Stanford Security Lunch

Welcome to Security Lunch. We host speakers from both industry and academia to give talks related to applied cryptography, and system and network security.
If you're interested in attending, please sign up for the mailing list to receive updates about upcoming talks. There is an option to join virtually on Zoom.
If you're interested in giving a talk, we would love to have you! Please find more details in the About page.
You can find the upcoming and past talks for the current quarter below. We meet every Wednesday, 12 pm in CoDa E160.

Summer 2026

Upcoming

Abstract: As web browsers increasingly implement tracking protection features, the web tracking ecosystem has started to shift from the client-side to the server-side. Instead of sending requests directly to the tracker’s endpoint, server-side tracking (SST) sends tracking requests to publisher-controlled or intermediary endpoints that then forward the information to trackers server-side. As a result, client-side tracking protections become fragile because direct client-to-tracker requests may no longer be observed. In this paper, we investigate the server-side implementation of Google Analytics (sGA), the most widely deployed third-party tracking service on the web today. We present SST-Guard, a multi-modal browser-based system for detecting sGA despite endpoint customization and payload obfuscation. The key insight behind SST-Guard is that common sGA deployments change the standard Google Analytics endpoints, but still leave semantic artifacts of data collection by Google Analytics in the browser, including identifiers, event metadata, cookies, and JavaScript state. Therefore, rather than detecting requests to the standard Google Analytics endpoints, SST-Guard aims to detect underlying artifacts of collection and sharing of these semantic values to any arbitrary endpoint. Operationalizing this insight is challenging because real-world sGA deployments commonly customize endpoints and obfuscate URLs/payloads. SST-Guard addresses this challenge using a value-template approach that employs regular expressions to match semantic value patterns across multiple modalities: network requests, cookies, and the window object. We validate SST-Guard on Tranco top-10k websites, detecting 4.02% (403) sGA domains with over 93% accuracy across three modalities, with the network request classifier demonstrating the highest accuracy (99.8%). Deploying SST-Guard at scale, we detect sGA on 4.21% (6,314) of Tranco top-150K websites.
Our analysis shows that many sGA deployments use first-party subdomains, direct A/AAAA records, custom paths, or encoded payloads that circumvent existing defenses.
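
A sketch of the value-template idea from the abstract, added here as an illustration and not taken from SST-Guard: it matches Google Analytics value shapes in requests to any endpoint, in cookies, and in window state, and tries a base64 decoding of each value. The regular expressions are assumptions based on the public GA4 identifier formats, and the sample hostnames and identifiers are constructed.

```javascript
// Added illustration. Templates are assumptions based on public GA4 formats,
// not SST-Guard's actual rule set.
const TEMPLATES = {
  measurementId: /\bG-[A-Z0-9]{6,12}\b/,  // e.g. G-ABC123DEF4
  clientId: /\b\d{6,10}\.\d{10}\b/,       // <random>.<unix seconds>
};
const GA_COOKIE = /^GA1\.\d\.\d{6,10}\.\d{10}$/;  // _ga cookie value
const GA_GLOBALS = ["gtag", "dataLayer", "google_tag_manager"];
const STANDARD_HOSTS = /(^|\.)(google-analytics\.com|analytics\.google\.com)$/;

// A value as sent, plus its base64 decoding when that yields printable text.
function views(value) {
  const out = [value];
  if (/^[A-Za-z0-9+/_-]{16,}={0,2}$/.test(value)) {
    const decoded = Buffer.from(value, "base64").toString("latin1");
    if (/^[\x20-\x7e]+$/.test(decoded)) out.push(decoded);
  }
  return out;
}

// Names of the templates found in a request to a non-standard endpoint.
function matchRequest({ url, body = "" }) {
  const u = new URL(url);
  if (STANDARD_HOSTS.test(u.hostname)) return [];  // ordinary client-side GA
  const values = [...u.searchParams.values(), body].flatMap(views);
  return Object.keys(TEMPLATES).filter((name) =>
    values.some((v) => TEMPLATES[name].test(v)));
}

// Combine the three modalities into one verdict per page visit.
function detectSga({ requests = [], cookies = {}, windowKeys = [] }) {
  const network = requests
    .map((r) => ({ url: r.url, matched: matchRequest(r) }))
    .filter((r) => r.matched.length > 0);
  const cookie = GA_COOKIE.test(cookies._ga || "");
  const windowState = GA_GLOBALS.some((k) => windowKeys.includes(k));
  return { network, cookie, windowState, sga: network.length > 0 && (cookie || windowState) };
}

// Constructed sample: a first-party endpoint carrying a base64-encoded payload.
const RAW = "v=2&tid=G-ABC123DEF4&cid=1234567890.1700000000&en=page_view";
const SAMPLE = {
  requests: [
    { url: "https://metrics.shop.example/x/c?d=" + encodeURIComponent(Buffer.from(RAW).toString("base64")) },
    { url: "https://shop.example/api/cart?item=42" },
  ],
  cookies: { _ga: "GA1.1.1234567890.1700000000" },
  windowKeys: ["dataLayer", "gtag"],
};
console.log(JSON.stringify(detectSga(SAMPLE), null, 2));
```

Requiring a network match plus a cookie or window artifact is a choice made for this sketch; the abstract reports the three modalities as separate classifiers.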

Bio: Muhammad Jazlan is a second-year Computer Science PhD student at UC Davis, advised by Zubair Shafiq and Alexander Gamero-Garrido. He works on privacy and security on the web, with a focus on tracking in the browser. His recent work includes SST-Guard and Tracking Conversations. He is also working on generating stable hardware fingerprints in the browser and studying tracking in AI chatbots and AI-powered browsers. He is currently a privacy researcher at VaultJS.

Past

No past events.