DOI: 10.1145/3321705.3329806

Can I Opt Out Yet?: GDPR and the Global Illusion of Cookie Control

Published: 02 July 2019

Abstract

The European Union's (EU) General Data Protection Regulation (GDPR), in effect since May 2018, enforces strict limitations on handling users' personal data, hence impacting their activity tracking on the Web. In this study, we perform an evaluation of the tracking performed in 2,000 high-traffic websites, hosted both inside and outside of the EU. We evaluate both the information presented to users and the actual tracking implemented through cookies; we find that the GDPR has impacted website behavior in a truly global way, both directly and indirectly: USA-based websites behave similarly to EU-based ones, while third-party opt-out services reduce the amount of tracking even for websites which do not put any effort in respecting the new law. On the other hand, we find that tracking remains ubiquitous. In particular, we found cookies that can identify users when visiting more than 90% of the websites in our dataset - and we also encountered a large number of websites that present deceiving information, making it very difficult, if at all possible, for users to avoid being tracked.

Published In

Asia CCS '19: Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security
July 2019
708 pages
ISBN: 9781450367523
DOI: 10.1145/3321705
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. GDPR
  2. browser cookies
  3. user privacy

Qualifiers

  • Research-article

Conference

Asia CCS '19
Acceptance Rates

Overall Acceptance Rate 418 of 2,322 submissions, 18%

Article Metrics

  • Downloads (Last 12 months): 367
  • Downloads (Last 6 weeks): 45

Reflects downloads up to 09 Nov 2024

Cited By

  • (2024) Réguler le marché par le consentement ? Les professionnels de la publicité face au Règlement général sur la protection des données (RGPD). Revue Française de Socio-Économie, n° 32:1 (153-172). DOI: 10.3917/rfse.032.0153. Online publication date: 22-May-2024
  • (2024) Combating Web Tracking: Analyzing Web Tracking Technologies for User Privacy. Future Internet, 16:10 (363). DOI: 10.3390/fi16100363. Online publication date: 5-Oct-2024
  • (2024) What is in your cookie box? Explaining ingredients of web cookies with knowledge graphs. Semantic Web, 15:5 (1593-1609). DOI: 10.3233/SW-233435. Online publication date: 9-Oct-2024
  • (2024) The Court Speaks, But Who Listens? Automated Compliance Review of the GDPR. SSRN Electronic Journal. DOI: 10.2139/ssrn.4709913. Online publication date: 2024
  • (2024) Regulating Privacy Online: An Economic Evaluation of the GDPR. American Economic Journal: Economic Policy, 16:1 (325-358). DOI: 10.1257/pol.20210309. Online publication date: 1-Feb-2024
  • (2024) A Privacy Measure Turned Upside Down? Investigating the Use of HTTP Client Hints on the Web. Proceedings of the 19th International Conference on Availability, Reliability and Security (1-12). DOI: 10.1145/3664476.3664478. Online publication date: 30-Jul-2024
  • (2024) Watching TV with the Second-Party: A First Look at Automatic Content Recognition Tracking in Smart TVs. Proceedings of the 2024 ACM on Internet Measurement Conference (622-634). DOI: 10.1145/3646547.3689013. Online publication date: 4-Nov-2024
  • (2024) CSChecker: Revisiting GDPR and CCPA Compliance of Cookie Banners on the Web. Proceedings of the IEEE/ACM 46th International Conference on Software Engineering (1-12). DOI: 10.1145/3597503.3639159. Online publication date: 20-May-2024
  • (2024) A Study of GDPR Compliance under the Transparency and Consent Framework. Proceedings of the ACM Web Conference 2024 (1227-1236). DOI: 10.1145/3589334.3645618. Online publication date: 13-May-2024
  • (2024) SoK: Technical Implementation and Human Impact of Internet Privacy Regulations. 2024 IEEE Symposium on Security and Privacy (SP) (673-696). DOI: 10.1109/SP54263.2024.00206. Online publication date: 19-May-2024
