Papers
Topics
Authors
Recent
Search
2000 character limit reached

SST-Guard: Detecting and Characterizing Server-Side Google Analytics in the Wild

Published 30 Apr 2026 in cs.CR and cs.CY | (2604.27497v1)

Abstract: As web browsers increasingly restrict client-side tracking, the web tracking ecosystem is shifting from client-side to server-side tracking (SST). In SST, the browser sends tracking requests to an intermediate endpoint, which then forwards them to the tracker's endpoint, eliminating direct client-to-tracker requests. As a result, existing tracking protections that block requests to known tracker endpoints are rendered ineffective. In this paper, we investigate server-side implementation of Google Analytics, the most widely deployed third-party tracking service on the web today. We also present SST-Guard, a multi-modal, browser-based system for detecting and blocking server-side Google Analytics (sGA). Our key insight is that even when the tracker's endpoints change, sGA must necessarily still collect and share the same semantic information as client-side Google Analytics (e.g., identifiers, event metadata). Therefore, rather than detecting requests to known Google Analytics endpoints, SST-Guard aims to detect underlying artifacts of collection and sharing of these semantic values to any arbitrary endpoint. Operationalizing this insight is challenging because real-world sGA deployments commonly customize endpoints and obfuscate URLs/payloads. SST-Guard addresses this challenge using a value-template approach that employs regular expressions to match semantic value patterns across multiple modalities: network requests, cookies, and the window object. We validate SST-Guard on Tranco top-10k websites, detecting 4.02\% (403) sGA domains with over 93\% accuracy across three modalities, with network request classifier demonstrating the highest accuracy (99.8\%). By deploying SST-Guard in the wild, we find 4.21\% (6,314) of Tranco top-150k websites using sGA.

Summary

  • The paper presents a novel multi-modal value-template approach using network requests, cookies, and window variables to detect sGA.
  • It achieves 99.8% accuracy and a meta-classifier F1 score of 97.17%, demonstrating strong resilience against evasion techniques.
  • The study finds that 4.21% of top domains deploy sGA, exposing significant challenges in maintaining tracking transparency and privacy.

SST-Guard: Detecting and Characterizing Server-Side Google Analytics

Motivation and Context

Server-side tracking (SST) has emerged in response to increased privacy protections in browsers and widespread deployment of filter lists for blocking client-side tracking. While conventional defenses rely on identifying direct client-to-tracker communication, SST shifts data reporting through publisher-controlled or intermediary endpoints, fundamentally weakening these defenses. Google Analytics, the dominant third-party tracker, has actively promoted server-side deployments, making accurate detection of sGA a critical challenge for ecosystem transparency and user privacy. Figure 1

Figure 1: Distinction between client-side (top) and server-side (bottom) tracking architectures, highlighting how SST obscures direct tracker communication.

SST-Guard System Overview

SST-Guard leverages a multi-modal strategy to detect sGA, focusing on semantic artifacts left in the browser irrespective of endpoint customization or payload obfuscation. The key innovation is a value-template approach, using regular expressions across three modalities—network requests, cookies, and window variables—to identify GA-specific artifacts. Feature extraction yields binary vectors per domain/request, enabling real-time classification via Logistic Regression. Figure 2

Figure 2: SST-Guard design pipeline: web crawl, value template generation, feature extraction, classifier training, artifact removal, and sGA detection.

Detection Performance and Robustness

SST-Guard achieves strong detection metrics, validated against ground truth from Google Tag Assistant on Tranco top-10k domains. On the sGA evaluation set, the network request classifier demonstrated 99.8% accuracy, with meta-classifier achieving F1 of 97.17%. Ensemble modalities proved robust against adversarial customizations, especially base64-encoded requests deployed as evasions. Window variable classifiers maintained resilience due to API stability constraints in developer tooling, even when network and cookies were obfuscated. Figure 3

Figure 3: Google Tag Assistant interface during server-side tracking detection, as used for ground truth validation.

sGA Ecosystem Characterization

SST-Guard's deployment across Tranco top-150k domains revealed sGA on 4.21% (6,314) domains, with 40,199 sGA requests. Subdomain-based routing dominated (81.59%), but 18.4% used path-based routing, evading subdomain analysis and filter lists. Analysis showed extensive use of CNAME cloaking (21.05%) and direct A/AAAA records (73.51%), frequently delegating hosting to Google, Stape.io, and AWS. Figure 4

Figure 4: Typical sGA deployment scenarios, including first-party endpoints, load balancer routing, and cloud-hosted containers via CNAME/A-records.

Subdomain naming was highly varied, with sgtm, gtm, and sst as the most common prefixes. Figure 5

Figure 5

Figure 5

Figure 5: Frequency distribution of subdomain prefixes in sGA deployment, demonstrating naming diversity.

Network level analysis via DNS resolution and ASN mapping confirmed infrastructure delegation, undermining DNS-based and browser CNAME defenses. Figure 6

Figure 6: Sankey diagram illustrating network-level routing, including CNAME cloaking and infrastructure shifts to external providers.

Payload and Filterlist Evasion

Payload analysis indicated high prevalence of standard GA keys (97.3%) but also substantial customization (96.6% non-standard parameters). Advanced evasion included base64 encoding, custom query parameters, and path endpoints beyond /g/collect. EasyPrivacy blocked only 93.5% of detected sGA requests, failing for customized or obfuscated deployments.

Practical Deployment and Performance

SST-Guard is deployed as a Chrome Manifest V3 extension with negligible performance impact, confirmed via page load time benchmarks against vanilla Chrome and uBlock Origin Lite. On domains with intensive obfuscation (e.g., themeisle.com, shapeways.com), window variable and cookie modalities reliably detected sGA where network-based classification failed. Figure 7

Figure 7

Figure 7: Cumulative distribution of mean page load time change induced by SST-Guard vs. baseline and filter-list extensions.

Implications and Future Directions

SST-Guard exposes the fragility of endpoint-based and DNS-level defenses under SST and provides actionable intelligence for enhancing filter lists (e.g., EasyPrivacy) through empirical feedback. Its value-template approach is theoretically extensible to other trackers if ground truth artifacts are available. However, the system relies on semantic invariants; approaches like direct Measurement Protocol usage or full custom events may require integrating taint tracking or cross-layer data flow analysis.

From a regulatory and auditing perspective, SST complicates compliance verification, reducing transparency and user agency. As SST adoption grows, browser and filter-list maintainers must adapt by leveraging behavioral and value-based detection rather than static pattern matching.

Conclusion

SST-Guard demonstrates that robust sGA detection requires multi-modal artifact analysis rather than endpoint inspection alone. Its high-accuracy classifiers, resilience under adversarial conditions, and practical deployment underscore its utility for privacy researchers and tool builders. The observed ecosystem trends—endpoint customization, infrastructure delegation, and payload obfuscation—indicate that future defenses must prioritize semantic behavior over legacy client-side assumptions. SST-Guard's methodologies offer a foundation for systematic tracking detection adaptable to evolving web architectures.

(2604.27497)

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.