Security Lunch ☀️ Ed. — Wednesday, June 24th, 2026, 12:00 pm @ CoDa E160
SST-Guard: Detecting and Characterizing Server-Side Google Analytics in the Wild
Muhammad Jazlan
Can't make it in person? Join us on
zoom.
See our past & upcoming events on our
website!
Abstract:
As web browsers increasingly implement tracking protection features, the web tracking ecosystem has started to shift from the client-side to the server-side. Instead of sending requests directly to the tracker’s endpoint, server-side tracking (SST) sends tracking
requests to publisher-controlled or intermediary endpoints that then forward the information to trackers server-side. As a result, client-side tracking protections become fragile because direct client-to-tracker requests may no longer be observed.
In this paper, we investigate the server-side implementation of Google Analytics (sGA), the most widely deployed third-party tracking service on the web today. We present SST-Guard, a multi-modal browser-based system for detecting sGA despite endpoint customization
and payload obfuscation. The key insight behind SST-Guard is that common sGA deployments change the standard Google Analytics endpoints, but still leave semantic artifacts of data collection by Google Analytics in the browser, including identifiers, event
metadata, cookies, and JavaScript state. Therefore, rather than detecting requests to the standard Google Analytics endpoints, SST-Guard aims to detect underlying artifacts of collection and sharing of these semantic values to any arbitrary endpoint. Operationalizing
this insight is challenging because real-world sGA deployments commonly customize endpoints and obfuscate URLs/payloads. SST-Guard addresses this challenge using a value-template approach that employs regular expressions to match semantic value pat-
terns across multiple modalities: network requests, cookies, and the window object.
We validate SST-Guard on Tranco top-10k websites, detecting 4.02% (403) sGA domains with over 93% accuracy across three modalities, with network request classifier demonstrating the highest accuracy (99.8%). Deploying SST-Guard at scale, we detect sGA on 4.21%
(6,314) of Tranco top-150K websites. Our analysis shows that many sGA deployments use first-party subdomains, direct A/AAAA records, custom paths, or encoded payloads that circumvent existing defenses.
Bio:
Muhammad Jazlan is a second-year Computer Science PhD student at UC Davis, advised by Zubair Shafiq and Alexander Gamero-Garrido. He works on privacy and security on the web, with a focus on tracking in the browser. His recent work includes SST-Guard and Tracking
Conversations. He is also working on generating stable hardware fingerprints in the browser and studying tracking in AI chatbots and AI-powered browsers. He is currently a privacy researcher at VaultJS.