research-article

Tracking the Evolution of Cookie-based Tracking on Facebook

Authors:

Gertjan Franken,

Victor Le Pochat,

Wouter Joosen, and

Lieven DesmetAuthors Info & Claims

WPES'22: Proceedings of the 21st Workshop on Privacy in the Electronic Society

November 2022

Pages 181 - 196

https://doi.org/10.1145/3559613.3563200

Published: 07 November 2022 Publication History

Abstract

We analyze in depth and longitudinally how Facebook's cookie-based tracking behavior and its communication about tracking have evolved from 2015 to 2022. More stringent (enforcement of) regulation appears to have been effective at causing a reduction in identifier cookies for non-users and a more prominent cookie banner. However, several technical measures to reduce Facebook's tracking potential are not implemented, communication through the cookie banner and cookie policies remains incomplete and may be deceptive, and opt-out mechanisms seem to have no effect.

References

[1]

2015. Aanbeveling 4/2015. Commissie voor de bescherming van de persoonlijke levenssfeer, (May 13, 2015). https://www.gegevensbeschermingsautoriteit .be/publications/aanbeveling-nr.-04--2015.pdf.

[2]

2017. Aanbeveling 3/2017. Commissie voor de bescherming van de persoonlijke levenssfeer, (Apr. 12, 2017). https://www.gegevensbeschermingsautoriteit .be/publications/aanbeveling-nr.-03--2017.pdf.

[3]

2021. About updates to our cookies consent prompt and privacy controls in Europe. Meta Business Help Center. https://www.facebook.com/business/hel p/348535683460989.

[4]

Gunes Acar, Christian Eubank, Steven Englehardt, Marc Juarez, Arvind Narayanan, and Claudia Diaz. 2014. The Web Never Forgets: Persistent Tracking Mechanisms in the Wild. In ACM SIGSAC Conference on Computer and Communications Security (CCS '14), 674--689.

Digital Library

[5]

Güne" Acar, Brendan Van Alsenoy, Frank Piessens, Claudia Diaz, and Bart Preneel. 2015. Facebook Tracking Through Social Plug-ins. Technical report prepared for the Belgian Privacy Commission. Version 1.1. COSIC, ICRI/CIR, DistriNet (KU Leuven), (June 24, 2015). https://securehomes.esat.kuleuven.be /~gacar/fb_tracking/fb_plugins.pdf.

[6]

Article 29 Working Party. 2013. Opinion 03/2013 on purpose limitation. (Apr. 2, 2013). https://ec.europa.eu/justice/article-29/documentation/opinion-recom mendation/files/2013/wp203_en.pdf.

[7]

Mika D Ayenson, Dietrich James Wambach, Ashkan Soltani, Nathan Good, and Chris Jay Hoofnagle. 2011. Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning. (July 29, 2011). SSRN: 1898390.

[8]

Victoria Baines. 2021. On Joined Up Law-making: The Privacy/Safety/Security Dynamic, and What this Means for Data Governance. (Nov. 28, 2021). SSRN: 3958982.

[9]

Paul Barford, Igor Canadi, Darja Krushevskaja, Qiang Ma, and S. Muthukrishnan. 2014. Adscape: Harvesting and Analyzing Online Display Ads. In 23rd International Conference on World Wide Web (WWW '14), 597--608.

Digital Library

[10]

Muhammad Ahmad Bashir, Umar Farooq, Maryam Shahid, Muhammad Fareed Zaffar, and Christo Wilson. 2019. Quantity vs. Quality: Evaluating User Interest Profiles Using Ad Preference Managers. In 26th Annual Network and Distributed System Security Symposium (NDSS '19). 3392.

[11]

Paschalis Bekos, Panagiotis Papadopoulos, Evangelos P. Markatos, and Nicolas Kourtellis. 2022. The Hitchhiker's Guide to Facebook Web Tracking with Invisible Pixels and Click IDs. (2022). arXiv: 2208.00710. 208.00710.

[12]

Dino Bollinger, Karel Kubicek, Carlos Cotrini, and David Basin. 2022. Automating Cookie Consent and GDPR Violation Detection. In 31st USENIX Security Symposium (USENIX Security '22). https://www.usenix.org/conferen ce/usenixsecurity22/presentation/bollinger.

[13]

Andrew Bosworth. 2016. Bringing People Better Ads. Meta. (May 26, 2016). https://about.fb.com/news/2016/05/bringing-people-better-ads/.

[14]

Tomasz Bujlow, Valentín Carela-Español, Josep Solé-Pareta, and Pere BarletRos. 2017. A Survey on Web Tracking: Mechanisms, Implications, and Defenses. Proceedings of the IEEE, 105, 8, 1476--1510. 37878.

[15]

Juan Miguel Carrascosa, Jakub Mikians, Ruben Cuevas, Vijay Erramilli, and Nikolaos Laoutaris. 2015. I Always Feel like Somebody's Watching Me: Measuring Online Behavioural Advertising. In 11th ACM Conference on Emerging Networking Experiments and Technologies (CoNEXT '15) Article 13, 13 pages.

