How Your Third Parties Could Leverage ETags to Violate Your Customers' Privacy

Third-party cookies are on their way out, but does that mean tracking users will also crumble (see what I did there)? Probably not. There are too many back doors, too many complicated but elegant solutions to the problem of needing and wanting to track visitor behavior. Frankly, the ability to advertise in a uniquely segmented way is extremely valuable. User consent will drive some of the tracking but some—some—will happen through slimy tactics which may or may not be legal but cross ethical lines.


What are some of the shady options to identify users, beyond cookies? ETags and fingerprinting are a couple. In this article we will focus on ETags, but we will cover other shady options in future posts.


ETags are IDs that are attached to every resource delivered by a server. Nicolas Hinternesch provides an in-depth explanation here. But the TL;DR version for the digital marketer goes something like this: a user navigates to a URL for the first time, the response is cached for efficiency's sake, and an identifier, aka an ETag, is attached to that response so its version can be checked on future visits. The next time the user navigates to the URL, the browser sends the ETag back, the server compares it against the current version, and either the cached version is served or, if the resource has been updated, the new version loads. The mechanics behind this can get a little technical, but the essence is that if the ETag for the cached version includes more than just a version number, it could uniquely identify each visitor.


The reality is that ETags in and of themselves are positive for the web ecosystem. Caching allows for increased performance and less use of bandwidth. Privacy concerns arise when this mechanism is abused to carry per-visitor identifiers, which may infringe upon the privacy of the user.
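One way to check for the abuse described above, as an added example that is not from the original article or from any vendor's tooling: fetch the same resources from several clean browser profiles and flag any whose bytes are identical but whose ETag differs per profile. The hostnames, ETag values, body hashes and function names are constructed for illustration.

```javascript
// Constructed sample data: response headers for the same URLs fetched from
// three clean browser profiles (no cache, no cookies). Hostnames, ETags and
// body hashes are made up for illustration.
const observations = [
  { profile: "A", url: "https://cdn.vendor.example/pixel.gif", encoding: "identity", etag: '"u-7f3a91c2"', bodyHash: "h1" },
  { profile: "B", url: "https://cdn.vendor.example/pixel.gif", encoding: "identity", etag: '"u-02bd44e7"', bodyHash: "h1" },
  { profile: "C", url: "https://cdn.vendor.example/pixel.gif", encoding: "identity", etag: '"u-c915a0fd"', bodyHash: "h1" },
  { profile: "A", url: "https://static.shop.example/app.js", encoding: "gzip", etag: 'W/"5e1-18c2"', bodyHash: "h2" },
  { profile: "B", url: "https://static.shop.example/app.js", encoding: "gzip", etag: '"5e1-18c2"', bodyHash: "h2" },
  { profile: "C", url: "https://static.shop.example/app.js", encoding: "gzip", etag: 'W/"5e1-18c2"', bodyHash: "h2" },
];

// Drop the weak-validator prefix so W/"x" and "x" compare as the same tag.
function normalizeETag(etag) {
  return etag ? etag.trim().replace(/^W\//, "") : null;
}

// Flag resources whose bytes are identical for every profile but whose ETag
// differs per profile: the tag then carries something other than a version.
function flagPerVisitorETags(rows) {
  const groups = new Map();
  for (const r of rows) {
    const tag = normalizeETag(r.etag);
    if (!tag) continue; // no validator, nothing to replay on a revisit
    // Compare like with like: different encodings legitimately get distinct ETags.
    const key = `${r.url}|${r.encoding}`;
    if (!groups.has(key)) groups.set(key, { url: r.url, tags: new Map(), hashes: new Set() });
    const g = groups.get(key);
    g.tags.set(r.profile, tag);
    g.hashes.add(r.bodyHash);
  }
  const flagged = [];
  for (const g of groups.values()) {
    const profiles = g.tags.size;
    const distinctTags = new Set(g.tags.values()).size;
    if (profiles >= 2 && g.hashes.size === 1 && distinctTags === profiles) {
      flagged.push({ url: g.url, profiles, distinctTags });
    }
  }
  return flagged;
}

console.log(flagPerVisitorETags(observations));
```

A flagged resource is a lead to investigate rather than proof of tracking: some server setups derive ETags from per-machine file metadata, so the same file can carry different tags behind a load balancer.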


We know if you are reading this you are actively researching privacy and have no desire to use unethical tactics, so how does this affect you and your brand?


The issue is that you are likely running third-party marketing technologies on your site, for example your analytics tool, chatbot, survey tool or video tool. You are probably running dozens of these tools on every web page. Any of these technologies could be using ETags in the unethical way described above, and of course, this tactic is hard to find. Unfortunately, your customers’ privacy could be violated as a result, and if it is, you are liable.


Monitoring such tactics is not easy, but Vault JS can help. We check and analyze all requests running on your site for attributes like ETags. We can give you a sense of how your vendors are applying their ETags and whether anything looks fishy. We are here to help you protect your brand—and your customers’ privacy.


Let us shine a light on your risk. Sign up for a free site report to learn more about ETags running on your site today.