Web browsers continue to clamp down on the ways in which companies track people around the web. In the latest example, Mozilla’s Firefox browser will start preventing companies from using a method called redirect tracking to identify people as they flit from one site to the next.
Redirect tracking appears to be a lower-profile method of tracking people online. However, as the online advertising industry races to find an identifier to replace the third-party cookie, redirect tracking could serve as an interim substitute, if not a permanent successor. That is to say, it would be a candidate if web browsers weren’t taking aim at redirect tracking as they have other potential third-party cookie stand-ins like device fingerprinting — but, you guessed it, they are.
“We chose to work on redirect tracking protection because we know trackers have used redirects to work around third-party cookie blocking,” said a Mozilla spokesperson.
WTF is redirect tracking?
Redirect tracking is a way for companies to track someone when they’re navigating between two sites. When a person clicks a link on Site A to visit Site B, they may be redirected to Site X before moving on to Site B. This redirect allows Site X to drop a first-party cookie on the person’s browser so that the cookie can be used to recognize the person when they navigate between other sites that redirect to Site X.
Wouldn’t people notice if they’re being redirected to sites they didn’t intend to visit?
Not necessarily. Redirects can happen within milliseconds. To use the aforementioned example, Site X would never have to actually appear on a person’s screen for that person’s browser to be redirected to the site before moving on to the site they meant to visit.
Why would companies use redirects to track people online?
With the third-party cookie on its way out and the online advertising is trying to come up with a replacement identifier. In the meantime, companies have to come up with other ways to track people around the web. Methods, such as device fingerprinting, are also under siege for compromising people’s privacy. Using first-party cookies is one of the most reliable methods for tracking people online, but it requires people to visit a site in order for that site to be able to drop a first-party cookie. That’s a challenge for many ad tech companies since most people are unlikely to ever intentionally visit their sites. Using redirects to force people to technically “visit” an ad tech company’s site is one way around this challenge.
How common is redirect tracking?
In a research paper presented at the Privacy Enhancing Technologies Symposium in July, a group of computer researchers analyzed redirect tracking across the top 50,000 sites, as ranked by traffic analytics firm Alexa. Of the sites analyzed, the researchers found that “11.6% of the scanned websites use one of the top 100 redirectors which are able to store nonblocked first-party tracking cookies on users’ machines even when third-party cookies are disabled,” according to the paper, which cited Google’s DoubleClick and Facebook as the top two redirecting domains it encountered.
Do other browsers block redirect tracking?
Yes. The anti-tracking feature in Apple’s Safari browser, called Intelligent Tracking Prevention, began blocking redirect tracking in 2018. However, Google’s Chrome browser — which has a 66% share of the global browser market, per StatCounter — does not block redirect tracking. A Google spokesperson said redirect tracking is not relevant on Chrome because the browser continues to support SameSite cookies and that it’s move to phase out support for third-party cookies will include protections against alternative tracking methods.
How do browsers block redirect tracking?
It varies. Safari seems to be the most aggressive. Returning to the earlier example, Apple’s browser recognizes if Site X is only serving as a redirect tracking intermediary and wipes any data, such as first-party cookies, that Site X tries to store in a person’s browser to use to track them later.
Firefox is not taking as strict of an approach. Instead of immediately wiping any data stored by Site X, Firefox will allow Site X to store a first-party cookie in a browser for 24 hours after the redirect happens, according to a Mozilla blog post announcing the redirect tracking prevention feature. Additionally, if a person had directly visited Site X outside of the redirect context — for example, if Site X is a search engine or social network that also operates an advertising business that tracks people around the web — then Firefox will allow Site X to keep first-party cookies stored on that person’s browser for 45 days.
Why would Firefox allow redirect tracking for 24 hours?
Firefox’s 24-hour grace period seems to be a recognition that redirect tracking is not only used for persistently following people around the internet and that blocking redirect tracking altogether could impair more legitimate ways that companies use redirect tracking, such as to measure when people click links in a company’s email newsletter that navigate to a third-party site.