UID smuggling: A new technique for tracking users online
It’s like oversized kids sitting on a digital seesaw. Every time people find a way to mitigate Big Tech’s iniquitous, excessive tracking, Big Tech finds a new sneaky way to keep doing the same thing.
Google, Meta, and other massive tech companies have been riding roughshod over people’s privacy for years. They’ve even been selling our most intimate medical data to any raggedy old trader. But then, slow-moving court cases and legislative processes started coming to fruition. As a result, we finally made some headway in our fight for privacy – even Google has been forced to announce the phasing out of third-party tracking.
So, has the cookie battle been won? Can we finally start researching our embarrassing medical conditions or look for unusual products in unorthodox places without having hundreds of advertising companies looking over our shoulders?
The short answer is: Get a tracker blocker right now ‘cos ad companies are way ahead of you.
For decades, advertisers have had access to a vast network of interlocked trackers that use third-party cookies as shared storage. The information in the cookie storage is an open book to the trackers installed on every participating website, and it forms a “shared state” for every user. That means they have uninterrupted access to spy on what you are doing across every tracked website.
Privacy-focused browsers introduced partitioned storage
In response, some browsers (notably Brave, Safari, and Firefox) implemented partitioned storage for third-party cookies, which isolates cookies to stop them from being used for cross-site tracking. “Partitioned storage” is an anti-tracking defense that removes the shared state or sharing ability and prevents trackers from linking information about the user across sites.
Of course, this presented advertising companies with significant challenges. For example, it may cost them more to place the right ad in front of the right person, and it makes it harder to track clicks to determine their campaigns’ success. So, if they couldn’t use cookies anymore, they had to find a new way to extract the information and sidestep partitioned storage.
Their solution is to directly insert a person’s UID (a unique User Identification) into every navigation request he makes on the internet.
In its simplest form, a UID is a unique identifier for an individual, e.g., your social security number for your dealings with the government or an account number for banking and retail. In the internet age, tech companies started using UIDs to help you log into your account. Embedding your UID in URLs can improve user experience, for example, checking if you’re already logged in, so you don’t have to keep logging in while shopping. In addition, affiliate product advertisers and bloggers use it to track sales and earn commissions.
As long as companies use the links responsibly and fully disclose their interest, it’s a handy concept, right?
Sadly, when users got smarter about tracking and started blocking third-party cookies, advertisers retaliated by embedding people’s UIDs into all their internet navigation requests.
UID smuggling means that the tracker decorates (alters) a user’s navigation requests with identifying information, which it then shares (smuggles the information) across first-party boundaries without your permission. This (modified) URL doesn’t need cookie storage to carry your information across websites. URL modification is a way to – literally – sneak the information you wanted to keep private past cookie blockers.
It results in a person carrying his UID like a banner while he surfs the internet. He effectively introduces himself by name to every participating website out there – all done without the help of cookies.
UID smuggling is effective across sites, channels, and devices, and it instantly identifies you to advertisers no matter what channel or device you use and no matter how many cookies you decline.
Ad companies, including (and perhaps, foremost) Google, have simply been playing for time during our fight against their networks of third-party cookies. As a result, they’ve gained extra time to develop and roll out an even more invasive way to track people while staying – only just – on the right side of our new privacy laws.
At the moment, US privacy laws are broadly focused on regulating how companies may store and handle the data they collect. It has taken many years to get these basic data protection laws in place. But while the legal framework is slowly taking shape, Big Tech is racing ahead. They’ve developed alternative tracking methods that may loosely conform to the letter of the law but grossly violate the spirit of the law.
Can we defend against UID smuggling?
You cannot stop UID smuggling by blocking third-party cookies in your browser because UIDs get embedded in URL requests, bypassing ad blockers. In practical terms, actively blocking web trackers is the only way to combat this.
And so, it begins again: our search for tech tools to defeat other tech tools. Use a privacy-first browser with a tracker blocker, a browser ad-blocker that can also block trackers, and a VPN with a tracker blocker.
