Some thoughts on anchor ping

April 8 2019 by Jeff Johnson

This is a follow-up to my recent article Safari link tracking can no longer be disabled. I'm quite surprised that my complaining about a hidden preference in Safari has generated so much discussion on the internet. I'm also quite pleased, because I think it's important to draw attention to the privacy implications of the HTML anchor ping attribute and have a public debate about it. I've heard so many people say that they weren't even aware that anchor ping existed until they saw my article, so I'm glad to raise awareness.

The main argument that has been offered in favor of anchor ping is that it's preferable to the alternative forms of tracking links, such as server-side redirects or client-side clickjacking. My response to this argument is that anchor ping not preferable for reasons to be explained below, and moreover, the entire argument is a fallacy, a false dilemma. Let me start with the second point. Anchor ping has not replaced redirects and clickjacking. We still have these forms of tracking! For example, notice how Apple News links have begun to permeate the web. And just a few months ago I wrote about how Google Search hijacks links in the search results when you press down your mouse on the links.

Anchor ping is not an alternative form of tracking, it's an additional form of tracking. We still have all the other forms of tracking along with this one. It may be true that if advertisers don't have anchor ping, they'll just use alternative methods, but the belief that advertisers won't use alternative methods of tracking if they have anchor ping has proven to be completely false. Anchor ping also turns out to be an advertiser's dream feature. It's completely invisible to the user, and it's more powerful and reliable than the other tracking methods. Anchor ping is asynchronous and not aborted when a web page is unloaded. Unlike clickjacking, anchor ping cannot be prevented by disabling JavaScript. Most browsers have the ability to disable JavaScript globally, and some browsers such as Google Chrome have the ability to disable JavaScript per-site, but anchor ping does not require JavaScript and continues to work without it. The value of the anchor ping attribute is a space-separated list of URLs, so it can ping multiple receivers for every link clicked.

The marketing of the anchor ping feature by the major browser vendors turned out to be a bait and switch. The following is what WHATWG has to say about it.

"The ping attribute is redundant with pre-existing technologies like HTTP redirects and JavaScript in allowing Web pages to track which off-site links are most popular or allowing advertisers to track click-through rates.

However, the ping attribute provides these advantages to the user over those alternatives:

Thus, while it is possible to track users without this feature, authors are encouraged to use the ping attribute so that the user agent can make the user experience more transparent."

Anchor ping was supposed to be transparent as in easily perceived by the user. Instead, anchor ping has become "transparent" as in invisible to the user. The browsers never informed the user about the ping notifications. And now browsers such as Safari and Chrome are removing the ability of the user to disable the notifications. As far as privacy is concerned, this is not "a wash" compared to previous tracking methods. It's a cover-up.

One of the stated benefits of anchor ping is that it allows the user to see the final target URL unobscured. My question is, why did browser vendors allow the final target URL to get obscured in the first place? Why do browsers even allow JavaScript clickjacking? Why do browsers allow cross-origin redirects without the user's permission? In my opinion, this supposed benefit of anchor ping is simply an excuse that lets the browsers off the hook for their total failure to protect users from link tracking. I think there ought to be "truth in links". What you see on hover is what you get. This means that the link doesn't change on click. It means that you don't send notifications to URLs that you didn't click. And it means that you don't end up at a different domain than the one you clicked. Although at least with server-side redirects, you can usually tell before you click that the link is targeted at a tracker (e.g.,, rather than the final source.

Another stated benefit of anchor ping is that the target page loads faster. But is making tracking more performant a goal for users, or a goal for advertisers? Why should tracking be rewarded with better performance instead of punished with worse performance? What's the incentive for protecting user privacy, the incentive for sites to not track clicks? It's known that longer load times cause sites to lose readers, but why shouldn't this fact be used to as an incentive to avoid tracking rather than as a barrier to easier tracking? It seems to me that anchor ping is giving advertisers everything they want and users nothing they want. If there's to be tracking, shouldn't the tracking be obvious to the user? Perhaps even obnoxiously obvious? It's always claimed that users don't care about privacy, but we've seen clearly that users simply don't know about anchor ping. How can they decide whether to care when they don't even know?

I'd like to see browsers do even more to protect users, instead of simply shrugging in defeat and focusing all of their efforts on optimizing for speed. I don't accept the argument that browsers shouldn't bother to protect the privacy of users, because advertisers will just find a technical bypass for every browser protection. By that logic, why bother locking the doors of your home, because criminals can break in anyway? I say make it harder for the violators, and make violations obvious to everyone.

Jeff Johnson (My apps, PayPal.Me)