Volume 2022 (2022): Issue 1 (January 2022)
Journal Details
License
Format
Journal
First Published
16 Apr 2015
Publication timeframe
4 times per year
Languages
English
access type Open Access

How Can and Would People Protect From Online Tracking?

Published Online: 20 Nov 2021
Page range: 105 - 125
Received: 31 May 2021
Accepted: 16 Sep 2021
Abstract

Online tracking is complex and users find it challenging to protect themselves from it. While the academic community has extensively studied systems and users for tracking practices, the link between the data protection regulations, websites’ practices of presenting privacy-enhancing technologies (PETs), and how users learn about PETs and practice them is not clear. This paper takes a multidimensional approach to find such a link. We conduct a study to evaluate the 100 top EU websites, where we find that information about PETs is provided far beyond the cookie notice. We also find that opting out of privacy settings is not as easy as opting in and becomes even more difficult (if not impossible) when the user decides to opt out of previously accepted privacy settings. In addition, we conduct an online survey with 614 participants across three countries (UK, France, Germany) to gain a broad understanding of users’ tracking protection practices. We find that users mostly learn about PETs for tracking protection via their own research or with the help of family and friends. We find a disparity between what websites offer as tracking protection and the ways individuals report protecting themselves. Observing such a disparity sheds light on why current policies and practices are ineffective in supporting the use of PETs by users.
