How can I prevent tracking by ETags?

I don’t know of any great solutions. I can suggest three possible defenses, though all of them have limitations:

  • Privoxy. Privoxy can block ETag headers.

    In particular, you can use crunch-server-header or server-header-filter in your Privoxy configuration to block ETag: headers from the server. Also, you can use crunch-client-header or client-header-filter in your Privoxy configuration to block If-None-Match: and If-Modified-Since: headers from the client. However, I don’t know of any off-the-shelf formula you can just grab and use: you’d have to build your own Privoxy configuration yourself.

  • Your browser. If you use Firefox, you can configure Firefox to clear your cache each time you exit the browser. This may be bad for performance. Also, with this approach, ETags can still be used to track you within any one browser session, so it is not perfect, but it should clear any ETag cookie when you quit your browser.

  • RequestPolicy. If you use Firefox, you could use the RequestPolicy extension. One writer has pointed out that RequestPolicy may help defend against ETag tracking. Often, web sites track you by including resources from third-party advertisers or analytics providers. RequestPolicy lets you control what third-party resources your browser will request, when visiting a web page, and thus can let you protect yourself against that kind of tracking: if your browser never loads the third-party advertiser’s resource, then the third-party advertiser doesn’t have a chance to track you (using an ETag or any other mechanism). This defense is less than ideal, because it requires you to laboriously assemble your policy, and because web sites can still track you directly if they don’t rely upon any third-party resources.

Unfortunately, if you access the web through a transparent proxy, the presence of the proxy may complicate your attempts to avoid being tracked.
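The effect of the two-way header filtering described in the answer above, shown as an added simulation (not part of the original answer, and not Privoxy configuration). The `Tracker` and `Browser` classes and all header values are constructed stand-ins; the filter drops `ETag` from responses and `If-None-Match` / `If-Modified-Since` from requests, as the answer suggests.

```python
"""Constructed simulation: ETag re-identification vs. header stripping."""
import uuid

STRIP_RESPONSE = {"etag"}                               # server -> client
STRIP_REQUEST = {"if-none-match", "if-modified-since"}  # client -> server


def strip_headers(headers, blocked):
    """Drop blocked headers; HTTP header names are case-insensitive."""
    return {k: v for k, v in headers.items() if k.lower() not in blocked}


class Tracker:
    """Hypothetical tracking server: hands each new visitor a unique ETag."""
    def __init__(self):
        self.seen = {}  # etag -> number of times it was replayed to us

    def handle(self, request_headers):
        tag = request_headers.get("If-None-Match")
        if tag in self.seen:               # returning visitor recognised
            self.seen[tag] += 1
            return 304, {"ETag": tag}
        tag = '"%s"' % uuid.uuid4().hex    # new visitor: fresh identifier
        self.seen[tag] = 0
        return 200, {"ETag": tag, "Cache-Control": "private, max-age=0"}


class Browser:
    """Minimal cache model: stores the validator and replays it."""
    def __init__(self, filtering=False):
        self.cached_etag = None
        self.filtering = filtering         # True = filtering proxy in path

    def fetch(self, tracker):
        req = {"If-None-Match": self.cached_etag} if self.cached_etag else {}
        if self.filtering:
            req = strip_headers(req, STRIP_REQUEST)
        status, resp = tracker.handle(req)
        if self.filtering:
            resp = strip_headers(resp, STRIP_RESPONSE)
        self.cached_etag = resp.get("ETag", self.cached_etag)
        return status


def recognised_visits(filtering, visits=3):
    """Return how many times the tracker re-identified one browser."""
    tracker, browser = Tracker(), Browser(filtering)
    for _ in range(visits):
        browser.fetch(tracker)
    return sum(tracker.seen.values())
```

Without filtering the tracker recognises every repeat visit; with filtering each request looks like a new visitor, at the cost of never getting a `304` cache hit.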


In addition to the more involved solutions proposed by @D.W., you can consider using your browser's private browsing mode, à la InPrivate (IE), PrivateBrowsing (FF), Incognito (Chrome), etc.
The main thing here is that the browser cache is not used (or at least, not used beyond the length of the private session). As such, the ETag is not saved by your browser.

There are still some drawbacks to this approach, such as tracking within the session, and proxies as @D.W. mentioned. That said, it is pretty simple to use.


If you're using Firefox, you might be interested in an (optional) feature of my SecretAgent add-on, which creates spoof ETag headers to suppress tracking.

The downside is that spoofing ETags will obviously impair caching on those sites which use ETags to optimise traffic (though this seems to have very minor impact on performance).

See www.secretagent.org.uk.

  (Disclaimer: I am the author of SecretAgent).