Cookie Blocking and Privacy: First Parties Remain a Risk
German Gomez, Florida International University
Chris Hoofnagle, JD, UC Berkeley
Mario Garcia, PhD, Texas A&M University-Corpus Christi
This work was supported by the TRUST Center (NSF award number CCF-0424422)
Figure 1. Method Flowchart
Chart 1. General Analysis Top Web Browsers
CONCLUSION
In fact, 33% of the sites that issued the most cookies in our visit to the top 100 with cookies unblocked were actually from different domains. These cookies were still set when we blocked third-party cookies. Thus, users who wish to avoid web tracking through cookies must also block some first-party cookies.
INTRODUCTION
The HTTP cookie was created to store textual information that a web application can use to identify clients and maintain state. A cookie is a small text file stored on a user's computer. Cookies are employed for a variety of reasons, including enhancing the user's online experience by helping sites recognize users when they return.
Cookies can also be used to track users on the internet. Our colleagues found in 2009 that over 70% of a large sample of websites contained tracking cookies for Google Analytics.
RESEARCH GOAL
Traditionally, advertising networks tracked consumers using third-party cookies. In recent years, some internet browsers have given users better tools to block these cookies, and two block them by default. We are investigating whether blocking third-party cookies is effective in avoiding tracking by third parties.
METHODS
We built this project on two foundations: the top five web browsers on the market and the top 100 websites, ranked according to Quantcast in July 2010. We used each browser to visit those websites.
We focused on two browser scenarios: first, we visited the top 100 websites with the default cookie settings in the browser. Firefox, Chrome, and Opera accept all cookies by default, while Safari blocks third party cookies, and Internet Explorer blocks third party cookies on sites lacking a compact privacy policy. Second, we took a standard privacy intervention: we blocked third party cookies in the browsers and then visited the same sites.
A top-level flowchart (Figure 1) outlines the entire procedure.
RESULTS
[Chart 1 (bar chart; values not recoverable): total number of cookies, total unique cookie names, and total unique cookie domains for Safari, Firefox, Chrome, IE, and Opera*; vertical axis from 0 to 1100.]
Chart 2. Data Analysis from Safari 5.
[Chart 2 panels (values not recoverable): Cookie Name Analysis Top 15 and Cookie Domain Analysis Top 15; series: Cookies unblocked and Third-party cookies blocked; legend: Google Analytics cookies.]
Cookies unblocked Total = 986
Third-party cookies blocked Total = 586
[Figure 1 flowchart nodes: Quantcast Top 100 URL list; Cookies Script; data.csv]
ACKNOWLEDGEMENTS
I would like to thank Dr. Kristen Gates, the TRUST REU program, my research partner Julian Yalaju, and my mentors Chris Hoofnagle and Mario Garcia. This work was supported in part by TRUST (Team for Research in Ubiquitous Secure Technology), which receives support from the National Science Foundation (NSF award number CCF-0424422).
__utma = 40; __utmb = 40; __utmz = 40; __qca = 38; TRUE = 19; s_vi = 19; s_pers = 10; rsi_segs = 9; __qseg = 7; WT_FPC = 6; ACOOKIE = 5; mbox = 5; NGUserID = 4; s_nr = 4; v1st = 4; other = 586
__qca = 40; __utma = 39; __utmb = 39; __utmz = 39; s_vi = 25; TRUE = 23; s_pers = 10; rsi_segs = 9; uid = 8; ACOOKIE = 7; __qseg = 7; GUID = 6; OAX = 6; WT_FPC = 6; akmbldtct = 6; other = 716
FUTURE WORK
Policymakers and web browser developers should take a closer look at resolving third-party tracking. Advances in technology have only led to ways around the idea that blocking third-party cookies will be enough. Engineers, on the other hand, have developed a fingerprinting technique that uses cookies as a subset tool to track individuals. Research should concentrate on providing users, developers, and advertisers a safe Internet experience where privacy comes first, developers have the tools to keep innovating, and advertising helps the economy without coming at the expense of others' privacy.
I: Cookies unblocked; II: Third-party cookies blocked
Blocking third-party cookies reduces the number of cookies in the browser by 40% on average, as seen in Chart 1. The same chart shows a 2:1 relationship between the number of unique cookie names and the number of unique cookie domains. However, despite blocking third-party cookies, we find that tracking cookies are still present in the form of first-party cookies. The results in Chart 2 give a detailed view from Apple's Safari 5.0 web browser. In our domain analysis we found, in some cases, double the number of cookies set on the browser versus the top 100 websites. Among the top cookie names we found strings such as __utm*, __qca and s_vi, which belong to companies like Google, Quantcast and Omniture. Despite the 40% cookie reduction when third-party cookies are blocked, tracking cookies make up more than 25% on average of the total number of cookies in this test.
Legend: Quantcast cookies; Omniture cookies
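The following Python sketch is an added example, not the study's own script: it replays the analysis described in the results on a constructed cookie log, dropping third-party cookies and counting how many cookies with the vendor names cited above (`__utm*`, `__qca`, `s_vi`) remain as first-party cookies. The CSV column layout, the sample rows, and the two-label `base_domain` heuristic are assumptions.

```python
import csv
import io
from collections import Counter

# Cookie-name prefixes the poster attributes to analytics vendors.
TRACKER_PREFIXES = {"__utm": "Google Analytics", "__qca": "Quantcast", "s_vi": "Omniture"}

# Constructed sample rows (not the study's data): visited site, cookie domain, cookie name.
SAMPLE_CSV = """site,cookie_domain,cookie_name
news.example,.news.example,__utma
news.example,.news.example,__utmz
news.example,.news.example,session_id
news.example,.adnet.example,uid
shop.example,.shop.example,__qca
shop.example,www.shop.example,s_vi
shop.example,.shop.example,cart
shop.example,.adnet.example,uid
shop.example,.metrics.example,__qca
"""

def base_domain(host):
    """Naive registrable domain: last two labels (assumption; real data needs the Public Suffix List)."""
    return ".".join(host.strip(".").lower().split(".")[-2:])

def is_first_party(row):
    """A cookie is first-party when its domain shares the visited site's base domain."""
    return base_domain(row["cookie_domain"]) == base_domain(row["site"])

def tracker_owner(name):
    """Return the vendor for a known tracking-cookie name, or None."""
    for prefix, owner in TRACKER_PREFIXES.items():
        if name.startswith(prefix):
            return owner
    return None

def analyze(csv_text, block_third_party):
    """Count cookies and tracking cookies, optionally simulating third-party blocking."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    if block_third_party:
        rows = [r for r in rows if is_first_party(r)]
    owners = Counter(o for r in rows if (o := tracker_owner(r["cookie_name"])))
    tracking = sum(owners.values())
    share = round(tracking / len(rows), 2) if rows else 0.0
    return {"total": len(rows), "tracking": tracking, "share": share, "by_owner": dict(owners)}

if __name__ == "__main__":
    for label, blocked in (("cookies unblocked", False), ("third-party cookies blocked", True)):
        print(label, analyze(SAMPLE_CSV, blocked))
```

On the constructed rows, blocking removes the ad-network cookies but leaves every analytics cookie that the visited site set under its own domain, so the tracking share of what remains goes up rather than down.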