Brave takes on the creepy websites that override your privacy settings

Privacy antidote —

Even if you block 3rd-party cookies, bounce tracking can set them anyway. Until now.



Some websites just can’t take “no” for an answer. Instead of respecting visitors’ choice to block third-party cookies—the identifiers that track browsing activity as a user moves from site to site—they find sneaky ways to bypass those settings. Now, makers of the Brave browser are taking action.

Earlier this week, Brave Nightly—the testing and development version of the browser—rolled out a feature that’s designed to prevent what’s known as bounce tracking. The new feature, known as unlinkable bouncing, will roll out for general release in Brave version 1.37 slated for March 29.

Overriding privacy

Bounce tracking is one of the key ways websites circumvent third-party cookie blocking. When a browser prevents a website such as site.example from loading a third-party tracking cookie from a domain such as tracker.example, site.example pulls a fast one. When site.example detects that the tracker.example cookie can’t be set, it instead redirects the browser to the tracker.example site, sets a cookie from that domain, and then redirects back to the original page or a new destination.

With that, the tracker.example cookie gets passed through a URL parameter and then gets stashed as a first-party cookie on the landing page. Once tracker.example places itself between enough of the sites a visitor browses, the tracker eventually builds a detailed profile of that activity, including the user’s interests and demographics.

Here is how third-party cookie blocking is supposed to work. When the user moves from site-one.example to cats.example and later from site-two.example to cars.example, there’s no way to track those movements as coming from the same person.

Bounce tracking circumvents this arrangement by inserting a third-party tracking site such as tracker.example in between the originating site and the cats.example or cars.example sites the user later browses to. Tracker.example then records that it was the user who visited both cats.example and cars.example.

While browsers that support third-party cookie blocking have existing mechanisms designed to thwart bounce tracking, this sneaky form of surveillance remains hard to defend against, since the browser doesn’t know beforehand that it will be directed to tracker.example. That’s where unlinkable bouncing comes in.

Ephemeral storage to the rescue

In a post, the Brave privacy team on Wednesday outlined the process that unlinkable bouncing uses. In a nutshell, unlinkable bouncing checks the site a user is about to visit against a list of URLs known to perform bounce tracking. When a destination site appears on the list and Brave has no cookies, localStorage, or other data related to it, the browser automatically creates a new one-time browser storage area for the site.

Once a user leaves the tracking site, Brave deletes the temporary storage. Because the data is no longer stored, the tracking site will be unable to re-identify the user the next time they are bounced through it.

Brave has several other ways to prevent site tracking. They include query-parameter stripping, debouncing, and (when blocking is set to aggressive mode) a warning to give concerned users a chance to back out.

The Brave privacy team explained the full flow as follows:

  1. When navigating to a new URL, Brave checks to see if that URL is a known bounce-tracking (or otherwise harmful) site, by consulting filter lists (both crowdsourced and Brave-generated).
  2. If that URL appears in a filter list, the browser checks the Trackers & ads blocked shields setting for the destination site. If that setting is Aggressive, the user is presented with a warning for whether they want to continue with the navigation, as described in a prior blog post.
  3. If the user has Trackers & ads blocked in the default setting (or decides to continue with the navigation in the Aggressive setting), the browser then checks the first-party DOM storage values (cookies, localStorage, etc.) for the destination site. If the user has any existing stored values, the navigation continues using the existing stored values (in other words, Unlinkable Bouncing is not applied). If no DOM storage values exist for the destination site, the browser creates a new, temporary browser storage area for the destination site.
  4. Soon after you leave the suspected bounce-tracking site (meaning no tabs are open for that site) the temporary storage is deleted, preventing the site from re-identifying you the next time you’re bounced through the site.
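The four-step flow quoted above, modeled as an added JavaScript example (it is not Brave's code and not part of the original article). `BounceModel`, `trackerVisit`, `bounce` and the `uid` key are hypothetical names, and the tracker's behaviour is constructed for illustration.

```javascript
// Simplified, hypothetical model of the quoted flow; not Brave's implementation.
class BounceModel {
  constructor(filterList) {
    this.filterList = new Set(filterList); // known bounce-tracking hosts
    this.persistent = new Map();           // host -> Map of stored values
    this.ephemeral = new Map();            // host -> temporary storage area
    this.openTabs = new Map();             // host -> open tab count
  }
  // Returns the storage area the destination sees, or null if the user backs out.
  navigate(host, { shields = "default", proceed = true } = {}) {
    const listed = this.filterList.has(host);                        // step 1
    if (listed && shields === "aggressive" && !proceed) return null; // step 2
    this.openTabs.set(host, (this.openTabs.get(host) || 0) + 1);
    const existing = this.persistent.get(host);
    if (!listed || (existing && existing.size > 0)) {                // step 3
      if (!existing) this.persistent.set(host, new Map());
      return this.persistent.get(host); // existing values: feature not applied
    }
    if (!this.ephemeral.has(host)) this.ephemeral.set(host, new Map());
    return this.ephemeral.get(host);
  }
  leave(host) {
    const n = (this.openTabs.get(host) || 1) - 1;
    this.openTabs.set(host, n);
    if (n === 0) this.ephemeral.delete(host);                        // step 4
  }
}

// Constructed tracker behaviour: reuse a stored ID if present, else mint one.
let nextId = 1;
function trackerVisit(storage) {
  if (!storage.has("uid")) storage.set("uid", `user-${nextId++}`);
  return storage.get("uid");
}

// Bounce through `host` once and report the ID the tracker observed.
function bounce(model, host, opts) {
  const storage = model.navigate(host, opts);
  if (storage === null) return null;
  const uid = trackerVisit(storage);
  model.leave(host);
  return uid;
}

function demo() {
  const model = new BounceModel(["tracker.example"]);
  const twice = (h) => [bounce(model, h), bounce(model, h)];
  return { listed: twice("tracker.example"), unlisted: twice("other.example") };
}
```

In `demo()`, the listed host sees a different ID on each bounce, while the unlisted host, which keeps ordinary persistent storage, sees the same ID both times.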

Team members said that unlinkable bouncing is the first of four planned applications to implement what they call “first-party ephemeral storage.” The set of techniques allows a site to identify visitors for only as long as they have it open. As a result, first-party ephemeral storage prevents the first-party site from re-identifying a user unless the user wants to be re-identified.

Using first-party ephemeral storage will be akin to clearing browser storage every time the user leaves the site, except it’s easier and more targeted.

“This brings about a total shift in the Web’s default behavior,” the privacy team members wrote. “To date, browsers have assumed users want every site to remember them unless the user takes some explicit step against that remembering. Instead, Brave is working toward forgetfulness (and thus privacy) by default.”
