Browser tracking protections won't stop tracking, warns DuckDuckGo

Privacy don't like it, block the tracker, block the tracker


Eliminating third-party cookies will not stop companies from tracking web users, says DuckDuckGo, which claims it can help with its desktop browser extensions and mobile apps.

In a blog post on Tuesday, the privacy-focused search biz explains that the much discussed plan by Google to eliminate third-party cookies in Chrome by the end of 2022, and related restrictions already implemented in browsers like Brave, Firefox, and Safari, will have a limited effect on marketers' online tracking efforts.

You have to actually block their trackers from loading in your browser when visiting other sites

"To really stop Google and Facebook from tracking you on other websites, you have to actually block their trackers from loading in your browser when visiting other sites," said Gabriel Weinberg, CEO of DuckDuckGo, via Twitter. "Just restricting them after they load (like preventing them from using third-party cookies) isn’t enough."

Two of the most widely distributed trackers, Google Analytics tags and the Facebook pixel, for example, can be implemented using first-party cookies, so they're not blocked by third-party cookie limitations.

Weinberg argues that merely the act of loading a tracker – a webpage script, an asset like an image, or a cookie file – is itself a major tracking event. "The tracker can get a lot up front including your device info (IP address, user agent, HTTP headers, etc.) as well as your info the site chooses to send with it (e.g., from first-party cookies)."

Essentially, there are a lot of ways to track web users that don't rely on third-party cookies, like IP addresses in combination with other network data that can be used to calculate a browser fingerprint or identifier.

As we recently reported, third-party marketing firms have increased in the use of CNAME DNS records to borrow subdomains from publishers so their cookies appear to originate from a first-party domain and don't get blocked.

And app developers in China have been testing an identifier called the China Anonymization ID, or CAID, as a way to recover the tracking capabilities that will be lost once Apple finally implements the App Tracking Transparency framework that has so alarmed Facebook, Google, and other marketers.

Weinberg notes that the technology Google has in mind to replace the third-party cookie, like its Federated Learning of Cohorts (FLoC) scheme and related supposedly privacy-preserving ad delivery techniques, may still be useful for tracking. He argues that FLoC – which aims to assign interest group identifiers to users – can be combined with an IP address to become a unique identifier.

DuckDuckGo app on a smartphone screen next to Google search app and a finger touching it. Selective focus.

Apple's app transparency rules: Google's privacy labels for Chrome and Search on iOS highlighted by DuckDuckGo

READ MORE

"So any tracker that gets both [a FLoC cohort identifier and an IP address] can easily uniquely track and behaviorally target exceptionally well without third-party cookies or anything else," he said.

The DuckDuckGo tracker blocking app for mobile devices and desktop browser extensions can prevent trackers from loading, which not only serves to improve privacy but also speeds up page load times considerably.

In a page load time test of WebMD.com, the DuckDuckGo extension cut page load times for Chrome, Firefox, and Safari (with default settings) from 20.2, 15.3, and 13.1 seconds to 9.9, 9.1, and 7.5 respectively, or 46 per cent on average.

The extension reduced browsing data transferred by an average of 34 per cent and cut the number of browser requests for files per page load in Chrome, Firefox, and Safari respectively from 567, 602, and 411 to 164, 198, and 181, an average file count reduction of 66 per cent.

Enhanced web performance has long been a selling point for content blocking, ad blocking, and privacy extensions, many of which like uBlock Origin also prevent trackers from loading. But Weinberg points out that DuckDuckGo's software only blocks trackers and doesn't interfere with "non-creepy ads."

"DuckDuckGo is highly profitable based just on serving non-creepy contextual ads," he said. "We believe in a future where these types of ads are normal again, and think this future can be similarly profitable for publishers." ®

Broader topics


Other stories you might like

  • Lonestar plans to put datacenters in the Moon's lava tubes
    How? Founder tells The Register 'Robots… lots of robots'

    Imagine a future where racks of computer servers hum quietly in darkness below the surface of the Moon.

    Here is where some of the most important data is stored, to be left untouched for as long as can be. The idea sounds like something from science-fiction, but one startup that recently emerged from stealth is trying to turn it into a reality. Lonestar Data Holdings has a unique mission unlike any other cloud provider: to build datacenters on the Moon backing up the world's data.

    "It's inconceivable to me that we are keeping our most precious assets, our knowledge and our data, on Earth, where we're setting off bombs and burning things," Christopher Stott, founder and CEO of Lonestar, told The Register. "We need to put our assets in place off our planet, where we can keep it safe."

    Continue reading
  • Conti: Russian-backed rulers of Costa Rican hacktocracy?
    Also, Chinese IT admin jailed for deleting database, and the NSA promises no more backdoors

    In brief The notorious Russian-aligned Conti ransomware gang has upped the ante in its attack against Costa Rica, threatening to overthrow the government if it doesn't pay a $20 million ransom. 

    Costa Rican president Rodrigo Chaves said that the country is effectively at war with the gang, who in April infiltrated the government's computer systems, gaining a foothold in 27 agencies at various government levels. The US State Department has offered a $15 million reward leading to the capture of Conti's leaders, who it said have made more than $150 million from 1,000+ victims.

    Conti claimed this week that it has insiders in the Costa Rican government, the AP reported, warning that "We are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and power, you have introduced an emergency." 

    Continue reading
  • China-linked Twisted Panda caught spying on Russian defense R&D
    Because Beijing isn't above covert ops to accomplish its five-year goals

    Chinese cyberspies targeted two Russian defense institutes and possibly another research facility in Belarus, according to Check Point Research.

    The new campaign, dubbed Twisted Panda, is part of a larger, state-sponsored espionage operation that has been ongoing for several months, if not nearly a year, according to the security shop.

    In a technical analysis, the researchers detail the various malicious stages and payloads of the campaign that used sanctions-related phishing emails to attack Russian entities, which are part of the state-owned defense conglomerate Rostec Corporation.

    Continue reading

Biting the hand that feeds IT © 1998–2022