Web user tracking has always been a cat-and-mouse game between privacy-conscious users and trackers. Recently, this conflict has driven a shift from third-party tracking toward first-party tracking (FPT) and server-side tracking (SST). By relocating tracking logic to the browser's first-party context or the website's backend, these mechanisms obscure data flows and render traditional client-side detection tools increasingly ineffective. Despite the growing adoption of these techniques, our understanding of their deployment at scale remains limited, and generalized protection mechanisms are lacking. In this work, we conduct a large-scale measurement of top sites to assess this shift and the prevalence of FPT and SST. We develop a provider-independent methodology to detect these mechanisms and find that over 54% of analyzed sites now deploy FPT or SST-related techniques. By clustering scripts based on their similarity and constructing a network graph, we demonstrate that the ecosystem is densely connected and dominated by major vendors like Google. Finally, we demonstrate that current filter lists are largely ineffective against first-party tracking, and we propose new rules to address this gap. We show that these rules block 63% more requests than traditional filter lists.