Tracing Cross Border Web Tracking

Iordanou, Costas; Smaragdakis, Georgios; Poese, Ingmar; Laoutaris, Nikolaos

doi:10.1145/3278532.3278561

Cited by 46 publications

(34 citation statements)

References 30 publications

(36 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Therefore, it is important to design practical, web transparency tools such as CONRAD, which will be readily available to privacy researchers, regulators and end-users. These tools can be used by plain users or the research community to investigate personal data leakage and anonymity on the web, due to 3rd parties' activities such as CSync [21].…”

Section: Summary and Discussionmentioning

confidence: 99%

Cookie Synchronization: Everything You Always Wanted to Know But Were Afraid to Ask

Papadopoulos¹,

Kourtellis

Markatos

2019

The World Wide Web Conference

104

View full text Add to dashboard Cite

User data is the primary input of digital advertising, fueling the free Internet as we know it. As a result, web companies invest a lot in elaborate tracking mechanisms to acquire user data that can sell to data markets and advertisers. However, with same-origin policy, and cookies as a primary identification mechanism on the web, each tracker knows the same user with a different ID. To mitigate this, Cookie Synchronization (CSync) came to the rescue, facilitating an information sharing channel between third parties that may or not have direct access to the website the user visits. In the background, with CSync, they merge user data they own, but also reconstruct a user's browsing history, bypassing the same origin policy.In this paper, we perform a first to our knowledge in-depth study of CSync in the wild, using a year-long weblog from 850 real mobile users. Through our study, we aim to understand the characteristics of the CSync protocol and the impact it has on web users' privacy. For this, we design and implement CONRAD, a holistic mechanism to detect CSync events at real time, and the privacy loss on the user side, even when the synced IDs are obfuscated. Using CONRAD, we find that 97% of the regular web users are exposed to CSync: most of them within the first week of their browsing, and the median userID gets leaked, on average, to 3.5 different domains. Finally, we see that CSync increases the number of domains that track the user by a factor of 6.75.

show abstract

Section: Summary and Discussionmentioning

confidence: 99%

Cookie Synchronization: Everything You Always Wanted to Know But Were Afraid to Ask

Papadopoulos¹,

Kourtellis

Markatos

2019

The World Wide Web Conference

104

View full text Add to dashboard Cite

show abstract

“…We then use the filter lists to classify follow-up thirdparty requests that would have been blocked by the lists. This technique has been extensively used in the previous works [23,[28][29][30] (for more details, see Table 12 in the Appendix). We classify a request as blocked if it matches one of the conditions: -the request directly matches the list.…”

Section: Measuring Tracking Requestsmentioning

confidence: 99%

Missed by Filter Lists: Detecting Unknown Third-Party Trackers with Invisible Pixels

Fouad¹,

Bielova²,

Legout³

et al. 2020

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

Web tracking has been extensively studied over the last decade. To detect tracking, previous studies and user tools rely on filter lists. However, it has been shown that filter lists miss trackers. In this paper, we propose an alternative method to detect trackers inspired by analyzing behavior of invisible pixels. By crawling 84,658 webpages from 8,744 domains, we detect that third-party invisible pixels are widely deployed: they are present on more than 94.51% of domains and constitute 35.66% of all third-party images. We propose a fine-grained behavioral classification of tracking based on the analysis of invisible pixels. We use this classification to detect new categories of tracking and uncover new collaborations between domains on the full dataset of 4, 216, 454 third-party requests. We demonstrate that two popular methods to detect tracking, based on EasyList&EasyPrivacy and on Disconnect lists respectively miss 25.22% and 30.34% of the trackers that we detect. Moreover, we find that if we combine all three lists, 379, 245 requests originated from 8,744 domains still track users on 68.70% of websites.

show abstract

“…GDPR is newly introduced, and so there have only been a handful of measurements and analyses: [6] concluded that tracking flows mostly stay within the EU. In a periodic survey of top 500 sites, [3] found that around one-sixth of websites (15.7%) had reorganised privacy policies by May 25, 2018.…”

Section: Related Workmentioning

confidence: 99%