Advertisement

Measuring Cookies and Web Privacy in a Post-GDPR World

  • Adrian DabrowskiEmail author
  • Georg Merzdovnik
  • Johanna Ullrich
  • Gerald Sendera
  • Edgar Weippl
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11419)

Abstract

In response, the European Union has adopted the General Data Protection Regulation (GDPR), a legislative framework for data protection empowering individuals to control their data. Since its adoption on May 25th, 2018, its real-world implications are still not fully understood. An often mentioned aspect is Internet browser cookies, used for authentication and session management but also for user tracking and advertisement targeting.

In this paper, we assess the impact of the GDPR on browser cookies in the wild in a threefold way. First, we investigate whether there are differences in cookie setting when accessing Internet services from different jurisdictions. Therefore, we collected cookies from the Alexa Top 100,000 websites and compared their cookie behavior from different vantage points. Second, we assess whether cookie setting behavior has changed over time by comparing today’s results with a data set from 2016. Finally, we discuss challenges caused by these new cookie setting policies for Internet measurement studies and propose ways to overcome them.

Keywords

GDPR Cookies Privacy 

Notes

Acknowledgments

This research was funded by the Christian Doppler Laboratory for Security and Quality Improvement in the Production System Lifecycle (CDL-SQI), Institute of Information Systems Engineering, TU Wien and the Josef Ressel Centers project TARGET. The competence center SBA Research (SBA-K1) is funded within the framework of COMET Competence Centers for Excellent Technologies by BMVIT, BMDW, and the federal state of Vienna.

References

  1. 1.
  2. 2.
    Barth, A.: HTTP state management mechanism. RFC 6265 (Proposed Standard), April 2011.  https://doi.org/10.17487/RFC6265. https://www.rfc-editor.org/rfc/rfc6265.txt
  3. 3.
    Cahn, A., Alfeld, S., Barford, P., Muthukrishnan, S.: An empirical study of web cookies. In: Proceedings of the 25th International Conference on World Wide Web, WWW 2016, pp. 891–901. International World Wide Web Conferences Steering Committee, Republic and Canton of Geneva, Switzerland (2016).  https://doi.org/10.1145/2872427.2882991
  4. 4.
    Cisco: Cisco umbrella 1 million, December 2016. http://s3-us-west-1.amazonaws.com/umbrella-static/index.html
  5. 5.
    Dabrowski, A., Merzdovnik, G., Kommenda, N., Weippl, E.: Browser history stealing with captive Wi-Fi portals. In: 2016 IEEE Security and Privacy Workshops (SPW), pp. 234–240, May 2016.  https://doi.org/10.1109/SPW.2016.42
  6. 6.
    Degeling, M., Utz, C., Lentzsch, C., Hosseini, H., Schaub, F., Holz, T.: We value your privacy... now take some cookies: measuring the GDPR’s impact on web privacy. In: Network and Distributed System Security Symposium (NDSS) (2019)Google Scholar
  7. 7.
    Englehardt, S., Narayanan, A.: Online tracking: A 1-million-site measurement and analysis. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS 2016, pp. 1388–1401. ACM, New York (2016).  https://doi.org/10.1145/2976749.2978313
  8. 8.
    Englehardt, S., et al.: Cookies that give you away: the surveillance implications of web tracking. In: Proceedings of the 24th International Conference on World Wide Web, WWW 2015, pp. 289–299. International World Wide Web Conferences Steering Committee, Republic and Canton of Geneva, Switzerland (2015).  https://doi.org/10.1145/2736277.2741679
  9. 9.
    European Commission: Adequacy of the protection of personal data in non-EU countries (2018). https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en
  10. 10.
  11. 11.
    European Commission: Data transfers outside the EU (2018). https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu_en
  12. 12.
    Fielding, R., Reschke, J.: Hypertext transfer protocol (HTTP/1.1): message syntax and routing. RFC 7230 (Proposed Standard), June 2014.  https://doi.org/10.17487/RFC7230. https://www.rfc-editor.org/rfc/rfc7230.txt
  13. 13.
    General Data Protection Regulation Shield: Gdpr shield (2018). https://gdprshield.co.uk
  14. 14.
    Gonzalez, R., et al.: The cookie recipe: untangling the use of cookies in the wild. In: 2017 Network Traffic Measurement and Analysis Conference (TMA), pp. 1–9, June 2017Google Scholar
  15. 15.
    Hannak, A., Soeller, G., Lazer, D., Mislove, A., Wilson, C.: Measuring price discrimination and steering on e-commerce web sites. In: Proceedings of the 2014 Conference on Internet Measurement Conference, IMC 2014, pp. 305–318. ACM, New York (2014).  https://doi.org/10.1145/2663716.2663744
  16. 16.
    Hern, A., Belam, M.: LA times among US-based news sites blocking EU users due to GDPR (2018). https://www.theguardian.com/technology/2018/may/25/gdpr-us-based-news-websites-eu-internet-users-la-times
  17. 17.
    Iordanou, C., Smaragdakis, G., Poese, I., Laoutaris, N.: Tracing cross border web tracking. In: Proceedings of ACM IMC 2018, Boston, MA, October 2018Google Scholar
  18. 18.
    Kulyk, O., Hilt, A., Gerber, N., Volkamer, M.: “This website uses cookies”: users’ perceptions and reactions to the cookie disclaimer. In: European Workshop on Usable Security (EuroUSEC) (2018)Google Scholar
  19. 19.
    Lerner, A., Simpson, A.K., Kohno, T., Roesner, F.: Internet jones and the raiders of the lost trackers: an archaeological study of web tracking from 1996 to 2016. In: 25th USENIX Security Symposium (USENIX Security 16). USENIX Association, Austin, TX (2016). https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/lerner
  20. 20.
    Linden, T., Harkous, H., Fawaz, K.: The privacy policy landscape after the GDPR (2018). http://arxiv.org/abs/1809.08396
  21. 21.
    Merzdovnik, G., et al.: Block me if you can: a large-scale study of tracker-blocking tools. In: 2017 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 319–333. IEEE (2017)Google Scholar
  22. 22.
    Plonka, D., Berger, A.W.: kIP: a measured approach to IPv6 address anonymization (2017). http://arxiv.org/abs/1707.03900
  23. 23.
    Pochat, V.L., van Goethem, T., Joosen, W.: Rigging research results by manipulating top websites rankings (2018). https://arxiv.org/abs/1806.01156v1
  24. 24.
    Scheitle, Q., et al.: A long way to the top: significance, structure, and stability of internet top lists. In: Proceedings of the Internet Measurement Conference 2018, IMC 2018, pp. 478–493. ACM, New York (2018).  https://doi.org/10.1145/3278532.3278574
  25. 25.
    Sivakorn, S., Polakis, I., Keromytis, A.D.: The cracked cookie jar: HTTP cookie hijacking and the exposure of private information. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 724–742, May 2016Google Scholar
  26. 26.
    Tiku, N.: Europe’s new privacy law will change the web, and more (2018). https://www.wired.com/story/europes-new-privacy-law-will-change-the-web-and-more/
  27. 27.
    Trammell, B., Kühlewind, M.: Revisiting the privacy implications of two-way internet latency data. In: Beverly, R., Smaragdakis, G., Feldmann, A. (eds.) PAM 2018. LNCS, vol. 10771, pp. 73–84. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-76481-8_6CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.SBA ResearchViennaAustria
  2. 2.Christian Doppler Laboratory for Security and Quality Improvement in the Production System Lifecycle, Institute of Information Systems EngineeringTU WienViennaAustria

Personalised recommendations