mikewest/privacy-budget

Include research detailing the deployment of fingerprinting in response to cookie blocking

Closed this issue · 2 comments

In the introduction you state:

"Blunt approaches to cookie blocking have been tried, and in response we have seen some user-tracking efforts move underground, employing harder-to-detect methods that subvert cookie controls."

Past measurement research [0], [1], [2], [3], and [4] has shown a steady rise in the use of fingerprinting in the wild. None of these papers have claimed this rise is due to browsers deploying cookie blocking. Can you share research that supports this claim?

[0] https://www.ieee-security.org/TC/SP2013/papers/4977a541.pdf
[1] https://www.esat.kuleuven.be/cosic/publications/article-2334.pdf
[2] https://securehomes.esat.kuleuven.be/~gacar/persistent/the_web_never_forgets.pdf
[3] https://senglehardt.com/papers/ccs16_online_tracking.pdf
[4] https://sensor-js.xyz/webs-sixth-sense-ccs18.pdf

ehsan commented

Alternatively, if there is no such peer-reviewed research, I think this claim must be removed given the existing body of literature that @englehardt quoted.

Hi Steven,

You’re right, as you pointed out there is a body of research that points to increasing use of fingerprinting in the ecosystem, but doesn’t necessarily attribute it to cookie blocking. And in fact, most of the work you pointed to was prior to technologies like ITP or regulations like GDPR, indicating that fingerprinting was already rising before cookie blocking became more widespread. Some recent work, however, has indicated that GDPR, for example, has done little to decrease the amount of tracking. [0] for example showed that while the number of trackers has decreased slightly, the total amount of data being sent to trackers has increased. "There is a higher potential for PII leakage, since the number of POST requests significantly increased through time." [1] found that "tracking is still ubiquitous and present in more than 90% of websites, even those in the EU".

[0] https://arxiv.org/pdf/1907.12860.pdf
[1] http://s3.eurecom.fr/docs/asiaccs19_gdpr.pdf

We’ve also begun to see the ad tech industry adapt to cookie restrictions either with various "cookieless identity" solutions, or by advertising their use of fingerprinting directly. For a few examples:

CAKE
"Another available method to help alleviate the loss of tracking campaign interactions on Safari is Session Regeneration. Also referred to as Fingerprinting, Session Regeneration is a probabilistic approach to attributing customer interactions. When enabled, this function will be used as a backup to cookies and/or the CAKE Request Session ID and will attempt to attribute a conversion to a recent click based off various attributes, commonly the IP and Device."

Flashtalking
"Cookie blocking and deletion rates are on the rise, making accurate reach, frequency and attribution increasingly difficult—if not impossible. Flashtalking’s cookieless tracking solution FTrack helps advertisers fill the gaps."

TUNE
"TUNE has long promoted cookieless tracking... The goal of the service is to support highly accurate tracking for web and mobile web traffic, with less than 5% session loss, and no more effort to implement as a standard pixel (client side)."

So while we are unaware of a study directly linking the increase of fingerprinting to cookie restrictions, we have both seen studies showing regulatory cookie restrictions having little effect on overall tracking, as well as ad tech companies adapting their tracking and identity solutions to continue to work under cookie-restricting technologies.