Developers working on open-source ad-blocker uBlock Origin have uncovered a mechanism for tracking web browsers around the internet that defies today’s blocking techniques.

A method to block this so-called unblockable tracker has been developed by the team, though it only works in Firefox, leaving Chrome and possibly other browsers susceptible. This fix is now available to uBlock Origin users.

The tracker relies on DNS queries to get past browser defenses, so some form of domain-name look-up filtering could thwart this snooping. As far as netizens armed with just their browser and a regular old content-blocker plugin are concerned, this tracker can sneak by unnoticed. It can be potentially used by advertising and analytics networks to fingerprint netizens as they browse through the web, and silently build up profiles of their interests and keep count of pages they visit.

And, interestingly enough, it’s seemingly a result of an arms race between browser makers and ad-tech outfits as they battle over first and third-party cookies.

[…]

Many marketers, keen on maintaining their tracking and data collection capabilities, have turned to a technique called DNS delegation or DNS aliasing. It involves having a website publisher delegate a subdomain that the third-party analytics provider can use and aliasing it to an external server using a CNAME DNS record. The website and its external trackers thus seem to the browser to be coming from the same domain and are allowed to operate.

As Eulerian explains on its website, “The collection taking place under the name of the advertiser, and not under a third party, neither the ad blockers nor the browsers, interrupt the calls of tags.”

But wait, there’s more

Another marketing analytics biz, Wizaly, also advocates this technique to bypass Apple’s ITP 2.2 privacy protections.

As does Adobe, which explains on its website that one of the advantages of CNAME records for data collection is they “[allow] you to track visitors between a main landing domain and other domains in browsers that do not accept third-party cookies.”

In a conversation with The Register, Aeris said Criteo, an ad retargeting biz, appears to have deployed the technique to their customers recently, which suggests it will become more pervasive. Aeris added that DNS delegation clearly violates Europe’s GDPR, which “clearly states that ‘user-centric tracking’ requires consent, especially in the case of a third-party service usage.”

A recent statement from the Hamburg Commissioner for Data Protection and Freedom of Information in Germany notes that Google Analytics and similar services can only be used with consent.

“This exploit has been around for a long time, but is particularly useful now because if you can pretend to be a first-party cookie, then you avoid getting blocked by ad blockers, and the major browsers – Chrome, Safari, and Firefox,” said Augustine Fou, a cybersecurity and ad fraud researcher who advises companies about online marketing, in an email to The Register.

“This is an exploit, not an ‘oopsies,’ because it is a hidden and deliberate action to make a third-party cookie appear to be first-party to skirt privacy regulations and consumer choice. This is yet another example of the ‘badtech industrial complex’ protecting its river of gold.”

[…]

Two days ago, uBlock Origin developer Raymond Hill deployed a fix for Firefox users in uBlock Origin v1.24.1b0. Firefox supports an API to resolve the hostname of a DNS record, which can unmask CNAME shenanigans, thereby allowing developers to craft blocking behavior accordingly.

“uBO is now equipped to deal with third-party disguised as first-party as far as Firefox’s browser.dns allows it,” Hill wrote, adding that he assumes this can’t be fixed in Chrome at the moment because Chrome doesn’t have an equivalent DNS resolution API.

Aeris said, “For Chrome, there is no DNS API available, and so no easy way to detect this,” adding that Chrome under Manifest v3, a pending revision of Google’s extension platform, will break uBO. Hill, uBO’s creator, recently confirmed to The Register that’s still the case.

Even if Chrome were to implement a DNS resolution API, Google has made it clear it wants to maintain the ability to track people on the web and place cookies, for the sake of its ad business.

Apple’s answer to marketer angst over being denied analytic data by Safari has been to propose a privacy-preserving ad click attribution scheme that allows 64 different ad campaign identifiers – so marketers can see which worked.

Google’s alternative proposal, part of its “Privacy Sandbox” initiative, calls for an identifier field capable of storing 64 bits of data – considerably more than the integer 64.

As the Electronic Frontier Foundation has pointed out, this enables a range of numbers up to 18 quintillion, allowing advertisers to create unique IDs for every ad impression they serve, information that could then be associated with individual users.

Source: Bad news: ‘Unblockable’ web trackers emerge. Good news: Firefox with uBlock Origin can stop it. Chrome, not so much • The Register

More than 600 police forces across the country have entered into partnerships with the camera giant allowing them to quickly request and download video captured by Ring’s motion-detecting, internet-connected cameras inside and around Americans’ homes.

The company says the videos can be a critical tool in helping law enforcement investigate crimes such as trespassing, burglary and package theft. But some lawmakers and privacy advocates say the systems could also empower more widespread police surveillance, fuel racial profiling and spark new neighborhood fears.

In September, following a report about Ring’s police partnerships in The Washington Post, Sen. Edward Markey, D-Mass., wrote to Amazon asking for details about how it protected the privacy and civil liberties of people caught on camera. Since that report, the number of law enforcement agencies working with Ring has increased nearly 50%.

In two responses from Amazon’s vice president of public policy, Brian Huseman, the company said it placed few restrictions on how police used or shared the videos offered up by homeowners. (Amazon CEO Jeff Bezos also owns The Washington Post.)

Police in those communities can use Ring software to request up to 12 hours of video from anyone within half a square mile of a suspected crime scene, covering a 45-day time span, Huseman said. Police are required to include a case number for the crime they are investigating, but not any other details or evidence related to the crime or their request.

Markey said in a statement that Ring’s policies showed the company had failed to enact basic safeguards to protect Americans’ privacy.

“Connected doorbells are well on their way to becoming a mainstay of American households, and the lack of privacy and civil rights protections for innocent residents is nothing short of chilling,” he said.

“If you’re an adult walking your dog or a child playing on the sidewalk, you shouldn’t have to worry that Ring’s products are amassing footage of you and that law enforcement may hold that footage indefinitely or share that footage with any third parties.”

Ring, which Amazon bought last year for more than $800 million, did not immediately respond to requests for comment.

Source: Police can keep Ring camera video forever, and share with whomever they’d like, company tells senator – Stripes