Some websites simply cannot accept “no” for an answer. Instead of honoring visitors’ choice to block third-party cookies — identifiers that track browsing activity as a user moves between sites — they find sneaky ways to circumvent these settings. Now the makers of the Brave browser are taking action.
Earlier this week, Brave Nightly, the test and development version of the browser, rolled out a feature designed to prevent so-called bounce tracking. The new feature, known as Unbound Bounce, will roll out for general release in Brave version 1.37 scheduled for March 29.
Bounce tracking is one of the primary ways websites bypass third-party cookie blocking. When a browser blocks a website like site.example from loading a third-party tracking cookie from a domain like tracker.example, site.example pulls a quick one. When site.example detects that the tracker.example cookie cannot be set, it instead redirects the browser to the tracker.example site, sets a cookie from that domain, and then redirects to the original page or a new destination .
With this, the tracker.example cookie is passed through a URL parameter and then stored as a first-party cookie on the landing page. Once tracker.example places itself between enough sites that a visitor browses, the tracker ultimately builds a detailed profile of that activity, including the user’s interests and demographics.
The image below shows how third party cooking blocking is supposed to work. When the user moves from site-one.example to cats.example and later from site-two.example to cars.example, there is no way to track these movements as coming from the same person.
Bounce tracking circumvents this arrangement by inserting a third-party tracking site such as tracker.example between the originating site and the cats.example or cars.example sites that the user later navigates to. Tracker.example then records that it was the user who visited both cats.example and cars.example.
Although browsers that support third-party cookie blocking have existing mechanisms designed to thwart bounce tracking, this sneaky form of monitoring is still difficult to defend against, as the browser does not know in advance that it will be directed to tracker.example. This is where the unbound bounce comes in.
Ephemeral storage to the rescue
In an article, Brave’s privacy team on Wednesday outlined the process used by unlinked bounce. In a nutshell, unlinked bounce checks the site a user is about to visit against a list of known URLs to track bounces. When a destination site appears on the list and Brave has no cookies, local storage, or other associated data, the browser automatically creates a new unique browser storage area for the site.
Once a user leaves the tracking site, Brave deletes temporary storage. Since the data is no longer stored, the tracking site will not be able to re-identify the user the next time they are returned.
Brave has several other ways to prevent site tracking. They include request parameter stripping, debounce, and (when blocking is set to aggressive mode) a warning to give affected users a chance to opt out.
The Brave Privacy Team explained the full stream as follows:
- When navigating to a new URL, Brave checks whether that URL is a known bounce-tracking (or otherwise harmful) site, by checking filter lists (both crowdsourced and Brave-generated).
- If this URL appears in a list of filters, the browser checks the Trackers and Ads Blocked shields setting for the destination site. If this parameter is Aggressivethe user receives a warning indicating whether they want to continue browsing, as described in a previous blog post.
- If the user has Trackers and Ads Blocked in the default setting (or decides to continue browsing in the Aggressive parameter), the browser then checks the first-party DOM storage values (cookies, localStorage, etc.) for the destination site. If the user has existing stored values, the navigation continues using the existing stored values (in other words, Unlinkable Bouncing is not enforced). If no DOM storage value exists for the destination site, the browser creates a new temporary browser storage area for the destination site.
- Shortly after leaving the suspicious bounce tracking site (meaning no tabs are open for that site), the temporary storage is deleted, preventing the site from identifying you again the next time you are returned to the site.
Team members said Unbound Bounce is the first of four apps planned to implement what they call “first-party ephemeral storage.” The set of techniques allows a site to identify visitors for as long as it is open. Therefore, first party ephemeral storage prevents the first party site from re-identifying a user unless the user wishes to be re-identified.
Using first-party ephemeral storage will be akin to clearing browser storage every time the user leaves the site, except it’s easier and more targeted.
“This results in a total change in the default behavior of the web,” the privacy team members wrote. “To date, browsers have assumed that users want every site to remember them unless the user takes explicit action against remembering them. Instead, Brave works toward oblivion (and therefore privacy) by default.”