Brave browser to tackle ‘bounce tracking’ • The Register

Browser maker Brave has developed a new way to defend against “bounce tracking”, a sneaky technique that circumvents privacy defenses to track people across different websites.
Bounce tracking, also known as redirect tracking, dates back to at least 2014, when advertising companies were looking for ways to circumvent third-party cookie blocking defenses.
“Bounce tracking is a way for trackers to track you even if browser-level privacy protections are in place,” Peter Snyder, senior privacy manager at Brave, explained on Tuesday.
“Browser privacy tries to prevent sites from learning about your behaviors and activities on other sites. Bounce tracking attempts to circumvent these protections by playing with how your browser behaves as you navigate from site to site.”
Suppose a website embeds a third-party script from info.tracker. When visiting the website, the third-party script tries to read third-party cookies from info.tracker that have been stored in the visitor’s browser.
If it can’t – because third-party cookies are blocked – the script redirects to the info.tracker domain by writing a new URL in the browser window.location object or via a link hijacking method such as injecting an info.tracker iframe in the original website.
This puts info.tracker in a first-party context, allowing it to set tracking cookies.
Info.tracker then redirects to the original website URL and the info.tracker cookies can then be read in third-party contexts. By doing this on several different websites, info.tracker can develop a profile of people’s interests.
To limit privacy intrusions of this type, Brave software engineer Aleksey Khoroshilov and senior software engineer Ivan Efremov devised a defense called Unlinkable Bouncing.
Unlinkable Bouncing prevents bounce tracking sites from tracking people over time by linking past website visits to new ones. It is designed to augment the bounce tracking defenses previously implemented by Brave, which include warnings before visiting bounce tracking sites, removal of query parameters appended to URLs to facilitate tracking, and anti-bounce, a mechanism for removing bounce tracking redirects.
Essentially, Unlinkable Bouncing enforces amnesia for bounce tracking sites. When navigating to a new URL, Brave checks its internal and crowdsourced filter list for known bounce trackers.
If the URL is found, assuming a sufficiently strict browser privacy configuration, the browser creates a new temporary storage area for the bounce tracking site and then deletes it, purging all identifiers that have been set. This prevents the bounce tracking site from re-identifying the visitor when another website redirects to the bounce tracking site.
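The effect of that temporary storage area can be seen in a small model. This is an added example, not Brave's code: the Browser class, FILTER_LIST, the hostnames and the choice to delete the temporary area when the browser navigates away from the listed site are all assumptions made for illustration.

```javascript
// Toy model of per-site (first-party) storage; not Brave's implementation.
// FILTER_LIST, Browser and every hostname here are constructed for illustration.
const FILTER_LIST = new Set(["info.tracker"]); // stands in for the filter list

class Browser {
  constructor({ unlinkableBouncing }) {
    this.unlinkableBouncing = unlinkableBouncing;
    this.persistent = new Map(); // site -> Map of stored values
    this.ephemeral = new Map();  // site -> temporary storage area
    this.current = null;
  }
  // Storage a site sees while it is loaded as the first party.
  storageFor(site) {
    const useTemp = this.unlinkableBouncing && FILTER_LIST.has(site);
    const areas = useTemp ? this.ephemeral : this.persistent;
    if (!areas.has(site)) areas.set(site, new Map());
    return areas.get(site);
  }
  // Top-level navigation; leaving a site deletes its temporary area (assumption).
  navigate(site) {
    if (this.current !== null && this.current !== site) {
      this.ephemeral.delete(this.current);
    }
    this.current = site;
    return this.storageFor(site);
  }
}

// What the bounce site learns: it reuses a stored ID or has to mint a new one.
let nextId = 0;
function trackerSeesId(storage) {
  if (!storage.has("uid")) storage.set("uid", `id-${++nextId}`);
  return storage.get("uid");
}

// Visit each site, bounce through info.tracker, return; collect the IDs seen.
function idsObservedAcross(browser, sites) {
  return sites.map((site) => {
    browser.navigate(site);
    const id = trackerSeesId(browser.navigate("info.tracker"));
    browser.navigate(site); // redirect back to the original URL
    return id;
  });
}

const sites = ["news.example", "shop.example", "health.example"];
const linked = idsObservedAcross(new Browser({ unlinkableBouncing: false }), sites);
const unlinked = idsObservedAcross(new Browser({ unlinkableBouncing: true }), sites);
console.log("without defense:", linked, "with defense:", unlinked);
```

With the defense off, the bounce site reads back the same identifier on every visit; with it on, each bounce starts from empty storage, so the three visits cannot be joined into one profile.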
According to Snyder, Unlinkable Bouncing is Brave’s first “first-party ephemeral storage” application, a capability being developed to make websites more forgetful.
“It’s a set of techniques that allow sites to remember (or identify) you only as long as you visit the site,” he said. “It’s similar to – although more powerful and user-friendly than – clearing your browser’s memory every time you leave a site.”
Unlinkable Bouncing is available in Brave Nightly, the company’s experimental build, and is expected in the upcoming 1.37 release.
European data protection law has established a right to be forgotten. Brave is working toward a future where user activities don’t need to be logged. ®