When you install a web browser that claims to block trackers, you might think that would stop websites spying on your browsing activity.
If so, you’d be wrong. As tracking protection becomes a table-stakes feature in more web browsers including Apple’s Safari, Mozilla Firefox, and Microsoft Edge, the targeted ad industry has found a way to circumvent those measures. It’s called “bounce tracking” or “redirect tracking,” and it involves hiding trackers inside the links you click on, making them harder to block without breaking websites.
“Anybody who runs an ad network is almost certainly doing some version of this,” says Peter Snyder, director of privacy at Brave, which has made privacy a central feature of its web browser.
While bounce tracking isn’t the only way websites can evade web browsers’ privacy controls, it’s received less attention than other tactics such as fingerprinting, which involves identifying users via their computers’ unique attributes. Even so, some browser makers say bounce tracking has become a widespread issue, and now they’re finding new ways to fight back.
How bounce tracking works
The most basic form of tracking protection on the web involves blocking certain types of “cookies,” or the identifiers that websites use to recognize individual visitors. Web browsers’ anti-tracking tools generally allow sites to store their own cookies so they can remember repeat visitors, but they’ll block cookies that originate from other parts of the web, which some companies use to follow you around online.
Safari started blocking some of these third-party cookies in 2017, and moved to complete blocking last year. Firefox added cookie blocking by default in 2019, as did Brave, which launched out of beta that same year. Microsoft Edge followed suit when it launched out of beta in early 2020.
“There’s this Las Vegas rule: What happens on one website stays on one website, and when you visit a different site, it shouldn’t be able to know exactly what you did on the other site,” Snyder says.
Bounce tracking tries to exploit this distinction between first- and third-party cookies. When you click on a link, a site that wants to track you could first load an intermediary site before transferring you to the intended destination. The intermediary site sets a first-party cookie along the way, and each time you cross through it, it gathers more information about where you’ve been and where you’re going.
“Because it’s being done as a first-party, the browser doesn’t know this is happening,” says Mike O’Neill, cofounder and CTO of Baycloud Systems, which helps companies comply with government privacy regulations. (O’Neill predicted the rise of bounce tracking in 2014, when Apple started experimenting with blocking cookies in Safari.)
Bounce tracking has other permutations as well. In a related method called Query Parameter Tracking or “link decoration,” a website will add a unique identifier to the links you click on, serving as a signal to the next site you visit. The destination site can then store the identifier in a first-party cookie on the original site’s behalf, letting it track your activity. The more this happens on additional sites, the more the original site can track you without ever using third-party cookies.
You can see this in action by examining the links in Facebook ads. If you see “fbclid=” in the link, that means Facebook has set a query parameter that it can use to track you elsewhere. If you click on a Facebook ad, the destination site can then recognize you as a specific Facebook user, and the social network can continue to track you there.
“Before you navigate from Facebook to some other site, they’ll modify the URL you’re about to visit, and they’ll stick some unique identifier in it,” Snyder says. “If they have code on both sides of the connection, they’ll read it off and say, ‘this unique cookie and this first party [are] the same as this unique cookie and this first party, and we know they both correspond to the same Facebook identity.'”
Web browsers respond
Bounce tracking is tricky to block because the underlying methods aren’t always nefarious. Websites might use redirect links to unsubscribe you from a newsletter, for instance, or they might use link decoration to relay information you filled out on a web form. Blocking or modifying those links can break some sites.
Arthur Edelstein, Mozilla’s senior product manager for privacy and security, says the company is working on more ways to prevent bounce tracking, but it’s also moving deliberately so that websites load without issue.
“We’ve basically tried to address what we see as the biggest tracking threats first, and work our way through all the different threats, so we’re kind of in the middle of that journey,” he says.
Brave is taking a more aggressive approach. The browser uses a variety of crowdsourced lists to block web domains that it associates with bounce tracking, and it strips out portions of weblinks—such as “fbclid=”—that it believes websites use for query parameter tracking. An update last month to Brave’s strictest privacy mode also added a warning page in cases where the browser can’t prevent bounce tracking, telling users they’ll be tracked if they proceed. (The popular ad blocker uBlock Origin uses a similar tactic.)
Snyder says the company plans to block more bounce trackers over time without breaking any websites, eventually obviating the need for those warning pages.
“We basically have four plans for combating this stuff, and the two easiest ones have shipped, and the next two are on their way out the door,” he says.
Given the ongoing cat and mouse game between browsers and trackers, you might think all of these privacy protections are pointless. Baycloud’s O’Neill says we’d all be better off with stronger privacy laws, so that browser makers wouldn’t have to keep closing the loopholes that trackers come up with.
“I don’t think it’s a long-term solution because they’ll find some way around it,” he says. “It’s like this arms race going on.”
But in the meantime, browser makers say their protections are better than nothing. Even just blocking third-party cookies vastly limits what websites can collect compared to bounce tracking, which requires you to click on links and only shares data between two sites at a time. The trackers’ workarounds, in other words, have their limits.
“It’s still better to live in a ‘bounce tracking world’ than an ‘allow third-party cookies world’,” Snyder says, “even if we should figure out how to solve this problem as well.”