DOI: 10.1145/3308558.3313542
research-article

Cookie Synchronization: Everything You Always Wanted to Know But Were Afraid to Ask

Published: 13 May 2019

Abstract

User data is the primary input of digital advertising, fueling the free Internet as we know it. As a result, web companies invest a lot in elaborate tracking mechanisms to acquire user data that they can sell to data markets and advertisers. However, with the same-origin policy and cookies as a primary identification mechanism on the web, each tracker knows the same user with a different ID. To mitigate this, Cookie Synchronization (CSync) came to the rescue, facilitating an information-sharing channel between 3rd parties that may or may not have direct access to the website the user visits. In the background, with CSync, they merge the user data they own, but also reconstruct a user's browsing history, bypassing the same-origin policy.
In this paper, we perform what is, to our knowledge, the first in-depth study of CSync in the wild, using a year-long weblog from 850 real mobile users. Through our study, we aim to understand the characteristics of the CSync protocol and the impact it has on web users' privacy. For this, we design and implement CONRAD, a holistic mechanism to detect CSync events in real time, and the privacy loss on the user side, even when the synced IDs are obfuscated. Using CONRAD, we find that 97% of the regular web users are exposed to CSync: most of them within the first week of their browsing, and the median userID gets leaked, on average, to 3.5 different domains. Finally, we see that CSync increases the number of domains that track the user by a factor of 6.75.
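
As an added illustration (not code from the paper, and not CONRAD itself), the sketch below shows one simple way to flag CSync events in a request log: an ID first seen as a cookie value for one site later appears in the URL of a request to a different site. The log entries, the ID_LIKE pattern and the two-label site() helper are constructed assumptions; only plain-text IDs are matched, so obfuscated IDs are outside its scope.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log: one user's requests as (URL, cookies sent with it).
LOG = [
    ("https://news.example/article", {}),
    ("https://px.tracker-a.example/pixel?page=news", {"uid": "a9f3c27be41d08aa"}),
    ("https://sync.tracker-b.example/match?partner=a&partner_uid=a9f3c27be41d08aa",
     {"bid": "77b1e0c4d2f95a13"}),
    # Same-site request carrying its own ID in the URL: must not be flagged.
    ("https://cdn.tracker-a.example/lib.js?u=a9f3c27be41d08aa", {"uid": "a9f3c27be41d08aa"}),
    ("https://ads.tracker-c.example/sync/77b1e0c4d2f95a13?ext=a9f3c27be41d08aa", {}),
]

ID_LIKE = re.compile(r"^[A-Za-z0-9_-]{10,}$")  # heuristic: long opaque token

def site(host):
    """Crude registrable domain (last two labels); a real tool would use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])

def url_tokens(url):
    """ID-like values carried in the query string or as path segments."""
    parts = urlsplit(url)
    values = [v for _, v in parse_qsl(parts.query)]
    values += [seg for seg in parts.path.split("/") if seg]
    return {v for v in values if ID_LIKE.match(v)}

def detect_csync(log):
    """Return (id, owning_site, receiving_site) for each cross-site ID hand-off."""
    owner = {}   # cookie ID value -> site it was first seen attached to
    events = []
    for url, cookies in log:
        dest = site(urlsplit(url).hostname)
        for tok in sorted(url_tokens(url)):
            src = owner.get(tok)
            if src and src != dest:      # ID known to one site, sent to another
                events.append((tok, src, dest))
        for value in cookies.values():
            if ID_LIKE.match(value):
                owner.setdefault(value, dest)
    return events

def leak_counts(events):
    """Number of distinct sites each ID was leaked to."""
    leaked = {}
    for tok, _, dest in events:
        leaked.setdefault(tok, set()).add(dest)
    return {tok: len(sites) for tok, sites in leaked.items()}
```

Running leak_counts(detect_csync(LOG)) on the constructed log gives the per-ID count of receiving sites, the same kind of quantity the abstract reports when it says a userID is leaked to several domains.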


Published In

WWW '19: The World Wide Web Conference
May 2019
3620 pages
ISBN:9781450366748
DOI:10.1145/3308558

In-Cooperation

  • IW3C2: International World Wide Web Conference Committee

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Cookie Synchronization
  2. Cross-domain tracking
  3. HTTP Cookies

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

WWW '19
WWW '19: The Web Conference
May 13 - 17, 2019
San Francisco, CA, USA

Acceptance Rates

Overall Acceptance Rate 1,899 of 8,196 submissions, 23%
