For people who felt safe from online tracking because they use tracker-blocking browser extensions (such as uBlock Origin and many others), a pair of recent studies brings some bad news. Let’s look at the findings and what we can do about them. [Thread]

A draft paper from last week uses an obvious-in-retrospect way to find new trackers: by detecting domains that drop tracking pixels. Turns out that filter lists like EasyList/EasyPrivacy (on which most extensions are based) miss over 20% of these trackers. arxiv.org/pdf/1812.01514.pdf

Is 20% a big deal? Unfortunately yes — because it doesn’t account for trackers exchanging information about users behind the scenes for real-time ad auctions. That’s where the second paper (by Bashir & @bowlinearl, published at PETS) comes in. ccs.neu.edu/home/ahmad/publi…

The paper shows that because of incomplete blocking, the major ad/analytics companies can still observe 40-90% (!) of users’ browsing histories (under realistic assumptions about the extent of tracking info exchanged behind the scenes in ad auctions).

What does all this mean? For real online privacy, we need to look beyond the arms race between trackers and browser extensions. Effective action on third-party tracking needs to disrupt the business model of commercial surveillance. freedom-to-tinker.com/2018/0…

One way to disrupt the business of third-party tracking is through GDPR & other regulatory interventions. The other is action by browser vendors—Safari, Mozilla, and Brave have been leading on that front. Research & advocacy have played a big role; we should keep up the pressure!