"To really stop Google and Facebook from tracking you on other websites, you have to actually block their trackers from loading in your browser when visiting other sites," said Gabriel Weinberg, CEO of DuckDuckGo, via Twitter. "Just restricting them after they load (like preventing them from using third-party cookies) isn’t enough."
You have to actually block their trackers from loading in your browser when visiting other sites
Two of the most widely distributed trackers, Google Analytics tags and the Facebook pixel, for example, can be implemented using first-party cookies, so they're not blocked by third-party cookie limitations. Weinberg argues that merely the act of loading a tracker – a webpage script, an asset like an image, or a cookie file – is itself a major tracking event. "The tracker can get a lot up front including your device info (IP address, user agent, HTTP headers, etc.) as well as your info the site chooses to send with it (e.g., from first-party cookies)."
Essentially, there are a lot of ways to track web users that don't rely on third-party cookies, like IP addresses in combination with other network data that can be used to calculate a browser fingerprint or identifier.
As we recently reported, third-party marketing firms have increased in the use of CNAME DNS records to borrow subdomains from publishers so their cookies appear to originate from a first-party domain and don't get blocked.And app developers in China have been testing an identifier called the China Anonymization ID, or CAID, as a way to recover the tracking capabilities that will be lost once Apple finally implements the App Tracking Transparency framework that has so alarmed Facebook, Google, and other marketers. Weinberg notes that the technology Google has in mind to replace the third-party cookie, like its Federated Learning of Cohorts (FLoC) scheme and related supposedly privacy-preserving ad delivery techniques, may still be useful for tracking. He argues that FLoC – which aims to assign interest group identifiers to users – can be combined with an IP address to become a unique identifier.
The following browsers were tested: Firefox 70.0.1 (Mozilla Binaries from MX Linux) Firefox ESR 68.2.0 (Debian package) Chromium 78.0.3904.97 (Debian Package) Brave Browser 1.0.0 (Package from Brave web site) Epiphany 184.108.40.206 (Debian package) Midori 7.0 (Debian package) The method itself was relatively simple.
Apple's app transparency rules: Google's privacy labels for Chrome and Search on iOS highlighted by DuckDuckGo
"So any tracker that gets both [a FLoC cohort identifier and an IP address] can easily uniquely track and behaviorally target exceptionally well without third-party cookies or anything else," he said.
The DuckDuckGo tracker blocking app for mobile devices and desktop browser extensions can prevent trackers from loading, which not only serves to improve privacy but also speeds up page load times considerably.In a page load time test of WebMD.com, the DuckDuckGo extension cut page load times for Chrome, Firefox, and Safari (with default settings) from 20.2, 15.3, and 13.1 seconds to 9.9, 9.1, and 7.5 respectively, or 46 per cent on average.
The extension reduced browsing data transferred by an average of 34 per cent and cut the number of browser requests for files per page load in Chrome, Firefox, and Safari respectively from 567, 602, and 411 to 164, 198, and 181, an average file count reduction of 66 per cent. Enhanced web performance has long been a selling point for content blocking, ad blocking, and privacy extensions, many of which like uBlock Origin also prevent trackers from loading. But Weinberg points out that DuckDuckGo's software only blocks trackers and doesn't interfere with "non-creepy ads."
"DuckDuckGo is highly profitable based just on serving non-creepy contextual ads," he said. "We believe in a future where these types of ads are normal again, and think this future can be similarly profitable for publishers." ®