Brave takes the spring out of creepy bounce tracking

Browser maker Brave has developed a new way to ground "bounce tracking," a sneaky technique for bypassing privacy defenses in order to track people across different websites. Bounce tracking, also known as redirect tracking, dates back at least to 2014 when ad companies were looking for ways to avoid third-party cookie …

  1. pip25

    Interesting

    How widespread is this bounce tracking these days? This is the first time I have heard of it, but maybe that's just me being ignorant.

    1. DarkwavePunk

      Re: Interesting

      Having worked with very "digital marketing" heavy companies in the past, I've seen horrors no one should have to. Implemented so many atrocities that I'm practically implicit in crimes against the Internet. This kind of shit runs deep in the industry and mutates fast.

  2. b0llchit Silver badge

    Backwards world

    Brave is working toward a future where web users' activities don't have to be remembered.

    It is sad that this is needed. The spirit of GDPR is that all users should be in control of their data and must give informed permission before second and third parties are allowed to handle direct/indirect PI data (and not even getting into the problem of shadow profiles). So, yes, it is sad that we need technological measures to create more privacy.

    We should consider a reverse burden of proof for websites when they employ any form of tracker technology on their website(s). They should be the ones to prove that your data is not being used for anything else than explicitly advertised.

    1. Anonymous Coward

      Re: Backwards world

      I agree. It's unfortunate that the spirit of GDPR was side-lined in the implementation. Whilst I am normally against legislative solutions, I think the time has come to just outright ban tracking that uses 3rd parties.

      The desperation to make an extra few pennies out of us is sickening and advertising is the scourge of the internet

    2. lglethal Silver badge

      Re: Backwards world

      Whilst I completely agree with you that the onus should be on the firms to justify why they need third party tracking (in truth 99.99999% don't!), but the Problem is Enforcement.

      There is basically no government department with the resources to go visiting every company behind every website and demanding to know why they are using third party tracking. Even a scatter gun approach of just approaching those that are most complained about, would be completely ineffective. Big firms would just consider it a cost of doing business to make the fines go away (whilst they continued with the tracking), and only the small guys would get hit.

      A law that's not enforced properly may as well not exist...

  3. Pascal Monett Silver badge

    "Say a website embeds a third-party script from info.tracker"

    Say I'm using Firefox with NoScript.

    Problem solved.

    Or say that I'm blocking info.tracker's IP address at the firewall.

    Problem solved again.

    But I'm happy that there are people who are thinking about the deep mechanics of ad tracking. The more ways we have to block that, the better.

    1. Skoorb

      Re: "Say a website embeds a third-party script from info.tracker"

      Hard blocking all connection attempts or cookie setting doesn't always work. As you get redirected (bounced) to the tracker site, which then redirects back to the site you are trying to access, a hard block just means that you get a browser failure message when it can't load the tracker site, and you never get the site you wanted.

      Likewise, hard blocking cookies from the bounce tracker site can lead to you being constantly bounced between the site you want and the tracker site (site you want checks if third party tracker cookie exists, finds it doesn't and redirects to the tracker site, which tries and fails to set a first party cookie, before redirecting back to the site you want, which checks to see if the third party tracking cookie is there, finds it isn't and redirects you to the tracking site...) so you just get nothing happening in your browser for a few seconds, followed by a browser "too many redirects" failure message.

      If you've ever struggled to load a site as your browser just gives you a "too many redirects" error, and you use some sort of ad or cookie blocking tool this is likely what's happening behind the scenes.

      1. Hubert Cumberdale Silver badge

        Re: "Say a website embeds a third-party script from info.tracker"

        ...and that means I go somewhere else: f#ck their site, just as a matter of principle.

    2. Saint

      Re: "Say a website embeds a third-party script from info.tracker"

      In my opinion, it shouldn't be necessary for us to have to take such evasive actions. I'll support any work to block this sort of crap

    3. Sir Awesome

      Re: "Say a website embeds a third-party script from info.tracker"

      You've missed the point here - if you've got Adblock, they decide to redirect you to get your data. If you've blocked the tracker's IP in your firewall, your browsing session will come to a dead stop, due to the redirection target being unreachable.

      This workaround instead permits the redirect to the tracker, but expunges the data as soon as the redirect is complete, so your browsing session can continue as normal.
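
Added example, not part of any comment above and not Brave's or Firefox's code: a toy JavaScript model of the flow Skoorb and Sir Awesome describe, comparing a hard block with clearing bounce-site storage once the navigation settles. The domain news.example, the policy names and the clear-on-settle timing are assumptions made for illustration.

```javascript
// Toy model (constructed) of the redirect flow described in the comments above.
// Not Brave's or Firefox's code; SITE, TRACKER and the policy names are made up.
const SITE = "news.example", TRACKER = "info.tracker", MAX_REDIRECTS = 20;
let nextId = 1;

function navigate(policy, jar) {
  const bounced = new Set();            // domains seen only as redirect hops
  let at = SITE, redirects = 0;
  while (redirects <= MAX_REDIRECTS) {
    if (at === SITE && jar.has(TRACKER)) {
      const idSeen = jar.get(TRACKER);  // identifier available for this page load
      // Navigation has settled: the ephemeral policy discards bounce-site storage.
      if (policy === "ephemeral") for (const d of bounced) jar.delete(d);
      return { outcome: "loaded", redirects, idSeen, stored: jar.get(TRACKER) ?? null };
    }
    if (at === TRACKER) {
      bounced.add(TRACKER);
      // The tracker is first party on this hop; only a hard block stops the write.
      if (policy !== "hard-block") jar.set(TRACKER, "id-" + nextId++);
    }
    at = at === SITE ? TRACKER : SITE;  // site bounces out, tracker bounces back
    redirects++;
  }
  return { outcome: "too many redirects", redirects: MAX_REDIRECTS, idSeen: null, stored: null };
}

// Two visits sharing one cookie jar, to see what persists between them.
function twoVisits(policy) {
  const jar = new Map();
  return [navigate(policy, jar), navigate(policy, jar)];
}

for (const p of ["allow", "hard-block", "ephemeral"]) console.log(p, twoVisits(p));
```

With "allow" the second visit reuses the identifier from the first; with "ephemeral" each visit bounces again and gets an unrelated identifier, while "hard-block" never loads the page.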

    4. heyrick Silver badge

      Re: "Say a website embeds a third-party script from info.tracker"

      Better with Firefox and self destructing cookies that are set to expire after around 20 seconds (unless a whitelisted site). That way stuff can load, they can think they're tracking you, and the garbage will be nuked in short order.

  4. short a sandwich

    Aha

    That's why Google ad links are failing to load on Brave now. A light has dawned.

  5. Forget It

    Yeah but ...

    Firefox addressed this issue back in 2020:

    https://blog.mozilla.org/security/2020/08/04/firefox-79-includes-protections-against-redirect-tracking/

    1. devin3782

      Re: Yeah but ...

      Firefox's is not quite the same as what Brave are doing, it's subtly similar yes. Mozilla implemented protection from middle men drive by cookies so they did it to prevent you picking up a pervert cookie en route so to speak.

      Brave's method is whereby you land on the site you want to browse and the tracker JavaScript then does things in order to inject pervert cookie after the browser has done its blocking, assuming I've understood correctly.

      The next thing on the list for Firefox and Brave developers perhaps even uBlock Origin and Ghostery devs too is to prevent sites breaking when sites are using JavaScript tracking/telemetry events which breaks the site when whichever tracker is blocked.

      1. Anonymous Coward

        Re: Yeah but ...

        I don't see as big a need to prevent sites breaking.

        I view a breaking site as something to avoid, not fix, because if the site knowingly added bounce tracking scripts, what else is there that I don't want?

        1. devin3782

          Re: Yeah but ...

          Yes but that's a problem when it's your bank or you need to submit your meter readings and no matter how much you complain they simply say "it's there for your security"

  6. Anonymous Coward

    Carbon tax

    If a way was found to make ad companies (as opposed to the user) liable for the extra "carbon" that these unnecessary round trips generate across the population of users, the problem would go away very quickly.

    1. heyrick Silver badge

      Re: Carbon tax

      Well, the advertising industry is clearly mass producing fairy dust zero going by the sort of turnover and profits that keep getting mentioned.

      Since they're using other people's electricity and bandwidth, I think a tax of, oh I don't know sixty percent? Yeah, tax them sixty percent of their turnover (not profit, that can be creatively made near zero) and use that money for all the green schemes out there.

      Let's have advertising fund something useful...

    2. Stuart Halliday

      Re: Carbon tax

      Make button which reports unwanted behaviour. If enough reports, ban that URL.

      1. devin3782

        Re: Carbon tax

        I like the idea; but you know, deep, deep down what will happen, it'll be abused

        1. heyrick Silver badge

          Re: Carbon tax

          Yes, ban all the advertising URLs. I'm on board with that idea...

    3. Doctor Syntax Silver badge

      Re: Carbon tax

      make ad companies (as opposed to the user) liable for the extra "carbon"

      The ad companies would just pass it on to their customers, the advertisers.

      1. that one in the corner Silver badge

        Re: Carbon tax

        > The ad companies would just pass it on to their customers, the advertisers.

        Who will pass it on to us, the end customer

  7. Doctor Syntax Silver badge

    Rather than delete the cookies replacing them with junk would be better. Even if your browser and mine deletes cookies most people's won't so their cookies will still be seen and have value*. Poison the cookie well and let it be known it's poisoned and all cookies are devalued.

    * As priced up by those selling the data and perceived by those buying it.

    1. b0llchit Silver badge

      Poisoned cookies

      Poisoned cookies may very well be a good way to destroy effective commercial tracking. We need to add as much noise as possible. Swamp them with junk.

      Imagine that privacy badger hooks into the requests and every tracking cookie gets different content. Different every time a request is made. Should be fun to have _ga cookies to start filling the database with just junk. A new ID for every request.

      This is actually a good idea as an additional add-on. I'd install it for poisoning all those sites that are not blocked by default.

    2. Anonymous Coward

      If their security is even basic, all incoming remote data is tainted until vetted: junk/random cookies would already be detected & filtered. Else it becomes a DoS-like attack vector.

  8. Robert Grant

    I find it really frustrating that people are willing to conceive of and build things like this.

    1. that one in the corner Silver badge

      Hopefully you are frustrated at the tracker redirects, not the work done by Brave.

      1. Robert Grant

        Hah, yes!

  9. Anonymous Coward

    What am I missing?

    Why not simply block 3rd party cookies period. None of this "If they already have a cookie here, they can have more" bollocks.

    1. Falmari Silver badge

      Re: What am I missing?

      @AC "What am I missing?"

      Bounce tracking makes the tracking cookies first party.

      From article:-

      "Say a website embeds a third-party script from info.tracker. When the website is visited, the third-party script tries to read third-party cookies from info.tracker that have been stored in the visitor's browser.

      If it can't – because third-party cookies are blocked – the script redirects to the info.tracker domain by writing a new URL to the browser's window.location object or via some link hijacking method like injecting an info.tracker iframe into the original website.

      Doing so puts info.tracker into a first-party context, enabling it to set tracking cookies."

      1. Anonymous Coward

        Re: What am I missing?

        I get how the initial cookie is set, but it continues to say:

        "Info.tracker then redirects back to the original website URL and info.tracker cookies can then be read in third-party contexts"

        This implies to me that once the info.tracker has set its cookie the browser then allows it to continue to use cookies as a third party, so it does the first-party bounce, and from then on, 3rd party cookies work.

        Is this not the case? If not, then they'd have to "bounce" for every update!
