
Show HN: TrackingTheTrackers – Is a website disguising its 3rd-party trackers? - nextdns
https://trackingthetrackers.com/
======
munchbunny
From the site:

> While our analysis tool was not able to confirm that session cookies were
> sent as well, a long list of leaking cookies could mean that they would be.
> Anyone in possession of those cookies can impersonate you on that website —
> i.e., access your account.

I hadn't considered that before, but they're right, it's _extremely easy_ to
accidentally leak session cookies through first party subdomains. I look
forward to the inevitable conference talks that will be discussing this
vulnerability.

------
teamjimmyy
We now have trackers acting like first-party properties, but where do you draw
the line between first-party and third-party? What I mean is, if I build my
own in-house analytics app that does a lot of what Adobe's product does,
should that be blocked too?

I specifically mean for site analytics, like Experience Cloud or GA, not
serving ads. Ad block is different IMO.

If this is hosted on a first party subdomain you're already blocking the
ability of it to set third-party cookies and track you across sites. So, in
practical terms, what's the difference between this CNAME trick and building
the same thing in-house to run your own analytics?

~~~
munchbunny
It depends on why you care about the distinction. If you're talking from a
purely privacy perspective, the important questions are (1) are you taking
analytics? (2) what are you doing with them? (3) is that in line with users'
expectations?

Third party, or third party disguised as first party, is only problematic
because of an implied "there's very little keeping the third party from using
your data for things that aren't just analytics for the first party." It's the
red flag for "this site may not be using your data the way you would want it
to."

Third party ad trackers disguised as first party cookies specifically violate
the general assumption that first party data stays first party, because those
third parties have specific mechanisms to track you across multiple first
parties.

~~~
x0x0
> violate the general assumption that first party data stays first party

How? Because they can't do that with cookies.

I think the most prominent objection to 3rd party cookies is they allow
systematic tracking. This seems like they just help e.g. Apple or whomever
understand what you're doing on that same site.

~~~
zonidjan
There are plenty of other ways to fingerprint a user.
[https://amiunique.org/](https://amiunique.org/)

~~~
x0x0
That really doesn't answer the question. Munchberry claims these analytics
tools have cross domain tracking and I'm asking how, precisely. In part
because of professional interest, and in part because I don't actually think
it's true.

~~~
munchbunny
Thanks for getting my username right. ;)

You specifically got one detail wrong: it's not just for analytics tools. It's
the adtech industry in general using this technique, and Adobe offers its
analytics as part of its marketing software suite.

From their own site: "_What is Adobe Experience Cloud? It's a collection of
best-in-class solutions for marketing, analytics, advertising, and commerce._"

~~~
x0x0
Apologies Munch_bunny_, gonna blame that on a need for new glasses.

fwiw, Adobe Experience Cloud is generally not the sort of adtech that attempts
to sell information.

~~~
munchbunny
You're right, Adobe Experience Cloud doesn't sell information, so how
problematic you find the product depends on where you draw the line on
privacy.

Specifically, Adobe Experience Cloud definitely offers retargeting
capabilities (ads following you around the internet) and the ability to get
statistics on the effectiveness of that advertising. If they're at parity with
competing marketing suites, then they also have attribution capabilities to
track you with per-user, per-interaction granularity.

A site that serves Adobe Experience Cloud cookies in the
third-party-disguised-as-first-party way is likely enabling this capability
for all marketers that are going through Adobe Experience Cloud. So the
interesting question would be whether you, a visitor to Fox.com, consider
being watched by marketers who aren't Fox.com to be a privacy problem.

~~~
x0x0
All of the above is more private than e.g. Google Analytics because of the
lack of cross domain tracking... I'd consider it a big improvement vis-a-vis
Google's product suite.

------
nextdns
A few websites that are disguising third-party trackers:

Fox News:
[https://trackingthetrackers.com/site/foxnews.com](https://trackingthetrackers.com/site/foxnews.com)

CNN:
[https://trackingthetrackers.com/site/cnn.com](https://trackingthetrackers.com/site/cnn.com)

BBC:
[https://trackingthetrackers.com/site/bbc.co.uk](https://trackingthetrackers.com/site/bbc.co.uk)

WebMD:
[https://trackingthetrackers.com/site/webmd.com](https://trackingthetrackers.com/site/webmd.com)

ESPN:
[https://trackingthetrackers.com/site/espn.com](https://trackingthetrackers.com/site/espn.com)

Ars Technica:
[https://trackingthetrackers.com/site/arstechnica.com](https://trackingthetrackers.com/site/arstechnica.com)

Go.com (Disney):
[https://trackingthetrackers.com/site/go.com](https://trackingthetrackers.com/site/go.com)

Washington Post:
[https://trackingthetrackers.com/site/washingtonpost.com](https://trackingthetrackers.com/site/washingtonpost.com)

Walmart:
[https://trackingthetrackers.com/site/walmart.com](https://trackingthetrackers.com/site/walmart.com)

Weather.com:
[https://trackingthetrackers.com/site/weather.com](https://trackingthetrackers.com/site/weather.com)

Apple:
[https://trackingthetrackers.com/site/apple.com](https://trackingthetrackers.com/site/apple.com)

NFL:
[https://trackingthetrackers.com/site/nfl.com](https://trackingthetrackers.com/site/nfl.com)

T-Mobile:
[https://trackingthetrackers.com/site/t-mobile.com](https://trackingthetrackers.com/site/t-mobile.com)

State Farm:
[https://trackingthetrackers.com/site/statefarm.com](https://trackingthetrackers.com/site/statefarm.com)

~~~
temp112719
Seems like most of these use Adobe Experience Cloud. I'm guessing they offer
some kind of HOWTO to set it up as disguised.

Good on Adobe for keeping it up. Flash wasn't enough to fuck the internet up
for years.

~~~
nextdns
Yes, for Adobe Experience Cloud, see:
[https://docs.adobe.com/content/help/en/core-services/interfa...](https://docs.adobe.com/content/help/en/core-services/interface/ec-cookies/cookies-first-party.html)

~~~
VWWHFSfQ
> In order to circumvent tracking limitations imposed by browsers and
> programs, you can implement first-party cookies.

Well, at least they're forthcoming about knowing they're intentionally
circumventing users' privacy settings.

------
pmoriarty
So, other than simply not using the site, is there anything a user can do to
avoid third-party tracking at sites like these?

~~~
poitrus
NextDNS blocks those trackers, see: [https://medium.com/nextdns/nextdns-added-cname-uncloaking-su...](https://medium.com/nextdns/nextdns-added-cname-uncloaking-support-becomes-the-first-cross-platform-solution-to-the-problem-e3f437f84342)

~~~
beagle3
That's like a tiny bandaid; in the next iteration they'll copy the A/AAAA
records instead of CNAMEing them; that would make CNAME uncloaking useless
_and_ save one DNS roundtrip reducing browser latency.

~~~
3xblah
Without using CNAMEs, the third party tracker IP addresses would be less
dynamic, making them easier to block with a firewall.
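The mechanics argued over in this subthread, as an added example that is not code from trackingthetrackers.com or NextDNS: CNAME uncloaking of a first-party-looking subdomain, the IP-based fallback for the copied-A-record case beagle3 and 3xblah describe, and the RFC 6265 domain-match that decides which parent-scoped cookies (munchbunny's session-cookie point above) a browser would send to that subdomain. The DNS records, the tracker domain `tracker-cdn.example`, the `news.example` site and the cookie jar are all constructed; `registrable()` uses a naive last-two-labels rule instead of the Public Suffix List.

```python
# Added example (not code from trackingthetrackers.com or NextDNS): CNAME
# uncloaking, an IP-based fallback, and the cookie-scope check, all offline.
# Constructed zone: metrics.* is CNAMEd to a hypothetical tracker host;
# stats.* copies the tracker's A record instead (no CNAME to uncloak).
DNS = {
    "metrics.news.example": [("CNAME", "news-example.tracker-cdn.example")],
    "news-example.tracker-cdn.example": [("A", "203.0.113.10")],
    "stats.news.example": [("A", "203.0.113.10")],
    "www.news.example": [("A", "198.51.100.7")],
}
TRACKER_DOMAINS = {"tracker-cdn.example"}  # hypothetical blocklist entry
# Constructed cookie jar as (name, Domain attribute); session_id is parent-scoped.
JAR = [("session_id", ".news.example"), ("csrf", "www.news.example"),
       ("prefs", ".news.example")]

def registrable(name):
    """Naive eTLD+1 (last two labels); a real tool would use the PSL."""
    return ".".join(name.split(".")[-2:])

def cname_chain(name, max_depth=8):
    """Follow CNAMEs from name and return every name visited, in order."""
    chain = [name]
    for _ in range(max_depth):
        targets = [t for rtype, t in DNS.get(chain[-1], []) if rtype == "CNAME"]
        if not targets:
            break
        chain.append(targets[0])
    return chain

def uncloak(name):
    """CNAME uncloaking: the tracker eTLD+1 hidden behind name, or None."""
    for hop in cname_chain(name)[1:]:
        if registrable(hop) in TRACKER_DOMAINS:
            return registrable(hop)
    return None

def ip_match(name):
    """Fallback for copied A records: does the final A land on a tracker IP?"""
    tracker_ips = {t for n, rrs in DNS.items() if registrable(n) in TRACKER_DOMAINS
                   for rtype, t in rrs if rtype == "A"}
    final = DNS.get(cname_chain(name)[-1], [])
    return any(rtype == "A" and t in tracker_ips for rtype, t in final)

def domain_matches(host, cookie_domain):
    """RFC 6265 5.1.3: host equals cookie_domain or is a subdomain of it."""
    cookie_domain = cookie_domain.lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

def leaked_cookies(host, jar=JAR):
    """Cookie names the browser would attach to a request for host."""
    return [n for n, d in jar if domain_matches(host, d)]
```

Run `uncloak`, `ip_match` and `leaked_cookies` on `metrics.news.example` and `stats.news.example`: the CNAME check only catches the first, the IP check catches both, and both receive the parent-scoped `session_id` cookie while the host-only `csrf` cookie stays on `www`.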

------
lstamour
Back when I was working for a site on their first-party in-house analytics,
the only blocker to catch it was [https://apps.apple.com/ca/app/better-blocker/id1080964978](https://apps.apple.com/ca/app/better-blocker/id1080964978)
(Better blocker) and since then, I’ve been running it on my phone.
Incidentally, it was not a fun job to have and I left shortly after.

Better blocker is by [https://ind.ie/](https://ind.ie/) and the rules are
online at [https://better.fyi/](https://better.fyi/)

That said, it’s not comprehensive, so I run it alongside another blocker that
uses more traditional rule sources (1Blocker). I find that a diversity of rule
sources and sometimes simply building rules manually for individual sites is
required. I do think this kind of lookup/service is very useful though in
advancing the state of tracker blocking. Next we’ll probably have to do
behavioural analysis until they move the trackers into site code or binary
data flows of the rest of the site... there is a point at which you have to
decide if it’s worth putting up with tracking to use a site or service... as
much as I dislike it. If it’s integrated, at least it will be faster than
third-party, I suppose.

------
throwawaymath
This tool is limited. It cannot be used to assess subdomains. For example,
checking news.ycombinator.com redirects to checking ycombinator.com.

~~~
nextdns
Fixed, not sure why we did that in the first place.

[https://trackingthetrackers.com/site/news.ycombinator.com](https://trackingthetrackers.com/site/news.ycombinator.com)

~~~
throwawaymath
Cool, fast update!

------
ogre_codes
What used to be the web is now a toxic wasteland filled with increasingly
obnoxious advertising backed by increasingly creepy/invasive tracking. This
makes using tools like Apple's News App greatly more appealing to me
personally.

------
m463
It has been known for quite some time that CDNs like Akamai are basically 3rd
party tracking mechanisms.

What's funny is they have basically gone 180 degrees from their original
design.

Originally they were meant as caching mechanisms.

Now they are cache-busting tracking mechanisms.

------
hanniabu
What if they have a tracking tracker buster?

~~~
nextdns
This is a v1 of our analyzer, but it's already doing a lot of things to mimic
a real user (like using a real browser, moving the mouse, scrolling, etc.).

~~~
hanniabu
Lol sorry, didn't think this comment would be taken seriously, it's a
reference from The Big Hit

[https://youtu.be/Iw3G80bplTg](https://youtu.be/Iw3G80bplTg)

