In-Depth Evaluation of Redirect Tracking and Link Usage

Abstract In today’s web, information gathering on users’ online behavior takes a major role. Advertisers use different tracking techniques that invade users’ privacy by collecting data on their browsing activities and interests. To preventing this threat, various privacy tools are available that try to block third-party elements. However, there exist various tracking techniques that are not covered by those tools, such as redirect link tracking. Here, tracking is hidden in ordinary website links pointing to further content. By clicking those links, or by automatic URL redirects, the user is being redirected through a chain of potential tracking servers not visible to the user. In this scenario, the tracker collects valuable data about the content, topic, or user interests of the website. Additionally, the tracker sets not only thirdparty but also first-party tracking cookies which are far more difficult to block by browser settings and ad-block tools. Since the user is forced to follow the redirect, tracking is inevitable and a chain of (redirect) tracking servers gain more insights in the users’ behavior. In this work we present the first large scale study on the threat of redirect link tracking. By crawling the Alexa top 50k websites and following up to 34 page links, we recorded traces of HTTP requests from 1.2 million individual visits of websites as well as analyzed 108,435 redirect chains originating from links clicked on those websites. We evaluate the derived redirect network on its tracking ability and demonstrate that top trackers are able to identify the user on the most visited websites. We also show that 11.6% of the scanned websites use one of the top 100 redirectors which are able to store nonblocked first-party tracking cookies on users’ machines even when third-party cookies are disabled. Moreover, we present the effect of various browser cookie settings, resulting in a privacy loss even when using third-party blocking tools.

[1]  Dan Boneh,et al.  Protecting browser state from web privacy attacks , 2006, WWW '06.

[2]  Josep M. Pujol,et al.  WhoTracks.Me: Monitoring the online tracking landscape at scale , 2018, ArXiv.

[3]  Wei Meng,et al.  Understanding Malvertising Through Ad-Injecting Browser Extensions , 2015, WWW.

[4]  Zhiyun Qian,et al.  Detecting Anti Ad-blockers in the Wild , 2017, Proc. Priv. Enhancing Technol..

[5]  Claude Castelluccia,et al.  Betrayed by Your Ads! - Reconstructing User Profiles from Targeted Ads , 2012, Privacy Enhancing Technologies.

[6]  Paul F. Syverson,et al.  HSTS Supports Targeted Surveillance , 2018, FOCI @ USENIX Security Symposium.

[7]  Markus Jakobsson,et al.  Badvertisements: Stealthy Click-Fraud with Unwitting Accessories , 2006, J. Digit. Forensic Pract..

[8]  Kumar Chellapilla,et al.  A taxonomy of JavaScript redirection spam , 2007, AIRWeb '07.

[9]  Cristiana Santos,et al.  Do Cookie Banners Respect my Choice? : Measuring Legal Compliance of Banners from IAB Europe’s Transparency and Consent Framework , 2020, 2020 IEEE Symposium on Security and Privacy (SP).

[10]  Charles Duhigg,et al.  How Companies Learn Your Secrets , 2012 .

[11]  Arnaud Legout,et al.  Missed by Filter Lists: Detecting Unknown Third-Party Trackers with Invisible Pixels , 2020, Proc. Priv. Enhancing Technol..

[12]  Hovav Shacham,et al.  Pixel Perfect : Fingerprinting Canvas in HTML 5 , 2012 .

[13]  Wouter Joosen,et al.  Cookieless Monster: Exploring the Ecosystem of Web-Based Device Fingerprinting , 2013, 2013 IEEE Symposium on Security and Privacy.

[14]  A. Gunawardana,et al.  Aggregators and Contextual Effects in Search Ad Markets , 2008 .

[15]  E. Weippl,et al.  Fast and Reliable Browser Identification with JavaScript Engine Fingerprinting , 2013 .

[16]  Weider D. Yu,et al.  A phishing vulnerability analysis of web based systems , 2008, 2008 IEEE Symposium on Computers and Communications.

[17]  Sándor Imre,et al.  User Tracking on the Web via Cross-Browser Fingerprinting , 2011, NordSec.

[18]  Vitaly Shmatikov,et al.  How To Break Anonymity of the Netflix Prize Dataset , 2006, ArXiv.

[19]  Wenke Lee,et al.  ARROW: GenerAting SignatuRes to Detect DRive-By DOWnloads , 2011, WWW.

[20]  Mohsen Imani,et al.  Deep Fingerprinting: Undermining Website Fingerprinting Defenses with Deep Learning , 2018, CCS.

[21]  Aaron Alva,et al.  Cross-Device Tracking: Measurement and Disclosures , 2017, Proc. Priv. Enhancing Technol..

[22]  P. S. Thilagam,et al.  Protection of Web User ’ s Privacy by Securing Browser from Web Privacy Attacks , 2011 .

[23]  Martin Stopczynski,et al.  Reducing User Tracking through Automatic Web Site State Isolations , 2014, ISC.

[24]  Jian-Tao Sun,et al.  Multi-domain active learning for text classification , 2012, KDD.

[25]  Christo Wilson,et al.  Diffusion of User Tracking Data in the Online Advertising Ecosystem , 2018, Proc. Priv. Enhancing Technol..

[26]  Suku Nair,et al.  Circumventing security toolbars and phishing filters via rogue wireless access points , 2010, Wirel. Commun. Mob. Comput..

[27]  Paul Ohm Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization , 2009 .

[28]  Michalis Faloutsos,et al.  TrackAdvisor: Taking Back Browsing Privacy from Third-Party Trackers , 2015, PAM.

[29]  Christopher Krügel,et al.  Detection and analysis of drive-by-download attacks and malicious JavaScript code , 2010, WWW '10.

