From Third-Party to First-Party: Measuring and Protecting Against Modern Web Tracking Mechanisms

πŸ“… 2026-06-15
πŸ“ˆ Citations: 0
✨ Influential: 0
πŸ“„ PDF
πŸ€– AI Summary
This study addresses the growing prevalence of covert first-party and server-side web tracking mechanisms, which evade conventional client-side detection approaches. Conducting the first large-scale measurement across mainstream websites, this work proposes a provider-agnostic identification methodology that integrates script similarity clustering, network graph modeling, and request behavior analysis to systematically characterize the ecosystem of such tracking practices. The findings reveal that over 54% of websites employ these techniques, with dominant vendors orchestrating a highly interconnected tracking infrastructure. Leveraging these insights, the authors derive blocking rules that intercept 63% more tracking requests than existing filter lists, substantially enhancing defensive efficacy against modern tracking threats.
πŸ“ Abstract
Web user tracking has always been a cat-and-mouse game between privacy-conscious users and trackers. Recently, this conflict has driven a shift from third-party tracking toward first-party tracking (FPT) and server-side tracking (SST). By relocating tracking logic to the browser's first-party context or the website's backend, these mechanisms obscure data flows and render traditional client-side detection tools increasingly ineffective. Despite the growing adoption of these techniques, our understanding of their deployment at scale remains limited, and generalized protection mechanisms are lacking. In this work, we conduct a large-scale measurement of top sites to assess this shift and the prevalence of FPT and SST. We develop a provider-independent methodology to detect these mechanisms and find that over 54% of analyzed sites now deploy FPT or SST-related techniques. By clustering scripts based on their similarity and constructing a network graph, we demonstrate that the ecosystem is densely connected and dominated by major vendors like Google. Finally, we demonstrate that current filter lists are largely ineffective against first-party tracking, and we propose new rules to address this gap. We show that these rules block 63% more requests than traditional filter lists.
Problem

Research questions and friction points this paper is trying to address.

first-party tracking
server-side tracking
web tracking
privacy protection
tracking detection
Innovation

Methods, ideas, or system contributions that make the work stand out.

first-party tracking
server-side tracking
tracking detection
filter lists
web privacy
πŸ”Ž Similar Papers
C
Christian BΓΆttger
Institute for Internet Security, Westphalian University of Applied Science; Doctoral School NRW, Department of Computer and Data Science
T
Tareq Khouja
Institute for Internet Security, Westphalian University of Applied Science
Norbert Pohlmann
Norbert Pohlmann
Professor and Director
Cyber Security
Nurullah Demir
Nurullah Demir
Cyber security & privacy researcher
Web SecurityAI SecurityWeb Measurements
Tobias Urban
Tobias Urban
Institute for Internet Security - if(is)
CybersecurityPrivacy