
I don't really have a problem with first party tracking, unless it can correlate my identity across websites. But otherwise I have no problem with website X knowing that I browse website X.

Can first party tracking do this sort of correlation other than through browser fingerprinting?



If I'm understanding this correctly, it's only first party tracking in that it comes from a subdomain of the domain of the website you are browsing. But that subdomain points at a third party tracking provider. So this still seems like a single tracking provider on multiple websites being able to correlate your browsing.


You still get full cookie separation because each website has a different subdomain and thus a different cookie. The analytics provider can track you across the internet, but they have to invest work and resources instead of getting it basically free.


Well, I'm hardly about to accept that it's legitimate to spy on me "because they invested work and resources instead of getting it basically for free".

It's like, a peeping Tom who just looks through a window - yuck that's gross. But a peeping Tom who spies by building a microdrone that can fly in the door when it opens and mount itself on the ceiling with suction pads - oh that's perfectly legitimate because of the work and resources Tom invested.

I mean, if it's gross to do something by accident and it's gross to do something without any investment, it's super gross to do it with resources.

It's not all that hard to track someone across the internet. I think many people have demonstrated hacks that steal legitimate functionality and get you there.

I think we'll probably have to go for a containerised internet (separate apps) and just deal with the disadvantages.


I agree that this is not an insignificant aspect. But I still don't think it is therefore something that should be tolerated.


But how would the provider track you across the internet with cookie separation (other than through fingerprinting)?


The provider a) is the other parts of the internet (think big cdn) and b) they communicate with other data brokers via a side channel instead of via cookie syncing.

This is already happening with large web publishers.


But even if they do that, how can they tell it is the same user on two different domains?


I wouldn't know, but fingerprinting is a thing and is bad enough.


Do you have a great way to block every fingerprinting method?


Firefox seems to be on the case. There is really no good reason to give any means for a website to fingerprint a browser.


uBlock Origin (more specifically, EasyPrivacy list) blocks 1st party tracking as well.

For example, you could spin up an instance of Matomo (formerly Piwik) for your own website and still see no traffic from adblock users by default.


This is also why if you're using Matomo you should have it parse your access logs instead.


Google and Facebook have been adding gclid and fbclid arguments to outgoing links for a while. Click one of those, and the linked site can conspire with googbook to correlate identities.

More sites could do that.

This is generally better than 3rd parties because the sites would have to actually conspire, cooperate and trust each other, which is a huge hurdle.

And if the trust is actually there, they could correlate offline without any indication. Facebook already does that (with credit records, likely phone records and medical records as well) and I wouldn’t be surprised if others don’t.

Correlation is less than perfect this way - but e.g. zip, gender and age are enough to give a pretty good correlation, and name makes it almost perfect - if you have an account somewhere, you probably gave these details.


> Google and Facebook have been adding gclid and fbclid arguments to outgoing links for a while.

Can you send me an example of both of those please?


gclid seems to be for adwords only. imo, if you're already the type to click on ads, you shouldn't object to tracking of which site you came from. fbclid on the other hand applies to all links from facebook. it was a major story on HN: https://hn.algolia.com/?query=fbclid


Yes. E.g. Danish newspapers are working in a joint effort to do just that, via 1st party tracking.

https://translate.googleusercontent.com/translate_c?depth=1&...


Think of this as SSR for adverts/trackers. The harvested data is still going to 3rd parties, even if your browser connection(s) aren't.


This is about 3rd party trackers masquerading as the 1st party by asking the hosting page to provide a CNAME under their own domain. With the tracker hosted under the 1st party's domain, they work around people that deny 3rd party cookies.

The example at the top of the thread: https://www.liberation.fr/ has a tracker from f7ds.liberation.fr, which is really part of tracking provider Eulerian.

   f7ds.liberation.fr.     3599    IN      CNAME   liberation.eulerian.net.

TL;DR - the entire point of this is to let 3rd parties continue to correlate your identity by hiding as part of the 1st party.
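
The CNAME cloaking described in the comment above can be detected from the resolver side. This is an added example, not part of the original thread: it follows CNAME chains in dig-style answer lines and flags a first-party hostname that ends up under a listed tracker domain. Only the f7ds.liberation.fr record comes from the thread; the example.org records, the tracker list and the two-label registrable-domain shortcut are assumptions.

```python
# Added example: detect CNAME-cloaked trackers from DNS answer lines.
# First record is the one quoted in the thread; the rest are constructed.
DIG_ANSWERS = """\
f7ds.liberation.fr.     3599    IN      CNAME   liberation.eulerian.net.
static.example.org.     300     IN      CNAME   assets.example.org.
assets.example.org.     300     IN      A       192.0.2.20
t.example.org.          300     IN      CNAME   edge.example.org.
edge.example.org.       300     IN      CNAME   example.eulerian.net.
"""
TRACKER_DOMAINS = {"eulerian.net"}  # provider named in the thread

def registrable(host):
    # Assumption: the last two labels are the registrable domain. Real code
    # should consult the Public Suffix List (e.g. for names under co.uk).
    return ".".join(host.rstrip(".").lower().split(".")[-2:])

def parse_cnames(text):
    # Map owner name -> CNAME target; other record types are ignored.
    cnames = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[2] == "IN" and f[3] == "CNAME":
            cnames[f[0].rstrip(".").lower()] = f[4].rstrip(".").lower()
    return cnames

def resolve_chain(host, cnames, max_hops=8):
    # Follow CNAMEs hop by hop, stopping on loops or after max_hops.
    chain = [host.rstrip(".").lower()]
    while chain[-1] in cnames and len(chain) <= max_hops:
        nxt = cnames[chain[-1]]
        if nxt in chain:
            break
        chain.append(nxt)
    return chain

def cloaked(host, cnames, tracker_domains):
    # Return the first chain target outside the site's own domain that
    # belongs to a listed tracker, or None if the chain stays first-party.
    site = registrable(host)
    for target in resolve_chain(host, cnames)[1:]:
        dom = registrable(target)
        if dom != site and dom in tracker_domains:
            return target
    return None

CNAMES = parse_cnames(DIG_ANSWERS)
if __name__ == "__main__":
    for h in ("f7ds.liberation.fr", "static.example.org", "t.example.org"):
        print(h, "->", cloaked(h, CNAMES, TRACKER_DOMAINS))
```

The t.example.org case shows why the whole chain has to be followed: its first hop stays inside the site's own domain and only the second hop reaches the tracker.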


I agree. I have a big problem with UBO etc. blocking self-hosted, single-site Piwik. It feels like being penalised for doing the right thing.


> It feels like being penalised for doing the right thing.

Just because there are worse things to do does not make Piwik the right thing. The right thing is not to collect the data at all.


What's wrong with finding out how people use my site, so I can write more of the content they like, and make it easier for them to navigate through?


In the world of tracking a self hosted, self-owned tracking solution would probably be by far the exception rather than the rule.


Browser and IP fingerprinting are already good enough to pinpoint you.



