Measuring the Impact of the GDPR on Data Sharing in Ad Networks

Tobias Urban, Dennis Tatang, Martin Degeling, Thorsten Holz, Norbert Pohlmann

ACM Asia Conference on Computer & Communications Security (ASIACCS), Taipei, Taiwan, June 2020


In the modern Web, service providers often rely heavily on third parties to run their services. For example, they make use of ad networks to finance their services, externally hosted libraries to develop features quickly, and analytics providers to gain insights into visitor behavior.For security and privacy, website owners need to be aware ofthe content they provide their users. However, in reality, they oftendo not know which third parties are embedded, for example, when these third parties request additional content as it is common in real-time ad auctions.In this paper, we present a large-scale measurement study to analyze the magnitude of these new challenges. To better reflect the connectedness of third parties, we measured their relations in a model we call third party trees, which reflects an approximation ofthe loading dependencies of all third parties embedded into a given website. Using this concept, we show that including a single third party can lead to subsequent requests from up to eight additional services. Furthermore, our findings indicate that the third parties embedded on a page load are not always deterministic, as 50 %of the branches in the third party trees change between repeated visits. In addition, we found that 93 % of the analyzed websites embedded third parties that are located in regions that might not be in line with the current legal framework. Our study also replicates previous work that mostly focused on landing pages of websites.We show that this method is only able to measure a lower bound assubsites show a significant increase of privacy-invasive techniques.For example, our results show an increase of used cookies by about36 % when crawling websites more deeply


tags: Ad networks, online tracking, privacy