‘Protection against tracking in almost all browsers and extensions incomplete’

Researchers from the imec-DistriNet group at KU Leuven conclude after a study of 7 browsers and 46 extensions that in almost all cases there is a way to circumvent protection against tracking via cookies. The techniques discovered are not yet in use.

The researchers, Gertjan Franken, Tom Van Goethem and Wouter Joosen, developed a framework with which they analyzed the various browsers and extensions and identified new circumvention techniques. Among other things, they looked at the built-in tracking protections of Chrome, Firefox, Edge, Safari, Opera, Cliqz and the Tor Browser. They also looked at 46 extensions, of which 31 are ad blockers and 15 are extensions that should offer protection against tracking. An overview of these is shown below. Based on their analysis, the researchers write in their paper that for every protective measure there is a method to circumvent it. They distinguish three categories in the results: a request to a third party including a cookie, a request without a cookie, and no request at all.

Tested extensions

The researchers explain that tracking often takes place because the browser makes a request to a third party that includes a cookie. However, because there are also tracking techniques that do not require a cookie, such as browser fingerprinting, they also looked at requests made without a cookie. Within their framework, they tested different methods of making a request to a third party. The seven techniques in total include HTML tags, response headers, JavaScript in a PDF, and the AppCache API. The researchers set out the results in several tables, which are presented below.
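The three result categories described above can be derived from the requests a third-party test origin receives during a run. The following is an added example, not code from the researchers' framework; the mechanism labels, the cookie name `track_id`, the host `third-party.example`, and the `gaps` rule are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample, not data from the study: requests logged by a
# hypothetical third-party test origin, as (mechanism, request headers).
OBSERVED = [
    ("html-tag", {"Host": "third-party.example", "Cookie": "track_id=abc123"}),
    ("html-tag", {"Host": "third-party.example"}),
    ("response-header", {"Host": "third-party.example"}),
    ("appcache-api", {"Host": "third-party.example", "cookie": "other=1"}),
]
# Every mechanism the run attempted, including ones that caused no request.
ATTEMPTED = ["html-tag", "response-header", "pdf-javascript", "appcache-api"]
TRACKING_COOKIE = "track_id"  # assumed name of the cookie set before the run

WITH_COOKIE, WITHOUT_COOKIE, NO_REQUEST = (
    "request with cookie", "request without cookie", "no request")

def has_cookie(headers, name):
    """True if a Cookie header (name matched case-insensitively) carries `name`."""
    for key, value in headers.items():
        if key.lower() == "cookie":
            pairs = (part.strip().partition("=") for part in value.split(";"))
            if any(cookie == name for cookie, _, _ in pairs):
                return True
    return False

def classify(attempted, observed, cookie_name):
    """Map each attempted mechanism to the worst outcome seen for the user."""
    seen = defaultdict(list)
    for mechanism, headers in observed:
        seen[mechanism].append(has_cookie(headers, cookie_name))
    result = {}
    for mechanism in attempted:
        if not seen[mechanism]:
            result[mechanism] = NO_REQUEST
        elif any(seen[mechanism]):
            result[mechanism] = WITH_COOKIE
        else:
            result[mechanism] = WITHOUT_COOKIE
    return result

def gaps(result, blocks_requests):
    """Assumption of this example: a request blocker fails on any request,
    a cookie-blocking setting only on a request that carries the cookie."""
    failing = {WITH_COOKIE, WITHOUT_COOKIE} if blocks_requests else {WITH_COOKIE}
    return sorted(m for m, outcome in result.items() if outcome in failing)

if __name__ == "__main__":
    for mechanism, outcome in classify(ATTEMPTED, OBSERVED, TRACKING_COOKIE).items():
        print(f"{mechanism:16} {outcome}")
```

Running the same classification for each browser or extension under test gives one row of a results table, which makes regressions between versions easy to spot.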

Results from browsers and different extensions

As part of the study, the authors also looked at whether the discovered techniques are used on the ten thousand most popular websites according to the Alexa service. They did that with an automated crawler. The conclusion is that all use of the techniques is for legitimate reasons. They do point out that trackers may try to evade detection by allowing requests to take place only when the user interacts. On a specially created site, the researchers report how the disclosure process with the various parties went. There you can also find more data per browser or per extension. The authors presented their paper at the USENIX conference in the US.