Bookmark: "CrookedStyleSheets: Webpage tracking only using CSS (and no JS) "

Sebastian Greger


In this proof-of-concept, Jan Böhmer demonstrates how rather fine-grained tracking can be implemented by CSS-only:

  • user clicks
  • browser detection
  • font detection
  • hover duration
  • input detection

As the author states, this form of frontend tracking is essentially impossible to block:

The only way that is known to me currently, is to disable CSS for a web page completely […] The problem is that almost every modern web page looks very ugly without CSS and is sometimes even unusable. So, disabling CSS is not a real option […] A better solution would be if browsers didn’t load the external content (referenced in CSS) when it´s needed, but when the site is loaded. Then it would be impossible to detect individual actions.

The technique itself is not evil; just as selling kitchen knives does not make the vendor a accomplice in murder, using such technique could also be done for valid reasons. And as long as the data is collected in an ethical and legally compliant manner, that is not a problem (used responsibly, I do not see any difference to pinging a statistics server using JavaScript).

But knowing about a tracking technique that is almost impossible to block – and very hard to detect – leaves a bad feeling knowing how some actors in the data-hungry surveillance industry utilize any loophole they can. This attack vector is particularly important to consider when embedding third-party code – this would open an avenue for the remote party to track users without their control.

I'm Sebastian, Sociologist and Interaction Designer. This journal is mostly about bringing toge­ther social science and design for inclusive, privacy-focused, and sustainable "human-first" digital strategies. I also tend to a "digital garden" with carefully curated resources.

My occasionally sent email newsletter has all of the above, and there is of course also an RSS feed or my Mastodon/Fediverse profile.