Most Browser Tracking Protection Doesn't Actually Stop Tracking by Default, but We Can Help

Filed under Privacy Research on

As yet another sign of how privacy is now completely mainstream, the major desktop browsers are stepping up their privacy promises. For example, you may have been hearing about how even Google’s Chrome browser is supposedly planning to eliminate “third-party cookies” by 2023, a move Apple’s Safari browser has already mostly carried out and Mozilla’s Firefox browser has partially made.

You may be wondering then, will eliminating third-party cookies and related developments completely prevent trackers that are lurking behind websites from getting your browsing history? Unfortunately, the answer is no. We know this is super confusing and would like to help you make sense of it all as well as help you actually block these invasive cross-site trackers!

The issue is that once such trackers are loaded in your browser, they have a ton of ways to track you beyond just third-party cookies (e.g., by another form of cookies called first-party cookies, by your IP address, and much, much more). And many of these mechanisms cannot be turned off because the browser needs them to properly function.

Blocking third-party cookies and related mechanisms does partially restrict cross-site trackers (which is a good thing for sure), but the reality is that as long as a tracker is still being loaded in your browser, it can definitely still track you — a bit less easily, but tracking is still tracking, and the most prevalent cross-site trackers (those from Google and Facebook) are certainly still tracking you. In this context, browser privacy tech that just restricts trackers after they have loaded is like using an umbrella in a hurricane: You’re still gonna get wet!

Therefore, to really stop a cross-site tracker, the kind that tries to track your activity from site to site, you have to prevent it from actually loading in your browser in the first place. This is a critical blocking feature that we provide in our all-in-one privacy browser extension for desktop Chrome, Firefox, Edge, and Safari, as well as in our own mobile browser for iOS and Android.

Blocking trackers from even loading also has major benefits beyond privacy: increased speed and less data usage. In our tests on a sample web page (WebMD.com), using our tracker blocking resulted in 66% fewer files loading, 34% less data transferred, and, consequently, a 46% increase in page load speed (see bottom section for details).

To sum up, to really stop trackers, you need to totally block them from loading in your browser — just placing restrictions on trackers after they load (like preventing them from using third-party cookies) won't cut it. That's the story in a nutshell, and below is more detail if you want to dig deeper, including how you can see it working in your own browser.

How Cross-Site Web Trackers Work

To dig in a bit further, let’s define a cross-site web tracker as anything that can load on a web page to track your web activity across sites, e.g., your browsing history. To do so, a cross-site web tracker has to do three things:

  1. Grab your information.
  2. Associate your information with your unique ID at the tracking company (behind the tracker).
  3. Send your information back to the tracking company for future profiling.

When you go to a website, it loads the web address (URL) at the top of the browser. What you may not realize, though, is that websites also ask your browser to load many more web addresses (URLs) in the background, and some of those are to third-party trackers. In Firefox (used in the images below), you can see this by going to Tools -> Web Developer -> Network, and then refreshing the page. (Other browsers have similar mechanisms, e.g., in Chrome you can do the same by going to View -> Developer -> Developer Tools, clicking on Network on the panel that comes up, and then refreshing the page.)

Screenshot showing the number of web requests to load the WebMD.com homepage and trackers that are not blocked.
Google & Facebook trackers loaded on WebMD.com.

A visit to WebMD.com using the desktop versions of the major browsers with default settings actually results in hundreds of web requests! Many of those are images and code from WebMD itself to display what you see on screen, but among them is a web request to Google Analytics, the most prevalent cross-site tracker on the Internet, lurking behind 72% of the top 10K websites. (The second most prevalent tracker is Google Global Site Tag and third is Facebook Pixel.)

When your browser makes this web request to Google Analytics, it exposes your IP address in the process – the string of numbers that identifies your device on the Internet (e.g., 18.250.0.1). Your IP address alone can make a pretty effective tracking ID, especially in most desktop situations where it doesn't change frequently because both the device and Internet connection are stable. And embedded information within these types of requests can contain a lot more information about your activity along with other identifiers, which is often why URLs are so long!

Once a tracker loads in your browser it has many more ways it can grab information, create unique IDs to identify you (called browser fingerprinting), and send everything back to its tracking network. That’s because most trackers run JavaScript code, which opens up a whole host of sophisticated tracking techniques that can effectively grab everything you do in the browser, from your mouse movements to your location to every keystroke you enter. And it is impossible to completely restrict all of these techniques because many are needed to make major sites function properly.

In other words, third-party cookies are just one of many browser mechanisms available to trackers, but even without them trackers can still track you through many other methods, including via the information sent in the initial loading web request.

The United Kingdom’s Competition and Markets Authority’s landmark report on the digital advertising market makes this clear in Appendix G, section 325:

“However, we note that it is possible to circumvent blocks on third-party cookies, by asking advertisers and publishers to implement equivalent tracking code using first-party cookies.
(i) For instance, Google Analytics tags are currently implemented using first-party cookies. (See section above on Google Analytics, Floodlight, and Google Tag Manager.)
(ii) To take another example, Facebook Pixel collects data from non-Facebook properties which is used for Facebook’s advertising services, and websites can implement Facebook Pixel using first-party cookies. This means Facebook Pixel can work with browsers blocking third-party cookies.”

That is, the two most prevalent cross-site trackers aren't really constrained by current or upcoming default tracker restrictions. The report goes further saying that a world without third-party cookies in particular will likely strengthen Google and Facebook’s digital advertising duopoly. Fortunately, there is a way to effectively curtail invasive cross-site web trackers: By stopping them from loading in your browser in the first place.

How to Really Stop Cross-Site Web Trackers

To really stop cross-site web trackers, you need to totally block them from loading in your browser, as opposed to just restricting them after they load. That is the only way to stop the Google Analytics tracker, the Facebook pixel tracker, and hundreds of other trackers from stalking you across the Internet, including through your IP address. By doing so, your browser will then stop automatically sending any of your information to these trackers just by visiting an unrelated website, making it harder for them to use your browsing history for filter bubbles, creepy ads, and more.

To use another metaphor, regular privacy browser tech is like locking the back door of the house (third-party cookies) and a few windows (related restrictions) but leaving the front door wide open (IP address) along with the rest of the windows (many other forms of tracking including first-party cookies). Google Analytics is doing just fine in this situation, as are most of the other major trackers. To stop these trackers effectively, you have to board up the whole house and not let them see inside at all. Here’s what that looks like with our browser extension and in our own browser:

Screenshot showing trackers in webmd.com being blocked by the DuckDuckGo Privacy Essentials browser extension.
Google & Facebook trackers blocked by DuckDuckGo.

We simply prevent the browser from allowing that initial tracker web request to even get off the ground. And, using our Tracker Radar technology, we are continually crawling the web ourselves to identify the universe of these requests. Our product vision is privacy, simplified, and so we block as many trackers as we can while simultaneously not breaking website functionality. This is of course a constant effort since trackers are continually changing.
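
An added example (not DuckDuckGo's code) of the block-before-load decision described above; it also lists the query parameters a blocked request would have carried, which is the URL-embedded information discussed earlier. The blocklist, request URLs, and function names are constructed for illustration, and the two-label site comparison is a simplifying assumption.

```javascript
// Constructed sample blocklist (illustrative; not DuckDuckGo's Tracker Radar data).
const TRACKER_DOMAINS = ['google-analytics.com', 'googletagmanager.com', 'connect.facebook.net'];

// Exact or label-boundary suffix match. A substring test would wrongly
// match a look-alike host such as google-analytics.com.example.
function hostMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Simplified "site": last two labels. Production blockers use the Public Suffix List.
function siteOf(host) {
  return host.split('.').slice(-2).join('.');
}

// Decide before any network I/O whether a request may load.
function decide(pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);
  const thirdParty = siteOf(page.hostname) !== siteOf(req.hostname);
  const isTracker = TRACKER_DOMAINS.some((d) => hostMatches(req.hostname, d));
  const block = thirdParty && isTracker;
  return {
    host: req.hostname,
    block,
    // Query parameters that never leave the browser when the request is blocked.
    withheld: block ? [...req.searchParams.keys()] : [],
  };
}

function summarize(pageUrl, requestUrls) {
  const decisions = requestUrls.map((u) => decide(pageUrl, u));
  return { total: decisions.length, blocked: decisions.filter((d) => d.block).length, decisions };
}

// Constructed background requests for one page view (paths and values are made up).
const PAGE = 'https://www.webmd.com/';
const REQUESTS = [
  'https://www.webmd.com/static/app.js',
  'https://img.webmd.com/logo.png',
  'https://www.google-analytics.com/collect?v=1&cid=555.1234&dl=https%3A%2F%2Fwww.webmd.com%2F',
  'https://connect.facebook.net/en_US/fbevents.js',
  'https://google-analytics.com.example/lib.js',
];

console.log(JSON.stringify(summarize(PAGE, REQUESTS), null, 2));
```

Because the decision is made on the URL alone, a blocked request never opens a connection, so the tracker receives neither the IP address nor the `cid` and `dl` values shown in the sample.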

As you might imagine, this is also a challenging technical problem. Without some additional privacy technology like we provide in our product, blocking some of these hidden trackers — like Google Analytics — can break some sites based on how tightly they’ve been integrated into website functionality. But we think a tracker blocker that doesn’t prevent the most prevalent hidden tracker from loading isn’t a credible tracker blocker (as Google Analytics is by far the most prevalent). We are now also starting to work on blocking initial requests of visible third-party content like video embeds, with more to come on that in a future post.

How DuckDuckGo Improves Your Browsing Experience

The result of using the DuckDuckGo app & extension on a web page is that potentially hundreds of behind-the-scenes tracker requests are blocked before they even load, meaning not just greater privacy but also additional benefits like less data transfer and faster load times. That's because so much of the data associated with a website nowadays is actually just for tracking you!

Chart showing the page load times, number of web requests and data transferred when visiting WebMD.com on desktop.
| Metric | Browser-Only Average | Browser + DuckDuckGo Extension Average |
|---|---|---|
| Web Requests | 527 | 181 |
| Data Transferred (MB) | 8.1 | 5.4 |
| Page Load Time* (seconds) | 16.2 | 8.8 |
| Google Analytics Tracker | Allowed to load | Blocked from loading |
| Facebook Pixel Tracker | Allowed to load | Blocked from loading |

* Page load time measured using the loadEventEnd property.

While Google, Facebook, and others work hard to have their trackers get around browser roadblocks in pursuit of your data, we provide the tool to really push back without changing how you use the Internet. For everyone who’s had enough: the DuckDuckGo app & extension lets you take back your online privacy now.

Note: Google recently announced how they plan to replace third-party cookies. It's of course bad for privacy too, but the tracker blocking technology in our app & extension should continue to be effective at preventing trackers from receiving this new tracking information (along with your IP address) by still preventing them from loading in the first place.


For more privacy advice follow us on Twitter, and stay protected and informed with our privacy newsletters.
