Inspect Website Privacy using Blacklight

A brief on inspecting website privacy using the Blacklight tool.

Blacklight is a free, real-time privacy inspection tool launched by The Markup in 2020. It strives to emulate user behaviour when surfing the web, while inspecting the specified websites for known privacy violations. Blacklight looks for ad trackers, third-party cookies, key logging, session recording, canvas fingerprinting, Facebook tracking and Google Analytics remarketing audiences. These techniques and their limitations are outlined in detail in the tool's launch post. The tool is open source and could be improved upon if you are so inclined.

When a user submits a URL, Blacklight launches a fresh instance of a headless web browser (open source Chromium) in the background, visits the specified website, monitors the scripts executed and the network requests made, checks what it observes against the tracking techniques listed above, and generates a privacy report.
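To make that assessment step concrete, here is an added example in JavaScript (not Blacklight's own code): given the first-party site plus the requests and cookies a headless browser observed, it separates first-party from third-party traffic, counts third-party cookies and flags known Facebook and Google Analytics endpoints. The observation data is constructed, and the registrable-domain helper is a simplification that assumes no public-suffix list is available.

```javascript
// Added example, not Blacklight's code: a minimal version of its assessment step.
// Input is what a headless browser observed for one visit; output says which traffic
// is third-party and which known trackers were contacted. Sample data is constructed
// and registrableDomain() is a simplification that assumes no public-suffix list.
const TRACKER_PATTERNS = [
  { name: 'Facebook Pixel', test: (u) => u.hostname === 'www.facebook.com' && u.pathname === '/tr' },
  { name: 'Google Analytics', test: (u) => /(^|\.)google-analytics\.com$/.test(u.hostname) },
  { name: 'Google Ads remarketing', test: (u) => u.hostname === 'googleads.g.doubleclick.net' },
];

// Simplified eTLD+1: last two labels, or three for suffixes like co.uk. Strips a leading dot.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/^\./, '').split('.');
  const secondLevel = new Set(['co', 'com', 'org', 'net', 'gov', 'ac']);
  const last = labels[labels.length - 1];
  const n = labels.length >= 3 && last.length === 2 && secondLevel.has(labels[labels.length - 2]) ? 3 : 2;
  return labels.slice(-n).join('.');
}

// Classify every observed request and cookie relative to the site's own domain.
function assess(siteUrl, requests, cookies) {
  const site = registrableDomain(new URL(siteUrl).hostname);
  const thirdPartyHosts = new Set();
  const trackers = new Set();
  for (const r of requests) {
    const u = new URL(r);
    if (registrableDomain(u.hostname) !== site) thirdPartyHosts.add(u.hostname);
    for (const t of TRACKER_PATTERNS) if (t.test(u)) trackers.add(t.name);
  }
  const thirdPartyCookieCount = cookies.filter((c) => registrableDomain(c.domain) !== site).length;
  return { thirdPartyHosts: [...thirdPartyHosts].sort(), trackers: [...trackers].sort(), thirdPartyCookieCount };
}

// Constructed observation for a hypothetical site (not a real capture).
const SAMPLE_REQUESTS = [
  'https://www.example-travel.com/',
  'https://static.example-travel.com/app.js',
  'https://www.facebook.com/tr?id=123&ev=PageView',
  'https://www.google-analytics.com/collect?v=1&t=pageview',
  'https://googleads.g.doubleclick.net/pagead/viewthroughconversion/1',
];
const SAMPLE_COOKIES = [
  { name: 'session', domain: 'www.example-travel.com' },
  // _ga is written by a third-party script but stored under the first-party domain,
  // so a plain third-party cookie count does not see it (one reason such counts understate tracking).
  { name: '_ga', domain: '.example-travel.com' },
  { name: 'fr', domain: '.facebook.com' },
  { name: 'IDE', domain: '.doubleclick.net' },
];
console.log(JSON.stringify(assess('https://www.example-travel.com/', SAMPLE_REQUESTS, SAMPLE_COOKIES), null, 2));
```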

The practice of tracking is generally rife across consumer websites, typically those providing a free service. Gotta make money, right? But the extent of tracking can be simply egregious in many cases. Take the example of Expedia. Inspect their website using Blacklight and you'll get the result below. Not only does it send data to Facebook and Google, it stores 14 times(!) the average number of third-party cookies, and makes a conscious effort to evade third-party cookie blockers.

Expedia website inspection using Blacklight

This practice is not restricted to consumer websites though; even so-called Enterprise websites like Microsoft Azure are tracking you generously. In fact, Azure uses a session recorder to track user mouse movement, clicks, taps, scrolls and even network activity. Not expecting that, were you?

Azure website inspection using Blacklight

If you find this distasteful, you'll be appalled to learn that some of the worst offenders are non-profit organizations. Whether it is due to a lack of resources or sheer negligence, websites like Planned Parenthood have raised the bar, even capturing the text you enter on their site before you hit the submit button! Oh, and they handily beat Expedia's third-party cookie storage too.

Planned Parenthood website inspection using Blacklight

While the results aren't foolproof in themselves (websites may respond differently to automated requests versus genuine human interactions), they do highlight the need to improve privacy during our digital interactions. On a desktop/laptop, the Brave browser currently offers the strongest tracking protection by default, presenting a randomized fingerprint to websites as opposed to unique fingerprints presented by Chrome, Safari and Firefox. On mobile, Firefox Focus is a lightweight, privacy-focused browser with built-in tracking protection and ad blocking. In either case, it behooves you to review and harden your browser privacy settings, and not rely on the vanilla defaults.

If you are looking to extend the measures beyond just web browsing, have a look at my post on 10 simple ways to improve your privacy online.