Digital Library

[16]

Ronald P. Carver. 1983. Is Reading Rate Constant or Flexible? Reading Research Quarterly, 18, 2, 190--215.

[17]

Wolfie Christl. 2017. Corporate Surveillance in Everyday Life. How Companies Collect, Combine, Analyze, Trade, and Use Personal Data on Billions. Cracked Labs, (June 2017). https://crackedlabs.org/en/corporate-surveillance.

[18]

2017. Common Statement by the Contact Group of the Data Protection Authorities of The Netherlands, France, Spain, Hamburg and Belgium. (May 16, 2017). https://web.archive.org/web/20171109044229/https://www.cnil.fr/en /common-statement-contact-group-data-protection-authorities-netherlan ds-france-spain-hamburg-and.

[19]

2022. Cookies: closure of the injunction issued against FACEBOOK. Commission Nationale de l'Informatique et des Libertés. (July 28, 2022). https://www .cnil.fr/en/cookies-closure-injunction-issued-against-facebook.

[20]

2022. Cookies: FACEBOOK IRELAND LIMITED fined 60 million euros. Commission Nationale de l'Informatique et des Libertés. (Jan. 6, 2022). https://ww w.cnil.fr/en/cookies-facebook-ireland-limited-fined-60-million-euros.

[21]

Kovila P.L. Coopamootoo, Maryam Mehrnezhad, and Ehsan Toreini. 2022. I feel invaded, annoyed, anxious and I may protect myself": Individuals' Feelings about Online Tracking and their Protective Behaviour across Gender and Country. In 31st USENIX Security Symposium (USENIX Security '22), 287-- 304. https://www.usenix.org/conference/usenixsecurity22/presentation/coo pamootoo.

[22]

Lorrie Faith Cranor. 2022. Cookie Monster. Communications of the ACM, 65, 7, (June 2022), 30--32.

Digital Library

[23]

Nik Cubrilovic. 2011. Facebook Fixes Logout Issue, Explains Cookies. (Sept. 27, 2011). https://nikcub.me/posts/facebook-fixes-logout-issue-explains-cooki es/.

[24]

Nik Cubrilovic. 2011. Facebook Re-Enables Controversial Tracking Cookie. (Oct. 3, 2011). https://nikcub.me/posts/facebook-re-enables-controversial-tra cking-cookie.

[25]

Nik Cubrilovic. 2011. Logging out of Facebook is not enough. (Sept. 25, 2011). https://nikcub.me/posts/logging-out-of -facebook-is-not-enough.

[26]

Adrian Dabrowski, Georg Merzdovnik, Johanna Ullrich, Gerald Sendera, and Edgar Weippl. 2019. Measuring Cookies and Web Privacy in a Post-GDPR World. In 20th International Conference on Passive and Active Measurement (PAM '19), 258--270.

Digital Library

[27]

Els De Busser. 2021. Data Protection Around the World: Belgium. In Data Protection Around the World: Privacy Laws in Action. Elif Kiesow Cortez, (Ed.) T.M.C. Asser Press, 7--21. isbn: 978--94--6265--407--5. https://doi.org/10.1007/978 -94--6265--407--5_2.

[28]

Jos De Wachter and Charlotte Peeters. 2021. Advocate General Rules on the One-Stop Shop Mechanism. European Data Protection Law Review, 7, 1.

[29]

Martin Degeling, Christine Utz, Christopher Lentzsch, Henry Hosseini, Florian Schaub, and Thorsten Holz. 2019. We Value Your Privacy ... Now Take Some Cookies: Measuring the GDPR's Impact on Web Privacy. In 26th Annual Network and Distributed System Security Symposium (NDSS '19). 2/ndss.2019.23378.

[30]

Yana Dimova, Gunes Acar, Lukasz Olejnik, Wouter Joosen, and Tom Van Goethem. 2021. The CNAME of the Game: Large-scale Analysis of DNS-based Tracking Evasion. Proceedings on Privacy Enhancing Technologies, 2021, 3, (Apr. 2021), 394--412.

[31]

Yana Dimova and Victor Le Pochat. 2021. Privacy. In The 2021 Web Almanac. HTTP Archive. Chap. 11. https://almanac.httparchive.org/en/2021/privacy.

[32]

2002. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). Official Journal of the European Union, L 201, (July 31, 2002), 37--47. https://eur-lex.europa.eu/eli/reg/2002/58/oj.

[33]

1995. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Official Journal of the European Union, L 281, (Nov. 23, 1995), 31--50. https://eur-lex.europa.eu/el i/dir/1995/46/oj.

[34]

Peter Eckersley. 2010. How Unique Is Your Web Browser? In 10th International Conference on Privacy Enhancing Technologies (PETS '10), 1--18. 78--3--642--14527--8_1.

[35]

Amir Efrati. 2011. Like' Button Follows Web Users. The Wall Street Journal, (May 18, 2011). https://www.wsj.com/articles/SB1000142405274870428150457 6329441432995616.

