TrackingObserver: A Browser-Based
Web Tracking Detection Platform

As you browse the web, your browsing behavior may be observed and aggregated by third-party websites ("trackers") that you don't visit directly. These trackers are generally embedded by host websites in the form of advertisements, social media widgets (e.g., the Facebook "Like" button), or web analytics platforms (e.g., Google Analytics). The Wall Street Journal's What They Know series provides a good overview of web tracking and why some people consider it a privacy concern.

TrackingObserver is a Chrome extension that acts as a platform for detecting, measuring, and blocking third-party web trackers. Unlike other tools, TrackingObserver does not use a blacklist of known tracking domains, but rather detects trackers automatically based on their in-browser behaviors (such as setting and receiving third-party cookies).

Different trackers exhibit different behaviors, which give them different capabilities. For example, some trackers can track you only when you return to the same site, while others can track you as you browse multiple different sites. TrackingObserver automatically categorizes trackers according to the taxonomy described below.

TrackingObserver is not just a stand-alone Chrome extension, but a platform. It exposes APIs for tracking detection, measurement, and blocking, and you can install or develop add-ons that provide visualization or other functionality. TrackingObserver prevents add-ons from needing to reinvent or reimplement its automatic tracking detection algorithm, while allowing them to innovate in other ways.

TrackingObserver is based on our earlier measurement tool, TrackingTracker [1], and is described further in chapter/section 2.6 of [2].

We hope that TrackingObserver will be valuable for users, developers, and web tracking researchers.

Contact Us

TrackingObserver is part of a research project, and we welcome your suggestions, feedback, and bug reports to help improve our tool. Please contact us via the TrackingObserver Google Group.

Tracking Taxonomy

In our earlier work [1], we systematically reverse-engineered trackers in the wild, developed a taxonomy of trackers, and measured the tracking ecosystem. TrackingObserver automatically detects trackers and categorizes them according to this taxonomy:

  1. Analytics Tracking: The tracker serves as a third-party analytics engine for sites by providing a script that implements analytics functionality. It can only track users within sites. (If the site that provides the analytics script is different from the site to which the analytics information is sent, we call it referred analytics tracking.)
    Scope: Within-Site.

  2. Vanilla Tracking: The tracker uses client-side storage (e.g., cookies) from a third-party position to track users across sites.
    Scope: Cross-Site.

  3. Forced Tracking: The tracker forces users to visit its domain directly -- for example, by opening a popup or redirecting the user to a full-page ad -- allowing it to set tracking state (e.g., cookies) from a first-party position.
    Scope: Cross-Site.

  4. Personal Tracking: The cross-site tracker is visited by the user directly in other contexts. For example, the user may visit directly, and later encounter the Facebook "Like" button embedded on other websites. Facebook can then track the user's visits to those sites. Personal trackers commonly appear as social widgets (e.g., the "Like" button, the "tweet" button, or the Google "+1" button).
    Scope: Cross-Site.

  5. Referred Tracking: The tracker relies on a Vanilla, Forced, or Personal tracker to leak unique identifiers to it, rather than on its own client-side state, to track users across sites. Referred tracking is commonly practiced by ad networks. To take a hypothetical example, might set its own cookie, and then explicitly leak that cookie in requests to referred trackers and In this case, and need not set their own cookies in order to perform tracking.
    Scope: Cross-Site.

[1] Franziska Roesner, Tadayoshi Kohno, and David Wetherall. Detecting and Defending Against Third-Party Tracking on the Web. Proceedings of the 9th USENIX Symposium on Networked Systems Design and Implementation (NSDI), 2012.

[2] Franziska Roesner. Security and Privacy from Untrusted Applications in Modern and Emerging Client Platforms. PhD Dissertation, University of Washington, Computer Science and Engineering, 2014.