N. Demir, N. Pohlmann, D. Theis, T. Urban:
„Towards Understanding First-Party Cookie Tracking in the Field“.
In Proceedings GI Sicherheit 2022 – Sicherheit, Schutz und Zuverlässigkeit,
Third-party tracking is a common and broadly used technique on the Web. Different defense mechanisms have emerged to counter these practices (e.g. browser vendors that ban all third-party cookies). However, these countermeasures only target third-party trackers and ignore the first party because the narrative is that such monitoring is mostly used to improve the utilized service (e.g. analytical services). In this paper, we present a large-scale measurement study that analyzes tracking performed by the first party but utilized by a third party to circumvent standard tracking prevention techniques. We visit the top 15,000 websites to analyze first-party cookies used to track users and a technique called “DNS CNAME cloaking”, which can be used by a third party to place first-party cookies. Using this data, we show that 76% of sites effectively utilize such tracking techniques. In a long-running analysis, we show that the usage of such cookies increased by more than 50% over 2021.
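The abstract names DNS CNAME cloaking: a subdomain of the visited site is aliased via a CNAME record to a tracker's host, so cookies set for that subdomain count as first-party. The following detection sketch is an added example, not code from the paper; all host names, the tracker list and the one-entry public-suffix set are constructed assumptions.

```python
# Constructed sample data: every name below is made up for illustration.
SITE = "www.example.co.uk"
REQUEST_HOSTS = ["metrics.example.co.uk", "static.example.co.uk",
                 "t.example.co.uk", "api.example.co.uk", "ads.tracker-a.test"]
CNAME_RECORDS = {  # name -> CNAME target, as a resolver would return them
    "metrics.example.co.uk": "example.collector.tracker-a.test",
    "static.example.co.uk": "edge.cdn-b.test",
    "t.example.co.uk": "t-alias.example.co.uk",
    "t-alias.example.co.uk": "in.tracker-a.test",
}
TRACKER_DOMAINS = {"tracker-a.test"}  # assumption: stand-in for a tracker list
MULTI_LABEL_SUFFIXES = {"co.uk"}      # assumption: stand-in for the Public Suffix List


def registrable_domain(host):
    """Return the eTLD+1 of host, using the tiny suffix set above."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def resolve_chain(host, cnames, max_depth=10):
    """Follow CNAME records from host; stop on loops or after max_depth hops."""
    chain = [host.lower().rstrip(".")]
    while chain[-1] in cnames and len(chain) <= max_depth:
        target = cnames[chain[-1]].lower().rstrip(".")
        if target in chain:
            break
        chain.append(target)
    return chain


def find_cloaked(site, hosts, cnames, trackers):
    """Map each first-party host whose CNAME chain reaches a tracker to that tracker."""
    site_rd = registrable_domain(site)
    findings = {}
    for host in hosts:
        if registrable_domain(host) != site_rd:
            continue  # plain third-party request, already visible to blockers
        for hop in resolve_chain(host, cnames)[1:]:
            hop_rd = registrable_domain(hop)
            if hop_rd != site_rd and hop_rd in trackers:
                findings[host] = hop_rd
                break
    return findings


if __name__ == "__main__":
    for host, tracker in find_cloaked(SITE, REQUEST_HOSTS, CNAME_RECORDS, TRACKER_DOMAINS).items():
        print(f"{host} is a first-party name operated by {tracker}")
```

The CDN alias (`static.example.co.uk`) also leaves the site's registrable domain but is not flagged, which is why the check needs a tracker list and cannot rely on the CNAME alone.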
The business model of many modern (Web) applications relies on the revenue generated by “renting” space on their services to advertisement companies. These ad-tech companies try to place advertisements on the sites that match the users’ interests, in the expectation that users will interact with the ad and ultimately buy the advertised product or service. To place such targeted ads, ad-tech companies track users across the Web by assigning a unique identifier to each of them, and try to understand their interests by building so-called behavioral profiles [MC10]. The unique user identifiers are often stored in the third-party context (e.g. in an HTTP cookie). Some consider this large-scale tracking privacy-invasive because it often happens without users’ explicit consent or knowledge [TH11] and is not made transparent to the user. The desire for more privacy and the need for more user data led to an arms race between anti-tracking tools and novel techniques to track users. One recent (technical) step in this race was the announcement by major browser vendors that they will ban third-party cookies within the coming years [Go20a; Mo20a]. While there is no immediate problem with third-party cookies, previous work showed that they are overwhelmingly used for advertisement purposes [Ur20a]. Hence, trackers need to find different ways to persist their identifiers on the users’ devices. One known way to do so is the computation of browser fingerprints, which are distinct identifiers that are computed based on properties of the user’s device or browser [EN16; La20]. However, these fingerprints change over time and, therefore, one cannot simply rely on them for tracking purposes [GLB18].