
Preventing Tracking Prevention Tracking - om2
https://webkit.org/blog/9661/preventing-tracking-prevention-tracking/
======
3pt14159
Some of the people I've talked with over the years study things like nuclear
weapons arms control or cyberwarfare. The most paranoid of the bunch have
resorted to having Virtual Private Servers screen shot websites with headless
browsers once it loads and pipe it back to their research machine. I can't
remember if it's a table of PNGs or just one big one, but either way it's sent
back over an SSH tunnel and when you click the server knows what you're trying
to click on and performs the action for you, and will randomly forward the
click to a new VPS.

It's not perfect because the IP blocks make it obvious that it comes from
DigitalOcean, AWS, etc, but it's sure better than loading untrusted PDFs or JS
locally. Still vulnerable to a network attack, though.

~~~
alasdair_
How does this stop something as simple as user-unique URLs for each link? A
new VPS that fetches a unique URL is trivial to tie to the same user.

~~~
chii
open multiple browser sessions for the user, and randomly choose one of them
as the 'result' (but still click on all of them, even if the resultant page
isn't viewed).

Or, just don't use the website if they do this.

------
Spivak
If you want this in Firefox you need to tweak an about:config setting. I
really hope it becomes the default at some point.

    # Only send the origin cross-domain.
    network.http.referer.XOriginTrimmingPolicy = 2

This alone is a pretty liberal policy. People in this crowd probably want even
more which can be found here:
[https://wiki.mozilla.org/Security/Referrer](https://wiki.mozilla.org/Security/Referrer)
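
An added example, not part of the original comment and not Firefox code: a small model of what each value of the trimming pref would put in the Referer header for same-origin, same-site and third-party requests. The URLs and token are constructed; the model assumes any difference in scheme, host or port counts as cross-origin and ignores any Referrer-Policy the page itself sets.

```javascript
// Model of Firefox's network.http.referer.XOriginTrimmingPolicy (added example,
// not Firefox source). Values per the Mozilla wiki page linked above:
//   0 = full URL, 1 = URL without query string, 2 = scheme, host and port only.
function stripForReferer(url) {
  // A Referer never carries credentials or the #fragment.
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u;
}

function crossOriginReferer(pageUrl, requestUrl, trimmingPolicy) {
  const page = stripForReferer(pageUrl);
  const target = new URL(requestUrl);
  // Assumption: the pref only affects cross-origin requests, so same-origin
  // requests keep the full URL.
  if (page.origin === target.origin) return page.href;
  switch (trimmingPolicy) {
    case 0: return page.href;
    case 1: return page.origin + page.pathname;
    case 2: return page.origin + "/";
    default: throw new RangeError("trimming policy must be 0, 1 or 2");
  }
}

// Constructed sample: a page URL with a token in the query string.
const PAGE = "https://www.example.com/reset/alice?token=SAMPLE-TOKEN#step2";
const REQUESTS = [
  "https://www.example.com/static/app.js", // same origin
  "https://api.example.com/v1/status",     // same site, different origin
  "https://tracker.example.net/pixel.gif", // different site
];

// What each request would carry as Referer under the given policy.
function refererTable(policy) {
  return REQUESTS.map((r) => ({
    request: r,
    referer: crossOriginReferer(PAGE, r, policy),
  }));
}

for (const policy of [0, 1, 2]) {
  console.log("XOriginTrimmingPolicy =", policy);
  for (const row of refererTable(policy)) {
    console.log("  ", row.request, "<-", row.referer);
  }
}
```
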

~~~
xvector
Why does this header need to exist in the first place? Seems like a huge
privacy breach. Why can't 0 be the default setting?

~~~
kevinoid
I can't speak to why it was originally defined, but since the Referer [sic]
header has existed for decades, many sites depend on it to function. The Smart
Referer extension whitelist[1] and bug tracker[2] have several examples.

1\. [https://gitlab.com/smart-referer/smart-referer/blob/gh-pages...](https://gitlab.com/smart-referer/smart-referer/blob/gh-pages/whitelist.txt)

2\. [https://gitlab.com/smart-referer/smart-referer/issues?scope=...](https://gitlab.com/smart-referer/smart-referer/issues?scope=all&state=all&label_name\[\]=Old%20Whitelist)

~~~
eitland
> I can't speak to why it was originally defined, but since the Referer [sic]
> header has existed for decade

I can remember my Dad getting a mail from someone he linked to that was about
to move his website and politely contacted his neighbors on the internet to
allow them to update their links.

Very useful at that time.

~~~
tempestn
It can still be useful for that kind of thing. When I notice an unexpected
spike of traffic on one of our sites I'll often look at our analytics to see
where it came from and then potentially drop in there to answer comments and
such. Not to say that's worth the privacy trade-off though, unfortunately.

------
wayoutthere
> Origin-Only Referrer For All Third-Party Requests

This is going to break a lot of things. Things that probably _should_ be
broken, but it will cause headaches nonetheless.

~~~
tinus_hn
Luckily if a big browser makes this the default, these things will probably be
fixed.

~~~
spartanatreyu
Conversely, if a big browser makes a new default that ends up being the wrong
decision, that default might spread to other browsers and things will
definitely be broken.

The css value `100vh` meant the height of the viewport of the browser, until
it didn't.

~~~
csande17
> The css value `100vh` meant the height of the viewport of the browser, until
> it didn't.

Huh, what's it mean now? Is there some subtle difference, like it doesn't
include the horizontal scroll bar or something?

~~~
rcgs
Mobile devices interpret it differently because of the hide/show browser UI
they often have.

------
apacheCamel
I hope there is a light at the end of the tunnel for all of this. It seems
like there will always be a cat and mouse effort to be just one step ahead of
the other. Like how many websites have those popups now where they ask you to
turn off ad-blocking. Intrusive ads and website tracking should both be a
problem by default. I guess not all ads can be a problem, but I am unsure if
the same could be said about tracking...

~~~
om2
We're willing to play the cat and mouse game indefinitely, if that's what it
takes. Widely deployed trackers are limited in how fast they can try new
tricks. And in practice, we know that ITP is working pretty well to block
cross-site tracking: [https://daringfireball.net/linked/2019/12/09/the-information...](https://daringfireball.net/linked/2019/12/09/the-information-ad-tracking)

~~~
saagarjha
> Widely deployed trackers are limited in how fast they can try new tricks.

How so? Tracking scripts are often included by a script tag that points at a
website. Can’t the code be updated, “deployed” to websites immediately, and
take advantage of the relatively slower release cycle of Safari?

~~~
om2
Maybe I should have said that some tricks are slow to deploy.

Sometimes the publisher only embeds an image from the tracker (the famed
"tracking pixel"). Getting lots of sites to change that to script is a pain.
Sometimes they need to deploy new server-side tech for a workaround. For the
recent CNAME cloaking trick, they have to get sites to modify their DNS and
change what URL they embed script from.

------
thayne
> ITP now downgrades all cross-site request referrer headers to just the
> page’s origin

What is meant by cross-site here? Does it mean a different eTLD+1, or a
different origin (as used by CORS)?

Specifically, if I make a request from
[https://www.example.com/path?query](https://www.example.com/path?query) to
[https://api.example.com](https://api.example.com) will the referer header
contain the "/path?query"? or will that get blocked as well?

------
core-questions
Trace buster Buster BUSTER!

[https://www.youtube.com/watch?v=Iw3G80bplTg](https://www.youtube.com/watch?v=Iw3G80bplTg)

------
choeger
So what's next? Tracking the Prevention of Tracking Prevention?

Honestly, this shit gets confusing, can someone please ML us out of it? Or
maybe we just design a sane and understandable First-Party only policy?

~~~
Toast_25
It's impossible to build a perfect system, even ML could have a bias towards a
certain solution or the bad guys could ML a way to track us again.

~~~
baroffoos
It's funny how our brains have a kind of built in adblocker named banner
blindness. There have been a few times I was unable to understand a UI because
the important part was rectangular and too prominent so I ignore it entirely
without realizing it.

~~~
rhizome
Why do you think advertisers moved to moving ads, ads that fade in over the
page once you scroll a little and can be assumed to be focusing on the page,
reading? Autoplay video that moves down to the picture-in-picture corner? The
more annoyingly distracting the ad is, the better. Or so advertisers think.

------
rapind
Why can't a browser solve this (except for IP) by simply having an option to
not leak any data? Make audio and GL calls constant time, and don't persist
anything past the tab / window / site? No fonts or cache reuse beyond the
host? No referrers etc.

What's the hard problem here that prevents major browsers from having an
option like this?

~~~
cpeterso
Firefox has an about:config preference called "privacy.resistFingerprinting"
to enable some of Tor's mitigations against fingerprinting. Tor is based on
Firefox code and Mozilla merges some of Tor's code changes into Firefox to
make updating easier for the Tor team.

More details in this ghacks article:

[https://www.ghacks.net/2018/03/01/a-history-of-fingerprintin...](https://www.ghacks.net/2018/03/01/a-history-of-fingerprinting-protection-in-firefox/)

------
kube-system
Of course, Google suggests modifications that would hinder their competitors,
but not themselves. I wonder what percentage of browsers have a first-party
cookie from Google?

~~~
om2
If Google had any motive besides research and responsible disclosure, it would
more likely be to persuade us that ITP is not viable. But I think their issue
was fair and submitted in good faith.

------
xz0r
> We’d like to thank Google for sending us a report in which they explore both
> the ability to detect when web content is treated differently by tracking
> prevention and the bad things that are possible with such detection.

It's interesting that Google being an ad-tech company is doing something
against their own interest.

------
tomaszs
They have an app store they earn money from. They have an ads system. For them
websites are competition. Because people lose time elsewhere than in apps.
They click other ads than theirs.

How should anyone believe these actions are for privacy? And not against
competition? Against the Internet?

Have you seen any consideration how it will impact website owners? I didn't.
It seems they really don't care. And it is very dangerous.

It looks like the path to break the Internet.

~~~
lilyball
Apple doesn't have an ads system, unless you mean the App Store ads that only
show up in App Store search (and thus are completely unrelated to Safari).
They had an ads system at one point but it was shut down over 3 years ago, and
was for in-app ads anyway, not browser ads.

~~~
saagarjha
Apple also runs ads in Apple News.

