Inspect Website Privacy using Blacklight
A brief on inspecting website privacy using the Blacklight tool.
Blacklight is a free, real-time privacy inspection tool launched by The Markup in 2020. It strives to emulate user behaviour when surfing the web, while inspecting the specified websites for known privacy violations. Blacklight looks for ad trackers, third-party cookies, key logging, session recording, canvas fingerprinting, Facebook tracking and Google Analytics remarketing audiences. These techniques and their limitations are outlined in detail in the tool's launch post. The tool is open source and could be improved upon if you are so inclined.
When the user specifies a URL in Blacklight, the tool launches a new instance of a headless web browser (using open source Chromium) in the background, visits the specified website, monitors the scripts executed and the network requests made, assesses them against the tracking techniques above, and generates a privacy report.
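An added illustration (not Blacklight's code, and not from the original post) of the classification step behind two of the checks above: separating first-party from third-party requests and cookies in the traffic recorded during a visit. The capture, the tracker list and the two-label `siteOf` heuristic are constructed assumptions.

```javascript
// Constructed capture of one page visit (sample data, not real Blacklight output).
const visit = {
  pageUrl: "https://shop.example.com/",
  requests: [
    "https://shop.example.com/app.js",
    "https://cdn.example.com/site.css",
    "https://pixel.tracker-a.test/collect?id=1",
    "https://static.ads-b.test/tag.js",
    "https://fonts.vendor-c.test/f.woff2",
  ],
  setCookies: [
    { from: "https://shop.example.com/", header: "sid=abc; Path=/; HttpOnly" },
    { from: "https://pixel.tracker-a.test/collect?id=1",
      header: "uid=42; Domain=.tracker-a.test; Max-Age=31536000; SameSite=None; Secure" },
    { from: "https://static.ads-b.test/tag.js", header: "seg=x9; Path=/" },
  ],
};
// Hypothetical blocklist; a real inspection would load a maintained tracker list.
const TRACKER_SITES = new Set(["tracker-a.test", "ads-b.test"]);

// Assumption: the "site" is the last two host labels. Production code needs the
// Public Suffix List so that hosts under suffixes like co.uk are grouped correctly.
const siteOf = (host) => host.toLowerCase().split(".").slice(-2).join(".");

// Parse one Set-Cookie header into the fields relevant to a privacy report.
function parseSetCookie(header, fromUrl) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf("="));
  const attr = Object.fromEntries(attrs.map((a) => {
    const i = a.indexOf("=");
    return i < 0 ? [a.toLowerCase(), ""] : [a.slice(0, i).toLowerCase(), a.slice(i + 1)];
  }));
  // Without a Domain attribute the cookie is scoped to the host that set it.
  const domain = (attr.domain || new URL(fromUrl).hostname).replace(/^\./, "");
  const persistent = "max-age" in attr || "expires" in attr; // outlives the session
  return { name, domain, persistent };
}

function inspectVisit(v, trackers = TRACKER_SITES) {
  const firstParty = siteOf(new URL(v.pageUrl).hostname);
  const hosts = [...new Set(v.requests.map((u) => new URL(u).hostname))];
  const thirdPartyHosts = hosts.filter((h) => siteOf(h) !== firstParty);
  const cookies = v.setCookies.map((c) => parseSetCookie(c.header, c.from));
  return {
    firstParty,
    thirdPartyHosts,
    knownTrackers: thirdPartyHosts.filter((h) => trackers.has(siteOf(h))),
    thirdPartyCookies: cookies.filter((c) => siteOf(c.domain) !== firstParty),
  };
}

console.log(JSON.stringify(inspectVisit(visit), null, 2));
```

Cookies written by scripts through `document.cookie` never appear in `Set-Cookie` headers, so a header-only view like this one undercounts what a browser-level inspection sees.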
The practice of tracking is generally rife across consumer websites, typically those providing a free service. Gotta make money, right? But the extent of tracking can be simply egregious in many cases. Take the example of Expedia. Inspect their website using Blacklight and you'll get the result below. Not only does it send data to Facebook and Google, it stores 14 times(!) the average number of third-party cookies, and makes a conscious effort to evade third-party cookie blockers.
This practice is not restricted to consumer websites though; even so-called Enterprise websites like Microsoft Azure are tracking you generously. In fact, Azure uses a session recorder to track user mouse movement, clicks, taps, scrolls and even network activity. Not expecting that, were you?
If you find this distasteful, you'll be appalled to learn that some of the worst offenders are non-profit organizations. Whether it is due to a lack of resources or sheer negligence, websites like Planned Parenthood have raised the bar, even capturing the text you enter on their site before hitting the submit button! Oh, and they handily beat Expedia's third-party cookie storage too.
While the results aren't foolproof in themselves (websites may respond differently to automated requests versus genuine human interactions), they do highlight the need to improve privacy during our digital interactions. On a desktop/laptop, the Brave browser currently offers the strongest tracking protection by default, presenting a randomized fingerprint to websites as opposed to unique fingerprints presented by Chrome, Safari and Firefox. On mobile, Firefox Focus is a lightweight, privacy-focused browser with built-in tracking protection and ad blocking. In either case, it behooves you to review and harden your browser privacy settings, and not rely on the vanilla defaults.
If you are looking to extend the measures beyond just web browsing, have a look at my post on 10 simple ways to improve your privacy online.