Custom domain is evil?

[RicoTrevisan]

In this week's episode of Security Now, Steve discusses a research paper about website trackers getting around tracking counter measures by using CNAME. The same thing that is used by Plausible's custom domain feature.

• Is Steve's outrage warranted?
• Or is it much ado about nothing?
• Or did I misunderstand it? I listen to the show for years, but most of the topics are way above my pay grade, but I've grown to trust Steve's opinion.

Security Now's transcript: https://www.grc.com/sn/sn-808-notes.pdf (yes, he hates readable line breaks)
The research paper: https://arxiv.org/pdf/2102.09301.pdf
The video: https://twit.tv/shows/security-now/episodes/808 (scroll to 1:29:00)

[metmarkosaric]

thanks @RicoTrevisan! like everything else in technology, it really depends on what you use it for and what your intentions are.

adtech uses this technology to place cookies, create behavioral profiles and target individuals across different websites and devices as they browse the web. all these are illegal according to the GDPR and other privacy laws without getting user consent.

there's a big difference between that type of tracking for advertising purposes and web analytics the way we do them. no cookies, no personal data collected, no connection to the adtech, no cross-site or cross-device tracking, no persistent identifiers so cannot see if the same user comes back to a site on a different day, all open source with the site owner fully in control of the data collected.

we have custom domain as an optional feature for those site owners who'd like to get more accurate stats. it's an unfortunate side effect of adblockers choosing to block everything (good or bad) and something a lot of site owners that just want some data to improve their sites feel is unfair to them so some of them choose to enable this feature.

I wish blocklist maintainers would come together and create some kind of best practice list. Kind of "If you don't track personal data, don't do any connection to adtech, don't do any behavioral profiles across websites/devices, be open source etc etc, then we will not block you". Google and adtech will never do anything to get on this list and this would encourage a larger percentage of websites to remove these tools and replace them with one of these better "approved" tools.

And we would be the first to remove our custom domain feature and would take no step whatsoever to try and avoid adblockers if that was implemented. But unfortunately by the principle they're taking in that all trackers are bad they give no incentive for sites to remove GA/adtech and then they also give incentive to look for ways to count stats or target/profile people without being blocked by adblockers.