Mayer and John C. Mitchell
Stanford University, Stanford, CA
{jmayer, mitchell}@cs.stanford.edu

Abstract: In the early days of the web, content was designed and hosted by a single person, group, or organization. No longer. Webpages are increasingly composed of
Figure 1. Third-party advertising, social, and video content on the New York Times website. Analytics content is not visible.

Web measurement provides objective, reliable evidence that both furthers public understanding and establishes a sound basis for policymaking. Second, web measurement is fast. Many claims about specific tracking practices can be supported or rebutted with mere hours of web measurement work.⁴ Web measurement facilitates longitudinal study. Often the very same hardware and software can be reused to collect and analyze data even years apart. Last, web measurement can often be automated. Once a generic measurement tool has been built, it can be trivially applied to millions of websites.

B. Design Principles

Prior work on third-party web tracking has largely taken one of three approaches to measurement: monitor network traffic (e.g. [10], [11], [12], [13]), manually inspect browser state (e.g. [8], [14]), or develop a custom tool for a specific measurement task (e.g. [15], [16], [17]). We developed FourthParty around three design principles that improve on these approaches.

⁴ For example, when an advertising network contested our discovery that it was history sniffing [7], we were able to secure independent confirmation from two other research groups the same day. When Ayenson et al. [8], [9] contacted us on a weekday afternoon about a web analytics company using multiple supercookie technologies (see Section VII-A), we were able to verify their findings by evening.

1) General-purpose instrumentation: By implementing comprehensive instrumentation and logging only once, FourthParty avoids the need for many purpose-built tools, decreases duplication of effort, and trims development time.

2) Production web browser: Building on a production browser allows reuse of existing add-ons, including for automation, and closely emulates real-world browsing.

3) Standardized log format: A standardized, easy-to-manipulate log format facilitates data sharing and cuts back on redundant data gathering.

C. Implementation

We implemented FourthParty as an extension to Mozilla Firefox. It currently instruments the browser APIs for HTTP traffic, DOM windows, cookies, and resource loads. FourthParty also instruments JavaScript API calls on the window, navigator, and screen objects using getters, setters, and ECMAScript proxies [18]. All events are logged to a SQLite database. On many pages FourthParty does not perceivably slow down Firefox; on highly dynamic pages, it can increase page load time by roughly 2-3x. We plan to make substantial performance improvements in an upcoming revision.

D. Analysis with FourthParty

Analyzing FourthParty data is fast. All of the FourthParty results presented in this paper were generated with Python

Table I
THIRD PARTIES RECEIVING USERNAME AND ID ON 185 POPULAR SITES.

Third-Party PS+1         Websites Leaking Username or ID
scorecardresearch.com    81 (44%)
google-analytics.com     78 (42%)
quantserve.com           63 (34%)
doubleclick.net          62 (34%)
facebook.com             45 (24%)

Table II
POPULAR WEBSITES LEAKING USERNAME AND ID.

First-Party PS+1         Third-Party PS+1s Receiving Username or ID
rottentomatoes.com       83
cafemom.com              59
lyricsmode.com           54
ivillage.com             53
livejournal.com          53

would be to use a single URL for all users viewing their own profile, e.g. http://example.com/self/, and to never include the username or user ID in the page title. Several of the sites we contacted were willing to implement these fixes, but many more preferred the functionality, convenience, and aesthetic of a username or user ID in URLs. It seems quite likely the practice will persist indefinitely among even the most popular sites.

We also observed other forms of identifying information leak. For example:

• Viewing a local ad on the Home Depot website sent the user's first name and email address to 13 companies.
• Entering the wrong password on the Wall Street Journal website sent the user's email address to 7 companies.
• Changing user settings on the video-sharing site Metacafe sent first name, last name, birthday, email address, physical address, and phone numbers to 2 companies.

In all of these cases the identifying information was included as a parameter in a first-party URL. The better practice is to send identifying information as part of a POST request body so it will not inadvertently leak to third parties.

4) The third party uses a security exploit: A third party may exploit a cross-site security vulnerability on a first-party website to learn the user's identity. Narayanan has shown how inadequate framebusting can facilitate identifying a user [27]. Huang and Jackson more recently demonstrated practical user identification through Facebook and Twitter sharing widget clickjacking [28].

5) Re-identification: The third party could match pseudonymous browsing histories against identified datasets to re-identify them, much like Narayanan and Shmatikov did with the Netflix Prize dataset [29] and the Flickr and Twitter social graphs [30], and Acquisti et al. did more recently with personal photos on a dating site [31]. A third party might, for example, compare browsing activity to the times and locations of links publicly shared by Twitter users.

C. Possible Harms

The risk of harm to consumers from web tracking arises from myriad potential scenarios. Each particular scenario may have a low probability of occurring. But the chance of some scenarios occurring is substantial, especially when considered over time and across many companies.

When considering harmful web tracking scenarios, we find it helpful to focus on four variables. First, an actor that causes harm to a consumer. The actor might, for example, be an authorized employee, malicious employee, competitor, acquirer, hacker, or government agency. Second, a means of access that enables the actor to use tracking data. The data might be voluntarily transferred, sold, stolen, misplaced, or accidentally distributed. Third, an action that harms the consumer. The action could be, for example, publication, a less favorable offer, denial of a benefit, or termination of employment. Last, a particular harm that is inflicted. The harm might be physical, psychological, or economic.

The countless combinations of these variables result in countless possible bad outcomes for consumers. To exemplify our thinking, here is one commonly considered scenario: A hacker (actor) breaks into a tracking company (means of access) and publishes its tracking information (action), causing some embarrassing fact about the consumer to become known and inflicting emotional distress (harm).⁹

Risks associated with third-party tracking are heightened by the lack of market pressure to exercise good security and privacy practices. If a first-party website is untrustworthy, users may decline to visit it. But, since users are unaware of the very existence of many third-party websites, they cannot reward responsible sites and penalize irresponsible sites.¹⁰

D. User Preferences

User surveys have consistently shown opposition to third parties collecting and using browsing activity. A 2009 representative U.S. phone survey by Turow et al. [33] found that 87% of respondents would not want advertising based on tracking. In an unrepresentative 2010 survey of Amazon Mechanical Turk users by McDonald and Cranor [34], only 45% of respondents wanted to be shown any ads that had been tailored to their interests. A December 2010 USA Today/Gallup poll [35] reported 67% of respondents thought behavioral targeting should be outright illegal. In a mid-2011 representative U.S. online survey by TRUSTe and Harris Interactive [36], 85% of respondents said they would not consent to tracking for ad targeting, and 78% said they would not consent to tracking for website analytics.

⁹ There has not yet been a reported data breach that involved release of third-party web tracking data. (Current data breach notification laws may not extend to third-party web tracking information.) Hackers have begun to target marketing companies; one of the largest data breaches of 2011 was at Epsilon, an email marketing company [32].

¹⁰ Publishers could somewhat stand in for users by demanding good corporate practices, but they have in large measure declined to do so.

In early 2012 the White House released a long-awaited online privacy report from a policy collaboration with the Department of Commerce [50]. The report calls for baseline privacy legislation and Commerce-mediated multi-stakeholder codes of conduct that are ratified and enforced by the FTC. The White House and Commerce Department have not indicated their proposals would alter the FTC's present leadership on web tracking issues, and the Chairman of the FTC has suggested he shares that view [51].

B. European Union

The 2002 ePrivacy Directive, 2002/58/EC, mandated that websites enable users to opt out of having information stored in their browser, except as strictly necessary to provide service explicitly requested by the user. In practice the directive has had little effect; member states have not taken any measures to enforce compliance, and in many cases they have treated browser cookie settings as adequate implementation (see [52]).

A 2009 amendment to the ePrivacy Directive, 2009/136/EC, replaced the opt-out rule with an opt-in consent rule (see [53], [54], [55]). Member state implementations initially split. Some states suggested existing browser cookie settings would remain adequate, on the legal theory that they convey implicit consent. The majority view, and the developing consensus, is that the directive requires explicit, affirmative consent for each third party, and that Do Not Track (see Section IX-C) could satisfy the consent requirement of the directive. This view has been endorsed by leaders in both the European Commission [56], [57], [58], the EU's executive branch, and the Article 29 Working Party [53], [52], [38], a data protection advisory body. EU and state authorities have yet to enforce compliance with the amended ePrivacy Directive.

In February 2012 the European Commission proposed a new set of revisions to EU data protection law [59]. Recommended provisions would clarify that consent must be explicit, unambiguously extend the reach of regulations to non-EU companies that track EU residents, and impose a stringent penalty structure reaching up to 2% of revenue.

C. Online Advertising Self-Regulation

The online advertising industry has largely harmonized self-regulatory efforts in the U.S. (the Network Advertising Initiative, NAI [60] and the Digital Advertising Alliance, DAA [61]) and the EU (the Interactive Advertising Bureau Europe, IAB Europe [62]). All three programs impose the same consumer choice requirement: participating companies must allow users to opt out of behavioral advertising, that is, ad targeting based on tracking. Note that this is a choice about one particular use of data; collection and other uses of third-party tracking data are unaffected.¹⁴

Participation in self-regulation has fluctuated with waxing and waning government scrutiny [65]. At present most of the largest online advertising and analytics companies participate, and most of the smaller ones do not. Social networks and content providers are almost entirely absent.

The DAA announced in late 2011 [63] that it would attempt to expand its program to non-advertising businesses and that it would broaden its consumer choice requirement to nearly all uses of third-party data for per-device¹⁵ personalization. Most of the largest social networks and content providers were not stakeholders in the DAA's program expansion and have not signaled acceptance.

There has been scant industry enforcement against businesses that violate self-regulatory principles. In late 2011 the Better Business Bureau announced its first decisions against companies that had defective opt-out cookie mechanisms (see Section IX-A); the companies fixed their opt-out cookies, but were not otherwise penalized [66]. The NAI has released an annual Compliance Report since 2009 [67], [68], [69]. Only one company has been penalized for non-compliance; it is required to undergo an annual independent privacy audit for three years.

V. BUSINESS MODELS AND TRENDS

There are, broadly, six common business models for third-party websites: advertising companies, analytics services, social networks, content providers, frontend services, and hosting platforms. This taxonomy is intended to assist researchers in modeling third-party businesses; in practice, many services cut across business models, and new business models are frequently attempted.

A. Advertising Companies

While pricing models in online advertising converged by the early 2000s on a small set of auction algorithms (see [70], [71]), marketplace structures vary. There are three main models: direct buy, ad networks, and ad exchanges.

1) Direct Buy: In the oldest model of online advertising, advertisers (and agencies) cut deals directly with first-party websites (publishers). This approach fell into disfavor for most websites in the late 1990s through 2000s, but remains the dominant model for search engine and social network advertising. Direct buy has, of late, experienced a renaissance among content publishers owing to the development of private advertising exchanges, real-time advertising auctions run by publishers. Many implementations of direct buy

¹⁴ The programs impose similar baseline requirements. All three mandate a modest degree of notice and transparency about behavioral advertising, reasonable security precautions for behavioral advertising data, and user consent for behavioral advertising use of narrow classes of sensitive information. All three also prohibit behavioral targeting specifically directed towards children. A recent revision of the DAA principles [63], [64] prohibits certain particularly sensitive uses of information.

¹⁵ The DAA has left the door open to per-user content tailoring, such as personalized social networking widgets [64].

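The username and ID leakage counted in Tables I and II can be audited from a crawl log; the following is an added example, not code from the paper or from FourthParty. The `http_requests` schema, hostnames and identifiers are constructed for illustration, and PS+1 is approximated as the last two host labels rather than looked up in the Public Suffix List.

```python
import sqlite3
from collections import defaultdict
from urllib.parse import urlsplit, unquote_plus

# Constructed sample log rows: (page_url, request_url, referrer).
# The schema is hypothetical, not FourthParty's own log format.
SAMPLE_REQUESTS = [
    # First-party script load: same PS+1 as the page, so never counted.
    ("http://social.example/user/alice_w",
     "http://social.example/static/app.js",
     "http://social.example/user/alice_w"),
    # Third-party pixel: the username reaches it through the Referer header.
    ("http://social.example/user/alice_w",
     "http://cdn.tracker-a.example/pixel.gif?cb=1",
     "http://social.example/user/alice_w"),
    # Third-party analytics: no Referer, but the page title is a URL parameter.
    ("http://social.example/user/alice_w",
     "http://stats.tracker-b.example/collect?dt=Alice_W%27s+profile&dl=%2Fhome",
     ""),
    # Email address carried as a parameter of the first-party URL.
    ("http://shop.example/account?email=alice%40mail.example",
     "http://cdn.tracker-a.example/ad.js",
     "http://shop.example/account?email=alice%40mail.example"),
    # Site using one profile URL for every user: nothing identifying to leak.
    ("http://news.example/self/",
     "http://cdn.tracker-a.example/pixel.gif?cb=2",
     "http://news.example/self/"),
]

# Identifiers of the test account used for the crawl (constructed).
IDENTIFIERS = ["alice_w", "alice@mail.example"]


def registrable_domain(url):
    """Approximate PS+1 as the last two host labels (simplification)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def load_log(rows):
    """Load log rows into an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE http_requests (page_url TEXT, request_url TEXT, referrer TEXT)"
    )
    db.executemany("INSERT INTO http_requests VALUES (?, ?, ?)", rows)
    return db


def find_identifier_leaks(db, identifiers):
    """Map each third-party PS+1 to the first-party PS+1s that leaked to it."""
    needles = [i.lower() for i in identifiers]
    leaks = defaultdict(set)
    query = "SELECT page_url, request_url, referrer FROM http_requests"
    for page_url, request_url, referrer in db.execute(query):
        first_party = registrable_domain(page_url)
        third_party = registrable_domain(request_url)
        if third_party == first_party:
            continue  # same-site request, not a third-party disclosure
        # Percent-decode so that alice%40mail.example matches alice@mail.example.
        haystack = unquote_plus(request_url + " " + referrer).lower()
        if any(needle in haystack for needle in needles):
            leaks[third_party].add(first_party)
    return leaks


def leak_table(leaks):
    """Rows of (third-party PS+1, number of leaking sites), largest first."""
    rows = [(third, len(sites)) for third, sites in leaks.items()]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    found = find_identifier_leaks(load_log(SAMPLE_REQUESTS), IDENTIFIERS)
    for third_party, count in leak_table(found):
        print(f"{third_party:20} {count}  {sorted(found[third_party])}")
```

The `news.example` row follows the single-URL practice recommended above (`/self/`) and produces no entry, while the other two sites show up under each third party that received an identifier.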
VI. ECONOMICS OF THIRD-PARTY WEB TRACKING

Proponents of web tracking often make the economic claim that it is needed to subsidize web services through advertising (e.g. [75], [76], [77], [78]). We believe the claim is subject to debate [79], and central questions remain open:

• Which segments of the online advertising market depend on third-party tracking, and how is it used? It appears that only a small share of online advertising is behaviorally targeted [79]. The extent to which advertising relies on other uses of tracking is unclear.
• What marginal tradeoffs do advertisers face for each use of tracking information? If tracking-based advertising becomes less feasible or more costly, advertisers will reallocate their expenditures.¹⁷ How they choose to reallocate will depend on the effectiveness and cost of the next-best alternatives to tracking-based advertising. Note that effectiveness and cost point in opposite directions: an advertiser may, for example, invest more in an advertising approach that is per-ad slightly less effective but also per-ad significantly less expensive.¹⁸
• To what extent can privacy-preserving technologies replace current uses of tracking? A number of designs have been advanced that, while not perfect substitutes, would enable much of the advertising functionality that tracking supports (see Section VIII-A). Limitations on tracking could incentivize advertising companies to develop and implement privacy-preserving technologies.
• What proportion of users would consent to tracking or pay if required to access a service? If diminished tracking-based advertising does impact publishers, they could require visitors to either pay or consent to tracking. Some proportion of users would choose either option rather than forgo the service.

Given the public attention to third-party web tracking, there is surprisingly scant research on these central issues. A 2009 industry-sponsored paper by Beales [80] has been widely cited (e.g. [50]) for the proposition that behavioral targeting brings in substantially more value than other forms of ad targeting. Beales's study found that behaviorally targeted advertising was roughly twice as expensive and twice as effective as untargeted (run of network) advertising.

There are at least three problems with the methodology used in the study. First, the paper relies on data from a small, unrepresentative sample of advertising networks. Some statistics rely on data from fewer than five companies. The participating companies self-selected and were aware of the purpose of the study. Second, the paper compares behavioral advertising to untargeted advertising. As noted earlier, the relevant comparison is to the next-best alternative (e.g. contextual targeting). Third, the study concludes that behavioral advertising brings value to publishers through increased effectiveness and price. But, as noted earlier, increased price decreases the marginal value of behavioral advertising to advertisers.

¹⁷ In economic terms: there are cross-demand elasticities between tracking and non-tracking forms of advertising.

¹⁸ Advertising auction mechanisms further complicate the inquiry, since they limit the surplus that advertisers can capture from better ad targeting.

Proponents of third-party web tracking have also frequently cited a 2011 paper by Goldfarb and Tucker [81], [82] reporting a 65% decrease in EU advertising effectiveness after the 2002 ePrivacy Directive was transposed by member states. We find four flaws in the Goldfarb and Tucker study.

First, the analysis relies exclusively on self-reported data from one company's surveys of web users. The paper does not explain how the data was collected, let alone demonstrate how it is valid and reliable. In fact, the survey data appears to have a number of oddities. It suggests, for example, that after the EU ePrivacy Directive non-EU advertising was twice as effective on EU viewers as on non-EU viewers.

Second, the Goldfarb and Tucker data is not controlled for types of ad targeting. Behavioral advertising may only account for a slight share of the advertising in the study.

Third, the Goldfarb and Tucker study appears to incorrectly assume that the 2002 EU ePrivacy Directive significantly altered online advertising behavior in Europe. In fact, advertising practices in the EU were largely unaffected by the ePrivacy Directive (see Section IV-C).

Fourth, the study seems to overlook changes in the online advertising market. Behavioral advertising was scarce in 2001 and a very small share of online advertising in 2008 [79]. The same time period yielded significant advances in contextual and demographic ad targeting. If the EU law negatively affected behavioral advertising, we should expect an across-the-board performance lift for EU and non-EU ads, with a slightly greater rise in non-EU performance. Instead, the authors predict and demonstrate a significant decrease in EU performance and near-constant non-EU performance.

A final study, by Yan et al. [83], has been widely miscited by supporters of third-party tracking. In that paper, the authors persuasively demonstrate that ideal behavioral targeting could substantially improve the effectiveness of first-party advertising on the Bing search engine. The paper does not examine behavioral advertising in practice or third-party behavioral advertising.

THIRD-PARTY WEB TRACKING TECHNOLOGY

VII. TRACKING TECHNOLOGIES

While the debates surrounding web tracking tend to focus on HTTP cookies, there are myriad stateful (supercookie) and stateless (fingerprinting) technologies that can be used to pseudonymously correlate web activities.¹⁹

¹⁹ A note on jargon: when a non-cookie tracking technology is used to recreate a deleted tracking cookie, it is dubbed a zombie cookie.

Like Privad, Adnostic [100] uses client-based functionality to perform ad selection, but it eliminates anonymizing proxies at the cost of less precise ad targeting. Adnostic also simplifies cost-per-click billing by allowing the advertising network to learn of a user's ad clicks. Cost-per-impression billing would still require a low-performance trusted intermediary so as to not reveal the user's ad impressions. As implemented, Adnostic requires a browser extension, which is a practical barrier to more widespread adoption.

RePriv [101], by Fredrikson and Livshits, is a verifiable policy architecture that enables users to selectively grant permission for generating and sharing client-side data stores that enable website personalization. The RePriv model holds promise as a general-purpose platform for building privacy-preserving advertising like Privad and Adnostic. But, like Adnostic, RePriv would have to be translated from its current implementation as a single-platform browser extension into existing web technologies for near-term deployment.

Bilenko and Richardson [102] propose an approach for keyword-based search advertising that provides privacy against a weaker threat model. The search advertising company is trusted to temporarily compute on user profile data, but then store the data in the browser and delete its copy. The authors ran their algorithm against 60 days of Bing search advertising logs and achieved almost all the benefit of current server-side behavioral targeting. Specifically, they report capturing over 95% of the increase in click-through rates, generating approximately 4% greater revenue than search advertising without behavioral targeting. We are skeptical that the temporary data-use model is likely to be adopted; web services in general, and online advertising companies in particular, have historically been loath to voluntarily discard logs. The model also introduces the risk of inadvertent or surreptitious collection of third-party tracking data.

B. Analytics

Some analytics services have taken technical and legal precautions to silo tracking data for each first-party website. Several free and paid services, including Google Analytics and Adobe SiteCatalyst (formerly Omniture), use the same-origin policy to restrict the scope of pseudonymous identifiers to a first-party website. Google uses a first-party cookie to achieve this; Adobe offers the choice of a cookie scoped to a first-party subdomain CNAMEd to Adobe (e.g. metrics.apple.com) or a cookie scoped to a unique Adobe subdomain (e.g. paypal.112.2o7.net).

Google Analytics offers an opt-in feature to websites that prevents logging the last octet of a user's IP address (anonymizeIp).²⁰ This privacy option does not seem to reduce the benefit of the service since Google Analytics does not report IP addresses, and geolocation (the only reported measurement that relies on IP addresses) is unlikely to vary much by the last octet. We nonetheless found barely any use of the option: in an August 2011 crawl of the Alexa top 10,000 global websites, anonymizeIp was set on only 63 of 4861 (1.3%) reports to Google Analytics.

²⁰ It is unclear how much privacy is afforded by this measure [97].

Paid analytics services usually promise by contract to make no use of the data they collect except as directed by their clients, and they impose internal business controls to ensure each client's data remains segregated. Adobe, for example, makes these guarantees [103]:

    Although the data generated by Adobe's products resides on Adobe's servers, each customer owns the data generated by the use of its site. By contract, Adobe has no right to access or use this data. In addition, Adobe does not allow use of the data for any purpose other than those of the owner (web publisher); that is, Adobe silos each customer's data for use by that customer.

IX. USER CHOICE MECHANISMS

Three technical solutions have been advanced for giving users control over third-party web tracking: opt-out cookies, blocking, and Do Not Track.

A. Opt-Out Cookies and the AdChoices Icon

User choice in current online advertising self-regulation is implemented with opt-out cookies. There are several problems with this approach. First, it requires manual updating. To opt out of new third parties, a user has to install new cookies. Second, cookies expire, so a user has to periodically renew opt-out cookies. Third, users may clear their cookies, inadvertently removing their opt-out preferences. Fourth, opt-out cookies are fragile; it is easy for a third party to improperly set or delete an opt-out cookie. Fifth, opt-out cookies scale poorly; each third-party PS+1 requires a network roundtrip, resulting in a sluggish user experience when changing many preferences. Browser extensions for persisting opt-out cookies, such as TACO or Google Keep My Opt Outs, largely mitigate these issues at the cost of usability.

Many online advertising companies have begun to insert an AdChoices icon (13x13px) and text (10pt) into display ads (Figure 2(b)) to increase user awareness of behavioral targeting and existing self-regulatory choice mechanisms. Clicking the icon provides additional information about how the ad was targeted and, in many cases, a link to landing page where the user can set opt-out cookies.

Several studies have called into question the usability of the self-regulatory opt-out model. Before the deployment of the AdChoices icon an industry-funded policy group conducted a large-audience usability survey [106]. It found that a 31x31px icon with 18pt font (Figure 3(a)) was not very effective at conveying information about behavioral targeting practices (substantial repetition and consumer education may be needed to improve [the

[5] W. Enck, P. Gilbert, B. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth, TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones, in Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation, October 2010.
[6] S. Thurm and Y. I. Kane, Your apps are watching you, The Wall Street Journal, December 2010.
[7] J. Mayer. (2011, July) Tracking the trackers: To catch a history thief. [Online]. Available: http://cyberlaw.stanford.edu/node/6695
[8] M. Ayenson, D. J. Wambach, A. Soltani, N. Good, and C. J. Hoofnagle, Flash cookies and privacy II: Now with HTML5 and ETag respawning, July 2011.
[9] A. Soltani. (2011, August) Respawn redux. [Online]. Available: http://ashkansoltani.org/docs/respawn_redux.html
[10] B. Krishnamurthy and C. Wills, Privacy leakage vs. protection measures: the growing disconnect, in Proceedings of the Web 2.0 Security and Privacy Workshop, May 2011.
[11] ---, On the leakage of personally identifiable information via online social networks, in Proceedings of the ACM Workshop on Online Social Networks, August 2009.
[12] B. Krishnamurthy and C. E. Wills, Privacy diffusion on the web: A longitudinal perspective, in Proceedings of the 18th Conference on the World Wide Web, April 2009.
[13] ---, Generating a privacy footprint on the Internet, in Proceedings of the 6th ACM Conference on Internet Measurement, October 2006.
[14] A. Soltani, S. Canty, Q. Mayo, L. Thoma, and C. J. Hoofnagle, Flash cookies and privacy, August 2009.
[15] F. Roesner, T. Kohno, and D. Wetherall, Detecting and defending against third-party tracking on the web, in Proceedings of the 9th USENIX Symposium on Networked Systems Design and Implementation, April 2012.
[16] P. G. Leon, L. F. Cranor, A. M. McDonald, and R. McGuire, Token attempt: The misrepresentation of website privacy policies through the misuse of P3P compact policy tokens, in Proceedings of the 2010 Workshop on Privacy in the Electronic Society, October 2010.
[17] D. Jang, R. Jhala, S. Lerner, and H. Shacham, An empirical study of privacy-violating information flows in JavaScript web applications, in Proceedings of the 2006 ACM Conference on Computer and Communications Security, October 2010.
[18] ECMA. Harmony proxies. [Online]. Available: http://wiki.ecmascript.org/doku.php?id=harmony:proxies
[19] J. Mayer. (2011, October) Tracking the trackers: Where everybody knows your username. [Online]. Available: http://cyberlaw.stanford.edu/node/6740
[20] A. Narayanan. (2011, July) There is no such thing as anonymous online tracking. [Online]. Available: http://cyberlaw.stanford.edu/node/6701
[21] Datalogix. Datalogix privacy policy. [Online]. Available: http://datalogix.com/privacy/
[22] D. Perito, C. Castelluccia, M. A. Kaafar, and P. Manilsr, How unique and traceable are usernames? in Proceedings of the 2011 Privacy Enhancing Technologies Symposium, 2011.
[23] D. Irani, S. Webb, C. Pu, and K. Li, Personal-information leakage from multiple online social networks, IEEE Internet Computing, May 2011.
[24] D. Irani, S. Webb, K. Li, and C. Pu, Large online social footprints - an emerging threat, in Proceedings of the 2009 International Conference on Computational Science and Engineering, August 2009.
[25] A. Narayanan. (2008, November) Lendingclub.com: A de-anonymization walkthrough. [Online]. Available: http://33bits.org/2008/11/12/57/
[26] Mozilla Foundation. Public suffix list. [Online]. Available: http://publicsuffix.org/
[27] A. Narayanan. (2010) How Google Docs leaks your identity. [Online]. Available: http://33bits.org/2010/02/22/google-docs-leaks-identity/
[28] L.-S. Huang and C. Jackson, Clickjacking attacks unresolved, July 2011.
[29] A. Narayanan and V. Shmatikov, Robust de-anonymization of large datasets, in Proceedings of the 2008 IEEE Symposium on Security and Privacy, May 2008.
[30] ---, De-anonymizing social networks, in Proceedings of the 2009 IEEE Symposium on Security and Privacy, May 2009.
[31] A. Acquisti, R. Gross, and F. Stutzman, Faces of Facebook, in Black Hat 2011, August 2011.
[32] Epsilon. (2011, April) Epsilon notifies clients of unauthorized entry into email system. [Online]. Available: http://epsilon.com/news-events/press-releases/2011/epsilon-notifies-clients-unauthorized-entry-email-system
[33] J. Turow, J. King, C. J. Hoofnagle, A. Bleakley, and M. Hennessy, Americans reject tailored advertising and three activities that enable it, September 2009.
[34] A. M. McDonald and L. F. Cranor, Beliefs and behaviors: Internet users' understanding of behavioral advertising, in Proceedings of the 2010 Research Conference on Communication, Information and Internet Policy, October 2010.
[35] Gallup. (2010, December) USA Today/Gallup poll. [Online]. Available: http://gallup.com/poll/File/145334/Internet_Ads_Dec_21_2010.pdf
[36] TRUSTe and Harris Interactive. (2011, July) Privacy and online behavioral advertising. [Online]. Available: http://truste.com/ad-privacy/TRUSTe-2011-Consumer-Behavioral-Advertising-Survey-Results.pdf
[37] Pew Research Center. (2012, March) Search engine use 2012. [Online]. Available: http://pewinternet.org/Reports/2012/Search-Engine-Use-2012.aspx
[38] Article 29 Data Protection Working Party. (2012, March) Letter to the online advertising industry. [Online]. Available: http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2012/20120301_reply_to_iab_easa_en.pdf
[39] Digital Advertising Alliance. (2012, February) DAA position on browser based choice mechanism. [Online]. Available: http://aboutads.info/resource/download/DAA_Committment.pdf
[40] S. Stamm. (2011, November) Why we won't enable DNT by default. [Online]. Available: http://blog.mozilla.com/privacy/2011/11/09/dnt-cannot-be-default/
[41] T. Lowenthal. (2011, November) Deeper discus-

Internet as we know it, U.S. News, January 2011, opinion.
[77] B. Kunz, The $8 billion Do Not Track prize, Bloomberg Businessweek, December 2010, opinion.
[78] H. David, Do Not Track: Revenue impact on online advertising, Bloomberg Government, March 2011.
[79] J. Mayer. (2011, January) Do Not Track is no threat to ad-supported businesses. [Online]. Available: http://cyberlaw.stanford.edu/node/6592
[80] H. Beales, The value of behavioral targeting, March 2010. [Online]. Available: http://networkadvertising.org/pdfs/Beales_NAI_Study.pdf
[81] A. Goldfarb and C. E. Tucker, Privacy regulation and online advertising, Management Science, January 2011.
[82] ---, Online advertising, behavioral targeting, and privacy, Communications of the ACM, May 2011.
[83] J. Yan, N. Liu, G. Wang, W. Zhang, Y. Jiang, and Z. Chen, How much can behavioral targeting help online advertising? in Proceedings of the 18th Conference on the World Wide Web, April 2009.
[84] J. Franks, P. Hallam-Baker, J. Hostetler, S. Lawrence, P. Leach, A. Luotonen, and L. Stewart, HTTP authentication: Basic and digest access authentication, RFC 2617, June 1999.
[85] R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee, Hypertext transfer protocol - HTTP/1.1, RFC 2616, June 1999.
[86] N. Cubrilovic. (2011, August) Persistent and unblockable cookies using HTTP headers. [Online]. Available: http://nikcub.appspot.com/posts/persistant-and-unblockable-cookies-using-http-headers
[87] E. Bursztein. (2011, July) Tracking users that block cookies with a HTTP redirect. [Online]. Available: http://elie.im/blog/security/tracking-users-that-block-cookies-with-a-http-redirect/
[88] M. Zalewski. (2011, December) Rapid history extraction through non-destructive cache timing. [Online]. Available: http://lcamtuf.coredump.cx/cachetime/
[89] T. Dierks and E. Rescorla, The transport layer security (TLS) protocol version 1.2, RFC 5246, August 2008.
[90] J. Hodges, C. Jackson, and A. Barth, HTTP strict transport security (HSTS), draft-ietf-websec-strict-transport-sec-06, March 2012.
[91] Z. Weinberg, E. Chen, P. R. Jayaraman, and C. Jackson, I still know what you visited last summer: Leaking browsing history via user interaction and side channel attacks, in Proceedings of the 2011 IEEE Symposium on Security and Privacy, May 2011.
[92] S. Kamkar. (2010, September) evercookie. [Online]. Available: http://samy.pl/evercookie/
[93] A. M. McDonald and L. F. Cranor, A survey of the use of Adobe Flash local shared objects to respawn HTTP cookies, Carnegie Mellon CyLab, Tech. Rep. 11-001, January 2011.
[94] J. Mayer. (2011, August) Tracking the trackers: Microsoft advertising. [Online]. Available: http://cyberlaw.stanford.edu/node/6715
[95] ---, `Any person... a pamphleteer': Internet anonymity in the age of web 2.0, Undergraduate thesis, Princeton University, Princeton, NJ, May 2009.
[96] P. Eckersley, How unique is your web browser? in Proceedings of the 2010 Privacy Enhancing Technologies Symposium, July 2010.
[97] T.-F. Yen, Y. Xie, F. Yu, R. P. Yu, and M. Abadi, Host fingerprinting and tracking on the web: Privacy and security implications, in Proceedings of the 19th Annual Network and Distributed System Security Symposium, February 2012.
[98] S. Guha, B. Cheng, and P. Francis, Privad: Practical privacy in online advertising, in Proceedings of the 2011 USENIX Symposium on Networked Systems Design and Implementation, April 2011.
[99] A. Reznichenko, S. Guha, and P. Francis, Auctions in Do-Not-Track compliant Internet advertising, in Proceedings of the 2011 ACM Conference on Computer and Communications Security, October 2011.
[100] V. Toubiana, A. Narayanan, D. Boneh, H. Nissenbaum, and S. Barocas, Adnostic: Privacy preserving targeted advertising, in Proceedings of the 2010 Network and Distributed System Security Symposium, March 2010.
[101] M. Fredrikson and B. Livshits, Repriv: Re-envisioning in-browser privacy, in Proceedings of the 2011 IEEE Symposium on Security and Privacy, May 2011.
[102] M. Bilenko and M. Richardson, Predictive client-side profiles for personalized advertising, in Proceedings of the 2011 ACM Conference on Knowledge Discovery and Data Mining, August 2011.
[103] M. J. Rasmussen, Adobe position paper on privacy and tracking, in W3C Workshop on Web Tracking and User Privacy, April 2011.
[104] S. Clifford, A little `i' to teach about online privacy, The New York Times, January 2010.
[105] J. Hernandez, A. Jagadeesh, and J. Mayer. (2011, August) Tracking the trackers: The AdChoices icon. [Online]. Available: http://cyberlaw.stanford.edu/node/6714
[106] M. Hastak and M. J. Culnan, Online behavioral advertising icon study, January 2010. [Online]. Available: http://futureofprivacy.org/final_report.pdf
[107] P. G. Leon, B. Ur, R. Balebako, L. F. Cranor, R. Shay, and Y. Wang, Why Johnny can't opt out: A usability evaluation of tools to limit online behavioral advertising, Carnegie Mellon CyLab, Tech. Rep. 11-017, October 2011.
[108] World Wide Web Consortium. (2011, April) Web tracking and user privacy workshop. [Online]. Available: http://w3.org/2011/04/29-w3cdnt-minutes.html
[109] G. Aggrawal, E. Bursztein, C. Jackson, and D. Boneh, An analysis of private browsing modes in modern browsers, in Proceedings of the 19th USENIX Security Symposium, 2010.
[110] J. Mayer. (2011, September) Tracking the trackers: Self-help tools. [Online]. Available: http://cyberlaw.stanford.edu/node/6730
[111] A. Fowler. (2011, November) Do Not Track Adoption in Firefox Mobile is 3x higher than desktop. [Online]. Available: http://blog.mozilla.com/privacy/2011/11/02/do-not-track-adoption-in-firefox-mobile-is-3x-higher-than-desktop/
[112] S. Guha, B. Cheng, and P. Francis, Challenges in measuring online advertising systems, in Proceedings of the 10th ACM Conference on Internet Measurement, November 2010.
[113] J. Mayer. (2011, July) Tracking the trackers: Early results. [Online]. Available: http://cyberlaw.stanford.edu/node/6694