Welcome. How is everyone's tracking protection working?
26 March 2017
This is a brand new blog, so I'm setting up the basics. I just realized that I got the whole thing working without a single script, image, or HTML table. (These kids today have it easy, with their media queries and CSS Grid and stuff.)
One big question that I'm wondering about is: how many of the people who visit here are using some kind of protection from third-party tracking? Third-party tracking has been an unfixed vulnerability in web browsers for a long time. Check out the Unofficial Cookie FAQ from 1997. Third-party cookies are in there...and we're still dealing with the third-party tracking problem?
In order to see how bad the problem is on this site, I'm going to set up a little bit of first-party data collection to measure people's vulnerability to third-party data collection.
The three parts of that big question are:
Does first-party JavaScript load and run?
Does third-party JavaScript (from a site on popular filter lists) load and run?
Can a third-party tracker see state from other sites?
This will be easy to do with a little single-pixel image and the Aloodo tracking detection script.
Step one: add an image and two scripts to the page footer
This blog is on Metalsmith, so the right place to put these scripts will be in layouts/partials/footer.html.
The lines that matter are:
<script src="/code/check3p.js"></script>
<script src="https://ad.aloodo.com/track.js"></script>
<img id="check3p" src="/tk/sr.png"
height="1" width="1" alt="">
I'm including a single-pixel image and two scripts: the Aloodo one and a new first-party script.
In most tracking protection configurations, the Aloodo script will be blocked, because ad.aloodo.com appears on the commonly used tracking protection lists.
Step two: write the first-party script
The local script is simple: /code/check3p.js
All it does is swap out the tracking image source three times.
When the script runs, to check that this is a browser with JavaScript on.
When the Aloodo tracking script runs, to check if this browser is blocking the script from loading.
When the Aloodo script confirms that tracking is possible.
The work is done in the setupAloodo function, which runs after the page loads. First, it sets the src for the tracking pixel to js.png, then sets up two callbacks: one to run after the Aloodo script is loaded, and switch the image to ld.png, and one to run if the script can track the user, and switch the image to td.png.
Step three: check the logs
Now I can use the regular server logs to compare the number of clients that load the original image, and the JavaScript-switched one, to the number that load the two tracking images.
(There are two different tracking callbacks because of the details of how Aloodo has to detect Privacy Badger, among other things. Not all tracking protection works the same.)
I'll run some reports on the logs and post again about the results. (If you want to see your own results in the meantime, you can take a tracking protection test.)
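One way to run the Step three comparison over an access log, as an added example (not this blog's own code). It assumes combined log format, that js.png, ld.png and td.png sit in /tk/ beside sr.png, and that an IP address plus user agent approximates one client; the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Combined Log Format (assumed); only the fields needed here are captured.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Pixels in the order check3p.js swaps them, with what each request shows.
# Assumption: js.png, ld.png and td.png live in /tk/ next to sr.png.
STAGES = [
    ("/tk/sr.png", "page loaded, no JavaScript"),
    ("/tk/js.png", "first-party JavaScript ran"),
    ("/tk/ld.png", "third-party script loaded"),
    ("/tk/td.png", "third-party tracking possible"),
]
RANK = {path: i for i, (path, _) in enumerate(STAGES)}

def furthest_stage(lines):
    """Map each client (IP, user agent) to the furthest pixel it fetched."""
    reached = defaultdict(lambda: -1)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] not in ("200", "304"):
            continue  # unparsable line or failed request
        path = m["path"].split("?", 1)[0]
        if path in RANK:
            key = (m["ip"], m["ua"])
            reached[key] = max(reached[key], RANK[path])
    return dict(reached)

def summarize(lines):
    """Count clients by the furthest stage they reached."""
    counts = Counter(furthest_stage(lines).values())
    return {label: counts.get(i, 0) for i, (_, label) in enumerate(STAGES)}

# Constructed sample traffic (documentation IP ranges), not real log data.
_HITS = [
    ("192.0.2.10", "/tk/sr.png", 200), ("192.0.2.10", "/index.html", 200),
    ("192.0.2.20", "/tk/sr.png", 200), ("192.0.2.20", "/tk/js.png", 200),
    ("198.51.100.5", "/tk/js.png", 200), ("198.51.100.5", "/tk/ld.png", 304),
    ("203.0.113.9", "/tk/ld.png", 200), ("203.0.113.9", "/tk/td.png", 200),
    ("203.0.113.77", "/tk/td.png", 404),
]
SAMPLE = [f'{ip} - - [26/Mar/2017:12:00:00 +0000] "GET {p} HTTP/1.1" {s} 68 '
          f'"-" "ExampleBrowser/1.0"' for ip, p, s in _HITS]

if __name__ == "__main__":
    for label, n in summarize(SAMPLE).items():
        print(f"{n:4d}  {label}")
```

Clients behind a shared address with identical user agents collapse into one row, so the counts are a lower bound on distinct browsers.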