feature, known as unlinkable bouncing, will roll out for general release in Brave version 1.37 slated for March 29.

Overriding privacy

Bounce tracking is one of the key ways websites circumvent third-party cookie blocking. When a browser prevents a website such as site.example from loading a third-party tracking cookie from a domain such as tracker.example, site.example pulls a fast one. When site.example detects that the tracker.example cookie can’t be set, it instead redirects the browser to the tracker.example site, sets a cookie from that domain, and then redirects back to the original page or a new destination.

With that, the tracker.example cookie gets passed through a URL parameter and then gets stashed as a first-party cookie on the landing page. Once tracker.example places itself between enough of the sites a visitor browses, the tracker eventually builds a detailed profile of that activity, including the user’s interests and demographics.

The image below shows how third-party cookie blocking is supposed to work. When the user moves from site-one.example to cats.example and later from site-two.example to cars.example, there’s no way to track those movements as coming from the same person.

Bounce tracking circumvents this arrangement by inserting a third-party tracking site such as tracker.example in between the originating site and the cats.example or cars.example sites the user later browses to. Tracker.example then records that it was the user who visited both cats.example and cars.example.

While browsers that support third-party cookie blocking have existing mechanisms designed to thwart bounce tracking, this sneaky form of surveillance remains hard to defend against, since the browser doesn’t know beforehand that it will be directed to tracker.example. That’s where unlinkable bouncing comes in.

Ephemeral storage to the rescue

In a post, the Brave privacy team on Wednesday outlined the process that unlinkable bouncing uses. In a nutshell, unlinkable bouncing checks the site a user is about to visit against a list of URLs known to perform bounce tracking. When a destination site appears on the list and Brave has no cookies, localStorage, or other data related to it, the browser automatically creates a new one-time browser storage area for the site.

Once a user leaves the tracking site, Brave deletes the temporary storage. Because the data is no longer stored, the tracking site will be unable to re-identify the user the next time they are bounced through it.

Brave has several other ways to prevent site tracking. They include query-parameter stripping, debouncing, and (when blocking is set to aggressive mode) a warning to give concerned users a chance to back out.

The Brave privacy team explained the full flow as follows:

  1. When navigating to a new URL, Brave checks to see if that URL is a known bounce-tracking (or otherwise harmful) site, by consulting filter lists (both crowdsourced and Brave-generated).
  2. If that URL appears in a filter list, the browser checks the Trackers & ads blocked shields setting for the destination site. If that setting is Aggressive, the user is presented with a warning for whether they want to continue with the navigation, as described in a prior blog post.
  3. If the user has Trackers & ads blocked in the default setting (or decides to continue with the navigation in the Aggressive setting), the browser then checks the first-party DOM storage values (cookies, localStorage, etc.) for the destination site. If the user has any existing stored values, the navigation continues using the existing stored values (in other words, Unlinkable Bouncing is not applied). If no DOM storage values exist for the destination site, the browser creates a new, temporary browser storage area for the destination site.
  4. Soon after you leave the suspected bounce-tracking site (meaning no tabs are open for that site) the temporary storage is deleted, preventing the site from re-identifying you the next time you’re bounced through the site.
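
The four steps above, modelled as an added JavaScript example (not Brave's code and not part of the original article). The class, method and field names are hypothetical, and the tracker is a constructed stand-in that keeps its identifier under a `uid` key.

```javascript
// Toy model of the four-step flow above; not Brave's implementation.
// Class, method and field names are hypothetical.
class Browser {
  constructor(filterList, shields = 'default') {
    this.filterList = new Set(filterList); // step 1: known bounce trackers
    this.shields = shields;                // 'default' or 'aggressive'
    this.persistent = new Map();           // site -> Map of stored values
    this.ephemeral = new Map();            // site -> temporary storage area
  }

  // Returns the storage area the destination site will see, or null if the
  // user backed out at the Aggressive-mode warning.
  navigate(site, { userContinues = true } = {}) {
    if (!this.filterList.has(site)) return this.storageFor(this.persistent, site);
    if (this.shields === 'aggressive' && !userContinues) return null; // step 2
    const existing = this.persistent.get(site);
    if (existing && existing.size > 0) return existing; // step 3: not applied
    return this.storageFor(this.ephemeral, site);       // step 3: temp area
  }

  // Step 4: no tabs remain open for the site, so temporary storage is dropped.
  closeLastTab(site) {
    this.ephemeral.delete(site);
  }

  storageFor(store, site) {
    if (!store.has(site)) store.set(site, new Map());
    return store.get(site);
  }
}

// Constructed tracker behaviour: reuse the stored ID if present, else mint one.
let nextId = 1;
function trackerVisit(storage) {
  if (!storage.has('uid')) storage.set('uid', `user-${nextId++}`);
  return storage.get('uid');
}

// Two bounces through tracker.example; returns the IDs the tracker observed.
function bounceTwice(browser) {
  const ids = [];
  for (let i = 0; i < 2; i++) {
    ids.push(trackerVisit(browser.navigate('tracker.example')));
    browser.closeLastTab('tracker.example');
  }
  return ids;
}
```

With an empty filter list `bounceTwice` returns the same ID twice; with `tracker.example` on the list and no prior storage, each bounce sees a fresh ID, so the two visits cannot be linked.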

Team members said that unlinkable bouncing is the first of four planned applications to implement what they call “first-party ephemeral storage.” The set of techniques allows a site to identify visitors for only as long as they have it open. As a result, first-party ephemeral storage prevents the first-party site from re-identifying a user unless the user wants to be re-identified.

Using first-party ephemeral storage will be akin to clearing browser storage every time the user leaves the site, except it’s easier and more targeted.

“This brings about a total shift in the Web’s default behavior,” the privacy team members wrote. “To date, browsers have assumed users want every site to remember them unless the user takes some explicit step against that remembering. Instead, Brave is working toward forgetfulness (and thus privacy) by default.”
