Welcome. How is everyone's tracking protection working?
26 March 2017
This is a brand new blog, so I'm setting up the basics. I just realized that I got the whole thing working without a single script, image, or HTML table. (These kids today have it easy, with their media queries and CSS Grid and stuff.)
One big question that I'm wondering about is: how many of the people who visit here are using some kind of protection from third-party tracking? Third-party tracking has been an unfixed vulnerability in web browsers for a long time. Check out the
In order to see how bad the problem is on this site, I'm going to set up a little bit of first-party data collection to measure people's vulnerability to third-party data collection.
The three parts of that big question are:
Can a third-party tracker see state from other sites?
This will be easy to do with a little single-pixel image and the Aloodo tracking detection script.
Step one: add an image and two scripts to the page footer
The lines that matter are:
    <script src="/code/check3p.js"></script>
    <script src="https://ad.aloodo.com/track.js"></script>
    <img id="check3p" src="/tk/sr.png" height="1" width="1" alt="">
I'm including a single-pixel image and two scripts: the Aloodo one and a new first-party script.
In most tracking protection configurations, the Aloodo
script will be blocked, because
appears on the commonly used tracking protection
Step two: write the first-party script
The local script is simple: /code/check3p.js
All it does is swap out the tracking image source three times.
When the Aloodo tracking script runs, to check if this browser is blocking the script from loading.
When the Aloodo script confirms that tracking is possible.
The work is done in the
which runs after the page loads. First, it sets the
src for the tracking pixel to
js.png, then sets
up two callbacks: one to run after the Aloodo script
is loaded, and switch the image to
one to run if the script can
track the user,
and switch the image to
Step three: check the logs
Now I can use the regular server logs to compare
the number of clients that load the original image,
load the two
(There are two different tracking callbacks because of the details of how Aloodo has to detect Privacy Badger, among other things. Not all tracking protection works the same.)
I'll run some reports on the logs and post again about the results. (If you want to see your own results in the meantime, you can take a tracking protection test.)
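One way to run the step-three comparison over server logs, as an added example (not the author's code or reports). It assumes Combined Log Format and keys each client by IP plus user agent; `sr.png` and `js.png` are the names from the post, while `loaded.png`, `tracked-a.png` and `tracked-b.png` are placeholder names for the later images, whose real names are not shown here.

```python
import re
from collections import Counter

# Pixel file name -> furthest stage that request proves. sr.png and js.png are
# from the post; the other three names are placeholders (assumptions).
STAGES = {"sr.png": 0, "js.png": 1, "loaded.png": 2,
          "tracked-a.png": 3, "tracked-b.png": 3}
LABELS = ["no_js", "js_only", "script_loaded", "trackable"]

# Combined Log Format: ip - - [time] "GET path HTTP/x" status size "referer" "ua"
LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"'
)

def classify(lines):
    """Return {(ip, ua): label} for the furthest stage each client reached."""
    best = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # malformed line or a method other than GET
        ip, path, status, ua = m.groups()
        name = path.split("?", 1)[0].rsplit("/", 1)[-1]
        if not path.startswith("/tk/") or name not in STAGES or status not in ("200", "304"):
            continue  # not a successful fetch of one of the measurement pixels
        client = (ip, ua)  # rough key: NAT and identical user agents merge people
        best[client] = max(best.get(client, 0), STAGES[name])
    return {client: LABELS[rank] for client, rank in best.items()}

def summarize(lines):
    """Count clients per furthest stage reached."""
    return Counter(classify(lines).values())

def _line(ip, path, ua="Mozilla/5.0 (constructed sample)"):
    # Builds one constructed log line; none of these are real traffic.
    return f'{ip} - - [26/Mar/2017:12:00:00 +0000] "GET {path} HTTP/1.1" 200 68 "-" "{ua}"'

SAMPLE = (
    [_line("192.0.2.10", "/tk/" + n) for n in ("sr.png", "js.png", "loaded.png", "tracked-a.png")]
    + [_line("192.0.2.11", "/tk/" + n) for n in ("sr.png", "js.png")]
    + [_line("192.0.2.12", "/tk/" + n) for n in ("sr.png", "js.png")]
    + [_line("198.51.100.7", "/tk/sr.png"), _line("203.0.113.5", "/index.html")]
    + [_line("198.51.100.8", "/tk/" + n) for n in ("sr.png", "js.png", "loaded.png")]
)

if __name__ == "__main__":
    counts = summarize(SAMPLE)
    for label in LABELS:
        print(f"{label:14} {counts[label]}")
```

Clients that stop at `js_only` ran the first-party script but never loaded the Aloodo script, which is what blocking looks like in the logs; `script_loaded` without `trackable` means the script ran but did not confirm tracking.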