Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Detect and handle 3rd → 1st party JS (Google Analytics) #367

Closed
cooperq opened this issue Apr 17, 2015 · 10 comments

Comments

@cooperq
Copy link
Contributor

commented Apr 17, 2015

e.g. google analytics
[Edit] Previously: #340

@pde pde added this to the Privacy Badger 2.0 milestone Apr 17, 2015

@pde

This comment has been minimized.

Copy link
Member

commented Apr 17, 2015

There are two aspects to this. One is giving users visibility into how these parties are handled. Much of that should be addressed in #345 .

The second component is working out when there's some form of tracking occuring via 3rd->1st party JS. It's very hard to tell when some aspect of the first party origin's code/behaviour was sourced from the third party. One strategy might be to look for the first party's cookie strings being sent out in parts of requests to the third party.

@cooperq cooperq added the enhancement label Apr 24, 2015

@pde

This comment has been minimized.

Copy link
Member

commented Jun 5, 2015

@ghostwords suggested the technique of causing a traceback, and then inspecting it in order to find what script we were inside. That should work, but we will need a clever heuristic in order to avoid doing this time-consuming operation for every cookie get/set event.

@ghostwords

This comment has been minimized.

Copy link
Member

commented Apr 19, 2017

I was just looking into why Badger isn't learning to block Google Analytics. From what I see so far, www.google-analytics.com/analytics.js doesn't use cookies, but does issue requests (via pixels). For example:

https://www.google-analytics.com/r/collect?v=1&_v=j51&a=[numeric ID]&t=pageview&_s=1&dl=[site URL]&ul=en-us&de=UTF-8&dt=[site title]&sd=24-bit&sr=[screen resolution]&vp=[page resolution]&je=0&fl=25.0 r0&_u=[alphanumeric ID]&jid=[numeric ID]&gjid=[numeric ID]&cid=[numeric+dot+numeric ID]&tid=[UA ID]&_r=1&z=[numeric ID]

Badger should probably learn from at least certain request query strings, the same way it learns from cookie values.

@ghostwords ghostwords removed the help wanted label Apr 19, 2017

@ghostwords ghostwords changed the title Detect and handle 3rd → 1st party JS. Detect and handle 3rd → 1st party JS (Google Analytics) Aug 14, 2017

@woctezuma

This comment has been minimized.

Copy link

commented Sep 11, 2017

I believe that it is a pretty great deal that Privacy Badger can be defeated by “[issuing] requests (via pixels)” instead of “[using] cookies”. My suggestions are the following:

  • the heuristic of Privacy Badger should be able to take into account this kind of tracking, otherwise it is an incentive for trackers to exploit this vulnerability, in the case Privacy Badger gets traction,
  • meanwhile, this limitation should be acknowledged on a page with more visibility for the users.

For what it is worth, I have been using uBO-Scope for the past three days, and Google Analytics is present on 70% of the websites which I visit.

@ghostwords

This comment has been minimized.

Copy link
Member

commented Sep 11, 2017

Hi @woctezuma, thanks for chiming in! You are right, Google Analytics is a very common third-party tracking domain. We should prioritize looking into how we can handle it better.

@ghostwords

This comment has been minimized.

Copy link
Member

commented Oct 6, 2018

Should follow up on privacytoolsIO/privacytools.io#335 once this is fixed.

@ghostwords

This comment has been minimized.

Copy link
Member

commented Jun 19, 2019

Should be resolved by #2147.

@ghostwords ghostwords closed this Jun 19, 2019

@ghostwords

This comment has been minimized.

Copy link
Member

commented Jul 10, 2019

Hi @woctezuma, Privacy Badger now catches Google Analytics (as of version 2019.7.1). Would you mind updating your reviews and/or comments in places like privacytools.io's GitHub? Thank you!

@woctezuma

This comment has been minimized.

Copy link

commented Jul 10, 2019

Thank you for the info.

I will read about the changes, then accordingly:

Edit: Here.

@ghostwords

This comment has been minimized.

Copy link
Member

commented Jul 10, 2019

Linking to the legacy Firefox repo just so there is a link back to here: EFForg/privacybadgerfirefox-legacy#298

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
4 participants
You can’t perform that action at this time.