by IAM2019 2399 days ago
The article explains that trackers traditionally loaded some external JS which then phoned home and tracked users via third-party cookies.

I would like to point out that it has never been the case for Google Analytics and possibly other trackers. The developers of a website are supposed to copy/paste the Google Analytics snippet directly into their own JS, such that GA has access to first-party cookies. And then GA phones home some tracking data leveraged by this first-party cookie.

Blocking third-party cookies never blocked this kind of tracking. You needed to block the domains that the script requested via AJAX. But it is indeed made difficult with CNAME Cloaking, because the domains requested are subdomains of the current domain, and can be changed regularly as explained by the article.

There is no end-game solution against tracking. It will all come down to tracking companies ordering websites to install some library directly in their back-end and pass it user data as well as behavioral data captured from some other library installed in the front-end. Tracking data will pass through applicative pipes and it will be impossible to block reliably.
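The following is an added example, not part of the original comment: a defender-side check for the CNAME cloaking case described above, which follows a first-party subdomain's CNAME chain and compares every hop against a tracker blocklist, so that rotating the subdomain label does not evade the rule. The DNS records, host names and blocklist entry are constructed sample data, and the function names are hypothetical.

```python
# Constructed DNS data (name -> (record type, value)); every name is made up.
SAMPLE_DNS = {
    "metrics.shop.example": ("CNAME", "shop-example.collect.tracker.test"),
    "shop-example.collect.tracker.test": ("CNAME", "edge7.tracker.test"),
    "edge7.tracker.test": ("A", "192.0.2.10"),
    "img.shop.example": ("CNAME", "shop.cdn-provider.test"),
    "shop.cdn-provider.test": ("A", "192.0.2.20"),
    "www.shop.example": ("A", "192.0.2.30"),
}
TRACKER_DOMAINS = {"tracker.test"}  # hypothetical blocklist entry


def norm(name):
    return name.lower().rstrip(".")


def cname_chain(name, records, max_hops=8):
    """Return the CNAME targets reachable from name, guarding against loops."""
    current = norm(name)
    seen, chain = {current}, []
    for _ in range(max_hops):
        rtype, value = records.get(current, (None, None))
        if rtype != "CNAME":
            break
        current = norm(value)
        if current in seen:  # CNAME loop: stop instead of spinning
            break
        seen.add(current)
        chain.append(current)
    return chain


def under(host, domains):
    """True if host equals, or is a subdomain of, any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(host, site_domain, records, blocklist):
    host = norm(host)
    if under(host, blocklist):
        return "blocked-by-name"      # ordinary domain blocking catches it
    hits = [h for h in cname_chain(host, records) if under(h, blocklist)]
    if hits and under(host, {norm(site_domain)}):
        return "cloaked-tracker"      # first-party name, tracker behind it
    return "allow"


if __name__ == "__main__":
    for h in ("metrics.shop.example", "img.shop.example", "www.shop.example"):
        print(h, "->", classify(h, "shop.example", SAMPLE_DNS, TRACKER_DOMAINS))
```

Because the decision is made on the CNAME targets rather than on the requested name, changing `metrics` to another label leaves the verdict unchanged as long as the chain still ends under a blocklisted domain.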

2 comments

How does the centralized ad server track the user as they move from site A to site B, since no cross-domain cookies can be used? Without resorting to fingerprinting which could be circumvented by the client. Absent behavioral profiles and persistent tracking, most ad formats are worth very little. Isn’t limiting all communication to the first party domain a form of sandboxing?

JavaScript executed from a site's own scripts does not give more or fewer rights to access first-party cookies than JavaScript executed from an externally loaded URL. Any JavaScript executed on a page has the same access to all those.