What Are ETags and How Can Third-Party Vendors Use Them to Track Your Users?

• ETags are HTTP cache identifiers that can be repurposed by third-party vendors to uniquely identify and track website visitors without using cookies. ETags are attached to every resource delivered by a server to manage caching, but if the identifier includes more than a version number, it can function as a persistent, per-user tracking mechanism that survives cookie deletion and consent opt-outs.
• Any third-party marketing technology running on your site could be using ETags for covert user identification. Analytics tools, chatbots, survey tools, video players, and other embedded vendors each make their own server requests with their own ETags, and the website owner has no visibility into whether those identifiers contain discrete user-level tracking data.
• ETag-based tracking is difficult to detect and creates liability for the site owner, not just the vendor. Because ETags operate at the HTTP header level rather than through visible client-side code, standard consent management and cookie audit tools do not flag them, yet the organization hosting the third-party technology is responsible for the privacy violations that occur on its pages.

Third-party cookies are on their way out, but does that mean tracking users will also crumble (see what I did there?). Probably not. There are too many back doors, too many complicated but elegant solutions to the problem of needing and wanting to track visitor behavior. Frankly, the ability to advertise in a uniquely segmented way is extremely valuable. User consent will drive some of the tracking but some—some—will happen through slimy tactics which may or may not be legal but cross ethical lines.

What are some of the shady options to identify users, beyond cookies? ETags and fingerprinting are a couple. In this article we will focus on ETags, but we will cover other shady options in future posts.

ETags are IDs that are attached to every resource delivered by a server. Nicoloas Hinternesch provides an in-depth explanation here. But the TLDR version for the digital marketer goes something like this: a user navigates to a URL for the first time, the request is cached for efficiency’s sake, an identifier, aka an ETag, is attached to that request to check the version number for future visits. So the next time the user navigates to the URL, the ETag identifiers are analyzed for the version number and either the cached version is served or, if it has been updated, the new version will load. The mechanics behind this can get a little technical, but the essence is that if the ETag for the cache version includes more than just a version number, it could potentially uniquely identify each visitor.

The reality is that ETags in and of themselves are positive for the web ecosystem. Caching allows for increased performance and less use of bandwidth. Privacy concerns happen when this approach is abused with discrete identifiers which may infringe upon privacy of the user.

We know if you are reading this you are actively researching privacy and have no desire to use unethical tactics, so how does this affect you and your brand?

The issue is that you are likely running third party marketing technologies on your site, for example your analytics tool, chat bot, survey tool or video tool. You are probably running dozens of these tools on every web page. Any of these technologies could be deploying the unethical practices described above with ETags. And of course, this tactic is hard to find. Unfortunately, your customers’ privacy could be being violated, and if it is, you are liable.

Monitoring such tactics is not easy, but Vault JS can help. We check and analyze all requests running for attributes like ETags. We can give you a sense of how your vendors are applying their ETags and whether anything looks fishy. We are here to help you protect your brand—and your customers’ privacy.

Let us shine a light on your risk. Sign up for a free site report to learn more about ETags running on your site today.

Julie Oberweis
COO, Co-Founder, Vault JS

She previously co-founded Ensighten, where she helped create the tag management industry. Julie holds the CFA charter and the CIPP/US certification from the IAPP, bringing a rare combination of financial, operational, and privacy expertise to the governance challenges facing enterprise marketing and compliance teams.