Cited By
View all- Müller-Tribbensee T(2024)Privacy Promise Vs. Tracking Reality in Pay-or-Tracking WallsPrivacy Technologies and Policy10.1007/978-3-031-68024-3_9(168-188)Online publication date: 4-Sep-2024
Thou Shalt Not Reject: Analyzing Accept-Or-Pay Cookie Banners on the Web
Pages 154 - 161
Abstract
Privacy regulations have led to many websites showing cookie banners to their users. Usually, cookie banners present the user with the option to "accept" or "reject" cookies. Recently, a new form of paywall-like cookie banner has taken hold on the Web, giving users the option to either accept cookies (and consequently user tracking) or buy a paid subscription for a tracking-free website experience.
In this paper, we perform the first completely automated analysis of cookiewalls, i.e., cookie banners acting as a paywall. We find cookiewalls on 0.6% of all queried 45k websites. Moreover, cookiewalls are deployed to a large degree on European websites, e.g., for Germany we see cookiewalls on 8.5% of top 1k websites. Additionally, websites using cookiewalls send 6.4 times more third-party cookies and 42 times more tracking cookies to visitors, compared to regular cookie banner websites. We also uncover two large subscription Management Platforms used on hundreds of websites, which provide website operators with easy-to-setup cookiewall solutions. Finally, we publish tools, data, and code to foster reproducibility and further studies.
References
[1]
Gunes Acar, Christian Eubank, Steven Englehardt, Marc Juarez, Arvind Narayanan, and Claudia Diaz. 2014. The web never forgets: Persistent tracking mechanisms in the wild. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. 674--689.
[2]
Gunes Acar, Marc Juarez, Nick Nikiforakis, Claudia Diaz, Seda Gürses, Frank Piessens, and Bart Preneel. 2013. FPDetective: dusting the web for fingerprinters. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. 1129--1140.
[3]
Amazon. 2023. Amazon Alexa. https://www.alexa.com/. (Accessed on05/25/2023).
[4]
Paschalis Bekos, Panagiotis Papadopoulos, Evangelos P Markatos, and Nicolas Kourtellis. 2023. The Hitchhiker's Guide to Facebook Web Tracking with Invisible Pixels and Click IDs. In Proceedings of the ACM Web Conference 2023. 2132--2143.
[5]
Aaron Cahn, Scott Alfeld, Paul Barford, and Shanmugavelayutham Muthukrishnan. 2016. An empirical study of web cookies. In Proceedings of the 25th international conference on world wide web. 891--901.
[6]
Chameleon Crawler contributors. 2015. Chameleon Crawler. https://github.com/ghostwords/chameleon.
[7]
Ed Chau and Robert Hertzberg. 2018. California Consumer Privacy Act. https: //leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375.
[8]
Quan Chen, Panagiotis Ilia, Michalis Polychronakis, and Alexandros Kapravelos. 2021. Cookie swap party: Abusing first-party cookies for web tracking. In Proceedings of the Web Conference 2021. 2117--2129.
[9]
Rex Chen, Fei Fang, Thomas Norton, Aleecia M McDonald, and Norman Sadeh. 2021. Fighting the Fog: Evaluating the Clarity of Privacy Disclosures in the Age of CCPA. In Workshop on Privacy in the Electronic Society (WPES).
[10]
Chrome User Experience Report contributors. 2023. Chrome User Experience Report. https://developer.chrome.com/docs/crux/.
[11]
Common Crawl. 2023. Common Crawl. https://commoncrawl.org/.
[12]
consentmanager AB. 2023. Working with contentpass Integration. https://help. consentmanager.net/books/cmp/page/working-with-contentpass-integration.
[13]
Content Pass GmbH. 2023. contentpass website. https://www.contentpass.net/.
[14]
Fortiguard contributors. 2023. Web Filter Lookup | FortiGuard. https://www.fortiguard.com/webfilter. (Accessed on 05/25/2023).
[15]
Ninja Cookie contributors. 2023. Ninja Cookie | Opt out of non-essential cookies and automatically remove cookie popups. https://ninja-cookie.com/. (Accessed on 05/26/2023).
[16]
Cookie Banner Taskforce. 2023. Report of the work undertaken by the Cookie Banner Taskforce. https://edpb.europa.eu/system/files/2023-01/edpb_20230118_ report_cookie_banner_taskforce_en.pdf.
[17]
Adrian Dabrowski, Georg Merzdovnik, Johanna Ullrich, Gerald Sendera, and Edgar Weippl. 2019. Measuring cookies and web privacy in a post-gdpr world. In International Conference on Passive and Active Network Measurement. Springer, 258--270.
