Journal information
License
Format
Journal
eISSN
2299-0984
First published
16 Apr 2015
Publication frequency
4 times per year
Languages
English
Access type: Open access

How Can and Would People Protect From Online Tracking?

Published: 20 Nov 2021
Volume & Issue: Volume 2022 (2022) - Issue 1 (January 2022)
Page range: 105 - 125
Received: 31 May 2021
Accepted: 16 Sep 2021
Abstract

Online tracking is complex and users find it challenging to protect themselves from it. While the academic community has extensively studied systems and users for tracking practices, the link between the data protection regulations, websites’ practices of presenting privacy-enhancing technologies (PETs), and how users learn about PETs and practice them is not clear. This paper takes a multidimensional approach to find such a link. We conduct a study to evaluate the 100 top EU websites, where we find that information about PETs is provided far beyond the cookie notice. We also find that opting-out from privacy settings is not as easy as opting-in and becomes even more difficult (if not impossible) when the user decides to opt-out of previously accepted privacy settings. In addition, we conduct an online survey with 614 participants across three countries (UK, France, Germany) to gain a broad understanding of users’ tracking protection practices. We find that users mostly learn about PETs for tracking protection via their own research or with the help of family and friends. We find a disparity between what websites offer as tracking protection and the ways individuals report to do so. Observing such a disparity sheds light on why current policies and practices are ineffective in supporting the use of PETs by users.

