ABSTRACT
Web cookies are used widely by publishers and 3rd parties to track users and their behaviors. Despite the ubiquitous use of cookies, there is little prior work on their characteristics such as standard attributes, placement policies, and the knowledge that can be amassed via 3rd party cookies. In this paper, we present an empirical study of web cookie characteristics, placement practices, and information transmission. To conduct this study, we implemented a lightweight web crawler that tracks and stores the cookies as it navigates to websites. We use this crawler to collect over 3.2M cookies from two crawls, separated by 18 months, of the top 100K Alexa websites. We report on the general cookie characteristics and add context via a cookie category index and website genre labels. We consider privacy implications by examining specific cookie attributes and placement behavior of 3rd party cookies. We find that 3rd party cookies outnumber 1st party cookies by a factor of two, and we illuminate the connection between domain genres and cookie attributes. We find that less than 1% of the entities that place cookies can aggregate information across 75% of websites. Finally, we consider the issue of information transmission and aggregation by domains via 3rd party cookies. We develop a mathematical framework to quantify user information leakage for a broad class of users, and present findings using real-world domains. In particular, we demonstrate the interplay between a domain's footprint across the Internet and the browsing behavior of users, which has significant impact on information transmission.