Document type :
Conference paper with proceedings
Permalink :
Title :
The Devil is in the Details: Detection, Measurement and Lawfulness of Server-Side Tracking on the Web
Author(s) :
Fouad, Imane [Author]
Centre de Recherche en Informatique, Signal et Automatique de Lille - UMR 9189 [CRIStAL]
Self-adaptation for distributed services and large software systems [SPIRALS]
Santos, Cristiana [Author]
Universiteit Utrecht / Utrecht University [Utrecht]
Laperdrix, Pierre [Author]
Centre de Recherche en Informatique, Signal et Automatique de Lille - UMR 9189 [CRIStAL]
Self-adaptation for distributed services and large software systems [SPIRALS]
Conference title :
24th Privacy Enhancing Technologies Symposium (PETS 2024)
City :
Bristol
Country :
United Kingdom
Start date of the conference :
2024-07-15
Book title :
Privacy Enhancing Technologies
English keyword(s) :
Server-side tracking
CNAME tracking
GDPR
ePD
HAL domain(s) :
Informatique [cs]/Web
English abstract : [en]
As online privacy is cementing itself as one of the core pillars of the Internet, major changes are happening across many industries. On the technological side, users are pushing for more privacy-preserving technologies and rely on browsers and extensions that limit online tracking as much as possible. On the legal front, regulations like GDPR and the ePrivacy Directive in Europe have forced companies to change their practices and be more transparent about how they handle user data. For the ad industry, the end of third-party cookies planned for 2025 is having severe ramifications as the main source of data on which this industry is built will be gone. In this tumultuous context, companies have come up with innovative ways to overcome current and future restrictions. A novel technique which has not received much attention, called Server-side tracking (SST), moves its tracking logic away from the user’s device onto an external server. In this work, our aim is to detect SST on the web and understand its lawfulness with respect to current legislation. We developed a methodology that relies on crawls spaced 2 years apart performed before and after the introduction of SST to identify trackers that moved behind SST domains and that are now hidden from view. Our results show that 389, out of 7,367 visited websites, track users behind a cloaked domain and that 28 websites perform Server-side tracking in a first-party capacity. We demonstrate that such a tracking technique can overcome the Same-Origin Policy and introduce security vulnerabilities. Together with a legal scholar, we also show that SST entails non-compliant practices and infringes the GDPR and the ePrivacy Directive.
Language :
English
Peer reviewed article :
Yes
Audience :
International
Popular science :
No
ANR Project :
Collections :
Source :
Submission date :
2024-06-20T02:02:33Z
Files
- document
- Open access
- server_side_tracking-PETS24.pdf
- Open access