Can I Opt Out Yet?: GDPR and the Global Illusion of Cookie Control

The European Union's (EU) General Data Protection Regulation (GDPR), in effect since May 2018, enforces strict limitations on the handling of users' personal data, and therefore on how their activity is tracked on the Web. In this study, we evaluate the tracking performed by 2,000 high-traffic websites, hosted both inside and outside the EU. We evaluate both the information presented to users and the actual tracking implemented through cookies. We find that the GDPR has impacted website behavior in a truly global way, both directly and indirectly: USA-based websites behave similarly to EU-based ones, while third-party opt-out services reduce the amount of tracking even for websites that put no effort into respecting the new law. On the other hand, we find that tracking remains ubiquitous. In particular, we found cookies that can identify users when visiting more than 90% of the websites in our dataset, and we also encountered a large number of websites that present deceiving information, making it very difficult, if at all possible, for users to avoid being tracked.
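The abstract states that the study evaluates "the actual tracking implemented through cookies" and finds cookies that can identify users. As an added illustration (not code from the paper, whose criteria for an "identifying" cookie are not given on this page), the following Python classifies constructed `Set-Cookie` headers as potential persistent identifiers using two assumed heuristics: a lifetime of at least 30 days and at least 32 bits of value entropy, and it records whether each such cookie is set from a third-party host. The thresholds, the helper names and the sample headers are all assumptions made for this example.

```python
"""Flag cookies that look like persistent user identifiers.

Added example (not from the paper). Heuristics and samples are assumptions:
a cookie is a potential identifier if it persists >= 30 days AND its value
carries >= 32 bits of Shannon entropy. Session cookies (no Expires/Max-Age)
are never flagged, since they vanish when the browser closes.
"""
import math
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional, Tuple

MIN_LIFETIME = timedelta(days=30)   # assumed persistence threshold
MIN_ENTROPY_BITS = 32.0             # assumed "can single out a user" threshold


@dataclass
class Cookie:
    name: str
    value: str
    host: str                      # Domain attribute, else the responding host
    expires: Optional[datetime]    # None => session cookie


def value_entropy_bits(value: str) -> float:
    """Total Shannon entropy of the value: per-character entropy times length."""
    if not value:
        return 0.0
    n = len(value)
    counts = Counter(value)
    per_char = -sum(c / n * math.log2(c / n) for c in counts.values())
    return per_char * n


def parse_set_cookie(header: str, response_host: str, now: datetime) -> Cookie:
    """Minimal Set-Cookie parser: name=value plus Domain/Expires/Max-Age."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    host = response_host.lower()
    expires: Optional[datetime] = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "domain" and val:
            host = val.lstrip(".").lower()
        elif key == "max-age" and val.lstrip("-").isdigit():
            expires = now + timedelta(seconds=int(val))   # Max-Age wins per RFC 6265
        elif key == "expires" and expires is None:
            try:
                expires = parsedate_to_datetime(val)
            except (TypeError, ValueError):
                expires = None   # unparseable date: treat as session cookie
    return Cookie(name=name.strip(), value=value.strip(), host=host, expires=expires)


def is_third_party(host: str, first_party: str) -> bool:
    """Assumes first_party is already the registrable domain of the visited site."""
    return not (host == first_party or host.endswith("." + first_party))


def is_potential_identifier(cookie: Cookie, now: datetime) -> bool:
    if cookie.expires is None:
        return False
    lifetime = cookie.expires - now
    return lifetime >= MIN_LIFETIME and value_entropy_bits(cookie.value) >= MIN_ENTROPY_BITS


def find_identifying_cookies(records: List[Tuple[str, str]], first_party: str,
                             now: datetime) -> List[Tuple[str, bool]]:
    """Return (cookie name, set by third party?) for every flagged cookie."""
    flagged = []
    for response_host, header in records:
        cookie = parse_set_cookie(header, response_host, now)
        if is_potential_identifier(cookie, now):
            flagged.append((cookie.name, is_third_party(cookie.host, first_party)))
    return flagged


# Constructed sample: (host that sent the response, raw Set-Cookie header).
FIRST_PARTY = "example.test"
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    ("example.test", "sid=9f86d081884c7d659a2feaa0c55ad015; Path=/; "
                     "Expires=Wed, 01 Jan 2031 00:00:00 GMT"),      # long-lived, random
    ("example.test", "lang=en; Path=/; Max-Age=31536000"),          # long-lived, low entropy
    ("cdn.ads-tracker.test", "_uid=a3f9c2e7b1d04c8e; Domain=.ads-tracker.test; "
                             "Max-Age=63072000"),                   # third-party identifier
    ("example.test", "csrftoken=Zk9sQ1pXb2JmZG1qb3Bq; Path=/"),     # random but session-only
]

if __name__ == "__main__":
    for name, third_party in find_identifying_cookies(SAMPLE_RECORDS, FIRST_PARTY, NOW):
        print(f"{name}: potential identifier, third-party={third_party}")
```

Only `sid` and `_uid` are flagged: `lang` is long-lived but carries almost no entropy, and `csrftoken` is random but expires with the session. In a measurement like the one the abstract describes, the same classification would be run over the cookies observed before and after interacting with a site's consent banner, so that a cookie still present after opting out stands out.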
