If you visit 450 pages on 15 major health, education and news sites, 1121 third parties set 891772 cookies. Visiting health sites first maximizes the chance that data brokers can track you across sites.

Excellent study by @idonibrasco, @HNissenbaum et al: news.cornell.edu/stories/2020/0…

Using personal identifiers stored in third-party cookies to monitor, follow and profile people across sites may have an expiration date, but it's more prevalent than ever.

I think, examining cross-context ID in this way, presented at the @FTC's #PrivacyCon today, is very useful.

Observing the same personal identifier (aka pseudonymous cookie ID) across two websites proves that both sites help a third party to recognize a user again, and thus facilitate personal data sharing.

EU data protection authorities must adopt this methodology to gather evidence.

For example, the study observed 52 third-party trackers sharing user identities between website visits on Forbes and WebMD.

This proves that Forbes and WebMD facilitate personal data processing on visitors of both sites through 52 other companies. What's the GDPR lawful basis?

"Although the health sites may have fewer trackers than other types of sites ... those trackers are more persistent in following page visitors"

Of course, it's also interesting that the order in which users visit sites in health, education and news contexts makes a difference.

The authors mention several limitations, mostly leading to underestimating issues.

Every site visit can trigger different trackers, depending on who won the ad/data auction, syncing intervals etc.

Anyway, ID syncing across parties proves the depth of personal data processing.

…especially if observed across site visits that can reveal sensitive data.

EU authorities are currently focusing on cookie storage, and in the best case, on third party requests. Apart from raids, they could examine systematic ID matching (plus available info on third parties).

The most prevalent third-party trackers they observed: Google, Bing/Microsoft, Twitter, Yahoo/Verizon, Facebook, Drawbridge/Microsoft, Adobe. No surprises here.

But there are hundreds more.

To be honest, the number of 891,772 cookies set after visiting just 450 pages of 15 websites was surprising even to me. Also, 52 third parties syncing IDs between 2 single sites.

I observed lower numbers when examining websites from the EU. But even a few ID syncs are too many.

Btw. I really don't get why so many marketing surveillance firms do not use timestamped IDs for one-time use only, matched to persistent IDs on server-side. They must feel so safe.

Anyway, looking forward to further studies on persistent identifiers, from web to mobile to IoT.

Evidence gathering for DPAs, before inquiries or on-site inspection:

- Level 1: examine personal data transfer between user, website, third parties
- Level 2: examine across sites
- Level 3: examine across web, mobile, IoT
- Level 4: include info on how third parties *use* data

Technical testing has limitations, but EU data protection authorities could take advantage of it much more to gather evidence on actual personal data processing. In any case, technical testing must better capture/include the dynamic and networked nature of marketing surveillance.

Btw. Sorry for focusing on EU implications. The GDPR clearly paves the way to end this madness, yet is not enforced in major areas.

In the EU or not, you can limit web tracking to some extent. But this goes far beyond the web, it's systemic and individual 'choice' won't fix it.