Cookie Synchronization: Everything You Always Wanted to Know But Were Afraid to Ask

TL;DR

This paper provides an in-depth analysis of Cookie Synchronization (CSync), revealing its widespread use and significant privacy implications for web users, supported by a novel detection mechanism and real-world data analysis.

Contribution

It introduces CONRAD, a real-time detection system for CSync events, and offers the first comprehensive study of CSync behavior and privacy impact in the wild.

Findings

97% of users are exposed to CSync within the first week

Median userID is shared with 3.5 domains on average

CSync increases the number of tracking domains by 6.75 times

Abstract

User data is the primary input of digital advertising, fueling the free Internet as we know it. As a result, web companies invest a lot in elaborate tracking mechanisms to acquire user data that can sell to data markets and advertisers. However, with same-origin policy, and cookies as a primary identification mechanism on the web, each tracker knows the same user with a different ID. To mitigate this, Cookie Synchronization (CSync) came to the rescue, facilitating an information sharing channel between third parties that may or not have direct access to the website the user visits. In the background, with CSync, they merge user data they own, but also reconstruct a user's browsing history, bypassing the same origin policy. In this paper, we perform a first to our knowledge in-depth study of CSync in the wild, using a year-long weblog from 850 real mobile users. Through our study, we aim to understand the characteristics of the CSync protocol and the impact it has on web users' privacy. For this, we design and implement CONRAD, a holistic mechanism to detect CSync events at real time, and the privacy loss on the user side, even when the synced IDs are obfuscated. Using CONRAD, we find that 97% of the regular web users are exposed to CSync: most of them within the first week of their browsing, and the median userID gets leaked, on average, to 3.5 different domains. Finally, we see that CSync increases the number of domains that track the user by a factor of 6.75.