Invisible Pixels Are Dead, Long Live Invisible Pixels!

Privacy has deteriorated in the world wide web ever since the 1990s. The tracking of browsing habits by different third-parties has been at the center of this deterioration. Web cookies and so-called web beacons have been the classical ways to implement third-party tracking. Due to the introduction of more sophisticated technical tracking solutions and other fundamental transformations, the use of classical image-based web beacons might be expected to have lost their appeal. According to a sample of over thirty thousand images collected from popular websites, this paper shows that such an assumption is a fallacy: classical 1 x 1 images are still commonly used for third-party tracking in the contemporary world wide web. While it seems that ad-blockers are unable to fully block these classical image-based tracking beacons, the paper further demonstrates that even limited information can be used to accurately classify the third-party 1 x 1 images from other images. An average classification accuracy of 0.956 is reached in the empirical experiment. With these results the paper contributes to the ongoing attempts to better understand the lack of privacy in the world wide web, and the means by which the situation might be eventually improved.Comment: Forthcoming in the 17th Workshop on Privacy in the Electronic Society (WPES 2018), Toronto, AC

An Automated Approach to Auditing Disclosure of Third-Party Data Collection in Website Privacy Policies

A dominant regulatory model for web privacy is "notice and choice". In this model, users are notified of data collection and provided with options to control it. To examine the efficacy of this approach, this study presents the first large-scale audit of disclosure of third-party data collection in website privacy policies. Data flows on one million websites are analyzed and over 200,000 websites' privacy policies are audited to determine if users are notified of the names of the companies which collect their data. Policies from 25 prominent third-party data collectors are also examined to provide deeper insights into the totality of the policy environment. Policies are additionally audited to determine if the choice expressed by the "Do Not Track" browser setting is respected. Third-party data collection is wide-spread, but fewer than 15% of attributed data flows are disclosed. The third-parties most likely to be disclosed are those with consumer services users may be aware of, those without consumer services are less likely to be mentioned. Policies are difficult to understand and the average time requirement to read both a given site{\guillemotright}s policy and the associated third-party policies exceeds 84 minutes. Only 7% of first-party site policies mention the Do Not Track signal, and the majority of such mentions are to specify that the signal is ignored. Among third-party policies examined, none offer unqualified support for the Do Not Track signal. Findings indicate that current implementations of "notice and choice" fail to provide notice or respect choice

GDPR: When the Right to Access Personal Data Becomes a Threat

After one year since the entry into force of the GDPR, all web sites and data controllers have updated their procedures to store users' data. The GDPR does not only cover how and what data should be saved by the service providers, but it also guarantees an easy way to know what data are collected and the freedom to export them. In this paper, we carry out a comprehensive study on the right to access data provided by Article 15 of the GDPR. We examined more than 300 data controllers, performing for each of them a request to access personal data. We found that almost each data controller has a slightly different procedure to fulfill the request and several ways to provide data back to the user, from a structured file like CSV to a screenshot of the monitor. We measure the time needed to complete the access data request and the completeness of the information provided. After this phase of data gathering, we analyze the authentication process followed by the data controllers to establish the identity of the requester. We find that 50.4\% of the data controllers that handled the request, even if they store the data in compliance with the GDPR, have flaws in the procedure of identifying the users or in the phase of sending the data, exposing the users to new threats. With the undesired and surprising result that the GDPR, in its present deployment, has actually decreased the privacy of the users of web services.Comment: Accepted for publication at IEEE INTERNATIONAL CONFERENCE ON WEB SERVICES (ICWS) 202

4 Years of EU Cookie Law: Results and Lessons Learned

Personalized advertisement has changed the web. It lets websites monetize the content they offer. The downside is the continuous collection of personal information with significant threats to personal privacy. In 2002, the European Union (EU) introduced a first set of regulations on the use of online tracking technologies. It aimed, among other things, to make online tracking mechanisms explicit to increase privacy aware- ness among users. Amended in 2009, the EU Directive mandates websites to ask for informed consent before using any kind of profiling technology, e.g., cookies. Since 2013, the ePrivacy Directive became mandatory, and each EU Member State transposed it in national legislation. Since then, most of European websites embed a “Cookie Bar”, the most visible effect of the regulation. In this paper, we run a large-scale measurement campaign to check the current implementation status of the EU cookie directive. For this, we use CookieCheck, a simple tool to automatically verify legislation violations. Results depict a shady picture: 49 % of websites do not respect the Directive and install profiling cookies before any user’s consent is given. Beside presenting a detailed picture, this paper casts lights on the difficulty of legislator attempts to regulate the troubled marriage between ad-supported web services and their users. In this picture, online privacy seems to be continuously at stake, and it is hard to reach transparency