Very nice, and scary at the same time... I feel that too often we consider that by using some content-blocking extensions (e.g.: uBlock Origin, Privacy Badger, etc.) we are 100% safe and privacy leakages are a thing of the past. But from what I understand this is not the case and some PII leakages still happen. As long as we are not aware of them it's hard or impossible to close the gap and I guess the first step to improve those tools is bringing more transparency. Local Sheriff seems to go in the right direction. Thank you for this work.
From your perspective, how well do the most popular privacy-protection extensions protect us from the kind of PII leakage identified by Local Sheriff. And how could we improve those tools to increase the protection?
afaik, extensions will not provide you with 100% protection in this case.
It could be for multiple reasons:
1. The 3rd party domain is not on the list:
a. Could be because the presence is not huge.
b. The domain is too new, and not available on any lists
right now.
2. The user might have whitelisted a 3rd party domain
because it breaks some component on the web.
They always need to catch-up, so it's a whack-a-mole game.
Along the same lines, a user can also control the referrer. for example in Firefox based browser you can control(globally) what info should be sent in the browsers itself. - https://wiki.mozilla.org/Security/Referrer . But this will also come with some breakage.
Similarly, blocking third-party cookies also does not help, as the leaks the telltale URLs will still pass on.
The legit use cases of these third-parties actually do not require the first-party to share these sensitive details.
1. Google analytics actually states that in their privacy policy - https://support.google.com/analytics/answer/6366371?hl=en
2. To load a font from CDN, I don't see why a company needs to send my booking ID and/or token to them. In some cases, domain might be needed but definitely not booking ID.
So, imo, the websites should take onus when implementing 3rd parties or atleast be transparent about what information is being shared and with whom.
Given that this analyses network traffic on the client side, Local Sheriff is probably playing the same catch-up game that a blocker targeting that same PII is.
I think that tool exists in some form already? Maybe its not perfect but uMatrix is a pretty powerful filtering tool. It gives you the option to block these third party domains - think of it as a firewall for your browser. Its built by the same person who made uBlock origin (which can actually have the same functionality I think).
From your perspective, how well do the most popular privacy-protection extensions protect us from the kind of PII leakage identified by Local Sheriff. And how could we improve those tools to increase the protection?