User tracking in the post-cookie era: How websites bypass GDPR consent to track users

Abstract:
During the past few years, mostly as a result of the GDPR and the CCPA, websites have started to present users with cookie consent banners. These banners are web forms where the users can state their preference and declare which cookies they would like to accept, if such option exists. Although requesting consent before storing any identifiable information is a good start towards respecting the user privacy, yet previous research has shown that websites do not always respect user choices. Furthermore, considering the ever decreasing reliance of trackers on cookies and actions browser vendors take by blocking or restricting third-party cookies, we anticipate a world where stateless tracking emerges, either because trackers or websites do not use cookies, or because users simply refuse to accept any. We explore whether websites use more persistent and sophisticated forms of tracking in order to track users who said they do not want cookies. Such forms of tracking include first-party ID leaking, ID synchronization, and browser fingerprinting. Our results suggest that websites do use such modern forms of tracking even before users had the opportunity to register their choice with respect to cookies. To add insult to injury, when users choose to raise their voice and reject all cookies, user tracking only intensifies. As a result, users’ choices play very little role with respect to tracking: we measured that more than 75% of tracking activities happened before users had the opportunity to make a selection in the cookie consent banner, or when users chose to reject all cookies.

Bio:
Evangelos Markatos is a professor of Computer Science at the University of Crete. He received his diploma in Computer Engineering from the University of Patras and the MSc and PhD in Computer Science from the University of Rochester. He is the founding head of the Distributed Computing Systems and Cyber Security Lab at FORTH-ICS where he conducts research in the broader area of computer systems with a special emphasis in Network Security, Privacy, and Cyber Crime.  He has been a member (i) of the permanent stakeholders group of ENISA (European Network and Information Security Agency) and (ii) of the Academic Advisory Network of Europol’s EC3 (European Cybercrime Center). He is currently a member of the Strategic Research and Innovation Agenda Board of ECSO: the European Cyber Security Organization. He has served (i) as the founding coordinator of  SysSec: The European  Network of Excellence in Threats and Vulnerabilities for the Future Internet, consisting of 8 partners and more than 70 associated partners funded in part by the European Commission, (ii) as the coordinator of the NoAH project which installed one of the largest academic Network of honeypots  in Europe, and (iii) as the founding member of SENTER: The European Network of the National Centers of Excellence in Cybercrime Research Training and Education. Prof. Markatos has co-authored more than 150 publications in top conferences and journals including  ACM SOSP, ACM SIGMETRICS, IEEE HPCA, ACM/IEEE ToN, IEEE JSAC, USENIX Security, INFOCOM, etc.