Browser data protection in 2020 is complicated

Does your modern, 2020’s browser respect privacy and therefore not reveal any personal information without your consent to unknown third-parties? The short – but still true – answer is: no. The longer answer is: it depends. What is for sure though is that the situation is rather confusing, even for individuals with a technical background. So I did some research on the topic, which I am going to share with you now.

Observation 1: data protection is an issue today

Nowadays, privacy matters have become part of our daily routines. Clicking away a cookie consent dialog is part of today’s user experience, and not the best one, imho. The GDPR (General Data Protection Regulation) created new business models such as consent management platforms, and supporting the GDPR principles is essentially a sine qua non for larger SaaS vendors now. As a matter of fact, privacy concerns are mainstream in 2020.

But how does your main tool – your browser – handle privacy for your various internet experiences? And what is the situation on your mobile, where many apps are just thin wrappers around something called web views, which in fact are just browsers again? In a nutshell, it’s a disaster. It always was.

Do browsers respect your privacy?

Observation 2: browser vendors are taking action

Probably for this reason, browser vendors decided to take some counter-measures in order to prevent information from leaking. I will give you some examples: In 2017, Apple introduced and added Intelligent Tracking Prevention to the Safari browser, blocking 3rd-party cookies used for cross-site tracking. Ad tech land and others were not amused, because their remarketing endeavours are usually based on third-party cookies. Fingerprint defense was also announced to prevent misuse of your personal information, which is good in theory but not a perfect solution yet. For more information regarding this development, I highly recommend reading this article published in the Financial Times.

In 2019, Google announced their new privacy strategy, which you can find here. Just like Apple, they’ve introduced better fingerprinting defence. But with regard to cookies, Google proposed a different approach: more control over 3rd-party cookies. No surprise there, since Google has a far greater interest in cross-site tracking data than Apple.

In contrast, Mozilla’s Firefox browser offers a lot of control over privacy-related features, an in-detailed explanation of which can be found in this blog post. This is probably one of the reasons why the Tor browser is based on a stripped and adapted version of Firefox.

Observation 3: third-party cookies are (sometimes) evil

Since February 2020, some technical users might already have noticed a new warning message in the developer console of the Google Chrome browser. It goes like this:

Warning message in Chrome’s developer console

This is because Google Chrome 80 has already implemented a new standard proposal for a more fine-grained 3rd-party cookie control. In my example above concerning Doubleclick, which is ironically a Google company, third-party cookies would be blocked by future versions of the Google browser. So I guess they will be changing that rather soon.

This SameSite proposal – cookie classification, secure by default – is less harsh than Apple’s blocking approach. Both methods are able to prevent a very common abusive attack known as CSRF.

Observation 4: the dark art of browser fingerprinting

Now here is the real deal everybody should be talking about: browser fingerprinting. And this is nothing new, it was always here and I would bet, it has always been used. Without anyone noticing. Without anyone’s consent.

Browser fingerprinting may take some explaining, and as a starting point I can recommend the following blog post by the Washington Post. The basic idea is to combine all the information your browser is exposing (usually for good purposes such as installed fonts, battery status etc.), apply some set theory and calculate a unique value for your browser environment, and by extension, you.

This is why every browser vendor is proposing fingerprinting defense as a future strategy to protect privacy. But can it be implemented easily? Absolutely not, as this is anything but trivial. In this Tor project blog post you can take a look at the current state of research and learn which problems exist that need to be solved first.

You can also get a hint of your own online uniqueness by visiting test sites such as this open source project. Don’t forget to try it out on your mobile as well as desktop browser.

Browser fingerprinting makes your profile unique

Conclusion

As this blog’s title suggests, browser data protection is complicated. And the privacy threats mentioned above are not genuinely new, as we have been dealing with 3rd-party cookies for the past 25 years now. Moreover, it is not only about web browsers but also about your mobile environment, as apps make quite some use of integrated mobile browsers. Currently, the major issues are being addressed by browser vendors, but this is rather a slow process, as new standards need to be established and entire business categories are at stake, as there are companies who sell and track user profiles.

Protecting your privacy today is hard, even for tech-savvy persons. Third-party cookies are occasionally useful and at least you can delete or block them – nevertheless, browser fingerprinting is a real problem. So if anyone complains about 3rd-party cookies, just explain fingerprinting and show some demo pages of this dark art.

All in all, my recommendation here is to take your personal privacy very seriously and to keep yourself informed and aware. Most importantly, you should not rely on your privacy being respected on the internet, whether searching your browser or using seemingly innocent apps on your mobile or other devices.