If you visit 450 pages on 15 major health, education and news sites, 1121 third parties set 891772 cookies. Visiting health sites first maximizes the chance that data brokers can track you across sites.

Excellent study by @idonibrasco, @HNissenbaum et al: news.cornell.edu/stories/2020/0…
Using personal identifiers stored in third-party cookies to monitor, follow and profile people across sites may have an expiration date, but it's more prevalent than ever.

I think examining cross-context ID in this way, presented at the @FTC's #PrivacyCon today, is very useful.
Observing the same personal identifier (aka pseudonymous cookie ID) across two websites proves that both sites help a third party to recognize a user again, and thus facilitate personal data sharing.

EU data protection authorities must adopt this methodology to gather evidence.
For example, the study observed 52 third-party trackers sharing user identities between website visits on Forbes and WebMD.

This proves that Forbes and WebMD facilitate personal data processing on visitors of both sites through 52 other companies. What's the GDPR lawful basis?
"Although the health sites may have fewer trackers than other types of sites ... those trackers are more persistent in following page visitors"

Of course, it's also interesting that the order in which users visit sites in health, education and news contexts makes a difference.
The authors mention several limitations, mostly leading to underestimating issues.

Every site visit can trigger different trackers, depending on who won the ad/data auction, syncing intervals etc.

Anyway, ID syncing across parties proves the depth of personal data processing.
…especially if observed across site visits that can reveal sensitive data.

EU authorities are currently focusing on cookie storage, and in the best case, on third party requests. Apart from raids, they could examine systematic ID matching (plus available info on third parties).
The most prevalent third-party trackers they observed: Google, Bing/Microsoft, Twitter, Yahoo/Verizon, Facebook, Drawbridge/Microsoft, Adobe. No surprises here.

But there are hundreds more.
To be honest, the number of 891,772 cookies set after visiting just 450 pages of 15 websites was surprising even to me. Also, 52 third parties syncing IDs between 2 single sites.

I observed lower numbers when examining websites from the EU. But even a few ID syncs are too many.
Btw. I really don't get why so many marketing surveillance firms do not use timestamped IDs for one-time use only, matched to persistent IDs on server-side. They must feel so safe.

Anyway, looking forward to further studies on persistent identifiers, from web to mobile to IoT.
Evidence gathering for DPAs, before inquiries or on-site inspection:

- Level 1: examine personal data transfer between user, website, third parties
- Level 2: examine across sites
- Level 3: examine across web, mobile, IoT
- Level 4: include info on how third parties *use* data
Technical testing has limitations, but EU data protection authorities could take advantage of it much more to gather evidence on actual personal data processing. In any case, technical testing must better capture/include the dynamic and networked nature of marketing surveillance.
Btw. Sorry for focusing on EU implications. The GDPR clearly paves the way to end this madness, yet is not enforced in major areas.

In the EU or not, you can limit web tracking to some extent. But this goes far beyond the web, it's systemic and individual 'choice' won't fix it.
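
The cross-site check the thread describes (the same identifier observed for one third party on two sites, plus the same identifier held by several third parties), as an added example that is not from the thread or from the study's own code. The observation records, domains, cookie values and the identifier heuristic are constructed assumptions.

```python
from collections import defaultdict

# Constructed crawl observations: (site visited, third-party domain, cookie name, value).
# Every domain and value below is made up for illustration.
OBSERVATIONS = [
    ("news.example", "tracker-a.example", "uid", "a81f3c9e27d44b06"),
    ("health.example", "tracker-a.example", "uid", "a81f3c9e27d44b06"),
    ("news.example", "tracker-b.example", "sid", "77c0de19fa3b4e52"),
    ("health.example", "tracker-b.example", "sid", "0b9e41d2c6a87f35"),
    ("news.example", "cdn.example", "consent", "true"),
    ("health.example", "cdn.example", "consent", "true"),
    ("health.example", "tracker-c.example", "id", "5e2d9b7741c80a6f"),
    ("news.example", "tracker-d.example", "partner_uid", "a81f3c9e27d44b06"),
]

MIN_ID_LENGTH = 8  # assumption: shorter values are flags or settings, not identifiers


def looks_like_identifier(value):
    """Heuristic (assumption): long enough and built from more than a few characters."""
    return len(value) >= MIN_ID_LENGTH and len(set(value)) > 4


def cross_site_ids(observations, site_a, site_b):
    """Return {third party: [(cookie name, value)]} for IDs seen on both sites."""
    seen = defaultdict(lambda: defaultdict(set))  # third party -> (name, value) -> sites
    for site, third_party, name, value in observations:
        if looks_like_identifier(value):
            seen[third_party][(name, value)].add(site)
    result = {}
    for third_party, ids in seen.items():
        shared = sorted(k for k, sites in ids.items() if {site_a, site_b} <= sites)
        if shared:
            result[third_party] = shared
    return result


def synced_parties(observations):
    """Return {value: [third parties]} for IDs held by more than one third party."""
    holders = defaultdict(set)
    for _site, third_party, _name, value in observations:
        if looks_like_identifier(value):
            holders[value].add(third_party)
    return {v: sorted(p) for v, p in holders.items() if len(p) > 1}


if __name__ == "__main__":
    print(cross_site_ids(OBSERVATIONS, "news.example", "health.example"))
    print(synced_parties(OBSERVATIONS))
```

A third party that sets a different value on each site, like the constructed `tracker-b.example`, is not reported, which is one way this kind of test underestimates tracking.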