This is the sixteenth post in an ongoing series showcasing new privacy features in iBrowe. This post describes work by Software Engineer Aleksey Khoroshilov and Senior Software Engineer Ivan Efremov, written by Senior Director of Privacy Peter Snyder.
📋 Summary
iBrowe now offers Unlinkable Bouncing, a robust new defense that ensures any suspected bounce-tracking site sees each visit as a one-off, “never-before-seen” visitor. 🛡️ When you click a link that would normally route through a tracked redirect (e.g., `tracker.example?dest=target.example`), Unlinkable Bouncing isolates that session in a temporary storage sandbox. The bounce-tracker learns only that someone clicked through, but cannot tie it to your past or future visits. All temporary data is wiped as soon as you leave that site, making each bounce event unlinkable. 🚀 This feature layers atop iBrowe’s existing interstitial warnings, query-parameter stripping, and debouncing, and will ship in iBrowe 1.37 (Nightly available now). Under the hood, Unlinkable Bouncing leverages a new “first-party ephemeral storage” capability, which lets sites remember you only while you’re actively browsing them and forget everything as soon as you navigate away.
🔍 1. What Is Bounce Tracking?
1.1 How Bounce Tracking Works
Bounce tracking occurs when a tracker slips itself between your current site and your intended destination. For example:
- You visit rabbits.example and click a link to turtles.example.
- Instead of going directly to `turtles.example`, your browser is silently redirected through `tracker.example/collect?src=rabbits.example&dest=turtles.example`.
- tracker.example logs “user saw rabbits, now going to turtles,” then almost instantly forwards you to turtles.example.
- Over time, `tracker.example` can build a profile of your browsing interests (rabbits, turtles, etc.), even if iBrowe’s cookie- or storage-based protections are in place. 🕵️
1.2 Why Existing Protections Sometimes Fall Short
iBrowe already offers:
- Interstitial Warnings (Aggressive Shields): Alerts when you’re about to hit a known bounce-tracker and lets you cancel. ⚠️
- Query-Parameter Stripping: Removes common tracker IDs (e.g., `?fbclid=…`) from URLs to block link-decorators. ✂️
- Debouncing: Attempts to skip the redirect entirely by detecting that a bounce-tracker URL will redirect to a known final site, taking you straight there. ⏩
However:
- Warnings require manual action—advanced users might still proceed.
- Parameter Stripping does not prevent the tracker from learning which sites you visited—only that you came via some redirect.
- Debouncing sometimes cannot reconstruct the final destination (obfuscated or encrypted parameters), so the bounce-tracker loads anyway.
Unlinkable Bouncing fills this gap by ensuring that—even when a tracker-page loads—its storage cannot persist or link across visits.
🛡️ 2. Introducing Unlinkable Bouncing
2.1 How It Works, Step by Step
- Navigation Begins: You click a link to `tracker.example/redirect?dest=turtles.example`.
- Filter List Check: iBrowe consults its curated list of known bounce-tracking domains (crowdsourced + iBrowe-maintained).
- Aggressive Shields Warning: If Shields are set to Aggressive, you see an interstitial:
  ⚠️ Suspected Bounce Tracker Detected
  This link may record your navigation. Proceed with caution.
  • Cancel • Continue Anyway
- Existing Storage Check: If you proceed (or Shields are at default), iBrowe looks up any existing first-party storage (cookies, localStorage) for `tracker.example`.
  - If storage exists: iBrowe assumes you’ve visited before. The bounce proceeds, but Unlinkable Bouncing is not applied.
  - If no storage: iBrowe creates a temporary, isolated storage sandbox for `tracker.example`, separate from any persistent data.
- Tracker Page Loads: `tracker.example` can read from its ephemeral storage and learn “src=rabbits, dest=turtles,” but cannot tie it to any previous visit since the data is fresh and separate.
- Post-Load Cleanup: Once you navigate away from `tracker.example` (close the tab or move to another site), iBrowe nukes that temporary storage: cookies and localStorage vanish immediately.
- Destination Loads: You end up on `turtles.example` as intended, with `tracker.example` unable to recognize you on any future bounce. 👻
2.2 Key Benefits
- Unlinkability: Every bounce “session” is treated as first-ever. The tracker never accumulates multi-visit history.
- Full Functionality: The bounce page still runs its scripts and redirects—so any site logic reliant on that page won’t break.
- Automatic Cleanup: You don’t have to manually clear cookies or storage; iBrowe erases everything the moment you leave.
- Layered Defense: Works alongside warnings, query-stripping, and debouncing to cover all bounce-tracking edge cases.
🔄 3. Unlinkable Bouncing vs. Other Browsers
Feature | iBrowe (Default) | Chrome/Edge | Firefox | Safari |
---|---|---|---|---|
Interstitial Warning | ✅ (Aggressive) | ❌ | ❌ | ❌ |
Query-Parameter Stripping | ✅ | ❌ | ❌ | ❌ |
Debouncing | ✅ | ❌ | ❌ | ❌ |
Unlinkable Bouncing | ✅ | ❌ | ❌ | ❌ |
First-Party Ephemeral Sandbox | ✅ | ❌ | ❌ | ❌ |
Insight: iBrowe is the first major browser to offer a per-redirect ephemeral sandbox for suspected bounce-tracker domains—no other browser provides the same layered unlinkability.
🌱 4. First-Party Ephemeral Storage: A Broader Vision
Unlinkable Bouncing is iBrowe’s inaugural demonstration of First-Party Ephemeral Storage, a suite of techniques that allow sites to identify you only while you are actively on them, then forget you when you leave. 🔓
4.1 From Third-Party to First-Party Ephemerality
- Existing Third-Party Model: iBrowe already isolates third-party storage (cookies, localStorage, IndexedDB) per first-party—and auto-deletes that data when you close the embedding site.
- New First-Party Model: Unlinkable Bouncing transiently extends that same idea to first-party domains—but only for sites flagged as privacy-risky. That first-party’s storage is kept in a temporary sandbox so long as you remain on the bounce-tracker; once you leave, all data is purged.
4.2 The Privacy-First Paradigm Shift
Traditionally, browsers assume users want their data “remembered” unless they explicitly delete cookies or use private mode. iBrowe’s ephemeral storage flips that default:
- Forget by Default: Sites must earn the right to “remember you” by your explicit, repeat visits.
- User-Controlled Persistence: If a site legitimately requires login (e.g., bank.example), iBrowe can prompt you:
🔐 “Do you want to allow bank.example to remember you across visits?”
• Yes, keep me logged in
• No, treat each visit as new
This transformation ensures that privacy becomes the baseline, and your identity is never tied across visits or sites without clear consent. 🌐
🔧 5. Under the Hood: Implementation Details
5.1 Identifying Suspect Sites
- iBrowe maintains a list of known bounce-tracker domains via crowdsourced filter lists (EasyList variants, Link Cleaner, ClearURLs) and internal heuristics. This list is regularly updated. 📋
- During navigation, if the target URL matches any pattern (e.g., `tracker.*?dest=`), iBrowe flags it for Unlinkable Bouncing.
5.2 Managing Temporary Storage
- Per-Redirect Storage Bucket: On first visit to `tracker.example`, iBrowe spins up a separate storage partition (in memory), including cookies, localStorage, and IndexedDB keys.
- Sandbox Lifetime: The bucket persists only while that tab remains open. Closing the tab triggers an immediate wipe.
- Isolation Guarantee: This temporary bucket cannot access persisted data in the user’s primary storage for `tracker.example`. If you revisit `tracker.example` again (with no other tabs open), a brand-new bucket is created.
5.3 Cleanup & Edge Cases
- Navigate Forward: If the redirect automatically forwards you to the final site (`turtles.example`) in the same tab, the `tracker.example` sandbox unloads and is deleted just before loading the destination.
- Multiple Tabs: If you have two tabs open to `tracker.example`, the sandbox only clears after both are closed.
- Browser Restart: Any in-memory ephemeral buckets are cleared on restart, so half-finished bounce sessions cannot survive crashes.
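The bucket lifetime rules from 5.2 and 5.3 can be modelled in a few lines. This is an added example, not iBrowe's code: the class name, method names, tab ids and the `uid` value are all hypothetical, and a `Map` stands in for cookies and localStorage.

```javascript
// Simplified model of first-party ephemeral storage (illustrative; not iBrowe source).
class EphemeralStorageManager {
  constructor(sitesWithPersistentStorage = []) {
    // Sites that already hold persistent first-party storage (constructed input).
    this.persistent = new Set(sitesWithPersistentStorage);
    // site -> { tabs: Set of tab ids, data: Map standing in for cookies/localStorage }
    this.buckets = new Map();
  }

  // A tab navigates to a site that the filter list flagged as a bounce tracker.
  enter(tabId, site) {
    // Existing storage means the sandbox is not used (section 2.1).
    if (this.persistent.has(site)) return { mode: "persistent", data: null };
    let bucket = this.buckets.get(site);
    if (!bucket) {
      bucket = { tabs: new Set(), data: new Map() };
      this.buckets.set(site, bucket);
    }
    bucket.tabs.add(tabId);
    return { mode: "ephemeral", data: bucket.data };
  }

  // A tab closes or navigates away. Returns true when the bucket was wiped.
  leave(tabId, site) {
    const bucket = this.buckets.get(site);
    if (!bucket) return false;
    bucket.tabs.delete(tabId);
    if (bucket.tabs.size > 0) return false; // another tab still holds the site open
    bucket.data.clear();
    this.buckets.delete(site);
    return true;
  }

  // Buckets live in memory only, so a restart drops all of them.
  restart() { this.buckets.clear(); }
}

// Walk through the edge cases from section 5.3 with a constructed tracker id.
function demo() {
  const mgr = new EphemeralStorageManager(["known.example"]);
  mgr.enter("tab1", "tracker.example").data.set("uid", "constructed-id-1");
  const seenInTab2 = mgr.enter("tab2", "tracker.example").data.get("uid");
  const wipedAfterTab1 = mgr.leave("tab1", "tracker.example");
  const wipedAfterTab2 = mgr.leave("tab2", "tracker.example");
  const uidOnRevisit = mgr.enter("tab3", "tracker.example").data.get("uid");
  const knownMode = mgr.enter("tab4", "known.example").mode;
  return { seenInTab2, wipedAfterTab1, wipedAfterTab2, uidOnRevisit, knownMode };
}
```

In `demo()`, the identifier written in the first tab is visible in the second while both are open, survives the first tab closing, and is gone once the last tab leaves, so the revisit starts with an empty bucket.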
🧩 6. Combining All Bounce Protections
iBrowe’s four complementary defenses now guard against bounce tracking:
- Aggressive Shields Warning (Optional): Alerts you before navigating to a bounce-tracker, giving you a chance to cancel. ⚠️
- Query-Parameter Stripping: Removes known tracking IDs (`?fbclid=…`, `?gclid=…`) that tracker pages rely on. ✂️
- Debouncing: When possible, skip the tracker URL entirely by parsing the `dest=` parameter and directly loading the final site. ⏭️
- Unlinkable Bouncing: If bounce-tracker must load, isolate its storage so all visits look unique and cannot be linked. 🔒
Result: Bounce trackers can no longer piece together your multi-site journey. Even if they slip in as many redirects as they like, each session is anonymized and ephemeral.
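How the layers hand off to one another, as an added sketch that is not iBrowe's implementation: the function names, the two-entry parameter list, the one-entry tracker list and the ordering of the checks are assumptions made for illustration.

```javascript
// Constructed sample data; real entries come from the filter lists the post names.
const BOUNCE_TRACKERS = new Set(["tracker.example"]);
const TRACKING_PARAMS = ["fbclid", "gclid"];

// Query-parameter stripping: drop known tracking ids, keep everything else.
function stripTrackingParams(url) {
  for (const name of TRACKING_PARAMS) url.searchParams.delete(name);
  return url;
}

// Debouncing: recover the final destination from dest=, or null if that fails.
function tryDebounce(url) {
  const dest = url.searchParams.get("dest");
  if (!dest) return null; // obfuscated or encrypted parameters: nothing to parse
  try {
    const target = new URL(dest.includes("://") ? dest : "https://" + dest);
    // Only follow web destinations; anything else falls through to the sandbox.
    if (target.protocol !== "https:" && target.protocol !== "http:") return null;
    return target;
  } catch {
    return null; // dest= did not parse as a URL
  }
}

// Decide what to do with a navigation. `aggressive` models Aggressive Shields.
function planNavigation(rawUrl, { aggressive = false } = {}) {
  const url = stripTrackingParams(new URL(rawUrl));
  if (!BOUNCE_TRACKERS.has(url.hostname)) {
    return { action: "load", url: url.href, warn: false };
  }
  const target = tryDebounce(url);
  if (target && !BOUNCE_TRACKERS.has(target.hostname)) {
    return { action: "debounce", url: stripTrackingParams(target).href, warn: false };
  }
  // The tracker has to load: show the interstitial if enabled, then isolate storage.
  return { action: "ephemeral", url: url.href, warn: aggressive };
}
```

A readable `dest=` is debounced straight to the destination; a tracker URL whose destination cannot be recovered is the case that falls through to Unlinkable Bouncing.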
🎉 7. Next Steps & Future Ephemeral Features
Unlinkable Bouncing paves the way for a suite of First-Party Ephemeral Storage innovations:
- Login-By-Default Prompts: For sensitive sites (banks, health portals), iBrowe can ask, “Remember me?” before unlocking persistent storage.
- Ephemeral Tabs: Allow users to mark any tab as “temporary,” clearing all first-party data on close—without full Private Mode.
- Selective Whitelists: Let users choose sites that get standard storage persistence vs. those that stay ephemeral (e.g., “Work.com can remember me; News.com is ephemeral”).
- Enhanced Privacy Dashboards: Show which sites hold ephemeral storage vs. persistent; let you purge ephemeral data manually if needed.
Stay tuned for further updates as iBrowe’s privacy-first storage model evolves!