Brave takes the spring out of creepy bounce tracking

Browser maker Brave has developed a new way to ground "bounce tracking," a sneaky technique for bypassing privacy defenses in order to track people across different websites.

Bounce tracking, also known as redirect tracking, dates back at least to 2014 when ad companies were looking for ways to avoid third-party cookie blocking defenses.

"Bounce tracking is a way for trackers to track you even if browser-level privacy protections are in place," explained Peter Snyder, senior director of privacy at Brave, on Tuesday.

"Privacy respecting browsers try to prevent sites from learning about your behaviors and activities on other sites. Bounce tracking attempts to circumvent these protections by gaming how your browser behaves when you browse from one site to another."

Say a website embeds a third-party script from info.tracker. When the website is visited, the third-party script tries to read third-party cookies from info.tracker that have been stored in the visitor's browser.

If it can't – because third-party cookies are blocked – the script redirects to the info.tracker domain by writing a new URL to the browser's window.location object or via some link hijacking method like injecting an info.tracker iframe into the original website.

Doing so puts info.tracker into a first-party context, enabling it to set tracking cookies.

Info.tracker then redirects back to the original website URL and info.tracker cookies can then be read in third-party contexts. By doing so across multiple different websites, info.tracker can develop a profile of the people's interests.

To curtail privacy intrusions of this sort, Brave software engineer Aleksey Khoroshilov and senior software engineer Ivan Efremov devised a defense called Unlinkable Bouncing.

• Facebook exposes 'god mode' token that could siphon data
• Apple, Google, Microsoft, Mozilla agree on something: Make web dev lives easier
• Facebook is one bad Chrome extension away from another Cambridge Analytica scandal
• Your app deleted all my files. And my wallpaper too!

Unlinkable Bouncing prevents bounce tracking sites from tracking people over time by linking past website visits to new ones. It's designed to augment Brave's previously implemented bounce tracking defenses, which include warnings prior to visiting bounce tracking sites, stripping query parameters added to URLs to facilitate tracking, and debouncing, a mechanism for suppressing bounce tracking redirects.

Essentially, Unlinkable Bouncing enforces amnesia for bounce tracking sites. When navigating to a new URL, Brave checks its internal and its crowdsourced filter list for known bounce trackers.

If the URL is found, assuming a suitably strict browser privacy configuration, the browser creates a new temporary storage area for the bounce tracking site and then deletes it, purging any identifiers that were set. This prevents the bounce tracking site from re-identifying the visitor when any other website redirects to the bounce tracker.

Snyder says Unlinkable Bouncing is Brave's first application of "first-party ephemeral storage," a capability being developed to make websites more forgetful.

"This is a set of techniques that allow sites to remember (or identify) you only for as long as you’re visiting the site," he said. "It’s similar to – though more powerful and user-friendly than – clearing your browser storage every time you leave a site."

Unlinkable Bouncing is available in Brave Nightly, the company's experimental build, and is expected in the upcoming version 1.37 release.

European data privacy law has established a right to be forgotten. Brave is working toward a future where web users' activities don't have to be remembered. ®