[18]
Martin Degeling, Christine Utz, Christopher Lentzsch, Henry Hosseini, Florian Schaub, and Thorsten Holz. 2019. We value your privacy... now take some cookies: Measuring the GDPR's impact on web privacy. In Network and Distributed Systems Security (NDSS) Symposium.
[19]
Nurullah Demir, Daniel Theis, Tobias Urban, and Norbert Pohlmann. 2022. Towards Understanding First-Party Cookie Tracking in the Field. arXiv preprint arXiv:2202.01498 (2022).
[20]
Zakir Durumeric, Eric Wustrow, and J Alex Halderman. 2013. ZMap: Fast Internet-wide Scanning and Its Security Applications. In 22nd USENIX Security Symposium (USENIX Security 13). 605--620.
[21]
Steven Englehardt and Arvind Narayanan. 2016. Online tracking: A 1-million-site measurement and analysis. In Proceedings of the 2016 ACM SIGSAC conference on computer and communications security. 1388--1401.
[22]
Steven Englehardt, Dillon Reisman, Christian Eubank, Peter Zimmerman, Jonathan Mayer, Arvind Narayanan, and Edward W Felten. 2015. Cookies that give you away: The surveillance implications of web tracking. In Proceedings of the 24th International Conference on World Wide Web. 289--299.
[23]
European Commission. 2023. The General Data Protection Regulation (GDPR) in EU. https://commission.europa.eu/law/law-topic/data-protection_en.
[24]
Marjan Falahrastegar, Hamed Haddadi, Steve Uhlig, and Richard Mortier. 2014. The rise of panopticons: Examining region-specific third-party web tracking. In International Workshop on Traffic Monitoring and Analysis. Springer, 104--114.
[25]
Roberto Gonzalez, Lili Jiang, Mohamed Ahmed, Miriam Marciel, Ruben Cuevas, Hassan Metwalley, and Saverio Niccolini. 2017. The cookie recipe: Untangling the use of cookies in the wild. In 2017 Network Traffic Measurement and Analysis Conference (TMA). IEEE, 1--9.
[26]
Google. 2022. CLD3 on GitHub. https://github.com/google/cld3.
[27]
Matthias Götze, Srdjan Matic, Costas Iordanou, Georgios Smaragdakis, and Nikolaos Laoutaris. 2022. Measuring Web Cookies in Governmental Websites. In 14th ACM Web Science Conference 2022. 44--54.
[28]
Colin M Gray, Cristiana Santos, Nataliia Bielova, Michael Toth, and Damian Clifford. 2021. Dark patterns and the legal requirements of consent banners: An interaction criticism perspective. In Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems. 1--18.
[29]
Maximilian Hils, Daniel W Woods, and Rainer Böhme. 2020. Measuring the emergence of consent management on the web. In Proceedings of the ACM Internet Measurement Conference. 317--332.
[30]
Costas Iordanou, Georgios Smaragdakis, Ingmar Poese, and Nikolaos Laoutaris. 2018. Tracing cross border web tracking. In Proceedings of the Internet Measurement Conference 2018. 329--342.
[31]
Nikhil Jha, Martino Trevisan, Luca Vassio, and Marco Mellia. 2022. The Internet with Privacy Policies: Measuring The Web Upon Consent. ACM Trans. Web 16, 3, Article 15 (sep 2022), 24 pages. https://doi.org/10.1145/3555352
[32]
justdomains. 2022. DOMAIN-ONLY Filter Lists. https://github.com/justdomains/blocklists.
[33]
Erin Kenneally and David Dittrich. 2012. The Menlo Report: Ethical Principles Guiding Information and Communication Technology Research. Available at SSRN 2445102 (2012).
[34]
Daniel Kladnik. 2023. I don't care about cookies. https://www.i-dont-care-about-cookies.eu/.
[35]
Michael Kretschmer, Jan Pennekamp, and Klaus Wehrle. 2021. Cookie Banners and Privacy Policies: Measuring the Impact of the GDPR on the Web. ACM Trans. Web 15, 4, Article 20 (July 2021), 42 pages. https://doi.org/10.1145/3466722
[36]
Benjamin Krumnow, Hugo Jonker, and Stefan Karsch. 2022. How gullible are web measurement tools? A case study analysing and strengthening Open-WPM's reliability. In Proc. 18th International Conference on emerging Networking EXperiments and Technologies (CoNEXT '22). ACM, New York, NY, USA, 16. https://doi.org/10.1145/3555050.3569131
[37]
Lavanya. 2023. How can we find the Xpath for Shadow Element. https://www.numpyninja.com/post/how-can-we-find-the-xpath-for-shadow-element. (Accessed on 05/26/2023).