[36]

Steven Englehardt and Arvind Narayanan. 2016. Online Tracking: A 1-MillionSite Measurement and Analysis. In 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS '16), 1388--1401. 8313.

[37]

Steven Englehardt, Dillon Reisman, Christian Eubank, Peter Zimmerman, Jonathan Mayer, Arvind Narayanan, and Edward W. Felten. 2015. Cookies That Give You Away: The Surveillance Implications of Web Tracking. In 24th International Conference on World Wide Web (WWW '15), 289--299.

Digital Library

[38]

European Court of Justice. 2019. Judgement nr. C-673/17 Bundesverband der Verbraucherzentralen und Verbraucherverbände - Verbraucherzentrale Bundesverband eV v. Planet49 GmbH, ECLI:EU:C:2019:801. (Oct. 1, 2019). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62017CJ0673.

[39]

European Data Protection Board. 2022. Dark patterns in social media platform interfaces: How to recognise and avoid them. Guidelines 3/2022. Version 1.0. (Mar. 14, 2022). https://edpb.europa.eu/our-work-tools/documents/public-co nsultations/2022/guidelines-32022-dark-patterns-social-media_en.

[40]

European Data Protection Board. 2020. Guidelines 05/2020 on consent under Regulation 2016/679. (May 4, 2020). https://edpb.europa.eu/sites/default/files /files/file1/edpb_guidelines_202005_consent_en.pdf.

[41]

European Data Protection Board. 2019. Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects. (Oct. 8, 2019). https://edpb.europa.eu/our-wo rk-tools/our-documents/guidelines/guidelines-22019-processing-personaldata-under-article-61b_en.

[42]

2021. Facebook case : the CJEU has ruled. Gegevensbeschermingsautoriteit. (June 15, 2021). https://www.dataprotectionauthority.be/citizen/facebook-cas e-the-cjeu-has-ruled

Cited By

Pan RRuiz-Martínez A(2024)Evolution of web tracking protection in ChromeJournal of Information Security and Applications10.1016/j.jisa.2023.10364379:COnline publication date: 4-Mar-2024
https://dl.acm.org/doi/10.1016/j.jisa.2023.103643
Halpin H(2023)The Hidden History of the Like Button: From Decentralized Data to Semantic EnclosureSocial Media + Society10.1177/205630512311955429:3Online publication date: 25-Aug-2023
https://doi.org/10.1177/20563051231195542

Index Terms

Tracking the Evolution of Cookie-based Tracking on Facebook
1. Security and privacy
  1. Human and societal aspects of security and privacy
  2. Software and application security
    1. Social network security and privacy

Recommendations

Cookies That Give You Away: The Surveillance Implications of Web Tracking
WWW '15: Proceedings of the 24th International Conference on World Wide Web

We study the ability of a passive eavesdropper to leverage "third-party" HTTP tracking cookies for mass surveillance. If two web pages embed the same tracker which tags the browser with a unique cookie, then the adversary can link visits to those pages ...
Read More
Web Tracking Technologies and Protection Mechanisms
CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

Billions of users browse the Web on a daily basis, leaving their digital traces on millions of websites. Every such visit, every mouse move or button click may trigger a wide variety of hidden data exchanges across multiple tracking companies. As a ...
Read More
Online Tracking: A 1-million-site Measurement and Analysis
CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security

We present the largest and most detailed measurement of online tracking conducted to date, based on a crawl of the top 1 million websites. We make 15 types of measurements on each site, including stateful (cookie-based) and stateless (fingerprinting-...
Read More

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

WPES'22: Proceedings of the 21st Workshop on Privacy in the Electronic Society

November 2022

227 pages

ISBN:9781450398732

DOI:10.1145/3559613

Program Chairs:
Yuan Hong
University of Connecticut, USA
,
Lingyu Wang
Concordia University, Canada

Copyright © 2022 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 07 November 2022

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

KU Leuven
Flemish Research Programme Cybersecurity
Fonds Wetenschappelijk Onderzoek

Conference

CCS '22

Sponsor:

SIGSAC

CCS '22: 2022 ACM SIGSAC Conference on Computer and Communications Security

November 7, 2022

CA, Los Angeles, USA

Acceptance Rates

Overall Acceptance Rate 106 of 355 submissions, 30%

Upcoming Conference

CCS '24

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 14 - 18, 2024

Salt Lake City , UT , USA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

2
Total Citations
View Citations
290
Total Downloads

Downloads (Last 12 months)134
Downloads (Last 6 weeks)13

Other Metrics

View Author Metrics

Citations

Cited By

Pan RRuiz-Martínez A(2024)Evolution of web tracking protection in ChromeJournal of Information Security and Applications10.1016/j.jisa.2023.10364379:COnline publication date: 4-Mar-2024
https://dl.acm.org/doi/10.1016/j.jisa.2023.103643
Halpin H(2023)The Hidden History of the Like Button: From Decentralized Data to Semantic EnclosureSocial Media + Society10.1177/205630512311955429:3Online publication date: 25-Aug-2023
https://doi.org/10.1177/20563051231195542

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents