Final Project Poster - The Team for Research in Ubiquitous Secure

Cookie Blocking and Privacy: First Parties Remain a Risk
German Gomez
Chris Hoofnagle, JD
Mario Garcia PhD
Florida International University
UC Berkeley
Texas A&M University-Corpus Christi
INTRODUCTION
The HTTP cookie was created to store textual information that a web
application can use to identify clients and maintain state information.
A cookie is a small text file stored on a user's computer. Cookies are
employed for a variety of reasons, including enhancing the user's online
experience by helping sites recognize users when they return.
Cookies can also be used to track users on the internet. Our colleagues
found in 2009 that over 70% of a large sample of websites contained
tracking cookies for Google Analytics.
RESULTS
Blocking third-party cookies reduces the number of cookies in the browser
by 40% on average, as seen in Chart 1. The same chart shows a 2:1
relationship between the number of unique cookie names and the number of
unique cookie domains. However, despite blocking third-party cookies, we
find that tracking cookies are still present in the form of first-party
cookies.
The results in Chart 2 give a detailed view from Apple's Safari 5.0 web
browser. In our domain analysis we found, in some cases, double the number
of cookies set on the browser versus the top 100 websites. Among the top
cookie names we found strings such as __utm*, __qca and s_vi, among
others, which belong to companies like Google, Quantcast and Omniture. In
spite of the 40% reduction in cookies when third-party cookies are
blocked, tracking cookies make up more than 25% on average of the total
number of cookies in this test.
CONCLUSION
In fact, 33% of the sites that issued the largest number of cookies, in
our visit to the top 100 with cookies unblocked, were actually from
different domains. These cookies were still set when we blocked
third-party cookies. Thus, users who wish to avoid web tracking through
cookies must also block some first-party cookies.
RESEARCH GOAL
Traditionally, advertising networks tracked consumers
using third party cookies. In recent years, some internet
browsers have given users better tools to block these
cookies, and two block them by default. We are
investigating whether blocking third party cookies is
effective in avoiding tracking by third parties.
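One way to run the comparison this project sets out, as an added example that is not the authors' script: it tallies a cookie export for both scenarios and counts tracker-named cookies that arrive as first-party cookies. The CSV columns, the sample rows and the last-two-labels domain match are assumptions; the tracker names are those the poster lists.

```python
import csv
import io
from collections import Counter

# Cookie names the poster attributes to Google, Quantcast and Omniture.
TRACKER_NAMES = {"__utma": "Google Analytics", "__utmb": "Google Analytics",
                 "__utmz": "Google Analytics", "__qca": "Quantcast",
                 "s_vi": "Omniture"}

# Constructed sample (assumed columns). I = cookies unblocked, II = third-party blocked.
SAMPLE_CSV = """scenario,site,cookie_domain,cookie_name
I,news.example,.news.example,__utma
I,news.example,.news.example,__utmz
I,news.example,.news.example,session_id
I,news.example,.adnet.example,uid
I,shop.example,.shop.example,__qca
I,shop.example,.shop.example,s_vi
I,shop.example,.adnet.example,uid
I,shop.example,.metrics.example,id
II,news.example,.news.example,__utma
II,news.example,.news.example,__utmz
II,news.example,.news.example,session_id
II,shop.example,.shop.example,__qca
II,shop.example,.shop.example,s_vi
"""

def site_key(host):
    """Last two labels of a host; real data needs the Public Suffix List."""
    return ".".join(host.strip(".").lower().split(".")[-2:])

def summarize(csv_text):
    """Per scenario: totals, unique names/domains, and tracker cookies by party."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        r = report.setdefault(row["scenario"], {
            "total": 0, "names": set(), "domains": set(),
            "third_party": 0, "first_party_trackers": Counter()})
        r["total"] += 1
        r["names"].add(row["cookie_name"])
        r["domains"].add(site_key(row["cookie_domain"]))
        if site_key(row["cookie_domain"]) != site_key(row["site"]):
            r["third_party"] += 1  # cookie scoped to a domain other than the visited site
        elif row["cookie_name"] in TRACKER_NAMES:
            r["first_party_trackers"][TRACKER_NAMES[row["cookie_name"]]] += 1
    return report

def tracker_share(r):
    """Fraction of a scenario's cookies that are first-party tracker cookies."""
    return sum(r["first_party_trackers"].values()) / r["total"]
```

On the constructed rows, blocking third-party cookies removes three cookies but leaves all four tracker-named first-party cookies, so their share of the remaining cookies rises.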
METHODS
We selected two foundations for this project: we used the top five web
browsers on the market to visit the top 100 websites, ranked according to
Quantcast in July 2010.
We focused on two browser scenarios: first, we visited the top 100
websites with the default cookie settings in the browser. Firefox, Chrome,
and Opera accept all cookies by default, while Safari blocks third party
cookies, and Internet Explorer blocks third party cookies on sites lacking
a compact privacy policy. Second, we took a standard privacy intervention:
we blocked third party cookies in the browsers and then visited the same
sites. A top level view flowchart (Figure 1) outlines the entire
procedure.
Figure 1. Method Flowchart
[Flowchart labels: url list, Quantcast Top 100, Script, data.csv]
Chart 1. General Analysis Top Web Browsers
[Bar chart. Browsers: Firefox, Chrome, IE, Opera*, Safari. Series: total
unique cookie domain, total unique cookie name, total number of cookies.
Scenarios: I Cookies unblocked, II Third-party cookies blocked.]
Chart 2. Data Analysis from Safari 5.
[Panels: Cookie Name Analysis Top 15 and Cookie Domain Analysis Top 15,
for Cookies unblocked (Total = 986) and Third-party cookies blocked
(Total = 586). Legend groups: Google analytics cookies, Quantcast cookies,
Omniture cookies.]
Cookie Name Analysis Top 15, Cookies unblocked
__qca = 40
__utma = 39
__utmb = 39
__utmz = 39
s_vi = 25
TRUE = 23
s_pers = 10
rsi_segs = 9
uid = 8
ACOOKIE = 7
__qseg = 7
GUID = 6
OAX = 6
WT_FPC = 6
akmbldtct = 6
other = 716
Cookie Name Analysis Top 15, Third-party cookies blocked
__utma = 40
__utmb = 40
__utmz = 40
__qca = 38
TRUE = 19
s_vi = 19
s_pers = 10
rsi_segs = 9
__qseg = 7
WT_FPC = 6
ACOOKIE = 5
mbox = 5
NGUserID = 4
s_nr = 4
v1st = 4
other = 586
Cookie Domain Analysis Top 15
[Pie and bar charts. Domain labels: .insightexpressai.com,
.whitepages.com, .rad.msn.com, .ask.com, .yellowpages.com,
.casalemedia.com, .bestbuy.com, .people.com, .metacafe.com,
.photobucket.com, .microsoft.com, .netflix.com, .att.com, .fetchback.com,
.cnet.com, .candystand.com, .revsci.net, .evite.com, .examiner.com,
.rubiconproject.com, .pubmatic.com]
FUTURE WORK
Policymakers and web browser developers should take a closer look at
resolving third-party tracking. Advances in technology have only led to
ways of bypassing the idea that blocking third-party cookies will be
enough. Engineers, on the other hand, have developed a fingerprinting
technique that uses cookies as a subset tool to track individuals.
Research should concentrate on providing users, developers and advertisers
a safe Internet experience where privacy comes first, developers have the
tools to keep innovating, and advertising helps the economy without coming
at the expense of others' privacy.
ACKNOWLEDGEMENTS
I would like to thank Dr. Kristen Gates, the TRUST REU program, my
research partner Julian Yalaju and my mentors Chris Hoofnagle and Mario
Garcia. This work was supported in part by TRUST (Team for Research in
Ubiquitous Secure Technology), which receives support from the National
Science Foundation (NSF award number CCF-0424422).
This work was supported by the TRUST Center (NSF award number CCF-0424422)