[38]
Victor Le Pochat, Tom Van Goethem, Samaneh Tajalizadehkhoob, Maciej Korczyński, and Wouter Joosen. 2019. Tranco: A Research-Oriented Top Sites Ranking Hardened Against Manipulation. In Proceedings of the 26th Annual Network and Distributed System Security Symposium. Internet Society, 1--15.
[39]
Adam Lerner, Anna Kornfeld Simpson, Tadayoshi Kohno, and Franziska Roesner. 2016. Internet Jones and the Raiders of the Lost Trackers: An Archaeological Study of Web Tracking from 1996 to 2016. In 25th USENIX Security Symposium (USENIX Security 16). USENIX Association, Austin, TX. https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/lerner
[40]
Tai-Ching Li, Huy Hang, Michalis Faloutsos, and Petros Efstathopoulos. 2015. Trackadvisor: Taking back browsing privacy from third-party trackers. In In-ternational Conference on Passive and Active Network Measurement. Springer, 277--289.
[41]
Thomas Linden, Rishabh Khandelwal, Hamza Harkous, and Kassem Fawaz. 2020. The Privacy Policy Landscape After the GDPR. Proceedings on Privacy Enhancing Technologies 2020, 1 (2020).
[42]
Martin Brinkmann. 2023. Firefox may soon reject Cookie prompts automatically. https://www.ghacks.net/2023/04/17/firefox-may-interact-with-cookie-prompts-automatically-soon/.
[43]
Victor Morel, Cristiana Santos, Yvonne Lintao, and Soheil Human. 2022. Your Consent Is Worth 75 Euros A Year-Measurement and Lawfulness of Cookie Paywalls. In Proceedings of the 21st Workshop on Privacy in the Electronic Society. 213--218.
[44]
Mozilla. 2023. MDN: Using shadow DOM. https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_shadow_DOM.
[45]
Shaoor Munir, Sandra Siby, Umar Iqbal, Steven Englehardt, Zubair Shafiq, and Carmela Troncoso. 2023. CookieGraph: Understanding and Detecting First-Party Tracking Cookies. In ACM Conference on Computer and Communications Security (CCS) 2023.
[46]
Sean O'Connor, Ryan Nurwono, Aden Siebel, and Eleanor Birrell. 2021. (Un)clear and (In) conspicuous: The right to opt-out of sale under CCPA. In Workshop on Privacy in the Electronic Society (WPES).
[47]
Panagiotis Papadopoulos, Peter Snyder, Dimitrios Athanasakis, and Benjamin Livshits. 2020. Keeping out the masses: Understanding the popularity and implications of internet paywalls. In Proceedings of The Web Conference 2020. 1433--1444.
[48]
Craig Partridge and Mark Allman. 2016. Ethical considerations in network measurement papers. Commun. ACM 59, 10 (2016), 58--64.
[49]
Ali Rasaii. 2023. Analysis scripts and raw data for Cookiewall measurements. https://doi.org/10.17617/3.TREBZR.
[50]
Ali Rasaii. 2023. BannerClick on GitHub. https://github.com/bannerclick/bannerclick.
[51]
Ali Rasaii, Shivani Singh, Devashish Gosain, and Oliver Gasser. 2023. Exploring the Cookieverse: A Multi-Perspective Analysis of Web Cookies. In Proceedings of the 2023 Passive and Active Measurement Conference. https://doi.org/10.1007/978- 3-031-28486-1_26
[52]
Leon Revill. 2017. Open vs. Closed Shadow DOM. https://blog.revillweb.com/open-vs-closed-shadow-dom-9f3d7427d1af.
[53]
Leonard Richardson. 2007. Beautiful soup documentation. April (2007).
[54]
Kimberly Ruth, Deepak Kumar, Brandon Wang, Luke Valenta, and Zakir Durumeric. 2022. Toppling top lists: evaluating the accuracy of popular website lists. In Proceedings of the 22nd ACM Internet Measurement Conference, IMC 2022, Nice, France, October 25-27, 2022, Chadi Barakat, Cristel Pelsser, Theophilus A. Benson, and David R. Choffnes (Eds.). ACM, 374--387. https://doi.org/10.1145/3517745.3561444
[55]
Iskander Sanchez-Rola, Matteo Dell'Amico, Platon Kotzias, Davide Balzarotti, Leyla Bilge, Pierre-Antoine Vervier, and Igor Santos. 2019. Can i opt out yet? gdpr and the global illusion of cookie control. In Proceedings of the 2019 ACM Asia conference on computer and communications security. 340--351.
