Final Project Poster - The Team for Research in Ubiquitous Secure
Cookie Blocking and Privacy: First Parties Remain a Risk

German Gomez, Florida International University
Chris Hoofnagle, JD, UC Berkeley
Mario Garcia, PhD, Texas A&M University-Corpus Christi

INTRODUCTION

The HTTP cookie was created to store textual information that a web application can use to identify clients and maintain state information. A cookie is a small text file stored on a user's computer. Cookies are employed for a variety of reasons, including enhancing the user's online experience by helping sites recognize users when they return. Cookies can also be used to track users on the internet. Our colleagues found in 2009 that over 70% of a large sample of websites contained tracking cookies for Google Analytics.

RESEARCH GOAL

Traditionally, advertising networks tracked consumers using third-party cookies. In recent years, some internet browsers have given users better tools to block these cookies, and two block them by default. We are investigating whether blocking third-party cookies is effective in avoiding tracking by third parties.

METHODS

We selected two foundations for this project: we used the top five web browsers on the market to visit the top 100 websites, ranked according to Quantcast in July 2010.

We focused on two browser scenarios. First, we visited the top 100 websites with the default cookie settings in the browser. Firefox, Chrome, and Opera accept all cookies by default, while Safari blocks third-party cookies, and Internet Explorer blocks third-party cookies on sites lacking a compact privacy policy. Second, we took a standard privacy intervention: we blocked third-party cookies in the browsers and then visited the same sites. A top-level flowchart (Figure 1) outlines the entire procedure.

[Figure 1. Method Flowchart. Elements: Quantcast Top 100, url list, Script, data.csv.]

RESULTS

Blocking third-party cookies reduces the number of cookies in the browser by 40% on average, as seen in Chart 1. The same chart shows a 2:1 relationship between the number of unique cookie names and the number of unique cookie domains. However, despite blocking third-party cookies, we find that tracking cookies are still present in the form of first-party cookies.

The results in Chart 2 give a detailed view from Apple's Safari 5.0 web browser. In our domain analysis we found, in some cases, double the number of cookies set on the browser versus the top 100 websites. Among the top cookie names we found strings such as __utm*, __qca and s_vi, among others, which belong to companies like Google, Quantcast and Omniture.

In spite of the 40% cookie reduction when third-party cookies are blocked, tracking cookies make up more than 25% on average of the total number of cookies in this test. In fact, 33% of the sites that issued the most cookies in our visit to the top 100 with cookies unblocked were actually from different domains. These cookies were still set when we blocked third-party cookies.

[Chart 1. General Analysis Top Web Browsers. Series: total number of cookies, total unique cookie name, total unique cookie domain. Browsers: Firefox, Chrome, IE, Opera*, Safari. Scenarios: I = cookies unblocked, II = third-party cookies blocked.]

[Chart 2. Data Analysis from Safari 5. Panels: Cookie Name Analysis Top 15 and Cookie Domain Analysis Top 15, each for cookies unblocked and for third-party cookies blocked. Legend groups: Google Analytics cookies, Quantcast cookies, Omniture cookies.]

Cookie Name Analysis Top 15, cookies unblocked (Total = 986):

    __qca     = 40
    __utma    = 39
    __utmb    = 39
    __utmz    = 39
    s_vi      = 25
    TRUE      = 23
    s_pers    = 10
    rsi_segs  = 9
    uid       = 8
    ACOOKIE   = 7
    __qseg    = 7
    GUID      = 6
    OAX       = 6
    WT_FPC    = 6
    akmbldtct = 6
    other     = 716

Cookie Name Analysis Top 15, third-party cookies blocked (Total = 586):

    __utma    = 40
    __utmb    = 40
    __utmz    = 40
    __qca     = 38
    TRUE      = 19
    s_vi      = 19
    s_pers    = 10
    rsi_segs  = 9
    __qseg    = 7
    WT_FPC    = 6
    ACOOKIE   = 5
    mbox      = 5
    NGUserID  = 4
    s_nr      = 4
    v1st      = 4
    other     = 586

CONCLUSION

Thus, users who wish to avoid web tracking through cookies must also block some first-party cookies.

FUTURE WORK

Policymakers and web browser developers should take a closer look at resolving third-party tracking. Advances in technology have only led to ways around the idea that blocking third-party cookies will be enough. Engineers, on the other hand, have developed a fingerprinting technique that uses cookies as a subset tool to track individuals. Research should concentrate on providing users, developers and advertisers a safe Internet experience where privacy goes first, developers have the tools to keep innovating, and advertising helps the economy without doing so at the expense of others' privacy.

ACKNOWLEDGEMENTS

I would like to thank Dr. Kristen Gates, the TRUST REU program, my research partner Julian Yalaju and my mentors Chris Hoofnagle and Mario Garcia. This work was supported in part by TRUST (Team for Research in Ubiquitous Secure Technology), which receives support from the National Science Foundation (NSF award number CCF-0424422).

This work was supported by the TRUST Center (NSF award number CCF-0424422)
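The counting behind Chart 1 and the first-party tracker finding can be reproduced on any cookie export; the following is an added example, not the authors' script. The CSV column names and sample rows are constructed, and first-party status is approximated with an RFC 6265 domain match against the visited host rather than a Public Suffix List lookup.

```python
import csv, io

# Constructed sample rows (not data from the poster): visited host, cookie domain, cookie name.
SAMPLE_CSV = """site,cookie_domain,cookie_name
www.news.example,.news.example,__utma
www.news.example,.news.example,__utmz
www.news.example,.news.example,__qca
www.news.example,.news.example,session_id
www.news.example,.adnet.example,uid
www.news.example,.tracker.example,rsi_segs
shop.example,.shop.example,s_vi
shop.example,shop.example,cart
shop.example,.adnet.example,uid
shop.example,.shop.example,__utma
"""

# Name prefixes the poster attributes to Google, Quantcast and Omniture.
TRACKER_NAMES = {"__utm": "Google Analytics", "__qca": "Quantcast", "s_vi": "Omniture"}

def is_first_party(site, cookie_domain):
    """Assumption: RFC 6265-style domain match of the visited host against the cookie domain."""
    domain = cookie_domain.lstrip(".").lower()
    host = site.lower()
    return host == domain or host.endswith("." + domain)

def tracker_owner(name):
    # Return the analytics vendor for a cookie name, or None if it is not a known tracker name.
    return next((o for p, o in TRACKER_NAMES.items() if name.startswith(p)), None)

def summarize(rows, block_third_party):
    # Scenario I keeps every cookie; scenario II drops cookies whose domain is not the visited site.
    kept = [r for r in rows
            if not block_third_party or is_first_party(r["site"], r["cookie_domain"])]
    trackers = [r for r in kept if tracker_owner(r["cookie_name"])
                and is_first_party(r["site"], r["cookie_domain"])]
    return {
        "total_cookies": len(kept),
        "unique_names": len({r["cookie_name"] for r in kept}),
        "unique_domains": len({r["cookie_domain"].lstrip(".") for r in kept}),
        "first_party_trackers": len(trackers),
        "tracker_share": round(len(trackers) / len(kept), 2) if kept else 0.0,
    }

def load(text=SAMPLE_CSV):
    return list(csv.DictReader(io.StringIO(text)))

if __name__ == "__main__":
    rows = load()
    print("I  cookies unblocked:      ", summarize(rows, False))
    print("II third-party blocked:    ", summarize(rows, True))
```

In the constructed sample the total falls when third-party cookies are blocked, but the count of first-party analytics cookies is unchanged, so their share of what remains goes up.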