[30]  Joel Waldfogel,et al.  The effect of ad blocking on website traffic and quality , 2018 .

[31]  Peter Eckersley,et al.  How Unique Is Your Web Browser? , 2010, Privacy Enhancing Technologies.

[32]  Konstantina Papagiannaki,et al.  Like a Pack of Wolves: Community Structure of Web Trackers , 2016, PAM.

[33]  Balachander Krishnamurthy,et al.  Towards Seamless Tracking-Free Web: Improved Detection of Trackers via One-class Learning , 2016, Proc. Priv. Enhancing Technol..

[34]  Natasa Milic-Frayling,et al.  Network Analysis of Third Party Tracking: User Exposure to Tracking Cookies through Search , 2013, 2013 IEEE/WIC/ACM International Joint Conferences on Web Intelligence (WI) and Intelligent Agent Technologies (IAT).

[35]  Julia Angwin,et al.  Sites Feed Personal Details to New Tracking Industry , 2010 .

[36]  Shuai Li,et al.  Measuring Information Leakage in Website Fingerprinting Attacks and Defenses , 2017, CCS.

[37]  Edgar R. Weippl,et al.  Block Me If You Can: A Large-Scale Study of Tracker-Blocking Tools , 2017, 2017 IEEE European Symposium on Security and Privacy (EuroS&P).

[38]  Arvind Narayanan,et al.  Characterizing the Use of Browser-Based Blocking Extensions To Prevent Online Tracking , 2018, SOUPS @ USENIX Security Symposium.

[39]  Wouter Joosen,et al.  Crying wolf? On the price discrimination of online airline tickets , 2014, PETS 2014.

[40]  Mark E. J. Newman,et al.  Power-Law Distributions in Empirical Data , 2007, SIAM Rev..

[41]  Balachander Krishnamurthy,et al.  WWW 2009 MADRID! Track: Security and Privacy / Session: Web Privacy Privacy Diffusion on the Web: A Longitudinal Perspective , 2022 .

[42]  Arvind Narayanan,et al.  The Web Never Forgets: Persistent Tracking Mechanisms in the Wild , 2014, CCS.

[43]  Zhenkai Liang,et al.  Tracking the Trackers: Fast and Scalable Dynamic Analysis of Web Content for Privacy Violations , 2012, ACNS.

[44]  Arvind Narayanan,et al.  De-anonymizing Web Browsing Data with Social Networks , 2017, WWW.

[45]  John C. Mitchell,et al.  Third-Party Web Tracking: Policy and Technology , 2012, 2012 IEEE Symposium on Security and Privacy.

[46]  Edward W. Felten,et al.  Cookies That Give You Away: The Surveillance Implications of Web Tracking , 2015, WWW.

[47]  Zhiyun Qian,et al.  The ad wars: retrospective measurement and analysis of anti-adblock filter lists , 2017, Internet Measurement Conference.

[48]  Jérôme Kunegis,et al.  On the Ubiquity of Web Tracking: Insights from a Billion-Page Web Crawl , 2016, J. Web Sci..

[49]  Jean-Loup Guillaume,et al.  Fast unfolding of communities in large networks , 2008, 0803.0476.

[50]  Stefan Katzenbeisser,et al.  Disguised Chromium Browser: Robust Browser, Flash and Canvas Fingerprinting Protection , 2016, WPES@CCS.

[51]  Krishna Bhargrava,et al.  A Study of URL Redirection Indicating Spam , 2009 .

[52]  Emiliano De Cristofaro,et al.  Adblocking and Counter Blocking: A Slice of the Arms Race , 2016, FOCI.

[53]  David Wetherall,et al.  Detecting and Defending Against Third-Party Tracking on the Web , 2012, NSDI.

[54]  Niels Provos,et al.  All Your iFRAMEs Point to Us , 2008, USENIX Security Symposium.

[55]  Arvind Narayanan,et al.  Online Tracking: A 1-million-site Measurement and Analysis , 2016, CCS.

[56]  Siyuan Liu,et al.  Towards a New Understanding of Advice Interference , 2010, 2010 Fourth International Conference on Secure Software Integration and Reliability Improvement.

[57]  Frank Piessens,et al.  FPDetective: dusting the web for fingerprinters , 2013, CCS.

[58]  Romain Rouvoy,et al.  FP-STALKER: Tracking Browser Fingerprint Evolutions , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[59]  Vijay Erramilli,et al.  Detecting price and search discrimination on the internet , 2012, HotNets-XI.

[60]  Chris Jay Hoofnagle,et al.  Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning , 2011 .

[61]  Richard J. Enbody,et al.  Malvertising – exploiting web advertising , 2011 .

[62]  Massimo Barbaro,et al.  A Face Is Exposed for AOL Searcher No , 2006 .

[63]  Chuanxiong Guo,et al.  Online Detection and Prevention of Phishing Attacks , 2006, 2006 First International Conference on Communications and Networking in China.

[64]  Wouter Joosen,et al.  Who Left Open the Cookie Jar? A Comprehensive Evaluation of Third-Party Cookie Policies , 2018, USENIX Security Symposium.

[65]  Craig E. Wills,et al.  What Ad Blockers Are (and Are Not) Doing , 2016, 2016 Fourth IEEE Workshop on Hot Topics in Web Systems and Technologies (HotWeb).

[66]  Yang Wang,et al.  Why Johnny can't opt out: a usability evaluation of tools to limit online behavioral advertising , 2012, CHI.

[67]  Venkata Rama Kiran Garimella,et al.  Ad-blocking: A Study on Performance, Privacy and Counter-measures , 2017, WebSci.

[68]  Paul Barford,et al.  Ad Blockers: Global Prevalence and Impact , 2016, Internet Measurement Conference.