Tracking Cookies in Open Source: A Practical Guide

TL;DR

Yes, tracking cookies from services like Facebook and Google can find their way into open source projects. This usually happens through third-party libraries or assets used by the project. Here’s how to check for them and what you can do about it.

1. Understanding How Cookies Get In

Open source projects rarely intentionally add tracking cookies. They typically arrive as a side effect of using:

• Third-party JavaScript libraries: Analytics tools (even seemingly simple ones) often include trackers.
• Content Delivery Networks (CDNs): CDNs might serve content with embedded tracking scripts.
• Social media widgets: ‘Like’ buttons, share buttons etc. almost always use cookies.
• Advertising networks: Projects that display ads will likely have trackers.

2. Checking Your Own Project (Developers)

If you maintain an open source project, these steps are for you:

1. Code Review: Manually inspect your code and dependencies for any references to domains known for tracking (see section 6).
2. Dependency Scanning Tools: Use tools that automatically scan your project’s dependencies. Some examples include:
   • Dependabot (GitHub): Can identify vulnerable or problematic dependencies, including those with trackers.
   • Snyk: A more comprehensive security scanning tool that also checks for tracking libraries.

     snyk test --all-projects

3. Browser Developer Tools: Load your project in a browser and use the developer tools (usually F12) to inspect network requests. Look for connections to tracking domains.
   • Open the ‘Network’ tab.
   • Filter by ‘Third-party’.
   • Reload the page and observe which domains are being contacted.

3. Checking a Project You Use (Users)

If you’re using an open source project, it’s harder to directly fix things, but you can still investigate:

1. Browser Extensions: Use privacy-focused browser extensions like:
   • Privacy Badger: Automatically learns to block trackers.
   • uBlock Origin: A powerful ad and tracker blocker.

     (Install from your browser's extension store)

   • Ghostery: Detects and blocks trackers, providing more control over what’s allowed.
2. Network Monitoring (Advanced): Use tools like Wireshark to capture network traffic and identify tracking domains. This requires technical expertise.

   wireshark

4. Removing Tracking Cookies/Scripts

If you find trackers, here’s how to deal with them:

• Replace the Library: Find an alternative library without tracking functionality.
• Self-Host Assets: Download and host third-party assets (like JavaScript files) yourself instead of using a CDN. This gives you more control.
• Remove Social Widgets: If possible, remove social media widgets entirely or use privacy-respecting alternatives.
• Configure Analytics Carefully: If you must use analytics, configure it to respect user privacy (e.g., anonymize IP addresses).

5. Preventing Future Issues

• Regular Dependency Updates: Keep your project’s dependencies up-to-date to benefit from security and privacy fixes.
• Principle of Least Privilege: Only include the libraries and assets you absolutely need.
• Automated Scanning: Integrate dependency scanning tools into your CI/CD pipeline.

  (Configure in your project's build system)

6. Common Tracking Domains

Here are some domains commonly associated with tracking:

• google-analytics.com
• facebook.net
• doubleclick.net
• adsense.google.com
• quantserve.com
• scorecardresearch.com

This is not an exhaustive list, and trackers often use subdomains or other techniques to hide their identity.