A Large-Scale Study of Cookie Banner Interaction Tools and Their Impact on Users’ Privacy - Prof. Dr. Norbert Pohlmann

A Large-Scale Study of Cookie Banner Interaction Tools and Their Impact on Users’ Privacy

N. Demir, Norbert Pohlmann (Institut für Internet-Sicherheit), T. Urban, C. Wressnegger:
„A Large-Scale Study of Cookie Banner Interaction Tools and their Impact on Users’ Privacy”,
23rd Privacy Enhancing Technologies Symposium (PETS) 2024

ABSTRACT
Cookie notices (or cookie banners) are a popular mechanism for websites to provide (European) Internet users a tool to choose which cookies the site may set. Banner implementations range from merely providing information that a site uses cookies over offering the choice to accepting or denying all cookies to allowing fine-grained control of cookie usage. Users frequently get annoyed by the banner’s pervasiveness as they interrupt “natural” browsing on the Web. As a remedy, different browser extensions have been developed to automate the interaction with cookie banners.

In this work, we perform a large-scale measurement study comparing the effectiveness of extensions for “cookie banner interaction.” We configured the extensions to express different privacy choices (e.g., accepting all cookies, accepting functional cookies, or rejecting all cookies) to understand their capabilities to execute a user’s preferences. The results show statistically significant differences in which cookies are set, how many of them are set, and which types are set—even for extensions that aim to implement the same cookie choice. Extensions for “cookie banner interaction” can effectively reduce the number of set cookies compared to no interaction with the banners. However, all extensions increase the
tracking requests significantly except when rejecting all cookies.

1 INTRODUCTION
Websites make rich use of HTTP cookies for various means (e.g., user tracking). To provide (European) Internet users more control over the usage of cookies, many website providers embed so-called
“cookie banners” on their webpages [8, 13, 17]. Some banners allow fine-grained control over the type of cookies to be used (e.g., rejecting advertising cookies), while others only inform users about their usage [44]. Cookie banners are meant to help users but are often designed in a way that nudges the user to accept all types of cookies rather than to reject them (“Dark Patterns” [15, 27]), and
their the omnipresence has started to annoy users [29].

Different tools help users cope with cookie banners by automatizing the interaction process [4, 24, 33, 34, 39]. These tools are usually implemented as a browser extension and often use rule-based approaches to identify and interact with banners. More specifically, the tools identify the banners and corresponding buttons on predefined patterns, similar to ad blockers that block URLs based on filter lists. Some tools offer the option to choose the cookie type the user consents to be set (e.g., “functional cookies” only). Users hence need to configure these tools according to their own privacy needs.
However, the impact of these tools on the user’s privacy still needs to be better understood. One challenge is that the interaction with these banners is neither standardized nor is it (legally) defined what
the purpose of a cookie is or how it can be determined. Thus, while users rely on these tools for convenience and to implement their choice, it is still being determined if these tools even meet these
expectations and which impact the tools have on users’ privacy.

In this work, we perform a measurement study to understand the effects of six extensions for “cookie banner interaction.“ We analyze five tools used in the field and one custom extension developed for
this study. In our experiments, we investigate (1) which and how many cookies a website sets, (2) the purpose of the used cookies, and (3) various deferred effects, such as the impact on tracking
requests. With this study, we aim to understand the impact and potential benefits of the different tools for users’ privacy. To do so, we visit 298k distinct pages on 30k websites once with each
tool and uncover statistically significant differences in the analyzed extensions’ effectiveness. We show that the number of cookies, category of used cookies, and individual cookies in terms of their
key names differ based on the used extension.

Previous studies have either analyzed the design of different banners [8, 15, 41, 44] or have built new tools to interact with banners in a meaningful way [4, 34]. While we build upon prior work by utilizing some of the presented tools in this work, we investigate an entirely different problem: The effectiveness of different tools that automatically interact with cookie banners. To the best of our knowledge, this is the first work comparing the impact of “cookie banner interaction” tools on the user’s privacy at a large scale

….

kostenlos downloaden