Stylized illustration of a fingerprint.

Some websites can't take no for an answer. Third-party cookies are used to track browsing activity as a user moves from site to site, but instead of respecting visitors choice to block third-party cookies, they find ways to circumvent those settings. The makers of the Brave browser are taking action.

Brave Nightly, the testing and development version of the browser, has a feature that prevents bounce tracking. The general release of Brave version 1.37 will include unlinkable bouncing.

Overriding privacy

Third-party cookie blocking is one of the ways websites circumvent it. When a browser prevents a website from loading a third-party tracking cookie, site.example pulls a fast one. When site.example discovers that the tracker.example cookie can't be set, the browser will be directed to the tracker.example site.

The tracker.example cookie is stashed as a first-party cookie on the landing page after being passed through a URL. Once tracker.example places itself between enough of the sites a visitor browses, the tracker builds a detailed profile of that activity.

The image shows how third-party cooking blocking works. There is no way to track the movements of the user from one site to another.

Advertisement

Third-party tracking sites such as tracker.example can be inserted in between the originating site and the cats to circumvent this arrangement. The tracker records that the user visited both cats and cars.

While browsers that support third-party cookie blocking have mechanisms in place to block bounce tracking, it is hard to defend against this form of snooping since the browser doesn't know that it will be directed to tracker.example. Unlinkable bouncing comes in.

Ephemeral storage to the rescue

The process that unlinkable bouncing uses was outlined in a post by the Brave privacy team. Unlinkable bouncing checks the site a user is about to visit against a list of URLs known to perform bounce tracking. When a destination site appears on the list, the browser creates a new storage area for the site, and it doesn't have any cookies, localStorage, or other data related to it.

Brave takes the temporary storage when a user leaves the site. The tracking site won't be able to re-identify the user when they are bounced through it because the data is no longer stored.

Brave has a number of ways to prevent site tracking. When blocking is set to aggressive mode, they include query-parameter stripping, debouncing, and a warning to give concerned users a chance to back out.

Advertisement

The full flow was explained by the Brave privacy team.

  1. When navigating to a new URL, Brave checks to see if that URL is a known bounce-tracking (or otherwise harmful) site, by consulting filter lists (both crowdsourced and Brave-generated).
  2. If that URL appears in a filter list, the browser checks the Trackers & ads blocked shields setting for the destination site. If that setting is Aggressive, the user is presented with a warning for whether they want to continue with the navigation, as described in a prior blog post.
  3. If the user has Trackers & ads blocked in the default setting (or decides to continue with the navigation in the Aggressive setting), the browser then checks the first-party DOM storage values (cookies, localStorage, etc.) for the destination site. If the user has any existing stored values, the navigation continues using the existing stored values (in other words, Unlinkable Bouncing is not applied). If no DOM storage values exist for the destination site, the browser creates a new, temporary browser storage area for the destination site.
  4. Soon after you leave the suspected bounce-tracking site (meaning no tabs are open for that site) the temporary storage is deleted, preventing the site from re-identifying you the next time you're bounced through the site.

Team members said that unlinkable bouncing is the first of four planned applications to implement what they call first-party ephemeral storage. First-party ephemeral storage prevents the first-party site from re-identifying a user unless the user wants to be re- identified.

It will be similar to clearing browser storage every time the user leaves the site, except it is easier and more targeted.

The privacy team members wrote that this brings about a total shift in the behavior of the Web. Brave is working toward forgetfulness by default.