In-Depth Evaluation of Redirect Tracking and Link Usage

Martin Koop 1, Erik Tews 2, and Stefan Katzenbeisser 3
  • 1 Universität Passau
  • 2 University of Twente
  • 3 Universität Passau

Abstract

In today’s web, information gathering on users’ online behavior plays a major role. Advertisers use different tracking techniques that invade users’ privacy by collecting data on their browsing activities and interests. To prevent this threat, various privacy tools are available that try to block third-party elements. However, there exist various tracking techniques that are not covered by those tools, such as redirect link tracking. Here, tracking is hidden in ordinary website links pointing to further content. By clicking those links, or by automatic URL redirects, the user is redirected through a chain of potential tracking servers not visible to the user. In this scenario, the tracker collects valuable data about the content, topic, or user interests of the website. Additionally, the tracker sets not only third-party but also first-party tracking cookies, which are far more difficult to block by browser settings and ad-block tools. Since the user is forced to follow the redirect, tracking is inevitable and a chain of (redirect) tracking servers gains more insight into the users’ behavior. In this work we present the first large-scale study on the threat of redirect link tracking. By crawling the Alexa top 50k websites and following up to 34 page links, we recorded traces of HTTP requests from 1.2 million individual visits of websites as well as analyzed 108,435 redirect chains originating from links clicked on those websites. We evaluate the derived redirect network on its tracking ability and demonstrate that top trackers are able to identify the user on the most visited websites. We also show that 11.6% of the scanned websites use one of the top 100 redirectors, which are able to store non-blocked first-party tracking cookies on users’ machines even when third-party cookies are disabled. Moreover, we present the effect of various browser cookie settings, resulting in a privacy loss even when using third-party blocking tools.
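The mechanism described in the abstract can be checked for in a recorded HTTP trace. The following is an added example, not code from the paper: it rebuilds the redirect chain of one link click and reports intermediate sites that set a persistent cookie while being visited as a top-level (first-party) hop. The trace, all hostnames, and the "persistent cookie on an intermediate hop" heuristic are assumptions made for illustration and are not the authors' classification method.

```python
from urllib.parse import urljoin, urlsplit

# Constructed trace of one link click: URL -> (status, Location, Set-Cookie list).
TRACE = {
    "https://news.example/out?id=42":
        (302, "https://r.tracker-a.example/c?id=42", []),
    "https://r.tracker-a.example/c?id=42":
        (302, "https://sync.tracker-b.example/s",
         ["uid=9f3c1a; Max-Age=31536000; Path=/"]),
    "https://sync.tracker-b.example/s":
        (302, "/go", ["sid=tmp; Path=/"]),          # session cookie only
    "https://sync.tracker-b.example/go":
        (301, "https://shop.example/item", []),
    "https://shop.example/item":
        (200, None, ["cart=1; Max-Age=3600"]),      # destination, not a redirector
}

def site(url):
    """Naive registrable domain (last two labels); real code needs the Public Suffix List."""
    return ".".join(urlsplit(url).hostname.split(".")[-2:])

def redirect_chain(trace, start, max_hops=20):
    """Follow 3xx Location headers from `start`; return the ordered URLs visited."""
    chain, url = [], start
    while url in trace and url not in chain and len(chain) < max_hops:
        chain.append(url)
        status, location, _ = trace[url]
        if not (300 <= status < 400 and location):
            break
        url = urljoin(url, location)                # Location may be relative
    return chain

def is_persistent(set_cookie):
    """True if the cookie carries Max-Age or Expires, i.e. outlives the session."""
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    return any(a.startswith(("max-age=", "expires=")) for a in attrs)

def first_party_cookie_redirectors(trace, start):
    """Map each intermediate site to the persistent cookie names it set in the chain.

    Every hop is a top-level navigation, so these cookies are first-party for
    the redirector and are not affected by third-party cookie blocking.
    """
    chain = redirect_chain(trace, start)
    origin, dest = site(chain[0]), site(chain[-1])
    flagged = {}
    for url in chain[1:-1]:
        hop = site(url)
        if hop in (origin, dest):
            continue
        names = [c.split("=", 1)[0].strip() for c in trace[url][2] if is_persistent(c)]
        if names:
            flagged.setdefault(hop, []).extend(names)
    return flagged
```

On the constructed trace only the first redirector is reported; the second hop sets a session cookie and the destination's own cookie is ignored.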


