# Geoffrey Frogeye's block list of first-party trackers

## What's a first-party tracker?

A tracker is a script put on many websites to gather informations about the visitor.
They can be used for multiple reasons: statistics, risk management, marketing, ads serving…
In any case, they are a threat to Internet users' privacy and many may want to block them.

Traditionnaly, trackers are served from a third-party.
For example, `website1.com` and `website2.com` both load their tracking script from `https://trackercompany.com/trackerscript.js`.
In order to block those, one can simply block the hostname `trackercompany.com`, which is what most ad blockers do.

However, to circumvent this block, tracker companies made the websites using them load trackers from `somestring.website1.com`.
The latter is a DNS redirection to `website1.trackercompany.com`, directly to an IP address belonging to the tracking company.

Those are called first-party trackers.
On top of aforementionned privacy issues, they also cause some security issue, as websites are usually configured to trust first-party scripts.
For more information, learn about [Cross-Origin Resource Sharing](https://enable-cors.org/).

In order to block those trackers, ad blockers would need to block every subdomain pointing to anything under `trackercompany.com` or to their network.
Unfortunately, most don't support those blocking methods as they are not DNS-aware, e.g. they only see `somestring.website1.com`.

This list is an inventory of every `somestring.website1.com` found to allow non DNS-aware ad blocker to still block first-party trackers.

### Learn more

- [CNAME Cloaking, the dangerous disguise of third-party trackers](https://medium.com/nextdns/cname-cloaking-the-dangerous-disguise-of-third-party-trackers-195205dc522a)
- [Trackers first-party](https://blog.imirhil.fr/2019/11/13/first-party-tracker.html) (french)
- [uBlock Origin issue](https://github.com/uBlockOrigin/uBlock-issues/issues/780)

## List variants

### First-party trackers (recommended)

- Hosts file: <https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt>
- Raw list: <https://hostfiles.frogeye.fr/firstparty-trackers.txt>

This list contains every hostname redirecting to [a hand-picked list of first-party trackers](https://git.frogeye.fr/geoffrey/eulaurarien/src/branch/master/rules/first-party.list).
It should be safe from false-positives.
Don't be afraid of the size of the list, as this is due to the nature of first-party trackers: a single tracker generates at least one hostname per client (typically two).

### First-party only trackers

- Hosts file: <https://hostfiles.frogeye.fr/firstparty-only-trackers-hosts.txt>
- Raw list: <https://hostfiles.frogeye.fr/firstparty-only-trackers.txt>

This is the same list as above, albeit not containing the hostnames under the tracking company domains (e.g. `website1.trackercompany.com`).
While those are technically third-party trackers, they cannot be blocked at once by some ad blockers (e.g. Pi-hole).
Use only with ad blocker able to import regular expressions and in conjuction with other block lists.

### Multi-party trackers

- Hosts file: <https://hostfiles.frogeye.fr/multiparty-trackers-hosts.txt>
- Raw list: <https://hostfiles.frogeye.fr/multiparty-trackers.txt>

As first-party trackers usually evolve from third-party trackers, this list contains every hostname redirecting to trackers found in existing lists of third-party trackers (see next section).
Since the latter were not designed with first-party trackers in mind, they are likely to contain false-positives.
In the other hand, they might protect against first-party tracker that we're not aware of / have not yet confirmed.

#### Source of third-party trackers

- [EasyPrivacy](https://easylist.to/easylist/easyprivacy.txt)

(yes there's only one for now. A lot of existing ones cause a lot of false positives)

### Multi-party only trackers

- Hosts file: <https://hostfiles.frogeye.fr/multiparty-only-trackers-hosts.txt>
- Raw list: <https://hostfiles.frogeye.fr/multiparty-only-trackers.txt>

This is the same list as above, albeit not containing the hostnames under the tracking company domains (e.g. `website1.trackercompany.com`).
While those are technically third-party trackers, they cannot be blocked at once by some ad blockers (e.g. Pi-hole).
Use only with ad blocker able to import regular expressions and in conjuction with other block lists, especially the ones in the previous section.

## Meta

In case of false positives/negatives, or any other question contact me the way you like: <https://geoffrey.frogeye.fr>

The software used to generate this list is available here: <https://git.frogeye.fr/geoffrey/eulaurarien>

## Acknowledgements

Some of the first-party tracker included in this list have been found by:

- [Aeris](https://imirhil.fr/)
- NextDNS and [their blocklist](https://github.com/nextdns/cname-cloaking-blocklist)'s contributors

The list was generated using data from

- [Rapid7 OpenData](https://opendata.rapid7.com/sonar.fdns_v2/), who kindly provided a free account
- [Cisco Umbrella Popularity List](http://s3-us-west-1.amazonaws.com/umbrella-static/index.html)
- [Public DNS Server List](https://public-dns.info/)