Trackers Bounce Back: Measuring Evasion of Partitioned Storage in the Wild

TL;DR

This paper systematically studies navigational tracking techniques that enable cross-site user activity aggregation despite partitioned storage efforts, revealing their prevalence and identifying key tracking domains.

Contribution

It is the first comprehensive measurement of all navigational tracking techniques, identifying numerous tracking domains and improving detection methods for user identifiers.

Findings

Navigational tracking occurs in over 10% of web navigations.

Identified 214 domains from 104 organizations using link decoration techniques.

Found 23 domains from 16 organizations employing bounce tracking.

Abstract

This work presents a systematic study of navigational tracking, the latest development in the cat-and-mouse game between browsers and online trackers. Navigational tracking allows trackers to 'aggregate users' activities and behaviors across sites by modifying their navigation requests. This technique is particularly important because it circumvents the increasing efforts by browsers to partition or block third-party storage, which was previously necessary for most cross-website tracking. While previous work has studied specific navigational tracking techniques (i.e. "bounce tracking"), our work is the first effort to systematically study and measure the entire category of navigational tracking techniques. We describe and measure the frequency of two different navigational tracking techniques on the Web, and find that navigational tracking is present on slightly more than ten percent of all navigations that we made. Our contributions include identifying 214 domains belonging to at least 104 organizations tracking users across sites through link decoration techniques using direct or indirect navigation flows. We identify a further 23 domains belonging to at least 16 organizations tracking users through bounce tracking (i.e. bouncing users through unrelated third parties to generate user profiles). We also improve on prior techniques for differenting user identifiers from non-sensitive information, which is necessary to detect one class of navigational tracking. We discuss how our findings can used to protect users from navigational tracking, and commit to releasing both our complete dataset and our measurement pipeline