ETags: a quiet web tracking mechanism

Published on: 2024-08-10 18:29:56

ETags, or entity tags, are commonly used for web cache validation, but they can also be used for tracking users. This article explains the ETag mechanism, its main use case, how it can be misused for user tracking, and ways to reduce that tracking.

What are ETags?

ETags are part of the HTTP protocol. They help determine whether content on the client side matches content on the server side. The server sends them as headers in the HTTP response, and the client sends them back in later requests for the same resource. This lets the server decide whether to return a new version of the content or a 304 Not Modified response. That saves bandwidth and improves performance.

How are ETags Used for Tracking?

While ETags are mainly used for cache validation, they can also be exploited for tracking. A server can generate a unique ETag when a user first visits a website, then use that ETag to identify the user on later visits, even after cookies are cleared. This works because the ETag is stored separately from cookies and is sent automatically by the browser in requests for the same resource.

Value of ETag Tracking

ETag tracking has several benefits for parties that want to track users:

Persistence: ETags can remain even after cookies are cleared.
Resource Efficiency: They help reduce bandwidth and server load.
Stealth: Most users do not know ETags exist and have limited control over them.

Limitations of ETag Tracking

Scope: ETags are tied to specific resources and are not shared across different resources or domains.
Dependence on Revisits: ETag-based tracking depends on the user returning to the same resource.
Privacy Regulations: Using ETags for tracking may fall under data protection laws.

Mitigating ETag Tracking

Users can take several steps to reduce tracking through ETags:

Use Privacy-Focused Browsers: Browsers such as Firefox and Brave do more to block tracking techniques, including ETag misuse.
Regularly Clear Cache: Clearing your browser cache on a regular basis can stop persistent ETags from tracking you over longer periods.
Use VPNs or Proxy Servers: These tools can hide your IP address and make it harder for servers to link ETags to your identity.

Conclusion

ETags are an important part of web optimization, but they can also be misused to track users. If you understand how ETags work and how they can be exploited, you are in a better position to protect your privacy online. They are harder to control than cookies in some cases, but practical steps such as using privacy-focused browsers and clearing browser cache regularly can reduce their tracking value.

The Fallacy of Evading Fingerprinting by Disabling JavaScript
Disabling JavaScript does not stop fingerprinting. This article explains why that assumption fails, how no-JS fingerprinting works, and which browser signals still expose identifying data through normal HTTP requests.
The Conflict Between Data Minimization Techniques and the Rise of Fraudulent Synthetic Profiles
Privacy controls reduce the data companies can collect, but they also make synthetic profile fraud harder to detect. This article explains where that tradeoff appears in online payments, how fraudsters use data minimization techniques to hide activity, and why stronger detection logic is needed when fewer signals are available.
Canvas Fingerprinting: A Quiet Method for Tracking Online Users
Canvas fingerprinting uses the HTML5 canvas element to generate a repeatable device identifier based on how a browser renders graphics. This article explains how the technique works, its role in cross-site device fingerprinting, its practical limits, and common spoofing methods.
Media Device Fingerprinting: A Modern Method for Online Tracking
Media Device Fingerprinting uses browser APIs to collect details about a user’s audio and video devices and turn that data into a tracking signal. This article explains how it works, why it matters for online fingerprinting, where it falls short, and what can reduce its effectiveness.
The Exciting Evolution of Browser Fingerprinting
Browser fingerprinting goes well beyond cookies. This article tracks how methods evolved from basic browser identifiers to canvas, WebGL, and device-based fingerprinting, and why each step changed the tradeoff between detection, privacy, and fraud prevention.