Bookmarked:
In this proof-of-concept, Jan Böhmer demonstrates how rather fine-grained tracking can be implemented using CSS alone:
- user clicks
- browser detection
- font detection
- hover duration
- input detection
As the author states, this form of frontend tracking is essentially impossible to block:
> The only way that is known to me currently, is to disable CSS for a web page completely […] The problem is that almost every modern web page looks very ugly without CSS and is sometimes even unusable. So, disabling CSS is not a real option […] A better solution would be if browsers didn’t load the external content (referenced in CSS) when it’s needed, but when the site is loaded. Then it would be impossible to detect individual actions.
The technique itself is not evil; just as selling kitchen knives does not make the vendor an accomplice in murder, using such a technique could also be done for valid reasons. And as long as the data is collected in an ethical and legally compliant manner, that is not a problem (used responsibly, I do not see any difference to pinging a statistics server using JavaScript).
But knowing about a tracking technique that is almost impossible to block – and very hard to detect – leaves a bad feeling knowing how some actors in the data-hungry surveillance industry utilize any loophole they can. This attack vector is particularly important to consider when embedding third-party code – this would open an avenue for the remote party to track users without their control.
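
One way to vet a third-party stylesheet before embedding it is to list every rule that fetches a resource only when a user-driven condition matches. The sketch below is an added example, not code from Jan Böhmer's proof-of-concept or from this post; the function name `auditCss`, the sample CSS and all hosts are constructed for illustration, and it covers only interaction-state selectors and `@font-face` probes.

```javascript
// Added example: flag CSS rules that fetch a resource only when a
// user-driven condition matches. Names, sample CSS and hosts are constructed.
const STATE = /:(hover|active|focus|checked|visited)\b|\[value[\^$*~|]?=/i;
const URL_FN = /url\(\s*(['"]?)([^'")]+)\1\s*\)/gi;

function auditCss(css, pageUrl) {
  const findings = [];
  const pageOrigin = new URL(pageUrl).origin;
  const text = css.replace(/\/\*[\s\S]*?\*\//g, "");   // drop comments
  const block = /([^{};]+)\{([^{}]*)\}/g;                // innermost blocks only
  for (const [, rawSel, decls] of text.matchAll(block)) {
    const selector = rawSel.trim();
    let kind = null;
    if (STATE.test(selector)) kind = "state-conditional";
    // A local() source followed by a url() fallback reveals a missing font.
    else if (/^@font-face$/i.test(selector) && /local\(/i.test(decls)) kind = "font-probe";
    if (!kind) continue;
    for (const [, , ref] of decls.matchAll(URL_FN)) {
      if (/^data:/i.test(ref.trim())) continue;          // inline data, no request
      let target;
      try { target = new URL(ref.trim(), pageUrl); } catch { continue; }
      findings.push({ kind, selector, host: target.host,
                      crossOrigin: target.origin !== pageOrigin });
    }
  }
  return findings;
}

// Constructed sample stylesheet; every host is a placeholder.
const PAGE_URL = "https://shop.example.com/checkout";
const SAMPLE_CSS = `
/* ordinary hover image served by the site itself */
.nav a:hover { background: url("/img/nav-hover.png"); }
#buy:active::after { content: url("https://stats.example.net/c?e=buy"); }
input[name="plan"][value="pro"]:checked { background-image: url(//stats.example.net/c?e=pro); }
@font-face { font-family: probe; src: local("Helvetica Neue"), url("https://stats.example.net/f?missing=hn"); }
.logo { background: url("https://cdn.example.org/logo.svg"); }
@media (min-width: 600px) { .card:hover { background: url("https://stats.example.net/h?e=card"); } }
`;

for (const f of auditCss(SAMPLE_CSS, PAGE_URL).filter((x) => x.crossOrigin)) {
  console.log(`${f.kind}\t${f.host}\t${f.selector}`);
}
```

Same-origin hits such as hover images are usually legitimate, so the `crossOrigin` findings are the ones to question when reviewing embedded third-party code.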