[56]
Cristiana Santos, Arianna Rossi, Lorena Sanchez Chamorro, Kerstin Bongard-Blanchy, and Ruba Abu-Salma. 2021. Cookie Banners, What's the Purpose? Analyzing Cookie Banner Text Through a Legal Lens. In Proceedings of the 20th Workshop on Workshop on Privacy in the Electronic Society (Virtual Event, Republic of Korea) (WPES '21). Association for Computing Machinery, New York, NY, USA, 187--194. https://doi.org/10.1145/3463676.3485611
[57]
Sebastian Schelter and Jérôme Kunegis. 2016. Tracking the trackers: A large-scale analysis of embedded web trackers. In Tenth International AAAI Conference on Web and Social Media.
[58]
Selenium. 2023. Browser automation using Selenium. https://www.selenium.dev/.
[59]
Jannick Sørensen and Sokol Kosta. 2019. Before and after gdpr: The changes in third party presence at public and private european websites. In The World Wide Web Conference. 1590--1600.
[60]
Michael Toth, Nataliia Bielova, and Vincent Roca. 2022. On dark patterns and manipulation of website publishers by CMPs. Proceedings on Privacy Enhancing Technologies 3 (2022), 478--497.
[61]
Traffective GmbH. 2023. freechoice website. https://freechoice.club/.
[62]
Martino Trevisan, Stefano Traverso, Eleonora Bassi, and Marco Mellia. 2019. 4 Years of EU Cookie Law: Results and Lessons Learned. Proc. Priv. Enhancing Technol. 2019, 2 (2019), 126--145.
[63]
uBlock Origin contributors. 2023. uBlock Origin - Free, open-source ad content blocker. https://ublockorigin.com/. (Accessed on 05/26/2023).
[64]
Christine Utz, Martin Degeling, Sascha Fahl, Florian Schaub, and Thorsten Holz. 2019. (un) informed consent: Studying gdpr consent notices in the field. In Proceedings of the 2019 acm sigsac conference on computer and communications security. 973--990.
[65]
WebTAP at Princeton University. 2023. Studies using OpenWPM. https://webtap.princeton.edu/software/.
[66]
Shoshana Zuboff. 2019. Surveillance capitalism and the challenge of collective action. In New labor forum, Vol. 28. SAGE Publications Sage CA: Los Angeles, CA, 10--29
Index Terms
- Thou Shalt Not Reject: Analyzing Accept-Or-Pay Cookie Banners on the Web
Recommendations
Cookie Banners, What's the Purpose?: Analyzing Cookie Banner Text Through a Legal Lens
WPES '21: Proceedings of the 20th Workshop on Workshop on Privacy in the Electronic SocietyA cookie banner pops up when a user visits a website for the first time, requesting consent to the use of cookies and other trackers for a variety of purposes. Unlike prior work that has focused on evaluating the user interface (UI) design of cookie ...
Browser Feature Usage on the Modern Web
IMC '16: Proceedings of the 2016 Internet Measurement ConferenceModern web browsers are incredibly complex, with millions of lines of code and over one thousand JavaScript functions and properties available to website authors. This work investigates how these browser features are used on the modern, open web. We ...
Accept All Exploits: Exploring the Security Impact of Cookie Banners
ACSAC '22: Proceedings of the 38th Annual Computer Security Applications ConferenceThe General Data Protection Regulation (GDPR) and related regulations have had a profound impact on most aspects related to privacy on the Internet. By requiring the user’s consent for e.g., tracking, an affirmative action has to take place before such ...
Comments
Please enable JavaScript to view thecomments powered by Disqus.Information & Contributors
Information
Published In
October 2023
746 pages
ISBN:9798400703829
DOI:10.1145/3618257
- General Chairs:
- Marie-José Montpetit,
- Aris Leivadeas,
- Program Chairs:
- Steve Uhlig,
- Mobin Javed
Copyright © 2023 Owner/Author.
This work is licensed under a Creative Commons Attribution International 4.0 License.
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 24 October 2023
Check for updates
Author Tags
Qualifiers
- Short-paper
Conference
IMC '23
Sponsor:
Acceptance Rates
Overall Acceptance Rate 277 of 1,083 submissions, 26%
Upcoming Conference
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- View Citations1Total Citations
- 547Total Downloads
- Downloads (Last 12 months)547
- Downloads (Last 6 weeks)56
Reflects downloads up to 02 Oct 2024
Other Metrics
Citations
Cited By
View all- Müller-Tribbensee T(2024)Privacy Promise Vs. Tracking Reality in Pay-or-Tracking WallsPrivacy Technologies and Policy10.1007/978-3-031-68024-3_9(168-188)Online publication date: 4-Sep-2024
View Options
Get Access
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in