The prevalence of cookie-free mobile devices and growing hostility to third-party cookies have marked the cookie for almost certain death. A new report will add to the chorus calling for the end of third-party cookies as an online tracking tool.
The report (cited by The Verge) from Princeton researchers details how relatively simple it is to connect browsing behavior across the internet and to real identity. The report (embedded below) is called “Cookies that give you away: Evaluating the surveillance implications of web tracking.”
The researchers undertook the study following, and in part motivated by, the NSA-Snowden revelations.
The researchers sought to determine how much could be learned and inferred about real-world identity simply by passively “eavesdropping” on the network and analyzing cookies. The study concludes that “mass surveillance” is possible from watching and matching data generated via third-party HTTP tracking cookies.
The report finds that even HTTPS doesn’t do much to impede the surveillance capability:
We conducted automated web crawls of 65 simulated users’ web browsing over three months, and found that unique cookies are so prevalent that the eavesdropper can reliably link 90% of a user’s web page visits to the same pseudonymous ID. (We omitted pages that embed no ID cookies at all, but those are a minority.)
We also found that the cookie linking method is extremely robust and succeeds under a variety of conditions (Section 4.1). We considered how variations in cookie expiration dates, the size of the user’s history (i.e., the number of pages visited), and the types of pages visited affect the eavesdropper’s chances, and found the impact to be minimal. Perhaps most significantly, however, we found that this surveillance method can still link about 50% of a user’s history to the same pseudonymous ID even with just 25% of the current density of trackers on the web. This means that even if 75% of sites or trackers adopt mitigation strategies (such as deploying HTTPS), the eavesdropper still learns a lot.
[Figure: Matching Cookies to Identify Single Users. Source: Princeton University, “Cookies that give you away” (April 2014)]
In the diagram above, the report illustrates how third-party cookies can be used to connect the dots and identify the same user even when three different IP addresses are involved in visits to different sites at different times.
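The linking step the diagram describes can be made concrete with a small simulation. The following is an added example written for this article, not code from the Princeton report; it models a passive network observer who sees only the third-party tracker cookies sent in clear text with each page load, and groups page loads that share a cookie value into one pseudonymous profile. The page-load records, IP addresses, site names and tracker domains are all constructed, and the union-find grouping is a simplification of the report’s method chosen to show the effect, not a reproduction of it. The `https_trackers` parameter models the mitigation the report discusses: trackers that move to HTTPS no longer expose their cookies to the observer.

```python
from collections import defaultdict

# Constructed sample of what a passive observer on the network would see:
# one record per page load, with the client's IP address, the first-party
# site, and the third-party tracker cookies (tracker domain -> cookie value)
# sent in clear text alongside the request. One browser, three IP addresses
# (home, work, mobile), mirroring the report's diagram. All values are made up.
OBSERVED_PAGE_LOADS = [
    {"ip": "203.0.113.10", "site": "news.example",
     "tracker_cookies": {"ads.example": "uid=A1", "stats.example": "sid=S9"}},
    {"ip": "203.0.113.10", "site": "shop.example",
     "tracker_cookies": {"ads.example": "uid=A1"}},
    {"ip": "198.51.100.7", "site": "blog.example",
     "tracker_cookies": {"stats.example": "sid=S9", "social.example": "tk=T4"}},
    {"ip": "198.51.100.7", "site": "mail.example",
     "tracker_cookies": {}},                      # page with no ID cookies at all
    {"ip": "192.0.2.55", "site": "video.example",
     "tracker_cookies": {"social.example": "tk=T4"}},
    {"ip": "192.0.2.55", "site": "recipes.example",
     "tracker_cookies": {"ads.example": "uid=A1"}},
]


def link_page_loads(page_loads, https_trackers=frozenset()):
    """Group page loads into pseudonymous profiles using only the tracker
    cookies a passive observer can read. Cookies belonging to trackers in
    https_trackers travel encrypted and are treated as invisible.
    Returns clusters (lists of page-load indices), largest first."""
    parent = list(range(len(page_loads)))

    def find(i):
        # Union-find root lookup with path halving.
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    def union(a, b):
        root_a, root_b = find(a), find(b)
        if root_a != root_b:
            parent[root_b] = root_a

    # Index page loads by each cleartext (tracker, cookie value) pair.
    seen_with = defaultdict(list)
    for idx, load in enumerate(page_loads):
        for tracker, cookie in load["tracker_cookies"].items():
            if tracker in https_trackers:
                continue  # cookie not observable: tracker is served over HTTPS
            seen_with[(tracker, cookie)].append(idx)

    # Two page loads carrying the same tracker cookie came from the same browser,
    # regardless of the IP address each was observed from.
    for indices in seen_with.values():
        for other in indices[1:]:
            union(indices[0], other)

    clusters = defaultdict(list)
    for idx in range(len(page_loads)):
        clusters[find(idx)].append(idx)
    return sorted((sorted(c) for c in clusters.values()), key=len, reverse=True)


def linked_fraction(page_loads, https_trackers=frozenset()):
    """Share of all page loads the observer can tie to the single largest
    pseudonymous ID (the report's 'linked to the same pseudonymous ID' metric)."""
    largest = link_page_loads(page_loads, https_trackers)[0]
    return len(largest) / len(page_loads)


def ip_addresses_in_largest_profile(page_loads, https_trackers=frozenset()):
    """Distinct IP addresses the largest profile spans: how many network
    locations the cookies alone tie together."""
    largest = link_page_loads(page_loads, https_trackers)[0]
    return sorted({page_loads[i]["ip"] for i in largest})


if __name__ == "__main__":
    scenarios = {
        "all trackers over HTTP": frozenset(),
        "ads.example moves to HTTPS": frozenset({"ads.example"}),
        "all three trackers on HTTPS": frozenset({"ads.example", "stats.example", "social.example"}),
    }
    for label, encrypted in scenarios.items():
        print(f"{label}: {linked_fraction(OBSERVED_PAGE_LOADS, encrypted):.2f} of page loads linked, "
              f"IPs tied together: {ip_addresses_in_largest_profile(OBSERVED_PAGE_LOADS, encrypted)}")
```

With every tracker in the clear, five of the six constructed page loads collapse into one profile spanning all three IP addresses; encrypting one tracker's traffic drops that to half, and only when all three trackers are on HTTPS does the observer see six unrelated page loads. That is the report's point in miniature: partial HTTPS adoption reduces linkability but does not remove it.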
The researchers describe the “threat” scenarios they envision from this type of passive surveillance of the network:
The adversary may have one of two goals: first, the adversary might want to target a specific individual for surveillance. In this case the adversary knows either the target’s real-world identity or a single ID cookie known to belong to the target (whether on a domain that’s typically a first party or on a tracker domain). Second, the adversary might be engaged in mass surveillance. This adversary would like to “scoop up” web traffic and associate real-world identities with as much of it as possible.
The researchers say, in conclusion, that they hope the report will contribute to the “policy debate on both surveillance and the web tracking ecosystem.” They also say they hope their findings will help provide an impetus to “fix the problems we identified with non-use of HTTPS on first party sites.”