jnn-pa.googleapis.com is number 336 on the Cisco Umbrella Popularity List as of August 23, 2022. Updated every 24 hours, the list ranks the most popular domains on the internet by counting the unique IP addresses that request a particular URL. For example, if you visit google.com 37 times in one day on the same device, that only counts as one URL request. That’s how the ranking is done. And yet the obscure jnn-pa.googleapis.com is number 336 on a list of the one million most popular URLs on the whole internet. What gives?
jnn-pa.googleapis.com is a consent management processor created by the German company Usercentrics GmbH. jnn-pa.googleapis.com can be found on websites as varied as those of televangelists, colleges, and the IRS alike.
The first 11 URLs on the Cisco Umbrella Popularity List are all Netflix subdomains. Google.com is number 12 and google.co.uk is number 2228, but somehow jnn-googleapis.com is at number 336.
jnn-pa.googleapis.com ranks way ahead of docs.google.com (Google Docs), inbox.google.com (Gmail), drive.google.com, apps.apple.com (the App Store), dropbox.com, linkedin.com, and tiktok.com.
You’ve heard of all these services but have you ever heard of jnn-pa.googleapis.com? You can’t even access the URL on your phone or computer. It returns a 404 error. Yet it’s the 336th most requested URL on the whole internet. How? Why?
What is jnn-pa.googleapis.com?
jnn-pa.googleapis.com is a consent management processor. Sites use it to store and manage user consents. Internet speculation claim it’s a Google Analytics server or a tracker but it’s actually a third-party service using Google’s APIs.
What does jnn-pa.googleapis.com do?
jnn-pa.googleapis.com is a consent management processor made by Usercentrics GmbH. You’ve certainly seen that “Manage cookies” prompt when you visit a website. jnn-pa.googleapis.com is one of the programs that perform the actual management of those cookies. It documents what you have allowed the website to track about you (or not).
Strict internet privacy laws like the GDPR and CCPA make a consent management processor compulsory for any website targeting European and American users. If you’re sued for breaching the GDPR, the logs of a processor like jnn-pa.googleapis.com will be your evidence of when a user allowed you to track him, and what he allowed you to track.
Webrate statistics also show that 45% of all visitors to jnn-pa.googleapis.com come from inside Germany. This is where all of jnn-pa.googleapis.com’s traffic comes from. It’s not from ordinary users with smartphones and laptops. It’s from bots and servers.
What is a tracker?
A tracker is a script running on a website with the sole intention of studying user patterns. Not all trackers are malicious. Many are used for analytics. They measure how many people visit the website, how long they stay, and what they interact with. Others measure conversion and other metrics that would help site owners improve their services.
What are Google APIs and how do they work?
Application Programming Interfaces (APIs) are just that. They are intermediaries or middlemen that allow two programs to communicate with each other. If you want to display a map to your store on your website or mobile app, for example, you’re not going to create a whole new map service. Instead, you use Google Maps.
But it’s not that easy. Your site will be coded in one language and Google Maps in another. Think of an API as a translator. Google speaks Chinese, your site speaks English and the API is the translator the two programs use to communicate.
A second way is to think of APIs as trusty clerks with security clearances others don’t have. It would be foolish for Google to allow just anyone to access its back-end map interface. In this case, the Maps API acts as a clerk, fetching restricted information for third-party programs that request it instead of letting them into the back end.
Google APIs are used for all sorts of functions. Think of a typical example you have certainly seen on the web: “Sign in with Google.” when you click that nifty button while signing up to a website, you skip the entire process of picking usernames and entering your email address and full name. The website uses an API to fetch all this information from Google, allowing you to create an account with a single click. Embedded YouTube videos on third-party apps work the same way.
What are other related Google API subdomains and what do they do?
There are countless google API subdomains operated by both Google and third-party developers. I couldn’t possibly list them all. Google often operates multiple subdomains for a single service. These multiple redundancies make its services almost impossible to disrupt. Google Maps alone, for example, uses 100 URLs.
Can .googleapis.com subdomains be malicious?
Yes. .googleapis.com subdomains while hosted by Google, don’t all belong to Google. A developer who wants to connect to Google services receives a token after registration. This token allows a developer to create their own subdomain of Google APIs.
While Google takes stringent measures to prevent abuse, some crafty developers have used .googleapis.com subdomains for malicious purposes, usually tech support scams. Google usually shuts down such subdomains as soon as they detect suspicious patterns so scams are not a significant problem
Is jnn-pa.googleapis.com malicious?
No. jnn-pa.googleapis.com has been found running on websites as reputable as those of Time Magazine, Harvard University, YouTube, and every American’s scariest friend: the IRS.