DOI: 10.5555/3698900.3699131
research-article

Fledging Will Continue Until Privacy Improves: Empirical Analysis of Google's Privacy-Preserving Targeted Advertising

Published: 12 August 2024

Abstract

Google recently announced plans to phase out third-party cookies and is currently in the process of rolling out the Chrome Privacy Sandbox, a collection of APIs and web standards that offer privacy-preserving alternatives to existing technologies, particularly for the digital advertising ecosystem. This includes FLEDGE, also referred to as the Protected Audience, which provides the necessary mechanisms for effectively conducting real-time bidding and ad auctions directly within users' browsers. FLEDGE is designed to eliminate the invasive data collection and pervasive tracking practices used for remarketing and targeted advertising. In this paper, we provide a study of the FLEDGE ecosystem both before and after its official deployment in Chrome. We find that even though multiple prominent ad platforms have entered the space, Google ran 99.8% of the auctions we observed, highlighting its dominant role. Subsequently, we provide the first in-depth empirical analysis of FLEDGE, and uncover a series of severe design and implementation flaws. We leverage those for conducting 12 novel attacks, including tracking, cross-site leakage, service disruption, and pollution attacks. While FLEDGE aims to enhance user privacy, our research demonstrates that it is currently exposing users to significant risks, and we outline mitigations for addressing the issues that we have uncovered. We have also responsibly disclosed our findings to Google so as to kickstart remediation efforts. We believe that our research highlights the dire need for more in-depth investigations of the entire Privacy Sandbox, due to the massive impact it will have on user privacy.



Published In

SEC '24: Proceedings of the 33rd USENIX Conference on Security Symposium
August 2024
7480 pages
ISBN: 978-1-939133-44-1

Sponsors

  • Bloomberg Engineering
  • Google Inc.
  • NSF
  • Futurewei Technologies
  • IBM

Publisher

USENIX Association

United States

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Acceptance Rates

Overall Acceptance Rate 40 of 100 submissions, 40%
